Chapter 13

Question 1

Define Preventive Controls.

Answer 1

These are designed to stop and prevent errors or irregularities from occurring. e.g;

1. Authorization of Transactions.
2. Physical and logical access controls to restrict unauthorized access.
3. Segregation of duties.

Question 2

Define Detective Controls.

Answer 2

These are designed to identify errors or irregularities that may have occurred. 
Example:
1. Exception report.
2. Reconcilitaitons.
3. Review of system logs.

Question 3

Define Exception Report.

Answer 3

These are computerized reports to identify unexpected results or unusual conditions that require follow up.

Question 4

Define Corrective Controls

Answer 4

These are designed to correct errors or irregularities that may have detected.
Example:
1. Disciplinary mechanism.
2. Controls to ensure continuity of operations.

Question 5

Differentiate b/w IT General Controls and IT Application Controls.

Answer 5

IT General Control:
IT General Controls are policies and procedures that relate to many or all applications. They support effective functioning of application controls by ensuring continued proper operations of IT system.

Importance of IT General Controls:
Auditor first test IT general controls to assess control risk of IT system as a whole. If control is assessed as low, only then he will test application controls to decide if he can rely on specific system and reduce substantive testing.

Application Controls:
Application controls apply to processing of individual applications (sales application or payroll application). These controls ensure that input transactions are authorized, transactions are accurately processed, and output is timely and confidentially distributed.
Application controls could be either manual (Authorization) or computerized (Input validation check).

Question 6

Define Audit Trail and its types.

Answer 6

Audit trail is the ability of users to trace a transaction through all of its processing stages. Its types are as follows:

1. Paper audit trail means tracing a transaction through all of its processing stages by going from one paper document to another paper document is process.
2. Electronic audit trail means tracing a transaction through all of its processing stages by using computer programs. A log (record of events and transactions) provide audit trail.

Question 7

Define System Log.

Answer 7

A system log is a record of transactions and events that take place in performance of a system. System log provide audit trail that can be used to understand the activities of system and to diagnose problems. System logs are also used in analyzing and improving system performance.
Examples:
1. Failed log-in attempts.
2. Which user logged-in, when and from where.
3. Who accessed and amended file.
4. Which web page a user accessed.
5. Attempted cyber intrusions.
6. CPU speed & Broadband Speed.
7. Changes made to a program, what when and by whom.

Question 8

Explain the categorization of IT Application Controls.

Answer 8

1. Input Controls:
   Objective is to ensure that input data is authorized and valid.
2. Controls over processing:
   Objective is to ensure that correct number of transactions has been processed and that they have been fully processed and recorded.
3. Controls over Output:
   Objective is to ensure that output reports are distributed to authorized personnel, output is not lost and privacy is not voilated.
4. Controls over master file and standing data:
   Objective is to ensure that data held on master file and standing file is accurate and complete. e.g: In sales application, price list for products is up-to-date.

Question 9

Provide the examples of some Input Controls:

Answer 9

1. Limit check / test
2. Range test / Reasonableness test
3. Sequence check
4. Existance Test.
5. Batch total.
   6 completeness check.
6. Duplicate check.
7. Check digit.

Question 10

Differentiate b/w Auditing around computers and Auditing through computers.

Answer 10

Auditing around computers:
Auditing around computers means that client’s internal software is not audited. Auditor agrees input of the system with output and compares actual output with expected output.
This method of auditing increases audit risk because:
1. Auditor has no direct evidence that programs are working correctly because actual program files of system are not tested.
2. If discrepancies are identified in Input or Output system, it may be difficult or even impossible to determine how discrepancies occurred.

Auditing through computers.
Auditing through computers means that auditor uses various techniques(CAAT) to evaluate client’s computerized information system to determine reliability of its operations.

Question 11

Define CAAT.

Answer 11

CAAT (Computer Assisted Audit Techniques) are the use of computer techniques by auditor to perform audit procedures and obtain evidence. CAATs are often used when processing is electronic and paper audit trail is not available.
There are 2 types of CAATs:
1. Test data.
2. Audit Softwares.

Question 12

Advantages and Disadvantages of CAAT.

Answer 12

Advantages:

1. Auditors are able to check the accuracy and completeness of processing of transactions in IT system.
2. Enable auditors to test large volume of data accurately.
3. Reduce efforts on routine work and gives opportunity to concentrate on judgmental areas.

Disadvantages:
CAATs can be expensive. Cost my include:
1. Cost of purchasing infrastructure.
2. Cost of purchasing or developing the programs.
3. Cost of keeping program up-to-date.
4. Cost of training audit staff to use CAATs.

Question 13

Define Test Data.

Answer 13

Test data is set of dummy transactions developed by auditor and processed by client’s IT system. After processing, auditor compares actual results with expected results to determine whether controls are operating effectively. Their principal objective it testing of controls.

