IT CONTROLS Flashcards
Automated programmed controls
(Completeness)
General
Screen aids:
- Mandatory fields
- Error messages
- Terms and conditions
- field presence check
- screen formatting or dialogue
Programme checks:
- Missing data checks
- Error message
- Sequential numbering
- Link PO to forms for completion
- Matching test or sequence test and generate exception report
Report on missing numbers
Exception report, followed up and review
- Run to run totals (number of doc processed)
General (from one system to the next)
- Use of run-to-run totals, whereby the total of the invoices recorded for the day is compared to the total of the individual orders transmitted.
- Send / receipt transmission checks are performed on all messages sent by the Gift-IT system to the Brand-IT server.
- Sequence checks performed on the sales transaction numbers generated by the Gift-IT system (the system should number all sales transactions sequentially)
- Cryptographic techniques (e.g. digital signatures or keyed message authentication codes) should be used to ensure the integrity of the messages transmitted; passwords authenticate the sender but do not by themselves protect message integrity.
- The sales clerk should review and follow up on reports containing exceptions identified by the foregoing programmed controls
- Forms should be linked to PO to ensure that all information is complete.
- At the end of each day a batch report should be extracted from both Gift-IT sales and Brand-IT to confirm that all orders have been completed.
- There should be an automatic time-out facility (after a period of inactivity)
- There should be automatic disabling of the debtors account number after three unsuccessful attempts to gain access.
- Automatic calculation of the VAT to ensure that no human error occurs in the calculation
- The screen/website layout (screen formatting) should be user-friendly to facilitate the input of the order details / have screen prompts/dialogue to guide the customer through the process
- If any errors are detected by the programmed input controls, an error message should be displayed on the screen, enabling the customer to correct the mistake promptly.
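The completeness controls above (sequence check, run-to-run totals, send/receipt check, message integrity, exception report for the clerk) as one working example. This is added code, not part of the flashcards or of any Gift-IT/Brand-IT system; the transaction numbers, amounts and shared key are constructed, and an HMAC-SHA256 tag is used for the integrity check in place of a digital signature.

```python
import hashlib
import hmac

# Constructed sample data (not from the page): sales transactions generated
# on the Gift-IT side and the subset that arrived at the Brand-IT server.
SENT = [
    {"txn_no": 1001, "amount": 250.00},
    {"txn_no": 1002, "amount": 120.50},
    {"txn_no": 1003, "amount": 99.99},
    {"txn_no": 1004, "amount": 310.00},
    {"txn_no": 1005, "amount": 45.00},
]
RECEIVED = [
    {"txn_no": 1001, "amount": 250.00},
    {"txn_no": 1002, "amount": 120.50},
    {"txn_no": 1004, "amount": 310.00},
    {"txn_no": 1005, "amount": 45.00},
]
# Hypothetical shared key for the message authentication code below.
SHARED_KEY = b"constructed-demo-key-not-for-production"


def sequence_check(transactions, first_no):
    """Sequence test: report gaps and duplicates in the transaction numbers,
    assuming the system numbers every sale consecutively from first_no."""
    seen = [t["txn_no"] for t in transactions]
    expected = set(range(first_no, max(seen) + 1))
    missing = sorted(expected - set(seen))
    duplicates = sorted({n for n in seen if seen.count(n) > 1})
    return {"missing": missing, "duplicates": duplicates}


def run_to_run_totals(sent, received):
    """Run-to-run totals: compare the document count and value total of the
    sending run with those of the receiving run."""
    sent_total = round(sum(t["amount"] for t in sent), 2)
    recv_total = round(sum(t["amount"] for t in received), 2)
    return {
        "count_difference": len(sent) - len(received),
        "value_difference": round(sent_total - recv_total, 2),
        "balanced": len(sent) == len(received) and sent_total == recv_total,
    }


def tag_message(key, payload):
    """Keyed MAC over a message so the receiver can detect alteration in
    transit (HMAC-SHA256 standing in for the digital signature on the card)."""
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def verify_message(key, payload, tag):
    """Receipt check: constant-time comparison of the recomputed tag."""
    return hmac.compare_digest(tag_message(key, payload), tag)


def exception_report(sent, received, first_no):
    """Combine the programmed checks into the report the sales clerk
    reviews and follows up."""
    report = {"sequence": sequence_check(received, first_no),
              "totals": run_to_run_totals(sent, received)}
    report["exceptions"] = bool(report["sequence"]["missing"]
                                or report["sequence"]["duplicates"]
                                or not report["totals"]["balanced"])
    return report


if __name__ == "__main__":
    print(exception_report(SENT, RECEIVED, 1001))
    msg = "txn_no=1003;amount=99.99"
    tag = tag_message(SHARED_KEY, msg)
    print(verify_message(SHARED_KEY, msg, tag),
          verify_message(SHARED_KEY, "txn_no=1003;amount=9.99", tag))
```

With the constructed data, transaction 1003 never arrived: the sequence test reports it as missing and the run-to-run totals are out by one document and R99.99, so the report is flagged for follow-up. A tampered payload fails the tag check even though the shared key never travels with the message.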
(Validity) Controls
- Authorisation by senior employee
- Only restricted number of computers used for EFT
- Controls and identification data
- Multilevel passwords
- Dial-back (the system disconnects and calls the user back on a pre-registered number)
- Error messages
- Match client details to existing client data
- Access controls eg passwords etc., logout after unsuccessful attempts
- Violations automatically logged
- Followed up by management
- Least privilege basis
- Segregation of duties
- Use firewalls
- physical controls eg locks etc.
- Reconciliations performed
- Confirmation to serve as audit trail
- Range test (value in field)
- Acknowledgement of receipt
- System should automatically log all masterfile amendments onto a pre-numbered listing
- Read-only access restricted to the manager's workstation and user ID
- Encryption to ensure confidentiality of data
- Record incoming and outgoing transaction
- Automatic timeout after being inactive
- Dropdown list for contract prices
- Supporting documents should be obtained; a different salesperson/manager must agree the details captured on the system to the supporting documentation supplied by the client and authorise them (review / segregation of duties)
- An automatic timeout of the contract application after a specified period of time of being inactive.
- The system forces the user to log-out after three unsuccessful password attempts.
- Greying of fields / minimum keying of data: information such as the fridge to be manufactured should be selected from the database, and the description and cost of the fridge are then inserted automatically
- Dropdown list for standard contract prices / all fridge available to be manufactured etc., included in the masterfile.
- The system automatically blocks the generation of a contract if a valid, sequential asset number is not selected and matched to the transaction / a fridge that is already linked to a contract cannot be selected.
- Alphanumeric tests performed on the VAT, period and cost fields; the user must correct errors immediately
- The system should provide an error message when logging on, indicating that an old or incorrect version of the file/program is used for processing.
- System log must record all incoming and outgoing transactions as well as all unsuccessful log-on attempts
- Match client details to existing client data (if already a client) to assess validity thereof
(Accuracy) Controls
- Test calculations and mathematical accuracy
- Proper application and general controls to safeguard accuracy and confidentiality
- Agree amounts
- Drop down menus
- Validity testing
- Batch totals
- Formatting tests (numeric /alphanumeric)
- Screen prompts
- Existence checks
- Check digits (accuracy of codes)
- Control totals (total amount may not exceed amount in suspense account)
- Field size tests
- Reasonableness tests
- Data echo tests (description from MF as entering information)
- Sign tests (Amount paid should be positive)
- Exception reports
- Reconciliations
- Value-added network (VAN) to meet the standards of the EDI protocol
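The validity and accuracy edit checks listed above (field presence, alphanumeric format, existence check against the masterfile, sign and range/reasonableness tests, field size, check digit, date format, data echo) as one input-validation routine. This is an added example, not code from the flashcards or from any FMSS/Gift-IT system; the masterfile, the customer ID format AA0000, the reasonableness limit of 100 units, the fixed "today" date and the sample orders are all constructed assumptions. The check digit test uses the Luhn algorithm, which is what card numbers actually carry.

```python
import re
from datetime import date

# Constructed masterfile (hypothetical codes, descriptions and prices).
MASTERFILE = {
    "FR-100": {"description": "Fridge 100L", "unit_price": 3500.00},
    "FR-250": {"description": "Fridge 250L", "unit_price": 6200.00},
}
MANDATORY = ("customer_id", "product_code", "quantity", "card_number", "order_date")

# Constructed sample orders: one clean, one with a defect in every field.
GOOD_ORDER = {"customer_id": "AB1234", "product_code": "FR-100", "quantity": 2,
              "card_number": "4111111111111111", "order_date": "2024-06-01"}
BAD_ORDER = {"customer_id": "ab12", "product_code": "FR-999", "quantity": -1,
             "card_number": "4111111111111112", "order_date": "2024-13-01"}


def luhn_valid(number):
    """Check digit test (Luhn) on a card number given as digits only."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_order(order, today=date(2024, 6, 30)):
    """Run the programmed edit checks over one order and return the error
    messages the screen would display (empty list means accepted)."""
    errors = []
    # Field presence / missing data check on mandatory fields
    for field in MANDATORY:
        if order.get(field) in (None, ""):
            errors.append(f"{field}: mandatory field missing")
    if errors:
        return errors
    # Alphanumeric formatting test on the customer ID (assumed format AA0000)
    if not re.fullmatch(r"[A-Z]{2}[0-9]{4}", str(order["customer_id"])):
        errors.append("customer_id: expected format AA0000")
    # Existence check against the masterfile
    if order["product_code"] not in MASTERFILE:
        errors.append("product_code: not on masterfile")
    # Sign test and range (reasonableness) test on the quantity
    qty = order["quantity"]
    if not isinstance(qty, int) or qty <= 0:
        errors.append("quantity: must be a positive whole number")
    elif qty > 100:
        errors.append("quantity: exceeds reasonableness limit of 100")
    # Field size test, then check digit, on the card number
    card = str(order["card_number"])
    if not (13 <= len(card) <= 19 and card.isdigit()):
        errors.append("card_number: must be 13-19 digits")
    elif not luhn_valid(card):
        errors.append("card_number: check digit failure")
    # Date format test and reasonableness (an order cannot be in the future)
    try:
        if date.fromisoformat(str(order["order_date"])) > today:
            errors.append("order_date: cannot be in the future")
    except ValueError:
        errors.append("order_date: expected YYYY-MM-DD")
    return errors


def echo_line(product_code, quantity):
    """Data echo: description and price come from the masterfile, not from the
    keyboard, and the line total is calculated by the system."""
    item = MASTERFILE[product_code]
    return {"description": item["description"],
            "line_total": round(item["unit_price"] * quantity, 2)}


if __name__ == "__main__":
    print(validate_order(GOOD_ORDER))          # []
    print(validate_order(BAD_ORDER))           # five error messages
    print(echo_line("FR-100", 2))
```

Each failed test produces a field-specific message, which is what lets the customer correct the mistake promptly rather than seeing a generic "invalid input". Presence is tested first because the remaining tests have nothing to work on when a field is empty.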
General controls
(General monitoring)
- Clear IT governance policy
- Mngt should support IT and operations
- Database, regularly backed up, kept off site
- General and application controls tested regularly
- Segregation of duties
- Service level agreement for outsourcing: responsibilities of the service provider;
(Physical security measures)
- Secured server in a restricted access (locks)
- Computer terminals located at a visible area
- Database administrator reviews for unusual changes
(Programmed controls)
- ID login and password
- Passwords changed regularly
- Access rights on least privilege basis
- Data encryption
- Firewalls
- Activity logs and access violations
- Logs reviewed and followed up
- Screen layout/design
- Logout after inactivity
- Access rights built into system
- Regular background checks on staff
- Supervision and review
- Due to the fact that it is stated that the breach “surprised them”, it is evident that the weaknesses in these general controls had never been identified as a risk which is a concern as to the functioning of the Committee.
- This is concerning considering that the Brand-IT system is a significant part of Indlovu’s operations (ie. a significant system)
- regular training, especially when a new threat (virus) occurs
Application controls
(Orders made by customers)
- Create profile with valid email address
- Agreement to terms and conditions
- Activation email to activate account
- Access controls (email address and passwords)
- Passwords controls
- Locked after 3 unsuccessful attempts
- Validity of address
- Limit and character check to verify contact details
- Limit and character checks over credit cards
- Link with credit cards companies to verify user
- Screen errors/ aids (screen dialogue;prompts)
- Exception reports generated for possible anomalies and should be reviewed by mngt
- Field presence check
- Screen checks
- screen layout and form( user friendly)
- Agree to terms and conditions
- Compile daily report (Customer ID, address, VAT charge)
- Exception report (incomplete, non existing ID)
- Review and follow up with management
- Minimum keying in of information (drop down list)
- Edit and validation checks
- missing data check/ mandatory field input
- Alphanumeric formatting check (date formatted)
- Field size check (Interest rate)
- Arithmetic check (depreciation)
- Review of captured data
- The FMSS generates a weekly report which contains an exception report section highlighting contracts with no VAT charged for the month; the report is reviewed by the accounting manager, who follows up on any unusual activity.
- Log-on authentication through unique logon IDs linked to passwords for each employee (including sales personnel) authorised to access the FMSS.
- All assets should be identifiable and verifiable (serial number)
- The use of standard data in the system increases the validity of transactions
- Automatically updates the general ledger which removes human intervention and therefore increases validity.
CAATS
Assist in audit procedure: Inventory
- Concern is in relation to valuation
- Extract a listing of all inventory at year end
- Sampling of inventory items by:
Randomized sample
Stratify inventory
Sort inventory value
- Cast listing for mathematical accuracy
- Extract listing with negative amounts
- Reperform calculations
Design key controls
- Programmed controls to test accuracy
- Alphanumeric test
- Echo tests to confirm selection
- System to confirm (authenticate) details directly with the banks
- system should generate quotes
- Accept terms and conditions
- Masterfile controls
- Exception reports
- Management review all exception
- IT general controls
- User controls
- Segregation of duties
- Background and integrity check of staff
- Complaints line for irregularities
Data CAATs
Substantive procedures
- Exception report (blank, expired)
- Extract a statistical sample (signed contract)
- Generate report (duplicates)
- Extract listings
- Compare (existence), verify
- Data CAATs to calculate (negative, duplicates, missing, blank, Nil, over certain value or under certain value, past certain date)
- Consider round amounts
- Cast and cross cast data
- Stratify/ Sort/Filter/ Summarize data
- Select audit samples
- Calculate ratios
- Perform analytical procedures
- Recalculate
- Request management to extract
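The data CAATs listed above, and the inventory procedures under "Assist in audit procedure: Inventory" (cast the listing, extract negatives, reperform calculations, stratify), as one runnable set of data interrogation routines. This is an added example, not code from the flashcards or from any audit software; the inventory listing is constructed with one planted defect per routine, and the value bands, cut-off date and rounding unit are assumptions.

```python
from datetime import date

# Constructed year-end inventory listing (not from the page). Defects are
# planted deliberately so that each CAAT has something to report.
INVENTORY = [
    {"item_no": 1, "description": "Compressor", "qty": 10, "unit_cost": 500.00,
     "total": 5000.00, "last_movement": "2024-03-15"},
    {"item_no": 2, "description": "", "qty": 5, "unit_cost": 200.00,
     "total": 1000.00, "last_movement": "2024-05-01"},           # blank field
    {"item_no": 3, "description": "Door seal", "qty": -4, "unit_cost": 50.00,
     "total": -200.00, "last_movement": "2024-06-10"},           # negative
    {"item_no": 3, "description": "Door seal", "qty": 20, "unit_cost": 50.00,
     "total": 1000.00, "last_movement": "2024-06-10"},           # duplicate no.
    {"item_no": 5, "description": "Thermostat", "qty": 100, "unit_cost": 120.00,
     "total": 12100.00, "last_movement": "2023-01-20"},          # casts wrong, old
    {"item_no": 6, "description": "Shelving", "qty": 2, "unit_cost": 5000.00,
     "total": 10000.00, "last_movement": "2024-02-02"},          # round amount
]


def cast_listing(items):
    """Cast the listing and re-perform qty x unit cost for every line."""
    recalculated = [round(i["qty"] * i["unit_cost"], 2) for i in items]
    wrong = [i["item_no"] for i, r in zip(items, recalculated) if r != i["total"]]
    return {"listed_total": round(sum(i["total"] for i in items), 2),
            "recalculated_total": round(sum(recalculated), 2),
            "cast_errors": wrong}


def negatives(items):
    return [i["item_no"] for i in items if i["qty"] < 0 or i["total"] < 0]


def duplicates(items):
    nos = [i["item_no"] for i in items]
    return sorted({n for n in nos if nos.count(n) > 1})


def missing_numbers(items):
    nos = {i["item_no"] for i in items}
    return sorted(set(range(min(nos), max(nos) + 1)) - nos)


def blanks(items, field="description"):
    return [i["item_no"] for i in items if str(i.get(field, "")).strip() == ""]


def over_value(items, limit):
    return [i["item_no"] for i in items if i["total"] > limit]


def not_moved_since(items, cutoff):
    """Slow-moving stock: no movement on or after the cut-off date (valuation)."""
    return [i["item_no"] for i in items
            if date.fromisoformat(i["last_movement"]) < cutoff]


def round_amounts(items, unit=1000):
    """Suspiciously round totals (possible estimates or manual overrides)."""
    return [i["item_no"] for i in items
            if i["total"] != 0 and i["total"] % unit == 0]


def stratify(items, bands=(1000, 10000)):
    """Count and value per band; band upper bounds are inclusive."""
    labels = ([f"<={bands[0]}"]
              + [f"{bands[k - 1] + 1}-{bands[k]}" for k in range(1, len(bands))]
              + [f">{bands[-1]}"])
    summary = {lab: {"count": 0, "value": 0.0} for lab in labels}
    for i in items:
        lab = labels[sum(1 for b in bands if i["total"] > b)]
        summary[lab]["count"] += 1
        summary[lab]["value"] = round(summary[lab]["value"] + i["total"], 2)
    return summary


if __name__ == "__main__":
    print(cast_listing(INVENTORY))
    print(negatives(INVENTORY), duplicates(INVENTORY), missing_numbers(INVENTORY))
    print(blanks(INVENTORY), over_value(INVENTORY, 9000),
          not_moved_since(INVENTORY, date(2023, 12, 31)), round_amounts(INVENTORY))
    print(stratify(INVENTORY))
```

The cast routine both foots the listing and re-performs each extension, so the R100 overstatement on item 5 appears as a cast error and as a difference between the listed and recalculated totals. Stratification drives the sample: high-value items are tested in full, the rest sampled.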
System CAATs
Extract a report
- Test data
- Reprocessing (claims not delivered)
- Embedded audit routine (logging calculations)
- Simulation (paid older than 4 months)
- Programme code analysis (relate to age of claims)
- Run test data
- False data
- Actual data
- Compare to expected results
TEST OF CONTROLS
CAVR (Restriction of access)
- Using data interrogation software
- By using CAATs attempt to
- Inspect activity logs
- System walkthrough
- Develop test data
- Download an exception report
- Observe
- Attempt to… and see if…
- Do test counts
- Review programme changes
- Reperform
- Select a sample
- Discuss exceptions and process followed if someone on leave
- Enquire on process taken
- Note exception and follow up with management for review
BACKGROUND:
- Attempt to override firewalls
- Enquire about the measures taken to prevent unauthorized access
- Read and discuss
- Inspect user access profiles, copy of password policy
Occurrence:
- Create fictitious profile to verify
- Attempt to finalize by not
- Attempt to complete by using an invalid
- Using CAATs
- Select invoices from sales ledger and follow through to (invoice, credit pmt, dispatch note)
- Verify
Remember the WHY part!
- To confirm that controls are operating effectively
- No unnecessary goods are purchased
- It indeed has been requested by….
- Inspect that the correct costs have been allocated by the system to the correct account.
- Through inspection of the log of changes (daily activity report) to the system verify that no changes occurred to the application controls over allocation/calculations throughout the period.
Controls over system/recording etc
Completeness and accuracy
- Use run to run totals
- Send or receipt transmission checks
- Sequence checks
- Encryption techniques
- Review and follow up
- Review to confirm
- Reconciliation of total value
- Run to run totals balancing performed by system
- Sequential numbering
- Document complaints and follow up
- Edit checks
- Random spot checks
Design KEY CONTROLS
- Programmed controls (edit checks) CAV
- Masterfile amendment controls
- Exception reports
- Management review
- IT general control
- User control (SOD, staff integrity background checks, complaints line)
Responsibility of external auditors for detecting weakness in the system of internal controls
- primary objective of auditor is to express an opinion
- ISA 315 par 12 and A59
- External auditor required to obtain sufficient appropriate understanding of control activities to assess RoMM
- Auditor is required to evaluate the design and implementation of entity’s controls responding to significant risk
How data can be manipulated
- Inflating revenue allocated elsewhere
- Change period to more months thus increasing revenue
- Change calculation of revenue by overriding formula
- Recalculate random sample
- Use CAATs to extract a log of all changes
- Include revenue in current period from future or past period
- The start and end dates of contracts could be changed to increase period of contract thus increasing revenue
- Revenue could be recognized for contracts that have ended
- Include fictitious
- Include duplicates
- Include expired
- include terminated
- Translate at incorrect spot rate
- Not consider discounts
- Not exclude VAT
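The CAAT responses on this card (recalculate a sample, extract duplicates, expired and fictitious contracts, contracts whose dates push revenue into the period, VAT not excluded) as one revenue recalculation routine. This is an added example, not code from the flashcards or from any FMSS; the audit period, the 15% VAT rate, the contract listing and the signed-contract register are constructed assumptions, with one manipulation pattern planted per contract.

```python
from datetime import date, timedelta

# Assumed audit period and VAT rate for this example.
PERIOD_START = date(2024, 3, 1)
PERIOD_END = date(2024, 6, 30)
VAT_RATE = 0.15

# Constructed contract revenue listing (not from the page). "recognised" is
# the revenue the system recorded for the period; fees are VAT inclusive.
CONTRACTS = [
    {"contract_no": "C001", "start": "2024-01-01", "end": "2024-12-31",
     "fee_incl_vat": 1150.00, "recognised": 4000.00},   # correct
    {"contract_no": "C002", "start": "2024-05-01", "end": "2025-04-30",
     "fee_incl_vat": 2300.00, "recognised": 8000.00},   # months overstated
    {"contract_no": "C003", "start": "2023-01-01", "end": "2024-02-29",
     "fee_incl_vat": 1150.00, "recognised": 1000.00},   # expired contract
    {"contract_no": "C001", "start": "2024-01-01", "end": "2024-12-31",
     "fee_incl_vat": 1150.00, "recognised": 4000.00},   # duplicate
    {"contract_no": "C004", "start": "2024-03-01", "end": "2024-06-30",
     "fee_incl_vat": 1150.00, "recognised": 4600.00},   # VAT not excluded
    {"contract_no": "C005", "start": "2024-03-01", "end": "2024-12-31",
     "fee_incl_vat": 575.00, "recognised": 2000.00},    # no signed contract
]
# Constructed register of contract numbers for which a signed contract exists.
SIGNED_REGISTER = {"C001", "C002", "C003", "C004"}


def month_bounds(year, month):
    first = date(year, month, 1)
    last = date(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)
    return first, last


def months_in_period(start, end, p_start=PERIOD_START, p_end=PERIOD_END):
    """Whole months of the audit period that fall inside the contract term."""
    count, y, m = 0, p_start.year, p_start.month
    while date(y, m, 1) <= p_end:
        first, last = month_bounds(y, m)
        if start <= first and end >= last:
            count += 1
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)
    return count


def expected_revenue(c):
    """Recalculate: months inside the period x monthly fee excluding VAT."""
    months = months_in_period(date.fromisoformat(c["start"]),
                              date.fromisoformat(c["end"]))
    fee_excl = c["fee_incl_vat"] / (1 + VAT_RATE)
    return months, round(months * fee_excl, 2)


def recalculate_revenue(contracts, register, tolerance=0.01):
    """Return (contract_no, issue) findings for management follow-up."""
    findings, seen = [], set()
    for c in contracts:
        no = c["contract_no"]
        if no in seen:
            findings.append((no, "duplicate contract number"))
            continue
        seen.add(no)
        if no not in register:
            findings.append((no, "no signed contract on register"))
        months, expected = expected_revenue(c)
        if months == 0 and c["recognised"] != 0:
            findings.append((no, "revenue recognised outside contract period"))
        elif abs(expected - c["recognised"]) > tolerance:
            findings.append((no, f"variance: expected {expected}, recorded {c['recognised']}"))
    return findings


if __name__ == "__main__":
    for finding in recalculate_revenue(CONTRACTS, SIGNED_REGISTER):
        print(*finding)
```

Recalculating from the contract dates rather than from the period field the system stores is the point: a changed start date, an expired contract kept alive, or VAT left in the fee all show up as a variance against the independent figure, while the register comparison catches a contract that has no signed paper behind it even though its arithmetic is correct.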
Business continuity risks company is exposed to with regards to integrated nature
- Communication connection
- Downtime or crashes
- Service provider could suspend operations
- Corruption of data and transmission of data
- Security attacks
- Unauthorized access to entire system
- Unauthorized changes
- Database not functioning correctly
- Fines or lawsuits
Since the system is integrated and highly automated, errors or breaches could remain undetected and:
- cause financial loss
- cause loss of the client base
- if one section is not working, the whole system could be affected