Auditing IT Systems

Question 1

What is EDP?

Answer 1

Electronic data processing

Question 2

What are the six elements of an EDP-based system?

Answer 2

(1) hardware
(2) software
(3) documentation
(4) personnel
(5) data
(6) controls

Question 3

What is important to know about documentation for IT systems?

Answer 3

Control procedures for IT systems often do not leave documentary evidence behind

Question 4

What is important to know regarding a change in IT system?

Answer 4

IT systems are more difficult to change than manual systems

Question 5

What are two different transaction processing models?

Answer 5

Batch processing and online processing

Question 6

What is batch processing?

Answer 6

Accumulating transactions into groups that can then be processed all at once, as one batch, rather than each being processed individually as they arose

Question 7

What is a disadvantage of batch processing?

Answer 7

Since transactions are not processed immediately, errors will not be detected as quickly

Question 8

What is online processing?

Answer 8

Immediately processing transactions online as they occur

Question 9

What is an OLRT system?

Answer 9

An online, real-time system – it processes data quickly enough to interact with and receive responses for other data

E.g. for airline reservations, a customer’s data can be inputted, and then the available flights are returned, and then the customer can select the flight

Question 10

What is an integrated system?

Answer 10

A system where a transaction affects all the relevant files at once, rather than needing separate actions

E.g. a sale can update revenues, accounts receivable, and inventory at once

Question 11

What are different ways to do external information processing?

Answer 11

(1) Block time = renting the use of another entity’s computer
(2) Time-sharing = having equal access with other users to one system
(3) Service bureau = an outside entity which provides data service at a cost

Question 12

What is parallel processing?

Answer 12

Running a new system-to-be-implemented at the same as the old system, comparing their results

This makes the conversion smoother (providing a stepping stone) and can avoid disaster if the new system crashes

Also called parallel operating

Question 13

What is volume testing?

Answer 13

Testing the ability of a new system to handle various volumes of data

Question 14

What is important about IT documentation?

Answer 14

It provides all sorts of info concerning the system’s purpose, input and output, users, controls, etc., which can be very useful to the auditor

Question 15

What are the different kinds of IT documentation?

Answer 15

(1) Problem definition
(2) Systems
(3) Program
(4) Operations
(5) User
(6) Operator

Question 16

What is CAAT?

Answer 16

Computer-assisted audit techniques

Question 17

What is important to auditors concerning transaction trails?

Answer 17

IT systems might leave complete records of transactions only for a short time or only in computer-readable form

Question 18

What is important to auditors concerning the uniformity of transaction processing?

Answer 18

Since computers process things uniformly, they will either avoid error uniformly or commit error uniformly

Question 19

What is important to auditors concerning the segregation of duties?

Answer 19

Since computers naturally perform many tasks at once, someone with access to the computer can have too much authority to do separate functions

Question 20

What is important to auditors concerning the chance of fraud?

Answer 20

Insofar as computers process transactions without human involvement, the chance of detecting fraud is reduced

Question 21

What is important to auditors concerning management supervision?

Answer 21

Computers provide the tools to increase the ways in which management can supervise various activities

Question 22

What is important to auditors concerning transaction authorization?

Answer 22

Routine transactions that would have had periodic authorization in a manual system might not have any documentation for authorization in a computer system

Question 23

What are two different kinds of internal accounting control procedures?

Answer 23

(1) General – overall controls for data and for program changes and maintenance
(2) Application – controls for specific applications (e.g. inputs and outputs for accounts payable)

Question 24

What is important for an auditor to remember when reviewing internal control?

Answer 24

Since controls are very concentrated in IT systems, their interconnections play a big role.

E.g. application controls’ reliability usually depends on general controls’ reliability.

Question 25

What is EDI?

Answer 25

Electronic Data Interchange Business conducted electronically between customers and vendors

Question 26

What is data mining?

Answer 26

Taking large amounts of data and acquiring new info (specifically, patterns or trends) from it Good for checking for fraud, e.g. checking employee addresses to vendor addresses, vendor records with P.O. box addresses, etc.

Question 27

What is a fraud profile?

