SIM Week 1-3 Flashcards
a tool used by auditors to
determine irregularities from the given data.
CAATS or Computer-Assisted Audit Techniques
What is the meaning of CAATs
Computer-Assisted Audit Techniques
are tools used by auditors as part of
their audit procedures to process data of audit significance contained in an entity’s computer
systems.
Computer-Assisted Audit Techniques
True or False:
Advantage of CAATS
a. Independently access the data stored on a computer system without dependence on
the client
b. Test the reliability of client software
c. Decrease the accuracy of audit tests
d. Perform audit tests less efficiently, which in the long term will result in a more cost-effective audit.
A. True
B. True
C. False
D. False
True or False
Disadvantages of CAATS
CAATs can be expensive and time-consuming to set up; the software must either be
purchased or designed (in which case specialist IT staff will be needed);
True
True or False
Disadvantages of CAATS
Client permission and cooperation are very easy to obtain
False
True or False
Disadvantages of CAATS
Potential compatibility with the client’s computer system
False
True or False
Disadvantages of CAATS
The audit team may not have sufficient IT skills and knowledge to create the complex
data extracts and programming required
True
True or False
Disadvantages of CAATS
The audit team may not have the knowledge or training needed to understand the
results of the CAATs
True
True or False
Disadvantages of CAATS
Data may be corrupted or lost during the application of CAATs.
True
Three Classifications of CAATs
- Audit Software
- Test Data
- Other techniques
generic term used to describe computer programs designed to carry
out tests of control and/or substantive procedures
Audit Software
consist of pre-prepared generalized programs used by auditors and are not
‘client specific’
Package Programs
These programs are usually ‘client specific’ and may be used to carry out tests of
control or substantive procedures
Purpose written programs
Whatever programs are used, the audit firm’s audit plan should ensure that provision is made
so that the specified programs are appropriate for the client’s system and the needs of the
audit.
Purpose written programs
used to re-perform computerized control procedures or perhaps to carry out an aged analysis of trade receivable (debtor) balances.
Purpose written programs
These programs are integral to the client’s accounting system; however, they may
be adapted for audit purposes
Enquiry programs
used to test the existence and effectiveness of controls built into an
application program used by an audit client. As such, dummy transactions are
processed through the client’s computerized system. The results of processing are
then compared to the auditor’s expected results to determine whether controls are
operating efficiently and the system’s objectives are being achieved.
Audit test data
To avoid the risk of corrupting a client’s accounting system by processing test data with
the client’s other ‘live’ data, auditors may instigate special ‘test data only’ processing
runs for audit test data. The major disadvantage of this is that the auditor does not
have total assurance that the test data is being processed in a similar fashion to the
client’s live data. To address this issue, the auditor may therefore seek permission
from the client to establish an _________
Integrated test facilities
Common CAATs Software
a. Spreadsheets (ActiveData for Excel)
b. Access
c. SAS
d. Generalized Audit Software (e.g. ACL, Arbutus, EAS)
e. Business Intelligence (e.g. Crystal Reports and Business Objects)
Threats to Accounting Information Systems
a. Natural and Political Disasters
b. Software and Hardware Error
c. Unintentional Acts
d. Intentional Acts or Computer Crimes
Fraud Triangle
IRO
Intentional
Rationalization
Opportunity
Approaches to Computer Fraud
- Auditing around the computer (black-box approach)
- Auditing through the computer (white-box approach)
the auditors test the reliability of the information generated by the
system. The auditors calculate the expected result of such information and
compare it to the output generated by the system. If the auditor’s expected result
is the same as the output generated by the system, the auditor will assume the
effectiveness of the system.
Auditing around the computer (black-box approach)
The auditor does not need thorough knowledge of the system’s internal logic, and the
systems are not interrupted for the purpose of auditing. This is only effective if the
company has a simple system application.
Auditing around the computer (black-box approach)
In this approach, the auditor needs a thorough understanding of the company’s
system. Test cases may be created to test the effectiveness of the system’s logic and
controls.
Auditing through the computer (white-box approach)
the auditor uses a set of input data, valid or invalid, to
validate the system.
Test data technique
the auditor writes a computer program to reprocess the
firm’s past data and generate results. The results from the simulation are then
compared to the actual results of the company’s system to validate the system.
Parallel simulation
the auditor will create fictitious situations through
the systems within the normal operations in order to test the reliability of the
system.
ITF or integrated test facility
this is a programmed audit module added to
the company’s system that enables the auditor to collect data on online
transactions. This requires auditors to have computer programming skills.
EAM or embedded audit module
Computer Fraud:
one of the most simple, safe and common types of computer abuse.
This is also termed data diddling and is often adopted by persons who are authorized
to handle certain data for a specific purpose such as entry, examination, encoding, or
transmission of data.
False data entry
when a person gets the password and identification
of an authorized user and uses it to access computer systems and damage the security
of the information.
Impersonation
This is a program that contains instructions to perform unauthorized acts or
functions. It is one of the abuses for which it is most difficult to identify the perpetrators.
Trojan horses
goes unnoticed because of the low value involved. The
rounding off of values downward is not easily noticed because the value involved
per rounding off is very low and manual computation for verification is quite
cumbersome. The fractions from rounding off are then automatically accumulated in
some other account that the abuser can access without hurdles.
Salami techniques
where unauthorized access to information
is obtained by riding on the exchange of information and authentication with the
server.
Piggybacking
It is a utility program generally used to authorize emergency access when
the system is inaccessible to authorized users. It therefore acts as a
master key that bypasses the normal security routines.
Super-zapping
It involves searching through discarded copies or carbon papers of computer listings.
Some software leaves temporary files, later overwritten, that may be copied by
unauthorized users.
Scavenging
During the development of software, programmers leave breaks in the
code as debugging aids that may remain inadvertently or intentionally in the final
programs. These unexpected and incomplete instructions in program code and
unused parameters in the code may be misused for Trojan horses or for false data
entry.
Trapdoors
It is a set of instructions that is executed when a given condition is
satisfied. Sometimes, programmers include instructions in the code that would
perform unauthorized functions.
Logic bomb
also called wire spying; it is also a threat to the security of computer
networks.
Wiretapping
a self-replicating program that runs and spreads by modifying other programs
or files.
Virus
self-replicating, self-propagating, self-contained program that uses
networking mechanisms to spread itself.
Worm
unauthorized copying of data files
Data leakage
theft of storage media such as floppy disks, cartridge tapes,
USBs, CDs, etc.
Theft of storage media
sending unsolicited information in bulk.
Spam
the prevention of authorized access to resources or
the delaying of time-critical operations.
Denial-of-service (DoS)
software secretly installed in the system to gather information about the
organization.
Spyware
sending a network packet that appears to come from a legitimate source.
Spoofing
manipulating someone into taking a certain action that may not be in
that person’s best interest.
Social engineering
a collection of software robots that take over computers to act automatically
in response to the bot-herder’s control inputs sent through the Internet.
Botnet