Examples of Test Data:
Test Data can be used in any area of F/S to test client’s system of internal controls.

In Sales System:

1. Credit Limit.
2. Inventory Balance.
3. Dispatch note without invoice.

In purchase System:

1. Order exceeding authority.
2. Invoice with invalid supplier code.

Question 14

Problems with Test data and who these can be reduced.

Answer 14

A problem with test data is that it provide evidence about operation of controls only at the time when test data is performed.
One way to remove this problem is use of Embedded Audit Facilities. This is auditor’s computer program that is built into client’s IT system to allow auditor to carry out test at the time transactions are processed.

Embedded Audit Facilities are suitable when:

1. Database is continually processed and updated in real time by client.
2. Paper audit trail is not available after processing of transactions.

Question 15

Define Audit Softwares and provide the examples of use.

Answer 15

Audit softwares are computer programs used by auditor to extract and interrogate financial information in client IT system for use in audit work.
Their principal objective is substantive testing.

examples of use:

1. To recalculate large populations.
2. In analytical procedures.
3. In detection of large or unusual items.
4. In stratification of population and sample selection.

Question 16

What are significant problems with use of Audit Softwares.

Answer 16

1. If it is used first time on a client, it has high set-up cost.
2. If a client changes its accounting system, audit software may not be compatible with client’s system so new audit software may be needed.
3. Checking client’s original files lively may result in increased risk of files being corrupted. If client gives a copy of files, there is a risk that copy is not genuine.

Question 17

List down categories of IT General Controls.

Answer 17

1. Development and acquisition of IT system.
2. Documentation and testing of changes made to system.
3. Prevention and Detection of Unauthorized changes to program and data file.
4. Using correct version of program and data file.
5. Access controls to prevent unauthorized access to data file.
6. Ensure continuity of operations.

Question 18

Explain Development and acquisition of IT system.

Answer 18

Objective:
To ensure computer based information system and applications are developed/acquired in consistency with entity’s objectives.
Examples of controls:
1. Use of appropriate IT Standards for design, documenting, testing, training, and approval of new computer system.
2. Segregation of duties b/w designer of controls and tester of controls.
3. Full documentation of new system.
4. All new system should be tested before implementation.
5. Training should be provided to staff before live operation of new system.
6. New system should be formally approved by system-user.

Question 19

Explain documentation and testing of changes to program.

Answer 19

Objective:
To ensure that proper development, documentation, testing, training and approval of changes.

Examples of controls:

1. Suitable general controls over updation and amendments of program.
2. All program changes should be fully documented.
3. Changes in program should be tested before implementation.
4. Staff should be given training before live operation of changes to program.
5. Changes in program should be approved by appropriate level of MGT.

Question 20

Explain prevention and detection of unauthorized changes to program and data file.

Answer 20

Objective:
To ensure that unauthorized persons do not make changes to the program.

Examples of Controls:

1. Segregation of duties b/w task of programmer and operator.
2. Physical and Logical access controls to restrict unauthorized access.
3. Programs log should be maintained and periodically reviewed.
4. There should be virus-protection and back-up copy of all programs.

Question 21

Explain Using correct version of program.

Answer 21

Objective:
To ensure that correct version of program is used as required by circumstances.

Examples of Controls:

1. Operating staff should be properly trained and should follow standard procedures for checking the version of program they are using.
2. There should be job scheduling of individuals in large organizations and a job schedule should specify which version of program to sue.
3. Supervisor should monitor activities of operating staff.
4. MGT should conduct review to ensure that correct version of program is used.

Question 22

Explain access controls to prevent unauthorized access to data files.

Answer 22

Objective:
To prevent unauthorized access to resources.

Physical access controls and its examples:
Physical access controls are used to prevent or detect unauthorized access to hardware.
1. Fences and door-locks.
2. Finger-print readers to enter a secured area.
3. Identification badges.
4. Lockable briefcases.
5. Cables to lock a laptop to a desk.
6. Alarm.

Logical Access Controls:
Physical access controls are used to prevent or detect unauthorized access to software and data file.
1. Each user has a username and password to access the system.
2. Promptly removing account when employee leaves.
3. Access rights.
4. Use of antivirus and firewalls to prevent unauthorized access via internet.
5. System logs are available for all important activities.

Question 23

Explain Ensure Continuity of operations.

Answer 23

Objective:
To ensure continuity of operations in event of disaster.

Examples of Controls:
1. Appropriate measures should be taken for protection of hardware from fire, flood, theft or other disasters.
2. Company should have a disaster recovery plan /contingency plan.
_ Insurance coverage of IT infrastructure.
_ Backup copies of all programs and data files should be maintained.
_ Maintenance and service agreement should be made with software companies, to provide technical support in event of difficulty.
_ Make agreement with other entities to use their infrastructure and equipment in case of disaster.