Chapter 8 Flashcards
Definition of Hardware and Software?
Hardware -
Digital computer and peripheral equipment
Software -
Various programs and routines for operating the system
Advantages and disadvantages of IT-Based Systems
- May enhance reliability of financial information
- Process transactions uniformly
- Reduce human errors
May increase certain risks
Program defects may result in all transactions being processed incorrectly
Errors/fraud may not be as easily detectable
Systems possess one or more of the following elements:
- Batch processing
- Online capabilities
- Database storage
- IT networks
- End user computing
The principal hardware component is known as the (CPU)
Central Processing Unit
- Uses a series of on and off circuits to communicate (binary language)
Application software includes programs designed to perform a specific data processing task. True or false?
True
Describe peripheral devices
Devices for inputting information (e.g., input terminals, scanners, electronic cash registers, bar code readers)
Devices for secondary storage (e.g., magnetic tape, magnetic disk, optical disk drives)
Devices for information output (e.g., display terminals, printers)
Define batch processing
Input data gathered and processed periodically in discrete groups. Often more efficient than other types of systems, but does not always provide up-to-the-minute information.
Example: Accumulate all of a day’s sales transactions and process them as a “batch” at end of day
Define IT Networks
Computers linked together through telecommunication links that enable computers to communicate information back and forth. Allows distributed data processing - resources, data, and programs shared by a large number of users based on their specifications (LAN and WAN)
Disadvantages of Database storage
Redundant information stored in several files
Increased storage costs
May cause data inconsistencies due to file discrepancies
Describe the three methods used to establish networks
Internet – exchange of information through remote locations
Intranet – internet software for use in closed networks
Extranet – intranets that include external business partners
Names of two types of Online Systems
Online transaction processing (OLTP):
- Process various types of transactions
- Individual transactions entered directly from the originators at remote locations
Online analytical processing (OLAP)
- Enables user to query a system for various analyses
Examples: Data warehouses, decision support systems, expert systems
Define End User Computing
User departments are responsible for the development and execution of certain IT applications. Involves a decentralized processing system – user department generates and uses its own information.
(non-programmers can create working applications to better integrate themselves into computing environment for problem-solving)
Define Electronic Data Interchange (EDI)
Enables a company and its customers/suppliers to exchange business data electronically over a private line of communication (more secure than the internet) – must have strong IT controls to ensure privacy (e.g., firewalls, data encryption)
More automation reduces potential for human errors and increases potential for systematic errors. True or false?
True
Is audit trail necessary in printed form?
Not often in printed form, but definitely still necessary.
Define an End-user Application
designed with end user in mind for a specific, custom purpose. NOT a personal computer.
IT Responsibilities can be broken down into (there are a ton!)
Information Systems Management
Systems Analysis
Application Programming
Database Administration
Data entry
IT Operations
Program and File Librarians
Data control
Telecommunication Specialists
Systems Programming
Define Telecommunication Specialists
Responsible for maintaining and enhancing IT networks (including monitoring for improper access)
Which IT responsibility supervises the operation of the department and reports to the vice president of finance/controller, or serves at the vice president level as CIO reporting directly to the president?
Information Systems Management
Which IT responsibility reviews and tests all input procedures, monitors processes, reviews exception reports, reprocesses exceptions, and reviews and distributes IT logs (also reviews operator intervention and library usage logs)?
Data Control
History shows the person responsible for frauds in many situations set up the system and controlled its modifications. True or False?
True, so segregation of duties.
Programming separate from controlling data entry
Computer operator from functions having custody or detailed knowledge of programs
Define IT Operations
Run and monitor central computers, maintain detailed log of all operator intervention (NOTE: vital for IT operations to be separate from programming to prevent unauthorized program changes)
Which responsibility is defined as follows: Prepare and verify input data for processing (today, typically done by user departments)
Data Entry
Which responsibility is responsible for designing the information system?
Systems Analysis
Organizational controls are NOT effective in mitigating collusion, true or false?
True
What is internal auditing in IT interested in?
evaluating the overall efficiency and effectiveness of information systems operations and related controls throughout the company
Computer operators ____ (should or should not) have access to programming.
should not
Describe Programmed Control Activities
written into programs to ensure accuracy of input and processing
Adequate security controls to safeguard hardware, files, and programs against loss, damage, and unauthorized access. True or false?
True
Examples: User ID and password controls – changed and updated for personnel changes regularly with a log of failed access attempts; Data transmission controls to prevent access/changes to transmitted network information – e.g., encryption, private network lines; Physical controls – e.g., employee badges, locks
How might one control unauthorized changes to data, introduction of unauthorized data or programs, unauthorized viewing of data, and viruses?