Answer 27

A set of data characteristics which would signify a higher chance of fraud, given the entity's internal controls

Question 28

What are some ways in which paper evidence is superior to electronic evidence?

Answer 28

- more difficult to alter - more credible in its source (direct mailing rather than through electronic system) - often includes approvals in the documentation - easier to use

Question 29

What are some benefits to an IT system over a traditional/manual system?

Answer 29

- can perform large and complex calculations - increases how timely, available, and accurate info is - allows further analysis - allows further monitoring - can have stricter controls

Question 30

What are some risks to an IT system?

Answer 30

- errors can be systematic - unauthorized access can give the user great power - data can be lost - programs can be neglected/not updated

Question 31

What is one way in which control automation informs an auditor's judgment about controls' effectiveness?

Answer 31

Since IT controls are more uniform and interrelated, judgments on controls' effectiveness for more general controls can bear on more specific controls E.g. if there is evidence for application controls' implementation and general controls' effectiveness, that could constitute evidence for the application controls' effectiveness

Question 32

What two segregation controls are important in small-business IT environments?

Answer 32

- between data entry and processing | - between IT and transaction authorization for users

Question 33

What might an auditor do if a company does not document changes made to an IT program?

Answer 33

Obtain the original software from the manufacturer and see what changes have been made

Question 34

What are distributed systems?

Answer 34

Systems with a main/central computer system and several remote computer sites

Question 35

What are important factors to remember if a client utilizes an IT service center?

Answer 35

(1) Transmission (2) Error correction (3) Audit trail (4) Master file changes (5) Output (6) Security

Question 36

What are some general controls restricting IT department activity?

Answer 36

(1) Segregating functions of users and the IT department (2) Barring IT people from making or authorizing transactions (3) Segregating duties within the IT department

Question 37

What are different IT functions that ought to be segregated?

Answer 37

(1) Control group (2) Operators (3) Programmers (4) Analysts (5) Librarians

Question 38

What is the role of a control group in the IT department?

Answer 38

It oversees internal control

Question 39

What is the role of operators in the IT department?

Answer 39

They convert data into a machine-readable form

Question 40

What is the role of programmers in the IT department?

Answer 40

They write and debug programs - Applications programmers = deal with application programs - Systems programmers = deal with software that runs the hardware

Question 41

What is the role of analysts in the IT department?

Answer 41

They design the overall system, mapping it out with a flowchart

Question 42

What is the role of librarians in the IT department?

Answer 42

They track the access, use, and storage of programs or other files, including backups

Question 43

What are some general controls related to systems development?

Answer 43

- users should be involved in the procedures for system design and the choice of software - systems testing should involve both users and IT people - there should be controls barring unauthorized changes - mgmt should require documentation for choices made regarding the system

Question 44

What is a parity bit?

Answer 44

A way to test hardware for malfunctions Odd parity = characters are represented by some odd number of magnetized dots Even parity = characters are represented by some even number A parity bit tests for whether a character has the wrong number (e.g. due to dust)

Question 45

What is an echo check?

Answer 45

Signal is sent to activate a device, which sends a signal back, and the computer "checks" this "echo"

Question 46

What is a hardware check?

Answer 46

The computer checks the hardware equipment

Question 47

What is boundary protection?

Answer 47

Separates files or programs when they are shared in a common place (e.g. in time-sharing)

Question 48

What are two different kinds of internal file labels?

Answer 48

(1) Header label = at beginning of file - contains name, ID #, tape reel # (2) Trailer label = at end of file - contains # of records in file, end-of-file code

Question 49

What is an external label?

Answer 49

A label that is attached to some secondary storage device rather than inside the file, readable by humans rather than machines

Question 50

What is a file protection ring?

Answer 50

A plastic ring placed around magnetic tape to avoid accidentally erasing information through physical writing or marking

Question 51

What are different file protection plans?

Answer 51

(1) Duplicate files (2) Disk reconstruction plan (3) Grandfather-father-son retention

Question 52

What is a disk reconstruction plan?

Answer 52

Periodically saves a disk file, so that the file can be reconstructed at any given point in time

Question 53

What is grandfather-father-son retention?

