Information Technology Flashcards
When is an audit of IT NOT required?
Controls are redundant to another department
The system does not appear to be reliable and testing controls would not be an efficient use of time
Costs exceed benefit
When can an audit of IT be performed without directly interacting with the system?
System isn’t complex or complicated
System output is detailed
What is the role of a Database Administrator?
Maintains database
Restricts access
Responsible for IT internal control
What is the role of a Systems Analyst?
Recommends changes or upgrades
Liaison between IT and users
What is the role of the data Librarian?
Responsible for disc storage
Holds system documentation
What is the benefit of Generalized Audit Software in an audit?
Uses computer speed to quickly sort data and files, which leads to a more efficient audit
Compatible with different client IT systems
Extracts evidence from client databases
Tests data without auditor needing to spend time learning the IT system in detail
Client-tailored or commercially produced
What is a Relational Database?
Group of related spreadsheets
Retrieves information through Queries
What is a Data Definition Language?
A language that defines a database and gives information on database structure.
It maintains tables, which can be joined together.
It establishes database constraints.
What functions are performed by a Data Manipulation Language?
Maintains and queries a database
Auditor needs information, so client uses DML to get the information needed
What functions are performed by a Data Control Language?
A Data Control Language controls a database and restricts access to the database.
What are Check Digits?
A numerical character consistently added to a set of numbers.
It makes it more difficult for a fraudulent account to be set up or go undetected.
What is the purpose of a Code Review?
A Code Review tests a program’s processing logic.
Advantageous because auditor gains a greater understanding of the program.
What is the purpose of a Limit Test?
Examines data and looks for reasonableness using upper and lower limits to determine if data fits the correct range.
Did anyone score higher than 100%?
What is the Test Data Method?
Auditor processes data with client’s computer - fake transactions are used to test program control procedures.
Each control needs to only be tested once
Problem with this method - fake data could combine with real data.
How can Operating Systems Logs be utilized during an audit?
Auditor can review logs to see which applications were run and by whom.
What is the purpose of Access Security Software?
Helpful in online environments
Restricts computer access - may use encryption.
How can Library Management Software assist with an audit?
Library Management Software logs any changes to system/applications etc.
How can Embedded Audit Modules in software be utilized in an audit?
Assist with audit calculations
Enable continuous monitoring in an audit environment that is changing
Weakness: requires implementation into the system design
Example: SCARF - Collects information based on some criteria and can be analyzed at a later time (necessary because the audit environment is continually changing)
What is an Audit Hook?
An Audit Hook is an application instruction that gives auditor control over the application.
What is the purpose of Transaction Tagging?
Transaction Tagging allows logging of company transactions and activities.
How do Extended Records assist in audit trail creation?
Extended Records add audit data to financial records.
How does Real Time Processing affect an audit?
Destroys prior data when updated
aka Destructive Updating
Requires well-documented Audit Trail
What is the risk of auditing System outputs versus Application outputs?
If the auditor only audits the outputs of a computer system and doesn’t also audit the software applications, an error in the applications could be missed.
What is a Compiler?
Software that translates source program (similar to English) into a language that the computer can understand
How is Parallel Simulation utilized during an audit?
Client data is processed using Generalized Audit Software (GAS)
Sample size can be expanded without significantly increasing the audit cost
GAS output compared to client output
What does auditing internal control in a company’s IT environment accomplish?
Plan the rest of audit, shorter audit trails that may expire, less documentation
Assess the level of Control Risk - Unauthorized access to systems or data is more difficult to catch
Systems access controls add another layer to separation of duties analysis
Focus should be on the general controls, new systems development, current systems changes, and program or data access control or computer ops control changes
When would an auditor most likely assess control risk at the maximum in an electronic data processing environment?
Note: Assessed control risk at the maximum level means that there is a high risk that controls will NOT catch a misstatement. In other words, controls are bad
In this situation, control risk would be assessed at max when fixed asset transactions are few in number, but large in dollar amount
What would be a major reason for maintaining an audit trail for a computer system?
