Module H Flashcards
Step 2: customer order transaction file submitted for automated processing
System accesses the customer master file, using the customer
name/number to ensure sale is made to approved customer
Program then accesses inventory master file to verify current
Inventory items are available at current prices
Automated processing of sales transaction, 3 steps
1 customer order
2 customer order transaction file
3 automated transaction processing system
Automated processing sales transaction step 3, 3 things
1 Computerized system processes order using price from inventory
Master file and quantity from customer order
2 prepares shipping document and sales invoice
3 updates sales transaction file
What 5 circumstances must be considered by audit team for information technology environments?
1 possibility of input errors
2 existence of systematic rather than random processing errors
3 lack of audit trail
4 possibility of inappropriate access to computer files and programs
5 reduced human involvement in processing transactions
The possibility of input errors
The need for client personnel to convert/enter info into electronic
Format introduces possibility of errors
Existence of systematic rather than random processing errors
Technology systems handle all transactions in an identical manner
Can result in accounting system erroneously processing all
Transactions
Lack of an audit trail
Audit team can’t see a paper trail because all info is directly
Entered into computer system
And processing is completed electronically producing only a
Hard copy of the final result
3 major phases in audit team’s evaluation of internal control
1 understanding
2 assessment
3 testing
Understanding 2
1 obtain understanding of controls established by client related
To automated processing of transactions
2 document controls established by client related to automated
Processing of transactions
Assessment
Consider controls established by client related to automated processing of transactions in preliminary assessment of control risk
Testing 3
1 identify controls related to automated processing of transactions
To be tested and degree of compliance required
2 perform test of those controls
3 evaluate degree of compliance with stated criteria and perform
Planned substantive procedures
Major issue introduced in automated processing of transactions is the need for audit team to understand, consider and evaluate IT controls…
that have been designed to mitigate risk of material misstatement
At assertion level
General controls
Apply to all applications of accounting info system
Ex. Processing transactions across various cycles
Automated application controls
Controls applied to specific business activities within an accounting
Info system
To address management assertions regarding the financial
Statements
Ex. Processing transactions within the revenue cycle
Because general controls apply to all applications of an accounting information system, the effectiveness of these controls has…
A pervasive effect on the entity’s automated processing of
Transactions
4 categories of general controls
1 program development controls
2 program change controls
3 computer operations controls
4 access to programs and data controls
objectives of program development controls, are to provide reasonable assurance that:
acquisition or development of computer programs and software is…3
1 properly authorized
2 conducted in accordance with entity policies
3 supports entity’s financial reporting requirements
objectives of program development controls, are to provide reasonable assurance that:
Appropriate users participate in…
Software acquisition or program development process
objectives of program development controls, are to provide reasonable assurance that:
Programs and software are tested and…
Validated prior to being placed into operation
objectives of program development controls, are to provide reasonable assurance that:
All software and programs have…
Appropriate documentation
Systems development life cycle (SDLC)
Important program development control used by entity
Process to plan, develop and implement new accounting information systems (or database)
Effective systems development life cycle SDLC controls ensure that the entity:
Follows established policies and procedures for…
Acquiring or developing software or programs
Effective systems development life cycle SDLC controls ensure that the entity:
Involves users in the design of…
Programs, selection of prepackaged software and programs
And testing of programs
Effective systems development life cycle SDLC controls ensure that the entity:
Tests and validates new programs and…
Develops proper implementation and “back out” plans
Prior to placing programs into operation
Back out plans
Plans to cancel the results of processing
in the event of an error or program failure
Effective systems development life cycle SDLC controls ensure that the entity:
Periodically reviews policies and procedures for acquiring and developing software or programs for continued…
Appropriateness
and modifying these policies and procedures if necessary
Documentation for SDLC, why does the audit team evaluate controls over the documentation? 2
1 gain understanding of system and determine whether
documentation is adequate to support proper use of programs
2 determine whether client personnel follow standards
Of utmost importance is whether the client has established…2
1 systems development
2 Documentation standards
Program change controls, these controls are implemented by the entity to provide reasonable assurance that requests and modifications to existing programs are:
Are properly…3
1 authorized
2 conducted in accordance with entity policies
3 support entity’s financial reporting requirements
Program change controls, these controls are implemented by the entity to provide reasonable assurance that requests and modifications to existing programs are:
Involve appropriate users in the…
Program modification process
Program change controls, these controls are implemented by the entity to provide reasonable assurance that requests and modifications to existing programs are:
Are tested and…
Validated prior to being placed into operation
Program change controls, these controls are implemented by the entity to provide reasonable assurance that requests and modifications to existing programs are:
Have been appropriately…
Documented
Program change controls parallel those relating to…
Program development
Computer operations controls,
Are concerned with providing reasonable assurance that:
processing of transactions through…
accounting info system is in accordance with entity’s objectives
Computer operations controls,
Are concerned with providing reasonable assurance that:
Processing failures are resolved and do…
Not affect/delay processing of other transactions within the batch
Computer operations controls,
Are concerned with providing reasonable assurance that:
Actions are taken to facilitate…
The backup and recovery of important data when need arises
Systems analysts, 3 job functions
1 examine requirements for information
2 evaluate the existing system
3 design new/improved accounting info systems (with
specifications and documentation)
Programmers, 2 job functions
1 prepare flowcharts and code the logic of computer programs
Required by accounting info system designed by systems analyst
2 prepare program documentation
Computer operators, job function
Operate computer for each accounting application system
According to written operating procedures found in computer
Operation instructions
Data conversion operators, job function
Prepare data for machine processing
by converting manual data into machine readable form or
Directly entering transactions into the system using remote
Terminals
Librarians, job function
Maintain control over…2
1 system and program documentation
2 data files and programs used in processing transactions
Control group, 3 job functions
1 ensures the integrity of data
2 monitors the accuracy of processing and output
3 controls distribution of output to appropriate user groups
Separation of duties performed by systems analysts, programmers and computer operators is an important…
2) Otherwise what would this be considered?