Answer 53

When a master file has a day's transactions processed against it, the new master file will be the father and the old one the grandfather. When the father master file has the next day's transactions processed against it, the new file will be the son. The terms "grandfather," "father," and "son" are relative, referring to how far back in the chain older files are retained. For instance, when the son master file (mentioned above) has a new day's transactions processed against it, the new master file is effectively the son, the old son file is the father, the old father is the grandfather, and the old grandfather is erased. The important point is that two older files are retained for backup purposes at any given time -- the grandfather and father are the two backups for the son.

Question 54

What are some important factors to consider concerning physical safeguards?

Answer 54

(1) Temperature, humidity, dust, and other factors are not problematic/extreme (2) The environment is prepared for physical disaster (e.g. basement flooding) (3) Other facilities are ready in case of disaster

Question 55

For backup facilities, what do the terms "cold" and "hot" mean?

Answer 55

``` Cold = facility is unprepared for resuming operations (also less expensive) Hot = facility is prepared for resuming operations ``` There can be degrees of "warmth" involved here

Question 56

What do microcomputers signify for internal controls?

Answer 56

A weakness in internal controls -- since they are usually not in isolated areas, and since they can more easily be modified (including at home)

Question 57

What are different types of inputs which should have internal controls as safeguards?

Answer 57

(1) transaction entries (2) file maintenance (3) inquiries (4) error corrections

Question 58

What are control totals?

Answer 58

A type of internal control meant to double-check data inputted into the system Can be financial totals (e.g. total $ in A/Rs), hash totals (e.g. sum of account #s), or record/document counts (# of transactions processed)

Question 59

What are edit tests?

Answer 59

Checks performed by a computer to test data being inputted

Question 60

What is a limit test?

Answer 60

An edit test to see whether a value is not greater than or lesser than certain amounts Also called a reasonableness test

Question 61

What is a character test?

Answer 61

An edit test to see whether an input has a proper size and composition (e.g. if an input ought to always have 7 numbers) Also called a valid field test

Question 62

What is a code test?

Answer 62

An edit test to ensure that a wrong number is not used (e.g. if a company has four stores, the entry should not be greater than 4) Also called a valid number test

Question 63

What is a sequence check?

Answer 63

An edit test that ensures data is inputted in the right order

Question 64

What is a missing data test?

Answer 64

An edit test to see whether all fields contain data

Question 65

What is a valid transaction test?

Answer 65

An edit test that sees whether an inputted transaction is the right kind for the file (e.g. for A/R, it might be that all inputted transactions are either debits or credits to A/R)

Question 66

What is a valid combination of fields test?

Answer 66

An edit test that sees whether certain data, when combined, is reasonable (e.g. selling a large quantity of washers and dryers to a single customer -- this might show that the wrong quantity was entered)

Question 67

What is a self-checking digit?

Answer 67

An edit test where a digit is added to some number (e.g. an order ID number) based off the number itself, and then checked for accuracy later E.g. there might be a formula to add the sum of the 2nd and 5th digits of an order ID, so an order ID of 41853 would be changed to 418534, since 1+3=4. This can help ensure that other data is inputted correctly.

Question 68

What is a valid sign test?

Answer 68

An edit test that checks whether a sign (i.e. positive or negative) is accurate for a record

Question 69

What is an error log?

Answer 69

A record of transactions that aren't processed due to some error -- exists to ensure that transactions skipped over (due to error) will later be corrected Also called an error listing

Question 70

What are some application controls related to processing?

Answer 70

(1) Reconciling control totals with inputs (2) Prevention of processing the wrong files (3) Limit tests built into programs

Question 71

What are some application controls related to output?

Answer 71

(1) Reconciling output totals with input totals (2) Comparing scanned outputs to original documents (3) Distributing outputs only to authorized users

Question 72

What does it mean to audit "around" or "without" the computer?

Answer 72

The auditor ignores the workings of the computer, focusing only on input and output without directly testing computer controls

Question 73

For what systems is auditing around the computer appropriate?

Answer 73

Systems that are (a) simple and (b) provide a good audit trail of documentation

Question 74

