Auditing & IT Flashcards

1
Q

INTERNAL CONTROL FOR IT

A

Auditing Internal Control in a company’s IT environment helps to:

  • Plan the rest of the audit
    • Looks for shorter audit trails that may expire
    • Problem with Auditing IT: less documentation
2
Q

INTERNAL CONTROL FOR IT

A

Assess the level of Control Risk:

  • Unauthorized access to systems or data is more difficult to catch
  • Systems access controls add another layer to separation of duties analysis
  • Focus should be on the general controls
  • Any new systems developments
  • Current systems changes
    • Program/Data access changes
3
Q

Audit of IT is NOT required

A
  • Audit of IT is NOT required when Controls are redundant to another department
  • The system doesn’t appear to be reliable, and testing controls wouldn’t be an efficient use of time
  • Costs > Benefit
4
Q

Audit of IT

A

Audit of IT can be performed without directly interacting with the system if:

  • System isn’t complex/complicated
  • System output is detailed
5
Q

Database Admin

A
  • Maintains Database
  • Restricts Access
  • Responsible for IT Internal Control
6
Q

Systems Analyst

A
  • Recommends changes or upgrades
  • Liaison between IT and users
7
Q

Librarian

A
  • Responsible for Disc storage
  • Holds System Documentation
8
Q

Generalized Audit Software

A
  • Uses computer speed to quickly sort data and files, which leads to a more efficient audit
  • Compatible with different client IT systems
  • Extracts evidence from client databases
  • Tests data without auditor needing to spend time learning the IT system in detail
  • Client-tailored or commercially produced
9
Q

Structured Query Language (SQL)

A
  • Relational Database
  • Group of related spreadsheets
  • Retrieves information through Queries
10
Q

Data Definition Language

A
  • Defines a database
  • Gives information on database structure
  • Maintains tables
  • Can be joined together
  • Establishes database constraints

Data definition language is used to define a database, including creating, altering, and deleting tables and establishing various constraints.

11
Q

Data Manipulation Language

A
  • Data Manipulation Language (DML)
  • Auditor needs information, so client uses DML to get the information needed
12
Q

Data Control Language

A
  • Controls a database
  • Restricts access
13
Q

Check Digits

A
  • Check Digits
  • Makes it more difficult for a fraudulent account to be set up or go undetected
14
Q

Code Review

A
  • Tests a program’s processing logic
  • Advantageous because auditor gains a greater understanding of the program
15
Q

Limit Test

A

Examines data and looks for reasonableness using upper and lower limits

16
Q

Test Data Method

A
  • Auditor processes data with client’s computer
  • Fake transactions are used to test program control procedures
  • Each control needs to only be tested once
  • Problem - Fake data could combine with real data
17
Q

Operating systems logs

A

Auditor can review logs to see which applications were run and by whom

18
Q

Access Security Software

A
  • Helpful in online environments
  • Restricts computer access
  • May use encryption
19
Q

Library Management Software

A

Logs any changes to system/applications etc

20
Q

Embedded Audit Modules

A
  • Embedded Audit Modules
  • Enable continuous monitoring in an audit environment that is changing
  • Weakness: requires implementation into the system design
  • Collects information based on some criteria and can be analyzed at a later time (necessary because the audit environment is continually changing)
21
Q

Audit Hook

A

Application instruction that gives the auditor control over the application to grab transactions for analysis

22
Q

Transaction tagging

A

Auditor tags transactions and traces them through the system

23
Q

Extended records

A

Adds audit data to financial records to assist in audit trail creation

24
Q

Real Time Processing

A
  • Destroys prior data when updated
  • aka “Destructive Updating”
  • Requires well-documented Audit Trail
25
Q

Requires well-documented Audit Trail

A

If the auditor only audits the outputs of a computer system and doesn’t also audit the software applications, an error in the applications could be missed

26
Q

Compiler

A

Software that translates a source program (similar to English) into a language that the computer can understand

27
Q

Parallel Simulation

A
  • Client data is processed using Generalized Audit Software (GAS)
  • Sample size can be expanded without significantly increasing the audit cost
  • GAS output compared to client output
28
Q
A
29
Q

Data manipulation language

A

Data manipulation language is composed of commands used to maintain and query a database, including updating, inserting, modifying and querying (asking for data)

30
Q

Data control language

A

Data control language is composed of commands used to control a database, including controlling which users have various privileges (e.g., who is able to read from and write to various portions of the database)

31
Q
A
32
Q

Five Trust Services Principles

A

Five Trust Services principles are:

  • Security
  • Availability
  • Processing Integrity
  • Online Privacy
  • Confidentiality
33
Q

IT on Internal Control

A

The following factors related to control activities may impact an auditor’s consideration of the effect of IT on internal control.

a. Information processing. Two areas in which control activities can be affected by computer processing are authorization of transactions and the maintenance of adequate documents and records. Authorization procedures in many computer systems are a part of the computer program. Thus, there is increased potential for unauthorized individuals to gain access to sensitive accounting information. Concerning the maintenance of adequate documentary evidence, auditors must be aware that the traditional audit trail may not be available due to the fact that the IT system does not provide a hard copy of source documents.
b. Segregation of duties. Adequate controls must be established within the IT department to compensate for the lack of segregation of duties that would normally be available in a manual system.
c. Physical controls. In an IT department, access to assets is often possible through the computer system. As such, the need for enhanced physical controls is of great importance in an IT environment. It is also important to have adequate backup for computer files, as their destruction or damage could result in significant problems for a business entity.