General control
2) serious weakness in general control
Anyone who designs an accounting information system should not…
Do technical programming work
Only computer operators should have access to…
Equipment
Computer operations controls for files and data used in processing:
The files used in automated processing are appropriate
Accomplished through use of external labels on portable files
And use of header and trailer labels on internal records
Computer operations controls for files and data used in processing:
Files are secured and protected from loss
Accomplished by storing them in fireproof and waterproof
Locations
Also storage of back up files at offsite locations
3 Computer operations controls for files and data used in processing
1 files used in automated processing are appropriate
2 files are appropriately secured and protected from loss
3 files can be reconstructed from earlier versions of info used in
Processing
Computer operations controls for files and data used in processing:
Files can be reconstructed from earlier versions of info used in processing
Accomplished by creating and implementing policies to retain
Prior versions of files for specified time periods
Access to programs and data controls
Provides reasonable assurance that access to programs and
Data is granted only to authorized users
The most common form of control related to access is…
The use of passwords
3 areas where separation of duties should occur
1 authorization to execute transactions
2 recording of transactions
3 custody of related assets
With increasing ability of employees to access systems remotely, physical security controls are becoming…
Less effective in restricting access to programs and data
Assertion: Accuracy, 3
For information technology
Ensuring accuracy of data and testing computer programs
Prior to implementation
Increases probability that transactions are processed properly
Ex. Program development controls, program change controls,
Computer operations controls
Assertion: Occurrence, 3
For information technology
Restricting inappropriate access to programs and data
reduces probability that fictitious transactions are entered into
The system and processed
Ex. Computer operations control (separation of duties), access
To program and data controls
Program development, 2 examples
1 Use of systems development life cycle (SDLC) for authorization,
User involvement, testing/validation of new programs
2 appropriate documentation for new programs
Program development, objective
Programs developed and software acquired by entity are consistent
With entity’s objectives
Program change, objective
Modifications to existing programs are authorized and are
consistent with entity’s objectives
4 objectives of computer operations
1 transactions are processed in accordance with entity’s objectives
2 appropriate files and records are used in processing transactions
3 files are appropriately secured/protected from loss
4 files can be reconstructed from previous versions
Automated application controls
Applied to specific business activities within the accounting info
System to achieve financial reporting objectives
Automated application controls are specific to…
Each cycle (revenue and collection, acquisition and expenditure)
Automated application controls, function
Designed to ensure proper recording of activities and prevent/
Detect fraud and error for transactions within the cycles
3 categories of automated application controls
1 input controls
2 processing controls
3 output controls
Input controls
Designed to provide reasonable assurance that data for
processing by the computer department
Has been properly authorized and accurately entered or converted
For processing
Input controls also provide the opportunity for entity personnel to…
Correct and resubmit data initially rejected as erroneous
Input control:
data entry and formatting controls 3
Controls related to design of data entry interface to provide
Familiar consistent format
And reduce frequency of input errors by personnel
Ex. Pull down menus, standardized formats and screens
Standardized formats and screens
Increase user familiarity with various fields
And reduce the chance that data are inadvertently input in incorrect field
Input control:
Authorization and approval controls
Only properly authorized and approved input should be accepted
For processing
Digitized signature
An approved encrypted password that releases a transaction
By assigning a special code to it
Online editing and sight verification (data entry and formatting control)
Ability of personnel to review input prior to submitting it for
Processing within the system
Input control:
Check digits
Check digit is an extra number tagged onto the end of a basic identification number (such as employee ID or account number)
Check digits are used to detect…
Coding errors or keying errors (such as transposition of digits)
Input control:
Record counts
Known # of records entered can be compared to count of
Records produced by data conversion device
Ex. Number of sales transactions or count of records
Record counts: differences between the manual counts of transactions and the number of transactions processed indicate that transactions…
May have been inputted more than once
Input control:
Batch totals
Sum of important quantity, used the same way as record counts
(Ex. Total sales dollars in a batch of invoices)
