Chapter 13 Flashcards
Define Preventive Controls.
These are designed to stop and prevent errors or irregularities from occurring. Examples:
- Authorization of Transactions.
- Physical and logical access controls to restrict unauthorized access.
- Segregation of duties.
Define Detective Controls.
These are designed to identify errors or irregularities that may have occurred.
Examples:
1. Exception reports.
2. Reconciliations.
3. Review of system logs.
Define Exception Report.
These are computerized reports that identify unexpected results or unusual conditions that require follow-up.
Define Corrective Controls.
These are designed to correct errors or irregularities that may have been detected.
Example:
1. Disciplinary mechanism.
2. Controls to ensure continuity of operations.
Differentiate between IT General Controls and IT Application Controls.
IT General Control:
IT General Controls are policies and procedures that relate to many or all applications. They support the effective functioning of application controls by ensuring the continued proper operation of the IT system.
Importance of IT General Controls:
The auditor first tests IT general controls to assess the control risk of the IT system as a whole. Only if control risk is assessed as low will the auditor test application controls to decide whether to rely on a specific system and reduce substantive testing.
Application Controls:
Application controls apply to the processing of individual applications (e.g. a sales application or a payroll application). These controls ensure that input transactions are authorized, transactions are accurately processed, and output is distributed in a timely and confidential manner.
Application controls could be either manual (Authorization) or computerized (Input validation check).
Define Audit Trail and its types.
Audit trail is the ability of users to trace a transaction through all of its processing stages. Its types are as follows:
- Paper audit trail means tracing a transaction through all of its processing stages by going from one paper document to another paper document in the process.
- Electronic audit trail means tracing a transaction through all of its processing stages by using computer programs. A log (record of events and transactions) provides the audit trail.
Define System Log.
A system log is a record of the transactions and events that take place during the operation of a system. A system log provides an audit trail that can be used to understand the activities of the system and to diagnose problems. System logs are also used in analyzing and improving system performance.
Examples:
1. Failed log-in attempts.
2. Which user logged-in, when and from where.
3. Who accessed and amended file.
4. Which web page a user accessed.
5. Attempted cyber intrusions.
6. CPU speed & Broadband Speed.
7. Changes made to a program: what, when and by whom.
Explain the categorization of IT Application Controls.
- Input Controls:
Objective is to ensure that input data is authorized and valid.
- Controls over processing:
Objective is to ensure that the correct number of transactions has been processed and that they have been fully processed and recorded.
- Controls over Output:
Objective is to ensure that output reports are distributed to authorized personnel, output is not lost and privacy is not violated.
- Controls over master file and standing data:
Objective is to ensure that data held on the master file and standing file is accurate and complete. E.g.: in a sales application, the price list for products is up-to-date.
Provide the examples of some Input Controls:
- Limit check / test
- Range test / Reasonableness test
- Sequence check
- Existence test.
- Batch total.
- Completeness check.
- Duplicate check.
- Check digit.
Differentiate between Auditing around computers and Auditing through computers.
Auditing around computers:
Auditing around computers means that client’s internal software is not audited. Auditor agrees input of the system with output and compares actual output with expected output.
This method of auditing increases audit risk because:
1. Auditor has no direct evidence that programs are working correctly because actual program files of system are not tested.
2. If discrepancies are identified in Input or Output system, it may be difficult or even impossible to determine how discrepancies occurred.
Auditing through computers:
Auditing through computers means that the auditor uses various techniques (CAAT) to evaluate the client’s computerized information system to determine the reliability of its operations.
Define CAAT.
CAAT (Computer Assisted Audit Techniques) are the use of computer techniques by auditor to perform audit procedures and obtain evidence. CAATs are often used when processing is electronic and paper audit trail is not available.
There are 2 types of CAATs:
1. Test data.
2. Audit software.
Advantages and Disadvantages of CAAT.
Advantages:
- Auditors are able to check the accuracy and completeness of processing of transactions in IT system.
- Enable auditors to test large volumes of data accurately.
- Reduce effort on routine work and give the opportunity to concentrate on judgmental areas.
Disadvantages:
CAATs can be expensive. Costs may include:
1. Cost of purchasing infrastructure.
2. Cost of purchasing or developing the programs.
3. Cost of keeping program up-to-date.
4. Cost of training audit staff to use CAATs.
Define Test Data.
Test data is a set of dummy transactions developed by the auditor and processed by the client’s IT system. After processing, the auditor compares actual results with expected results to determine whether controls are operating effectively. Its principal objective is testing of controls.
Examples of Test Data:
Test data can be used in any area of the financial statements to test the client’s system of internal controls.
In Sales System:
- Credit Limit.
- Inventory Balance.
- Dispatch note without invoice.
In purchase System:
- Order exceeding authority.
- Invoice with invalid supplier code.
Problems with Test data and how these can be reduced.
A problem with test data is that it provides evidence about the operation of controls only at the time when the test data is performed.
One way to remove this problem is the use of Embedded Audit Facilities. This is an auditor’s computer program that is built into the client’s IT system to allow the auditor to carry out tests at the time transactions are processed.
Embedded Audit Facilities are suitable when:
- Database is continually processed and updated in real time by client.
- Paper audit trail is not available after processing of transactions.
Define Audit Software and provide examples of its use.
Audit software consists of computer programs used by the auditor to extract and interrogate financial information in the client’s IT system for use in audit work.
Its principal objective is substantive testing.
Examples of use:
- To recalculate large populations.
- In analytical procedures.
- In detection of large or unusual items.
- In stratification of population and sample selection.