The following would be reasons for maintaining an audit trail for a computer system:
- Deterrent to fraud
- Monitoring purposes
- Query answering
What controls would an auditor most likely be concerned with in a distributed data processing system?
Note: A distributed data processing system is a decentralized system - means people can access the system from different places
In this situation, an auditor would be most concerned with access controls
What activities would an auditor initially focus on if they anticipate assessing control risk at a low level in a computerized environment?
Note: Assessed control risk at a low level means that there is a low risk that controls will NOT catch a misstatement. In other words, controls are good
In this situation, the auditor would initially focus on general control activities since these are the foundation of the company. If the general controls are bad, then all other controls are bad also
What types of client IT systems can generally be audited only by directly testing the IT programs of the systems?
(Auditing through the computer)
The following situations would require an auditor to audit through the computer:
- A system that affects a number of essential master files and produces a limited output
- A system that updates a few essential master files and produces no printed output other than final balances
- A system that performs relatively complicated processing and produces very little detailed output
What are the various types of Computerized Audit Tools (CAAT) for test of controls?
Test of controls can be divided into the following categories of technique:
- Program analysis
a. Code review
b. Comparison programs
c. Flowcharting software
d. Program tracing and mapping
e. Snapshot
- Program testing
a. Test data
b. Integrated test facility (ITF)
c. Parallel simulation
d. Controlled reprocessing
- Continuous testing
a. Embedded audit modules & audit hooks
b. Systems control audit review files (SCARF)
c. Extended records
d. Transaction tagging
- Review of operating systems and other systems
a. Job accounting data/operating systems logs
b. Library management software
c. Access control & security software
What are techniques for program analysis?
Program analysis includes:
a. Code review
b. Comparison programs
c. Flowcharting software
d. Program tracing and mapping
e. Snapshot
Techniques for program analysis allow the auditor to gain an understanding of the client’s program. Because these techniques ordinarily are relatively time-consuming and require a high level of computer expertise, they are infrequently used in financial statement audits
What is code review?
One technique of Program analysis:
a. Code review
b. Comparison programs
c. Flowcharting software
d. Program tracing and mapping
e. Snapshot
Code review is a technique that involves actual analysis of the logic of the program’s processing routines.
The primary advantage is that the auditor obtains a detailed understanding of the program
Difficulties with the approach include the fact that it is extremely time-consuming, it requires a very high level of computer expertise, and difficulties involved with making certain that the program being verified is in fact the program in use throughout the accounting period
What are comparison programs?
One technique of Program analysis:
a. Code review
b. Comparison programs
c. Flowcharting software
d. Program tracing and mapping
e. Snapshot
Comparison programs allow the auditor to compare computerized files. For example, they can be used in a program analysis to determine that the auditor has the same version of the program that the client is using
What is flowcharting software?
One technique of Program analysis:
a. Code review
b. Comparison programs
c. Flowcharting software
d. Program tracing and mapping
e. Snapshot
Flowcharting software is used to produce a flowchart of a program’s logic and may be used both in mainframe and microcomputer environments.
A difficulty involved is that the flowcharts of large programs become extremely involved
What is program tracing and mapping?
One technique of Program analysis:
a. Code review
b. Comparison programs
c. Flowcharting software
d. Program tracing and mapping
e. Snapshot
Program tracing is a technique in which each instruction executed is listed along with control information affecting that instruction
Program mapping identifies sections of code that can be “entered” and thus are executable
These techniques allow an auditor to recognize logic sequences or dormant sections of code that may be a potential source of abuse
The techniques are infrequently used because they are extremely time-consuming
What is a snapshot?
One technique of Program analysis:
a. Code review
b. Comparison programs
c. Flowcharting software
d. Program tracing and mapping
e. Snapshot
The snapshot technique in essence “takes a picture” of the status of program execution, intermediate results, or transaction data at specified processing points in the program processing
This technique helps an auditor analyze the processing logic of specific programs
What are techniques for program testing?