Firewalls, physical control over terminals, password systems, data encryption, antivirus software
If use of IT does not significantly impact the audit trail, audit ____ (through/around) the computer
around (manual testing to compare with computer output)
How might one control unauthorized access?
Physical Controls/Segregation of Duties
How might one control Destruction or infrastructure of data
Segregation of Duties/ program and user controls
How might one control Unauthorized changes?
Controls over access, segregation of duties, testing of programs, backup copies
If much of the audit trail is electronically embedded, audit ____ (through/around) the computer
Through
Define a Generalized Audit Software
programs are computer programs that can be used to test reliability of client’s programs and perform other audit procedures digitally. Pretty much automate substantive procedures
Define the “Tagging and Tracing Approach”
Auditor inserts an audit module in the client’s application system to identify specific types of transactions. Allows auditors to continuously audit transactions processed by the client, unlike the other two methods which contain irregular testing
Auditors processing their own “dummy” test data using the client’s system simultaneously. This approach is known as the
Test Data Approach -
- Test data should include all relevant conditions that the auditor wants tested.
- Application programs tested by the auditors’ test data must be the same as those the client used throughout the year.
- Test data must be eliminated from the client’s records.
Sometimes the auditor uses auditor-controlled generalized audit software to perform parallel operations to the client’s software by using the same data files. This is known as the
Parallel Simulation Approach
Once auditor has access to client records, can apply substantive procedures to them using generalized audit software to
- Examine client’s records for overall quality, completeness, and valid conditions
- Rearrange data and perform analyses
- Select audit samples
- Compare data on separate files
- Compare results of audit procedures with client’s records
The auditor’s auditing of the inputs and outputs of the system without verification of the processing of the data is which type of audit technique?
Auditing around the computer
Processing fictitious and real data separately through the entity’s IT system is which type of audit technique?
Test Data Method
Program written by the auditor to perform a specific task for a particular entity is which type of audit technique?
Custom Audit Software
How might audit software be used to observe the physical count or make appropriate test counts?
By determining which items are to be counted from the inventory files
How might audit software be used to compare the client’s physical count data to inventory records?
By comparing the quantity of each item counted to the quantity on hand in inventory file
How might audit software be used to Test the mathematical accuracy of inventory?
By multiplying the inventory quantity by the cost per unit to verify the total cost
How might audit software be used to confirm existence located in public warehouses?
By listing said items and printing their confirmations
How might audit software be used to test purchase and sales cutoff?
Extract a sample of items for which the date of the purchase is on, or immediately before, date of physical count
How might audit software be used to perform a lower-cost-or-market test by obtaining a list of current costs per item from vendors
Compare the current costs per unit to the cost per unit in the inventory file; print out extended value of item, use the lower of the two unit costs, and add extended amounts
How might one mitigate destruction of data?
Program and user controls
How might one mitigate unauthorized changes?
Controls over access and backup companies
How might one mitigate destruction of infrastructure or data?
Physical and user controls
How might one mitigate introduction of unauthorized data or programs
firewalls and password systems
How might one mitigate unauthorized access to data or programs?
physical controls over terminals and testing of user programs and applications
Can firewalls be used to mitigate the risk of viruses in electronic commerce?
Yes
Can Controls over Access be used to mitigate the risk of unauthorized changes to computer programs?
Yes
Backup copies can be used to mitigate risk of _____
destruction of data
Physical controls may be used to mitigate the risk of unauthorized access in computer operations
true
The computer operator may also be the librarian without adversely affecting control over a computer system. True or false?
False
Programs designed to perform specific data processing tasks are known as application software. True or false?
true
A weakness in internal control would exist if the data control group also operated the computer. True or False?
true
Data stored on a device with direct access must be stored sequentially. True or false?
False
Application control activities include controls over making changes to programs and systems
False. Application control activities include both programmed control activities, which are written into the computer programs, and manual follow-up activities performed on the exception reports that are generated by the system
Segregation of duties is not a feasible method to help establish control over computer systems. True or False?
False
A limit test is a program control that is used to test the reasonableness of a particular transaction. True or False?
True
Back‑up copies of files and records should be filed conveniently with the originals. True or false?
False. Should be filed at a separate location
Microcomputers are generally operated by end user personnel. True or false?
true
An echo check is an example of a control that is performed by a user. True or false?
false. Echo check is a message acknowledgment technique in which the receiving device sends a message that verifies a transmission back to the sending device.
