Unit 6: Computer Controls and IT Auditing

Question 1

What are the four areas of business ethics?

Answer 1

Equity
Rights
Honesty
The Exercise of Corporate Power

Question 2

In the case of ethical responsibility, define proportionality.

Answer 2

The benefit from a decision must outweigh the risks. There must be no alternative decision that provides the same or greater benefit with less risk.

Question 3

Define computer ethics

Answer 3

Analysis of the nature and social impact of computer technology and the corresponding formulation and justification of policies for the ethical use of such technology. Includes details about software as well as hardware and concerns about networks connecting computers as well as computers themselves.

Question 4

What are the three levels of computer ethics?

Answer 4

Pop - the exposure to stories and reports found in the popular media regarding the good or bad ramifications of computer technology. Society at large needs to be aware of such things as computer viruses and computer systems designed to aid handicapped persons.

Para - taking a real interest in computer ethics cases and acquiring some level of skill and knowledge to the field

Theoretical - of interest to multidisciplinary researchers who apply the theories of philosophy, sociology, and psychology to computer science with the goal of bringing some new understanding to the field.

Question 5

What does Section 406 of the Sarbanes-Oxley Act (SOX) (2002) require?

Answer 5

Section 406 of SOX requires public companies to disclose to the SEC whether they have adopted a code of ethics that applies to the organization’s chief executive officer (CEO), CFO, controller, or persons performing similar functions. If the company has not adopted such a code, it must explain why.

Question 6

The SEC has ruled that compliance with Section 406 necessitates a written code of ethics that addresses what ethical issues?

Answer 6

Conflicts of Interest

Full and Fair Disclosures - Overly complex and misleading accounting techniques were used to camouflage questionable activities that lie at the heart of many recent financial scandals. The objective of this rule is to ensure that future disclosures are candid, open, truthful, and void of such deceptions.

Legal Compliance

Internal Reporting of Code Violations

Accountability

Question 7

What are the four broad objectives of the internal control system?

Answer 7

1) To safeguard assets of the firm

2) To ensure the accuracy and reliability of accounting records and information

3) To promote efficiency in the firm’s operations

4) To measure compliance with management’s prescribed policies and procedures

Question 8

What are the four modifying assumptions that guide designers and auditors of internal controls?

Answer 8

1) Management Responsibility - this concept holds that the establishment and maintenance of a system of internal control is a management responsibility

2) Reasonable Assurance - the internal control system should provide reasonable assurance that the four broad objectives of internal control are met in a cost-effective manner. This means that no system of internal control is perfect and the cost of achieving improved control should not outweigh its benefits.

3) Methods of Data Processing - Internal Controls should achieve the four broad objectives regardless of the data processing method used. The control techniques used to achieve these objectives will, however, vary with different types of technology.

4) Limitations - Every system of internal control has limitations on its effectiveness. These include:

the possibility of error - no system is perfect

circumvention - personnel may circumvent the system through collusion or other means

management override - management is in a position to override control procedures by personally distorting transactions or by directing a subordinate to do so

changing conditions - conditions may change over time and render existing controls ineffective

Question 9

What are the three layers of the preventive-detective-corrective control model (PDC)?

Answer 9

Preventive Controls:
-first line of defense
-passive techniques designed to reduce frequency of occurrence of risks

Detective Controls:
-second line of defense
-devices, techniques, and procedures designed to identify and expose risks that have eluded preventive controls
-reveal specific types of errors by comparing actual occurrences to pre-established standards
-identify anomalies and draw attention to them

Corrective Controls:
-actions taken to reverse the effects of errors detected in the previous step

Question 10

What management responsibilities are codified in Sections 302 and 404 of SOX?

Answer 10

Section 302 requires that corporate mangement (including the CEO) to certify financial and other information contained in the organization’s quarterly and annual reports. The rule also requires corporate management to certify internal controls on a quarterly and annual basis

Section 404 requires the management of public companies to assess the effectiveness of the organization’s internal controls over financial reporting

Question 11

What is the Committee of Sponsoring Organizations of the Treadway Commission (COSO)?

Answer 11

A joint initiative of the five private sector organizations listed on the left and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.

Control framework endorsed by the PCAOB and the SEC

Question 12

What are the five components of the COSO Internal Control Framework?

Answer 12

The Control Environment

Risk Assessment

Information and Communication - By gaining an understanding of the process and following a transaction through the system an auditor can assess how the system processes information (transaction processing) and communicates the results (reporting). Testing a single transaction would not qualify as testing of the control environment , ensuring monitoring or showing how management assesses risk. It would help in gaining an understanding of what information is in the system and how it is reported.

Monitoring

Control Activities

Question 13

What is the grandfather-father-son (GFS) technique?

Answer 13

A back-up technique employed by systems that use sequential master files (whether tape or disk). It is an integral part of the master file update process.

