Auditing with Technology Flashcards

1
Q

What is a primary advantage of using generalized audit software packages to audit the FS of a client that uses a computer system?

A

Auditor may access info on computer files while having a limited understanding of the client’s hardware and software features. Generalized audit software allows auditor to test client’s data, not the software or hardware.

2
Q

What can using generalized audit software lead to?

A

Can lead to increase or decrease in the use of either substantive tests of transactions or analytical procedures. It will not necessarily reduce the level of tests of controls.

3
Q

When should a test of controls be omitted?

A

If controls appear adequate, the auditor tests them UNLESS 1 - the costs of testing are expected to exceed the savings in substantive tests or 2 - the controls are redundant to other internal control activities (ex: if the controls duplicate operative controls existing elsewhere in the system).

4
Q

What does the test data approach do?

A

It uses a set of dummy transactions developed by the auditor and processed by the client’s computer programs to determine whether the controls which the auditor intends to test to restrict control risk are operating effectively. It tests the procedures contained within the program, NOT the accuracy of input or validity of output (parallel simulation method).

5
Q

What is parallel simulation?

A

It allows the auditor to process all client transactions. The electronic nature and speed of computers allow auditors to greatly expand the population at little cost. It tests validity of output more directly.

6
Q

What is the best approach to extracting evidence in electronic form?

A

Use generalized audit software to extract evidence from client databases. This is an effective approach for interfacing with and extracting.

7
Q

What is code review?

A

Involves actual analysis of the logic of a computer program’s processing routines. The primary advantage is that the auditor obtains a detailed understanding of the program.

8
Q

What is comparison review?

A

A code comparison program is used to compare source and/or object codes of a controlled copy of a program currently being used to process data.

9
Q

What are extended records?

A

Attaches additional audit data which would not otherwise be saved to regular historic records and thereby helps to provide a more complete audit trail.
A technique for continuous or concurrent testing.

10
Q

What is test data?

A

It is a set of dummy transactions developed by the auditor and processed by the client’s computer programs to determine whether the controls which the auditor intends to test to restrict control risk are operating effectively using the test data technique.

11
Q

What is a check digit?

A

A check digit, while normally placed at the end of an account number, may be placed consistently in any position in the account when adequate computer programming exists (math calc of the check digit can be performed regardless of placement).

12
Q

What is the purpose of a generalized computer audit package?

A

Can be used for audits of clients that use different computer equipment and file formats. They are a very generalized input output program. They are used to assist the auditor in related tests of controls, but cannot be used as a substitute for the testing.

13
Q

Auditing by testing input and output of a computer system instead of the program will…

A

not detect program errors which do not show up in the output sampled. Portions of the program may contain errors which are not reflected in the output. Ex: if a loop in a program is not used in any app, it is not tested and any errors in the loop cannot be detected.

14
Q

What is a benefit of IT used for internal control?

A

Enhanced timeliness of info
Not benefits - potential loss of data, recording of unauthorized transactions, processing of unusual or nonrecurring transactions.

15
Q

What does a join command do?

A

Combines various tables or parts of tables

16
Q

In what order are controls usually tested?

A

Begin by considering general control procedures. Since the effectiveness of specific app controls is often dependent on the existence of effective general controls over all computer activities, this is an efficient approach.
Next auditor would look at programmed, application, or output controls.

17
Q

What are embedded audit modules?

A

They are programmed routines incorporated directly into an application program that will help auditors perform audit functions such as calculations and to allow continuous monitoring.
Parallel simulation and controlled reprocessing are more effective in an environment that does not involve continuous auditing.

18
Q

What are problems with the use of test data for computer audit purposes?

A

Test data approach - difficult to design test data that incorporates all potential variations in transactions
Test data may be commingled with live data causing operating problems for client
Test data approach - program used to process test data may differ from the one used in actual operations.

19
Q

What procedures can and cannot be performed using a generalized audit software package?

A

Can - selecting sample items of inventory, analyzing data from inventory, and recalculating balances in inventory reports
Software cannot observe the inventory.

20
Q

When would an auditor expect to find an entity that has implemented automated controls to reduce risks of misstatement?

A

When transactions are high volume and recurring due to nature and volume.
While automated controls can be developed in all cases, it is not as easy to develop if misstatements/errors are difficult to predict or define or when transactions are large, unusual or nonrecurring requiring judgment.

21
Q

What is destructive updating and what is necessary?

A

In an online computer system, this is destructive of transaction files. Auditing of the balances in accounts where transactions are periodically destroyed requires a well documented audit trail for the auditor.

22
Q

What are audit hooks?

A

Describes a method of retaining selected or all transaction files for the auditor. Audit hooks have to be used during the year (prior to the destruction of transaction files to be feasible).

23
Q

Detection risk vs inherent risk

A

Inherent risk - can be indicated by environment, the level assessed need not be difficult to determine
Detection - auditors accept a certain level, its level should not be difficult to determine because of irretrievable audit evidence

24
Q

What is data manipulation language?

A

Composed of commands used to maintain and query a database, including updating, inserting in, modifying and querying (asking for data).

25
Q

What is data control language?

A

Composed of commands used to control a db, including controlling which users have various privileges (read or write ability to various portions of db).

26
Q

What is data definition language?

A

Used to define a db, including creating, altering, and deleting tables and establishing various constraints.

27
Q

What are examples of tests of controls?

A

They are designed to determine if the purported controls are in effect. An examination of the machine room log book to verify that control info is properly recorded is a test of controls. Not a test of controls - examining org charts, systems manuals, flowcharts - these only provide understanding, not tests of controls.

28
Q

What language does a generalized audit package input/output?

A

It converts machine readable data into auditor readable form rather than gather and store data in machine readable form.

29
Q

What is the run manual?

A

Consists of program documentation including problem statement, system flow chart, operating instructions, record layouts, program flow charts, program listing, test data, and an approval and change sheet.
Reviewing the run manual would be part of the review of the system’s controls and not a test of performance.

30
Q

What is an advantage of using a value added network for EDI transactions?

A

Computer control procedures leave no visible evidence indicating the procedures have been performed, thus the auditor should test these controls by reviewing transactions submitted for processing and comparing them with related output.
The objective is to determine that no transactions tested with unacceptable conditions went unreported and without appropriate resolution. This procedure can use actual client data or dummy data.

31
Q

What are system control audit review files?

A

SCARF is a log, usually created by an embedded audit module, used to collect info for subsequent review and analysis. A technique for continuous or concurrent testing.

32
Q

What is transaction tagging?

A

Transaction tagging is a technique in which an identifier providing a transaction with a special designation is added to the transaction record. A technique for continuous or concurrent testing.

33
Q

What are major reasons for maintaining an audit trail for a computer system?

A
  • deter irregularities since perp may realize his act may be detected
  • monitoring by mgmt
  • easier to answer queries
    Note that analytical procedures use the output, so audit trail is not important to it
34
Q

If control risk is LOW, then would they test controls?

A

YES - start with general controls then application controls, output, programmed