Distributed data processing systems have data communication capabilities. True or false?
true
Internal file labels are printed labels that are placed on the inside of a tape container. True or false?
False. For magnetic tapes, internal labels that are machine-readable are used in conjunction with gummed-paper external labels to prevent operators from accidentally processing the wrong file
Advanced computer systems do not generally produce audit trails. True or False?
False, advanced computer systems actually make it easier to find audit trail
Using test data is primarily a substantive procedure approach. True or false?
false
Elimination of data redundancy is a chief advantage of a database system. True or false?
true
Substantive procedures and tests are
Tests of account balances and transactions designed to detect any material misstatements in the financial statements. The nature, timing, and extent of substantive procedures are determined by the auditors’ assessment of risks and their consideration of the client’s internal control.
The objective of the auditor’s consideration of internal control is different for a client with a computer system. True or false?
False
Distributed data processing by a client requires that an auditor use computer-assisted audit techniques. True or false?
False
Generalized computer audit software is used for both substantive procedures and tests of controls. True or false?
True
Which of the following is not a characteristic of a batch processed IT system?
Data input, followed by machine processing.
Posting of a transaction, as it occurs, to several files, without intermediate printouts.
Production of numerous printouts.
The collection of like transactions which are sorted and processed sequentially against a master file.
Posting of a transaction, as it occurs, to several files, without intermediate printouts.
The computer flags any transmission for which the control field value did not match with that of an existing file record. This is an example of a
validity test
Define an Integrated Test Facility, a process in which processing data using simulated files provides an auditor with information about the operating effectiveness of controls
An integrated test facility is a subsystem of dummy records and files built into the regular IT-based system. These dummy files permit test data to be processed simultaneously with regular (live) input without adversely affecting the live data files or output.
The program analysis technique involves examination of the details of the processing steps for tagged transactions. True or false?
false. Program analysis techniques have been developed that can generate computer-made flowcharts of other programs. A trained auditor can examine the flowcharts to test the logic of application programs and to ensure that the client’s program documentation describes the program that is actually being used.
Computer programmers have access to input data.
Is this compatible with good internal control in an information systems department?
No
Which of the following is an example of application control activities in IT systems?
Documentation procedures
hardware controls
programmed control activities
controls over access to equipment and data files
programmed control activities
Computer programmers have unsupervised access to computer terminals.
Is this compatible with good internal control in an information systems department?
No
Computer operators have detailed knowledge of computer programs.
Is this compatible with good internal control in an information systems department?
No
Computer librarians have physical control of program documentation. Is this compatible with good internal control in an information systems department?
Yes
Is this considered a test of control?
Examination of organization charts to determine whether electronic data processing department responsibilities are properly separated to afford effective control.
No
Is this considered a test of control?
Examination of the systems manuals to determine whether existing procedures are satisfactory.
No, part of obtaining understanding of computer system
Define the EXTRANET
suppliers or business partners, or customers
Considered a test of control?
Examination of the machine room log book to determine whether control activity information is properly recorded
yes
What is the IT process called when data processing is performed concurrently with a particular activity and the results are available soon enough to influence the particular course of action being taken or the decision being made?
Real-Time Processing
computers talking to computers is a part of
e-commerce
The auditors may decide not to perform tests of the controls within the computerized portion of the client’s internal control. Which of the following would not be a valid reason for choosing to omit such tests?
The controls appear adequate.
There appear to be major weaknesses in the control system that would preclude reliance on the stated procedures.
The controls duplicate operative controls existing elsewhere in the system.
The time and dollar costs of testing exceed the time and dollar savings in substantive testing if the tests show the controls operating effectively
The controls appear adequate.
Would the documentation of client’s IT-based system depend on the complexity of system?
Yes, once again they are
Narrative
Systems flowchart
Program flowchart
Internal control questionnaires
Test of control?
Examination of systems flowcharts to determine whether they reflect the current status of the system
No
When testing IT controls, always consider unauthorized access and equipment failure as high-risk areas.
True or false?
True
What are risks to Hardware and Data?
- Too much reliance on hardware and software
- Unauthorized access
- Data loss
- Systematic vs Random errors (glitches)
Is the Data administrator also responsible for integrity of the data?
Yes
CPU is key hardware component. Brain of the computer. True or false?
true
The main purpose of input validation is
to test if something was correctly input.
Auditors start with testing general controls because their effectiveness directly impacts application control effectiveness. True or false?
True
An IT specialist is more likely needed in which steps of the audit process?
Step 1 – Consider IT system in planning
Step 2 – Obtain an understanding of the client’s IT environment