Totals allow input errors to be detected prior to submission
For processing, ensure all transactions entered only once
Input control:
Hash total
Similar to batch total but not meaningful for accounting records
(Ex. Sum of invoice numbers)
Allow input errors to be detected prior to submission, and all
Transactions are entered only once
Input control:
Valid character tests
Input controls used to check input fields for numeric characters
when they are supposed to have numbers
Or alphabetic characters when they are supposed to have
alphabetic characters
Input control:
Valid sign tests
Similar to valid character tests
Signed data fields are checked for appropriate positive or negative
Signs
Input control:
Missing data tests
Evaluate fields to verify whether any are blank when they must
Contain data for the record entry to be correct
Input control:
Sequence tests
Normally applied to evaluate input data for numerical sequence
Of documents when sequence is important for processing
Can check for missing documents in prenumbered series
Input control:
Limit and reasonableness tests
Determine whether data values exceed or fall below some
Predetermined limit
Ex. Payroll application can have a limit test to flag or reject
Any weekly payroll time record of 50 or more hours
Input control:
Error correction and resubmission procedures
These policies and procedures ensure identification of input
Errors on a timely basis
And correction and resubmission by appropriate personnel
For processing
Processing controls
Designed to provide reasonable assurance that data processing
Has been performed accurately
without any omission or duplicate processing of transactions
The most fundamental (yet important) processing control a client can implement is…
Periodically testing and evaluating the processing accuracy of its programs
Processing control:
File and operator controls
Ensure proper files are used in applications,
external and internal labels can be used to identify files
Systems software should produce log that records time and be
Reviewed by personnel
Processing control:
Run-to-run totals
Movement of data from one department to another is controlled
Run-to-run totals can be…
Record counts, batch totals or hash totals obtained at end
Of one processing run
Runs
Sequential processing operations
Control totals
Record counts, batch totals, hash totals and run-to-run totals
Processing control:
Control total reports
Control totals should be calculated during processing operations
And summarized in report
Total should be reconciled by entity personnel
Processing control:
Limit and reasonableness tests
Programmed to ensure illogical conditions don’t occur
(Ex. Depreciating an asset below 0, calculating negative inventory
Quantity)
Important and should generate error reports for supervisor
Review
Processing control:
Error correction and resubmission procedures
Controls related to identification of errors/unusual conditions
Encountered in processing transactions on timely basis
Correction and resubmission for processing should be implemented
As transactions are processed
Output controls
Represent final check of accuracy of results of automated
Transaction processing
Designed to provide reasonable assurance that only authorized
Persons receive output
Output controls are concerned with…
Detecting errors rather than preventing errors
Preventing errors is the focus of…
Input and processing controls
Output control:
Review of output for reasonableness
Individual knowledgeable about nature of transactions and
Processing should perform overall review of output for
reasonableness
Helps detect systematic errors
Ex. Employee gets paid 10 times their normal salary
Output control:
Control total reports
Control totals produced as output should be compared
And reconciled to input and run-to-run control totals
Independent data control group should be responsible for
Reviewing output control totals and investigating differences
Output control:
Master file changes
Master files are updated during transaction processing
Any changes should be authorized by entity and reported
In detail to user department
Output distribution
Systems’ output should only be distributed to persons authorized
To receive the output
A distribution list should be maintained and used to deliver
Report copies
Management assertions for technology:
Accuracy 2
Input of individual transactions and data is accurate
Processing transactions is accurate
Management assertions for technology:
Completeness
All transactions are entered
Management assertions for technology:
Occurrence
Transactions are entered only once
How audit team assesses control risk of IT environment 4
1 identify types of misstatements that can occur in significant
Accounting applications
2 identify points in flow of transactions where specific types of
Misstatements could occur
3 identify specific control procedures designed to prevent/detect
Misstatements
4 evaluate design of control procedures to determine whether
The design suggests a low control risk and whether controls are
Cost effective
4 methods of testing operating effectiveness of controls
1 inquiry
2 observation
3 document examination
4 reperformance
Type of general control: program development
Method of testing?
Examine documentation related to development of programs
Type of general control: program change
Method of testing?
