IT Auditing Flashcards
What are the increased risks involving information technology?
- No automatic judgment or discretion
- No physical trace or “natural” audit trail for online transactions
- High concentration of duties leads to a poor separation of duties
Control activities to look for when auditing IT:
General Controls
Application Controls
Refer to the system that is built around IT.
General Controls
Any weakness in general controls will have a _______ effect on the entire system.
Pervasive
When auditing IT, which duties should be separate for general controls?
- Separate IT from users of output
- IT Department should never authorize or initiate transactions
- IT Department only processes transactions
There must be procedures to review, test, approve, and document…
- Systems & changes to systems
- Programs & changes to programs
Hardware/Software controls such as firewalls, virus protections, and anti-hacking software are all part of…
General Controls
Types of General Controls
- Hardware/Software Controls
- Access Controls
- IT Department's Separation of Duties
- Changes made to systems & programs
- Physical Safeguards
Proper Separation of Duties within IT consists of…
- C - Control Group
- O - Operations
- P - Programmers
- A - Analysts
- L - Librarians
Group of employees that are responsible for I/C within IT
Control Group
Employee that keeps the master files, the programs, & the documentation
Librarian
Application Controls consist of what types of controls?
- Input
- Processing
- Output
Ensures all transactions are properly initiated, authorized, and approved. Includes things such as control totals, record counts, & hash totals.
Input Controls
are an input control. They are a nonsense total; for example, the sum of the digits of an invoice number. A hash total is similar to a control total and is used to verify processing (or output) compared to input.
Hash Totals
a specific type of input control, consisting of a single digit at the end of an identification code that is computed from the other digits in a field. If the identification code is mis-keyed, a formula or algorithm will reveal that the check digit is not correct, and the field will not accept the entry.
Check Digit
controls that apply to all systems components, processes, and data for an organization or IT environment. The objectives are to ensure the proper development and implementation of applications, as well as integrity of programs, data files, and computer operations.
General IT Controls
refers to the transactions and data relating to each computer-based application system and are, therefore, specific to each such application.
Application Controls
What are the objectives of Application Controls?
The objectives of application controls, which may be manual or programmed, are to ensure the completeness and accuracy of the records and the validity of the entries made therein.
Application controls consist of…
input controls, processing controls, and output controls.
an edit check of logical correctness of the relationships among the values in an input data set, or the value of an input item with the values of a related data item in a master file.
Reasonableness Check
used to edit data during input or processing to validate data. The data is above an amount, below an amount, or between two amounts.
A limit test or limit check
an organization or segment of an organization that provides services to user entities that are relevant to those user entities’ internal control over financial reporting.
Service Organization
Report on management’s description of a service organization’s internal control system and the suitability of DESIGN of controls.
Service Organization: Type 1 Report
As an auditor, you cannot use a Type 1 report as…
a basis for reducing your assessed level of control risk
Report on management’s description of a service organization’s internal control system and the suitability of DESIGN & OPERATING EFFECTIVENESS of controls.
Service Organization: Type 2 Report
Which type of report would be suitable for an auditor to lower the assessed level of control risk?
Type 2 Report