How does auditing around the computer generally test computer controls?

Answer 74

Through the error log -- sees what the specific errors were

Question 75

What does it mean to audit "through" or "with" the computer?

Answer 75

Auditing where the computer is directly included in performing tests of control and substantive tests, focusing more on the inputs and the processing

Question 76

What is one way to summarize the difference between auditing around the computer and auditing through the computer?

Answer 76

Around = focuses on inputs and outputs, ignoring the processing (since if inputs and outputs are good, processing probably is) Through = focuses on inputs and processing, ignoring the outputs (since if inputs and processing are good, outputs probably are)

Question 77

When is auditing through the computer necessary?

Answer 77

More complex systems do more processing only in machine-readable form, thus leaving a smaller (or no) audit trail. Thus the processing has to be analyzed.

Question 78

What are the first three different ways for auditing through the computer?

Answer 78

(1) Writing one's own program for a substantive test (2) Embedded audit modules (3) Tagging

Question 79

What are embedded audit modules?

Answer 79

These are chunks of program code included in the application program and designed to gather audit information Best to include in systems design, rather than after the system is already functioning

Question 80

What is tagging?

Answer 80

Marking transactions before they are inputted, so that extra documentation is produced with specific reference to those transactions as they are processed

Question 81

What are the second three different ways for auditing through the computer?

Answer 81

(4) Client-prepared program (5) Utility program/routine (6) Program comparison

Question 82

What is a client-prepared program?

Answer 82

Programs to collect audit evidence that are already made by the client's internal auditors These programs need to be tested by the external auditor before being used, however

Question 83

What is a utility program (or utility routine)?

Answer 83

A processing function already included in a program by the manufacturer Auditor will need to make sure these have not been altered

Question 84

What is program comparison?

Answer 84

The auditor compares his copy of the program with the program being used by the client This is usually done by surprise, so that the auditor can find any unauthorized changes in the program A problem with this is that the auditor's copy could simply be wrong, as programs can be updated frequently

Question 85

What are the final five different ways for auditing through the computer?

Answer 85

(7) Test data/deck (8) Review of program logic (9) Integrated test facility (ITF), minicompany approach (10) Parallel simulation (11) Program tracing

Question 86

What is test data (or a test deck)?

Answer 86

When the auditor prepares fake data with certain errors to see if the processes catch the errors The auditor must be careful to keep the fake data separate from real data

Question 87

What is a review of program logic?

Answer 87

The auditor simply analyzes the program itself, e.g. as a flowchart, to understand it Can take a long time

Question 88

What is the integrated test facility (ITF) minicompany approach?

Answer 88

The auditor includes some fake account or customer within the real data, unbeknownst to the client, and then does certain actions to see if the system processes it correctly E.g. for an A/R system, he could underpay it, overpay it, make no payments, etc. Similar to test data, except that it is mixed with true data and tested over a longer period

Question 89

What is parallel simulation?

Answer 89

The auditor processes the client data through his own copy of the program and compares the outputs to the data run through the client's program

Question 90

What is program tracing?

Answer 90

This is a process that prints the steps of a program which a transaction goes through

Question 91

What is GAS?

Answer 91

Generalized audit software -- programs designed to do auditing processing Also called general purpose audit software (GPAS) or general purpose computer audit software (GPCAS)

Question 92

Why is GAS frequently used?

Answer 92

(1) Can be used for a variety of machine-readable data (2) Can deal with large volumes of data (3) Removes need for other personnel (4) Can remove need for technical understanding of client IT

Question 93

What are the six main tasks accomplished by GAS?

Answer 93

(1) Testing for quality, completeness, consistency, and correctness (2) Testing calculations (3) Comparing data on separate files (4) Selecting, printing, and analyzing samples (5) Summarizing/resequencing data (6) Comparing data from other audit procedures with company records

Question 94

What is a coding sheet?

Answer 94

A sheet on which the auditor describes the GAS routines in order, including info on the client system and data files

Question 95

Should the auditor always remain in physical control of GAS?

Answer 95

Yes -- and he should be present as it is run