Information Technology

Question 1

When is an audit of IT NOT required?

Answer 1

Controls are redundant to another department

The system does not appear to be reliable and testing controls would not be an efficient use of time

Costs exceed benefit

Question 2

When can an audit of IT be performed without directly interacting with the system?

Answer 2

System isn’t complex or complicated

System output is detailed

Question 3

What is the role of a Database Administrator?

Answer 3

Maintains database

Restricts access

Responsible for IT internal control

Question 4

What is the role of a Systems Analyst?

Answer 4

Recommends changes or upgrades

Liaison between IT and users

Question 5

What is the role of the data Librarian?

Answer 5

Responsible for disc storage

Holds system documentation

Question 6

What is the benefit of Generalized Audit Software in an audit?

Answer 6

• Uses computer speed to quickly sort data and files- which leads to a more efficient audit
• Compatible with different client IT systems
• Extracts evidence from client databases
• Tests data without auditor needing to spend time learning the IT system in detail
• Client-tailored or commercially produced

Question 7

What is a Relational Database?

Answer 7

Group of related spreadsheets

Retrieves information through Queries

Question 8

What is a Data Definition Language?

Answer 8

A language that defines a database and gives information on database structure.

It maintains tables- which can be joined together.

It establishes database constraints.

Question 9

What functions are performed by a Data Manipulation Language?

Answer 9

Maintains and queries a database

Auditor needs information- so client uses DML to get the information needed

Question 10

What functions are performed by a Data Control Language?

Answer 10

A Data Control Language controls a database and restricts access to the database.

Question 11

What are Check Digits?

Answer 11

A numerical character consistently added to a set of numbers.

It makes it more difficult for a fraudulent account to be set up or go undetected.

Question 12

What is the purpose of a Code Review?

Answer 12

A Code Review tests a program’s processing logic.

Advantageous because auditor gains a greater understanding of the program.

Question 13

What is the purpose of a Limit Test?

Answer 13

Examines data and looks for reasonableness using upper and lower limits to determine if data fits the correct range.

Did anyone score higher than 100%?

Question 14

What is the Test Data (Test Deck) Method?

Answer 14

• Auditor processes their input data OFFLINE with client’s computer - fake transactions are used to test program control procedures - while still in auditor’s control
• Only transactions that interest the auditor are tested
• Each control needs to only be tested once
• Consist of only those valid and invalid conditions that interest the auditor
• Processed with the client’s computer and results are compared with the auditor’s predetermined results
• Advantage: live computer files are not affected

Question 15

How can Operating Systems Logs be utilized during an audit?

Answer 15

Auditor can review logs to see which applications were run and by whom.

Question 16

What is the purpose of Access Security Software?

Answer 16

Helpful in online environments

Restricts computer access - may use encryption.

Question 17

How can Library Management Software assist with an audit?

Answer 17

Library Management Software logs any changes to system/applications etc.

Question 18

How can Embedded Audit Modules in software be utilized in an audit?

Answer 18

• Assist with audit calculations
• Enable continuous monitoring in an audit environment that is changing
• Weakness: requires implementation into the system design

Question 19

What is an Audit Hook?

Answer 19

An Audit Hook is an application instruction that gives auditor control over the application.

Question 20

What is the purpose of Transaction Tagging?

Answer 20

Transaction Tagging allows logging of company transactions and activities.

Question 21

How do Extended Records assist in audit trail creation?

Answer 21

Extended Records add audit data to financial records.

Question 22

How does Real Time Processing affect an audit?

Answer 22

Destroys prior data when updated

aka Destructive Updating

Requires well-documented Audit Trail

Question 23

What is the risk of auditing System outputs versus Application outputs?

Answer 23

If the auditor only audits the outputs of a computer system and doesn’t also audit the software applications- an error in the applications could be missed.

Question 24

What is a Compiler?

Answer 24

Software that translates source program (similar to English) into a language that the computer can understand

Question 25

How is Parallel Simulation utilized during an audit?

Answer 25

• Client live data is re-processed using Generalized Audit Software (GAS) and them compared to client output
• Sample size can be expanded without significantly increasing the audit cost
• Controlled processing: auditor observes an actual processing run and compares the actual results to expected results based on AUDITOR’s program
• Controlled re-processing: auditor uses an archived copy of the program to re-process transactions (Client’s program reprocessed on auditors).

Question 26

What does auditing internal control in a company’s IT environment accomplish?

Answer 26

Plan the rest of audit- Shorter audit trails that may expire- Less documentation

Assess the level of Control Risk - Unauthorized access to systems or data is more difficult to catch

Systems access controls adds another layer to separation of duties analysis

Focus should be on the general controls- new systems development- current systems changes- and program or data access control or computer ops control changes

Question 27

What are manual controls?

Answer 27

• Internal controls performed by people
• Suitable when judgment & discretion are required (large, nonrecurring, and unusual transactions)
• Monitor automated controls
• Can be easily ignored, overridden, subject to human control, and less consistent than automated controls

Question 28

What are automated controls?

Answer 28

• Performed using IT
• For high volume/recurring transactions
• Not subject to same level of authorization as manual controls and may not be well-documented

Question 29

What are some IT benefits?

Answer 29

• Ability to process large volumes of transactions
• Timeliness/availability
• Data analysis
• Reduction of risk that controls will be circumvented
• Segregation of duties
• Monitoring of entity’s policies, procedures, performance
• Processing consistency improved
• Integration of audit procedures in programs

Question 30

What are some IT risks?

Answer 30

• Potential reliance on inaccurate systems (systematic errors)
• Unauthorized access to data (remote access)
• Unauthorized changes to data, systems or programs
• Failure to make changes/updates
• Inappropriate manual intervention
• Potential loss of data

Question 31

How are duties segregated in an IT environment?

Answer 31

Control team
Operator
Programmer
Analyst (system)
Librarian

Question 32

How does a computerized environment affect the audit trail?

Answer 32

• Paper audit trails are reduced
• Tests should be performed continually
• Electronic audit trails should be present, which are just as effective as paper trails

Question 33

What are manual audit procedures?

Answer 33

“Auditing around the computer”

• Auditor does not test program, but rather, tests data and process it independently and then compares the results to the program results
• Good for batch systems
• Risks: insufficient, paper based evidence and insufficient audit procedures

Question 34

What are computer assisted audit techniques procedures (CAAT) ?

Answer 34

“Auditing through the computer”

• Emphasis on input/processing stages of transaction processing
• Transaction Tagging
• Embedded Audit Modules
• Test Data
• Integrated Test Facility
• Parallel Simulation

Question 35

What is Transaction Tagging?

Answer 35

Electronically tagging transactions and following them in client’s system

Question 36

What is an Integrated Test Facility?

Answer 36

• Test data is co-mingled with live data (simulated files)
• Test data processed to dummy accounts for separation
• Client personnel are not informed of tests
• Data is processed through simulated files and provide the auditor with information about the operating effectiveness of controls
• Auditor’s input data processed ONLINE