Auditing In Advanced Information Technology System Flashcards

1
Q

List the effect of electronic data interchange (EDI)

A
  1. Quick reaction time
  2. Continuous processing
  3. Strict application of conditions of payment
  4. Impact of unauthorized access more significant
  5. Increased importance of security controls
  6. Computer applications must meet interface standards
  7. Certain user controls become obsolete
  8. Lack of paper trails
  9. Human judgement and intervention falls away
  10. Contractual liabilities addressed through agreements
2
Q

List the advantages of EDI

A
  1. Cost saving
  2. Speed increased
  3. Reduced risk of errors
  4. Improved inventory and cash management
  5. Improved trade relation with suppliers
3
Q

List the general risks relating to EDI

A
  1. Increased reliance on trading partners
  2. Increased reliance on technology
  3. Less human involvement, less chance of detecting errors
  4. Dependency on service provider
  5. Legal risks
  6. Business risks
4
Q

List the internal risks in EDI

A
  1. Security risks
  2. Implementation risks
  3. Processing risks
5
Q

List the external risks with EDI

A
  1. Controls at trading partners and VANS
  2. Loss of sensitive data due to unauthorized access
  3. Legislation regarding business transactions
  4. Loss of EDI facility
  5. Error during transmission of data
  6. Manipulation of transaction during transmission
6
Q

List the controls for increased reliance on trading partners

A
  1. Development and acceptance of proper contractual data interchange agreement
  2. Good relations between trading partners
  3. Third party review of trading partners on regular basis
7
Q

List the controls for increased reliance on technology

A
  1. Hardware and software continuously tested
  2. Strict development standards
  3. Control over physical access to critical hardware
  4. Error correction procedures
  5. Backup
8
Q

List the controls for less human involvement

A
  1. Automated controls
  2. Training of management to understand information and to react timeously
  3. Limits and exception built into trading agreement
  4. Authorization of transaction by users during initial development of the system
9
Q

List the controls for dependency on VANS

A
  1. Assess reliability of service provider
  2. Contractual agreement with service provider
10
Q

List controls for legal risks

A
  1. Adherence to legal requirement
  2. Contractual rights and obligations must be clearly defined in agreement
  3. Employee bound by code of conduct
11
Q

Name the control for business risk

A
  Information risk management policies and procedures
12
Q

List the security risks involved in internal risks

A
  1. General lack of security policy for the organization as a whole
  2. Absence of executive sponsorship for security issues
  3. Security breach due to unauthorized access
  4. Manipulation of software applications
  5. Blackmail
13
Q

List the controls for security risk

A
  1. Security policy and procedures implemented and regularly reviewed
  2. Programmed access controls
  3. Audit trails of access to EDI and follow up unauthorized access
  4. Backup, recovery and restoration facilities
  5. Error correction procedures
  6. Physical security
  7. Personnel security
  8. Administrative security
  9. Communication security
  10. Risk management
14
Q

List the controls for implementation risks

A
  1. Data retention requirements determined in respect of period, medium, legal requirements
  2. Perform risk analysis
  3. Obtaining technical advice
  4. Auditor must be involved
  5. Normal system development procedures
15
Q

List the controls for processing risks in EDI

A
  1. Edit tests by system
  2. Exception reports printed and followed up by management
  3. Sequential numbering and follow up missing items
  4. Reconciliation of control accounts and transactions
  5. Validation tests by system
  6. Transaction logs and audit trails
  7. Division of duties
  8. Protection of data transmitted through encryption
  9. High risk transactions are encrypted
16
Q

List the controls for trading partner and VANS

A
  1. Contractual agreement
  2. Good relationship
  3. Third party review
  4. Verify the identity of trading partners
17
Q

List the controls for loss of sensitive data due to unauthorized access

A
  1. Business agreement between partners
  2. Good business relationship
  3. Encryption of transaction and data
  4. Third party review
18
Q