Program testing includes:
a. Test data
b. Integrated test facility (ITF)
c. Parallel simulation
d. Controlled reprocessing
Program testing involves the use of auditor-controlled actual or simulated data. The approach provides direct evidence about the operation of programs and programmed controls
What is test data?
One technique of Program testing:
a. Test data
b. Integrated test facility (ITF)
c. Parallel simulation
d. Controlled reprocessing
Test data is a set of dummy transactions that is developed by the auditor and processed by the client’s computer programs to determine whether the controls which the auditor intends to test (not necessarily all controls) to restrict control risk are operating effectively
Some of these dummy transactions may include errors to test effectiveness of programmed controls and to determine how transactions are handled (e.g., time tickets with invalid job numbers). When using test data, each control generally need only be tested once
Several problems include:
a. Making certain the test data is NOT included in the client’s accounting records
b. Determining that the program tested is actually used by the client to process data
c. Adequately developing test data for every possible control
d. Developing adequate data to test key controls may be extremely time-consuming
What is an integrated test facility (ITF)?
One technique of Program testing:
a. Test data
b. Integrated test facility (ITF)
c. Parallel simulation
d. Controlled reprocessing
The integrated test facility introduces dummy transactions into a system in the midst of live transactions and is usually built into the system during the original design
One way to accomplish this is to incorporate a simulated division or subsidiary into the accounting system with the sole purpose of running test data through it. The test data approach is similar and therefore its limitations are also similar, although the test approach does not run simultaneously through the live system
The running of dummy transactions in the midst of live transactions makes the task of keeping the two transaction types separate more difficult
What is parallel simulation?
One technique of Program testing:
a. Test data
b. Integrated test facility (ITF)
c. Parallel simulation
d. Controlled reprocessing
Parallel simulation processes actual client data through an auditor’s generalized audit software program and frequently, although not necessarily, the auditor’s computer. After processing the data, the auditor compares the output obtained with output obtained from the client
The method verifies processing of actual transactions (as opposed to test data and ITF that use dummy transactions) and allows the auditor to verify actual client results
This method allows an auditor to simply test portions of the system to reduce the overall time and concentrate on key controls
The limitations of this method include:
a. The time it takes to build an exact duplicate of the client’s system
b. Incompatibility between the auditor and client software
c. Tracing differences between the two sets of outputs to differences in the programs may be difficult
d. The time involved in processing large quantities of data
What is controlled reprocessing?
One technique of Program testing:
a. Test data
b. Integrated test facility (ITF)
c. Parallel simulation
d. Controlled reprocessing
Controlled reprocessing is a variation of parallel simulation, but processes actual client data through a copy of the client’s application program
As with parallel simulation, this method uses actual transactions and the auditor compares the output with output obtained from the client
Limitations of this method include:
a. Determining that the copy of the program is identical to that currently being used by the client
b. Keeping current with changes in the program
c. The time involved in reprocessing large quantities of data
What are techniques for continuous (or concurrent) testing?
Continuous testing includes:
a. Embedded audit modules & audit hooks
b. Systems control audit review files (SCARF)
c. Extended records
d. Transaction tagging
Advanced computer systems, particularly those utilizing EDI, sometimes do not retain permanent audit trails, thus requiring capture of audit data as transactions are processed
Such systems may require audit procedures that are able to identify and capture audit data as transactions occur
What are embedded audit modules?
One technique of Continuous testing:
a. Embedded audit modules & audit hooks
b. Systems control audit review files (SCARF)
c. Extended records
d. Transaction tagging
Embedded audit modules are programmed routines incorporated into an application program that are designed to perform an audit function such as a calculation, or logging activity
Because embedded audit modules require that the auditor be involved in system design of the application to be monitored, this approach is often not practical
What are audit hooks?
One technique of Continuous testing:
a. Embedded audit modules & audit hooks
b. Systems control audit review files (SCARF)
c. Extended records
d. Transaction tagging
An audit hook is an exit point in an application program that allows an auditor to subsequently add an audit module (or particular instructions) by activating the hook to transfer control to an audit module
What are Systems control audit review files (SCARF)?