Examine documentation related to proper authorization for program changes and implementation of those changes
Type of general control: computer operations
Method of testing? 2
1 observe separation of duties of systems analysts, programmers,
Computer operators
2 examine documentary evidence regarding use of backup
And file reconstruction techniques
Type of general control: access to programs and data
Method of testing? 2
1 examine documentary evidence related to authorization for
accessing programs and data
2 observe the use of passwords required to access programs
And data
Type of automated application control: input
Method of testing? 2
1 inquire, observe or examine documentary evidence regarding
The use of various input controls
2 examine documentary evidence related to the resolution
Of errors identified by input controls
Type of automated application control,
Method of testing-Processing:
Inquire, observe, or examine documentary evidence that the client…
Periodically tests programs for processing accuracy
Type of automated application control,
Method of testing-Processing:
Through reperformance, test the…
Client’s programs for processing accuracy
Type of automated application control,
Method of testing-Processing:
Inquire, observe, or examine documentary evidence regarding use of…
Various processing controls
Type of automated application control,
Method of testing-Processing:
Examine documentary evidence related to the resolution of…
Errors or unusual conditions identified during processing
Type of automated application control,
Method of testing-Output:
Inquire, observe, or examine documentary evidence that the client…
Reviews output for reasonableness
Type of automated application control,
Method of testing-Output:
Examine documentary evidence related to use of control…
Total reports and reconciliation of those reports to input and
Run-to-run totals
Type of automated application control,
Method of testing-Output:
Examine documentary evidence related to authorization for…
Changes in master file information
Type of automated application control,
Method of testing-Output:
Observe, inquire, or inspect documentary evidence related to limited…
Distribution of output to identified users
End users
Individuals who use personal computers, laptops, tablets
And other portable computing devices
End user computing environments introduce the 4 control issues that the audit team must consider
1 lack of separation of duties
2 lack of physical security
3 lack of program documentation and testing
4 limited computer knowledge
Lack of program documentation and testing
Because users often modify or adapt existing programs for
Their own use,
End user computing environments are often characterized by
A lack of appropriate program documentation and testing
Limited computer knowledge
Extensive reliance on packaged software and utility programs
In end user environments
May result in personnel having limited computer knowledge
Computer operations controls
Involve limiting concentration of functions (separation of duties)
Establish proper supervision over individuals performing these
Functions
With respect to separation of duties, 2 compensating controls that increase the likelihood of accurate processing
1 comparison of manual control totals with totals from computer
Output
2 careful inspection of output for accuracy
Usefulness of computer operations controls:
Joint operation of…
Computerized processing by 2 or more individuals
Usefulness of computer operations controls:
Rotation of…
Assigned duties among individuals
Usefulness of computer operations controls:
Comparisons of computer use time to…
Averages or norms and investigation of excess usage
Usefulness of computer operations controls:
Proper supervision of…
Computer operations
Usefulness of computer operations controls:
Required…
Vacations for all individuals
In end user computing environments, the most important controls are those over…
Online data entry (accounting transactions)
3 data entry controls
1 restrictions on access to input devices
2 standard screens and computer prompting
3 online editing and sight verification
Restrictions on access to input devices 3
1 locking terminals
2 requiring use of passwords for access
3 using automatic terminal log off
4 important processing controls, to ensure appropriate processing of data
1 transaction logs
2 control totals
3 data comparisons
4 audit trail
Transaction logs
Transaction entry through terminal should be captured
automatically in computerized log
Transaction logs for each terminal should be summarized into
Equivalent batch totals
Control totals
Master files should contain records that accumulate the number
Of records and batch totals
Update processing should automatically change these control
Records
Data comparisons
Summary of daily transactions and the master file control
Totals from computer
Should be compared to manual control totals maintained
By accounting department
Audit trail
Transaction logs and periodic dumps of master files should
Provide audit trail and means for recovery
Service organizations
Because of lack of expertise and cost benefit analysis entities
May outsource specialized data processing to service organizations
Computer abuse AKA Computer fraud
Use of information technology by perpetrator to achieve gain
At expense of victim
Prevention controls
Keep errors and frauds from entering the system
Detection controls
Designed to discover frauds, should they get past the prevention
Controls
Damage-limiting controls
Designed to limit damage if fraud does occur
Administrative level controls
Affect the management of an entity’s computer resources
Limit nature and scope of activities personnel can perform
Physical controls
Affect computer equipment and related documents
Technical controls example
Encrypting data
Computer forensics
Science of acquiring, preserving, retrieving and presenting data
That have been processed electronically
and stored in computer database
Using computer forensics, when computer hard drives are used
as storage media evidence can be…
retrieved even when data is deleted