IT Auditing Flashcards
List the IT duties that should be segregated (in connection with “organization and operation”).
Systems analyst
Programmer
Operator
Librarian
Security.
List some controls that can be put in place/built in hardware and systems software.
Parity check
Echo check
Diagnostic routines
Boundary protection.
List some internal control implications associated with an IT environment.
1-Segregation of duties may be undermined (a disadvantage)
2-Audit trail may be lacking (a disadvantage)
3-Computer processing is uniform (an advantage).
List the general controls of IT
Overall computer environment:
- Personnel Policies (systems or authorization=development/maintenance by analysts, application programmer; operations or custody=input is data entry, output is control clerk)
- File Security (back up, lock out, read only)
- Business Continuity Planning
- Computer Facilities (fire/insurance)
- Access Controls
Define “check digit.”
Numbers with no obvious meaning, applied from a formula, that make it difficult for someone to invent a fake number if they don’t know the formula.
Define “hash totals.”
An arbitrary total that has no meaningful interpretation outside the context in which it was created. It is used only to validate the integrity of the data being examined.
List the three types of control totals.
Batch totals
Hash totals
Record count.
Define “batch totals.”
The sum of a particular field in a collection of items used as a control total to ensure that all data has been entered into a system.
What is the purpose of validity checks?
To determine whether the data under review are recognized as legitimate possibilities.
Define “Integrated Test Facility (ITF).”
A dummy division and fictitious transactions are run along with client data (uses auditor and client data in the client’s computer system).
* Another use of ITF is embedded audit modules
Define “parallel simulation.”
The processing of the client’s actual data using the auditor’s software and then comparing the auditor’s output to the client’s output for agreement.
What is the purpose of test data procedures?
To process known errors to see if the client’s system catches them. The auditor only needs to include those errors that are important to the auditor (that is, the auditor need not include every possible type of error). There may be a danger of contaminating the client’s database with the test data.
Define “Distributed Systems.”
A network of remote computers connected to the main system, allowing simple processing functions to be delegated to the employees at the remote sites.
Define “Electronic Data Interchange (EDI).”
Direct computer-to-computer communication between a buyer and seller designed to achieve greater efficiency and less paperwork (a paper audit trail may not even exist).
Define “Value Added Network (VAN).”
A network maintained by an independent company that facilitates Electronic Data Interchange (EDI) transactions between the buying and selling companies.