List the controls for EDI facility

A
  1. Regular testing of system
  2. Choice of network supplier
  3. Failover
19
Q

List the controls to prevent error during transmission of data

A
  1. Edit tests
  2. Parity test by system
20
Q

List the controls to prevent manipulation of transactions during transmission

A
  1. Access controls
  2. Encryption
21
Q

List the general controls in an electronic business transaction system

A
  1. System development and implementation controls
  2. System maintenance controls
  3. Organizational and management controls
  4. Access controls
  5. Computer operating controls
  6. System software controls
  7. Business continuity controls
22
Q

List the additional considerations in system development and implementation controls in an electronic business transaction system.

A
  1. Strategic planning to allow for EDI transactions and risks
  2. Risk analysis performed before implementation
  3. Use recognized standards and methodology in development
  4. Planning of a business strategy to accommodate EDI transactions
  5. Contractual agreement covering rights and obligations with trading partners and service providers
  6. Necessity to update accounting processing procedures and controls
23
Q

List the aspects to be included in agreement with trading partners

A
  1. Responsibilities and duties
  2. Security audit
  3. Adequacy of controls
  4. Accountability for the creation, transmission and receipt of messages
  5. The format and frequency of acknowledgement
  6. Backups
  7. Contractual aspects
24
Q

List the additional controls to be considered in the organizational and management control in an electronic business transaction environment

A
  1. Involvement and support by senior management
  2. EDI coordinator/supervisor
  3. Division of duties between authorization and transmission of data
  4. Risk management
  5. All responsibilities and duties regarding the management and protection of data addressed in policy
  6. Regular independent certification of security
  7. Personnel policies
  8. Administrative policies
25
Q

List the additional controls for computer operating controls for electronic business transaction system.

A
  1. Hardware devices validate the source of all incoming messages using recognition codes
  2. Hardware devices confirm the identity of recipient of all outgoing messages
  3. Central computer should poll all remote devices on a regular basis
  4. Communication links and network maintenance
  5. Recognition of receipt of data
  6. Correction of error
  7. Backup and recovery procedures
  8. System logs record all incoming and outgoing messages
  9. Line interference protection ensures messages are not distorted
26
Q

List the system recovery procedures from operational failure

A
  1. System provide a record of accepted data transfer
  2. Written procedures for the re-transmission of non-accepted data transfer
  3. Controls to prevent duplication following system recovery
  4. An incident log should be kept of all interruptions
  5. Hardware failure, processing switch to alternative terminal or server
  6. Line failure, processing switch to other communication media
  7. Contingency plan tested periodically
27
Q

List the additional controls for system software controls

A
  1. Encryption of sensitive data before transmission
  2. Use of secure server software programs to encrypt all information before transmission
  3. Control in place to protect data against unauthorized manipulation and deletion during transmission and storage
  4. Secure electronic transmission (SET) set up by organization in respect of credit card transactions
  5. Protection of transaction data transmitted by use of digital signature
28
Q

List the additional controls for business continuity controls

A
  1. Contract with service provider/trading partners
  2. Power backup
  3. Communication lines
  4. Hardware
  5. Logging and storage copies of incoming and outgoing messages
  6. Numbering or other forms of systematic storage of incoming and outgoing messages
29
Q

List the programmed application controls for electronic business transaction system

A
  1. Echo checking
  2. Verification of headers, trailers and record counts to ensure completeness of message
  3. Hash values and hash value comparisons
  4. Check digits on control fields
  5. Verification of controls and/or hash totals
  6. Message automatically re-transmitted if any error detected
  7. Verification of proper message structure
30
Q

List the user application controls for electronic business transaction system

A
  1. Authorization of transaction by users
  2. Regular audit trails printout of incoming messages with exception reports
  3. Regular review of audit trails and exception reports by management
  4. Correction of error as soon as possible
  5. Reconciliation of control account
31
Q

