IT (Computer) Auditing

Question 1

List some controls that can be put in place/built in hardware and systems software.

Answer 1

1. Parity check. 2. Echo check. 3. Diagnostic routines. 4. Boundary protection.

Question 2

List the IT duties that should be segregated (in connection with “organization and operation”).

Answer 2

1. Systems analyst 2. Programmer 3. Operator 4. Librarian 5. Security.

Question 3

List the types of physical safeguards used to protect the data files.

Answer 3

1. File labels 2. File protection rings 3. File protection plans.

Question 4

List some internal control implications associated with an IT environment.

Answer 4

1. Segregation of duties may be undermined (a disadvantage) 2. Audit trail may be lacking (a disadvantage) 3. Computer processing is uniform (an advantage).

Question 5

Define “general controls.”

Answer 5

Controls that have pervasive effects on all the specific computer processing applications.

Question 6

List the five categories of general controls.

Answer 6

1. Organization and operation 2. Systems development and documentation 3. Hardware and systems software 4. Access 5. Data and procedures.

Question 7

What is the purpose of missing data checks?

Answer 7

To determine whether there are any omissions from fields in which data should have been present.

Question 8

Define “record count.”

Answer 8

A counting mechanism in an IT system that keeps track of the number of records processed to determine that the appropriate number was accounted for.

Question 9

What is the purpose of validity checks?

Answer 9

To determine whether the data under review are recognized as legitimate possibilities.

Question 10

Define “check digit.”

Answer 10

An arithmetic manipulation of a numeric field that captures the information content of that field and then gets “tacked” onto the end of that numeric field.

Question 11

What is the purpose of limit tests?

Answer 11

To determine whether the data under review are all within some predetermined range.

Question 12

What is the objective of input application controls?

Answer 12

To ensure that the input of data is accurate and as authorized.

Question 13

List the three types of control totals.

Answer 13

1. Batch totals 2. Hash totals 3. Record count.

Question 14

Define “hash totals.”

Answer 14

An arbitrary total that has no meaningful interpretation outside the context in which it was created. It is used only to validate the integrity of that data that is being examined.

Question 15

List some examples of logic checks.

Answer 15

1. Limit tests 2. Validity checks 3. Missing data checks 4. Check digits.

Question 16

What is the purpose of output application controls?

Answer 16

To ensure the output data (and the distribution of any related reports) is accurate and as authorized.

Question 17

Define “application controls.”

Answer 17

Information processing controls that apply to the processing of specific computer applications (controls around input, processing, and output).

Question 18

What is the purpose of processing application controls?

Answer 18

To ensure the processing of data is accurate and as authorized.

Question 19

Define “batch totals.”

Answer 19

The sum of a particular field in a collection of items used as a control total to ensure that all data has been entered into a system.

Question 20

What is Data Mining Software?

Answer 20

Commercially available software (such as ACL or Idea) used to access a client’s electronic data and perform a broad range of audit tasks (such as performing analytical procedures and sampling for confirmation work, etc.).

Question 21

What is the purpose of test data procedures?

Answer 21

To process known errors to see if the client’s system catches them. The auditor only needs to include those errors that are important to the auditor (that is, the auditor need not include every possible type of error). There may be a danger of contaminating the client’s database with the test data.

Question 22

Define “generalized audit software.”

Answer 22

Audit software designed to access and test data files of many audit clients. Such audit software is not unique to a specific audit client.The cost is usually expensive to develop, but that cost can be spread over many audit clients. The cost per client may justify that large initial cost of development.

Question 23

Define “tagging transactions.”

Answer 23

The process of adding an electronic tagging to specific client transactions and tracing them through the client’s system.

Question 24

Define “Integrated Test Facility (ITF).”

Answer 24

A fictitious division or department within the client created for the purpose of processing the “dummy” (test) data along with the client’s “live” data.

Question 25

Define “parallel simulation.”

Answer 25

The processing of the client’s actual data using the auditor’s software and then comparing the auditor’s output to the client’s output for agreement.

Question 26

Define “customized audit software.”

Answer 26

Programs specifically written to access the files of a particular client. The cost might be modest, but the benefits are limited to the specific client for whom the software was written.

Question 27

Define “database system.”

Answer 27

A set of interconnected files that eliminates the redundancy associated with maintaining separate files for different subsets of the organization.

Question 28

Define “On-line Processing.”

Answer 28

The processing of data whereby the user is in direct communication with the computer’s central processing unit.

Question 29

Define “Real Time Processing.”

Answer 29

The processing of data whereby the data files are immediately updated.

Question 30

Define “Value Added Network (VAN).”

Answer 30

A network maintained by an independent company that facilitates Electronic Data Interchange (EDI) transactions between the buying and selling companies.

Question 31

Define “local area network (LAN).”

Answer 31

A network of hardware and software interconnected throughout a building or campus.

Question 32

Define “Electronic Data Interchange (EDI).”

Answer 32

Direct computer-to-computer communication between a buyer and seller designed to achieve greater efficiency and less paperwork (a paper audit trail may not even exist).

Question 33

Define “Distributed Systems.”

Answer 33

A network of remote computers connected to the main system, allowing simple processing functions to be delegated to the employees at the remote sites.

Question 34

Define “Service Organization.”

Answer 34

Independent organizations to whom an entity may outsource the processing of its transactional data.