One technique of Continuous testing:
a. Embedded audit modules & audit hooks
b. Systems control audit review files (SCARF)
c. Extended records
d. Transaction tagging
A SCARF is a log, usually created by an embedded audit module, used to collect information for subsequent review and analysis
The auditor determines the appropriate criteria for review and the SCARF selects that type of transaction, dollar limit, or other characteristic
What are extended records?
One technique of Continuous testing:
a. Embedded audit modules & audit hooks
b. Systems control audit review files (SCARF)
c. Extended records
d. Transaction tagging
This technique attaches additional data that would not otherwise be saved to regular historic records and thereby helps to provide a more complicated audit trail. The extended record information may subsequently be analyzed
What is transaction tagging?
One technique of Continuous testing:
a. Embedded audit modules & audit hooks
b. Systems control audit review files (SCARF)
c. Extended records
d. Transaction tagging
Tagging is a technique in which an identifier providing a transaction with a special designation is added to the transaction record. The tag is often used to allow logging of transactions or snapshot of activities
What are techniques for review of operating systems and other systems software?
Review of operating systems and other systems includes:
a. Job accounting data/operating systems logs
b. Library management software
c. Access control & security software
Systems software may perform controls for computer systems. Related audit techniques range from user-written programs to the use of purchased operating systems monitoring software
What are job accounting data/operating systems logs?
One technique of Review of operating & other systems software:
a. Job accounting data/operating systems logs
b. Library management software
c. Access control & security software
These logs, created by either the operating system itself or additional software packages that track particular functions, include reports of the resources used by the computer system
Because these logs provide a record of the activity of the computer system, the auditor may be able to use them to review the work processed, to determine whether unauthorized applications were processed, and to determine that authorized applications were processed properly
What is Library management software?
One technique of Review of operating & other systems software:
a. Job accounting data/operating systems logs
b. Library management software
c. Access control & security software
This software logs changes in programs, program modules, job control language, and other processing activities
Auditors may review these logs
What are access control and security software?
One technique of Review of operating & other systems software:
a. Job accounting data/operating systems logs
b. Library management software
c. Access control & security software
This software supplements the physical and control measures relating to the computer and is particularly helpful in online environments or in systems with data communications because of difficulties of physically securing computers
Access control and security software restricts access to computers to authorized personnel through techniques such as only allowing certain users with “read-only” access or through use of encryption
An auditor may perform tests of the effectiveness of the use of such software
When would an auditor most likely introduce test data into a computerized payroll system to test controls?
An auditor would most likely do this when they are trying to test controls related to discovery of invalid employee I.D. numbers because with test data, you are testing the controls built into the computer
Which computer-assisted auditing technique allows fictitious and real transactions to be processed together without the client operating personnel being aware of the testing process?
Integrated test facility allows the auditor to run dummy data through the client’s system with real transactions without the client knowing
In which situation would an auditor LEAST likely use computer software?
An auditor would not use computer software to assess computer control risk because a computer can do practically anything EXCEPT make human decisions.
Assessing control risk is a decision that the auditor makes, NOT the computer. Also, when doing substantive testing, you would do audit procedures that address the assertions of whatever account you’re auditing.
Now, an auditor can program a computer to do some type of calculation or algorithm to compute control risk, but the point is that the auditor has to tell or direct the computer to do this. The computer cannot just tell you whether controls are operating effectively or if an account balance is fairly stated at year-end; this all requires the decision of an auditor
What computer audit technique is used when dummy transactions are developed by the auditor and processed by the client’s computer programs, generally for a batch processing system?
Test Data computer audit technique is used
What computer audit technique may include a simulated division or subsidiary into the accounting system with the purpose of running fictitious transactions through it?
Integrated Test Facility computer audit technique is used because fictitious transactions are used
What computer audit technique uses a generalized audit software package prepared by the auditors?
Parallel simulation