List the controls in EFT transactions

A
  1. Master file changes
  2. Execution of payments
    - validity
    - completeness
    - accuracy
32
Q

List the accuracy control in EFT

A
  1. Training
  2. Edit tests
    • format test
    • screen test
    • dependency test
    • limit/reasonability test
    • check digits
    • control totals
    • validity/existence test
    • field size
33
Q

Problem areas in auditing in an EDI environment

A
  1. Transactions are performed and accounted for electronically without paper/documentation
  2. Transactions often take place automatically
  3. Authorized by computer
  4. Large number of transactions
  5. High risk of unauthorized access
  6. Transactions stored in electronic format
34
Q

List the benefits of trading via Internet

A
  1. Ability to exchange information
  2. Ability to share information
  3. Cost-effective
  4. Marketing, advertising
35
Q

Risks on trading via Internet

A
  1. Security risks
  2. Privacy risks
  3. Hackers, hacktivists, phishing, spoofing and spyware
  4. Wireless application
  5. Business continuity risks
  6. Payment via credit card
  7. Accounting risks
  8. Tax and regulation
  9. Outsourcing
36
Q

What are some of security risks of trading via internet

A
  1. Internet protocol carrying no identity, enabling intruders to pose as someone else
  2. Internet not designed with security in mind
  3. No central management of the Internet
  4. Dependence on appropriate and adequate system design to prevent and detect abnormalities
  5. Dependence on programmed controls to cope with large volume of transactions
  6. Remote transactions initiated by users
  7. Risks relating to managing security ranging from choice of business model at the strategic level to the interface between processes
  8. Failure of encryption based security
37
Q

Name the privacy risks relating to trading via Internet

A
  1. Invasion of privacy may increase
  2. Issues concerning payment with credit card
38
Q

List the risks relating to wireless applications

A
  1. Interception of confidential information by unauthorized parties
  2. Risk of unauthorized access to computers and servers through wireless connection
39
Q

List the risks with payment via credit card

A
  1. Unauthorized acquisition of credit card information
  2. Claims against the organization where client information is accessed by unauthorized users
  3. Risk of bad debts resulting from stolen cards
40
Q

List the controls in Internet based system

A
  1. Certification
  2. Authentication
  3. Confidentiality
  4. Credit card
  5. Non-repudiation
  6. Identification and authentication
  7. Privacy policy
  8. Assurance logo
  9. Firewalls
  10. Controls relating to transaction integrity
  11. Controls over master file information
41
Q

List the controls against viruses

A
  1. Software protection
  2. Data file protection
  3. Staff
42
Q

Steps taken to implement software protection controls against virus

A
  1. Purchase from reputable suppliers, program tested before implementation
  2. Care taken when using free or public domain software
  3. Do not lend out removable media devices
  4. Never boot up a hard drive from removable devices
  5. Set anti-virus software to scan before mount
  6. Never use illegal copies of software
43
Q

List the controls for data file protection

A
  1. Sound access controls including firewall
  2. Install virus detection software
  3. Test data for virus before use
  4. Regular backups
  5. Keep removable devices set to "write protect"
44
Q

Advantages of outsourcing and using a service provider

A
  1. Division of duties effected through processing being done by third party
  2. Cost consideration
  3. Hardware, resources and expertise are provided by service provider
  4. Reliability of processing
  5. Service provider is likely to have secure control environment
45
Q

Disadvantages of using service providers

A
  1. Dependence on service provider for processing
  2. Loss of control over information processing
  3. Reliability of service provider in respect of processing and safeguarding of integrity of data
  4. Risk of being locked into obsolete technology
46
Q

Factors to be considered when using a service provider

A
  1. Fee structure
  2. Speed of information turnaround
  3. Whether or not the service provider is financially sound
  4. Quality of backups and support available
  5. The service provider’s contingency plan
  6. Service provider’s ability to keep pace with technology
  7. Quality of information available
  8. Implication of management control
  9. Implication of accounting controls
  10. Effect of company’s image