The process begins when the current master file (the father) is processed against the transaction file to produce a new updated master file (the son). Note that the son is a physically different file from the father. With the next batch of transactions, the son becomes the current master file (the new father), and the original father becomes the backup file (grandfather). This procedure is continued with each new batch of transactions, creating several generations of backup files. When the desired number of backup copies is reached, the oldest backup file is erased (scratched). If the current master file is destroyed or corrupted, it is reconstructed by processing the most current backup file against the corresponding transaction file.

Question 14

The COSO model identifies two broad groupings of IT controls. What are they?

Answer 14

Application controls - ensure the validity, completeness, and accuracy of financial transactions; application specific

General controls - not application specific, apply to all systems; include controls over IT governance, IT infrastructure, network and operating system security, database access, program changes

Question 15

What is the most common access point for perpetrating computer fraud?

Answer 15

At the data collection stage

Question 16

What are the two classes of data processing fraud?

Answer 16

Program Fraud

Operations Fraud - misuse or theft of the firm’s computer resources; often involves using the computer to conduct personal business

Question 17

In terms of organizational structure controls, what three types of operational tasks should be separated?

Answer 17

Segregate the task of transaction authorization from transaction processing.

Segregate record keeping from asset custody.

Divide transaction-processing tasks among individuals so that fraud will require collusion between two or more individuals.

Question 18

Why should Systems Development be kept separate from Computer Operations?

Answer 18

The segregation of systems development (both new systems development and maintenance) and operations activities is of great importance. The responsibilities of these groups should not be commingled. Systems development and maintenance professionals acquire (by in-house development and purchase) and maintain systems for users. Operations staff should run these systems and have no involvement in their design and implementation. Consolidating these functions invites fraud. With detailed knowledge of an application’s logic and control parameters along with access to the computer operations, an individual could make unauthorized changes to application logic during program execution. Such changes may be temporary (on the fly) and will disappear with little or no trace when the application terminates.

Question 19

Why is poor-quality systems documentation a chronic IT problem?

Answer 19

Poor-quality systems documentation is a chronic IT problem and a significant challenge for many organizations seeking SOX compliance. There are at least two explanations for this phenomenon. First, documenting systems is not as interesting as designing, testing, and implementing them. Systems professionals much prefer to move on to an exciting new project rather than document one just completed.

The second possible reason for poor documentation is job security. When a system is poorly documented, it is difficult to interpret, test, and debug. Therefore, the programmer who understands the system (the one who coded it) maintains bargaining power and becomes relatively indispensable. When the programmer leaves the firm, however, a new programmer inherits maintenance responsibility for the undocumented system. Depending on its complexity, the transition period may be long and costly.

Question 20

How does having the original programmer of a system also in charge of maintenance an invitation for program fraud?

Answer 20

When the original programmer of a system is also assigned maintenance responsibility, the potential for fraud is increased. Program fraud involves making unauthorized changes to program modules for the purpose of committing an illegal act. The original programmer may have successfully concealed fraudulent code among the thousands of lines of legitimate code and the hundreds of modules that constitute a system. For the fraud to work successfully, however, the programmer must be able to control the situation through exclusive and unrestricted access to the application’s programs. The programmer needs to protect the fraudulent code from accidental detection by another programmer performing maintenance or by auditors testing application controls. Therefore, having sole responsibility for maintenance is an important element in the duplicitous programmer’s scheme. Through this maintenance authority, the programmer may freely access the system, disabling fraudulent code during audits and then restoring the code when the coast is clear. Frauds of this sort may continue for years without detection.

Question 21

What do auditors use to guide their approach to testing the controls in a system?

Answer 21

Tests of controls include completing questionnaires. The Sarbanes-Oxley Act requires that management certify that the financial statements are correct. In order to ensure that the financial statements are, in fact correct, accounting processes and information systems will be built with checks, balances and controls. Auditors will use questionnaires to guide their approach to testing the controls in the system. Questions include topics such as “Is fraud awareness training carried out?” and “Do particularly critical or sensitive activities require two levels of authority?”

Question 22

What is control risk?

Answer 22

Control risk is the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts. Auditors assess the level of control risk by performing tests of internal controls. An auditor could create test transactions, including some with incorrect total values, which are processed by the application in a test run. The results of the test will indicate that price extension errors are not detected and are being incorrectly posted to the AR file.

Question 23

What are the three categories of application controls relevant to financial reporting?

Answer 23

Input Controls

Processing Controls

Output Controls

Question 24

Define an Access Test

Answer 24

Access tests verify that individuals, programmed procedures, or messages (e.g., electronic data interchange [EDI] transmissions) attempting to access a system are authentic and valid. Access tests include verifications of user IDs, passwords, valid vendor codes, and authority tables.

Question 25

Define a Validity Test

Answer 25

Validity tests ensure that the system processes only data values that conform to specified tolerances. Examples include range tests, field tests, limit tests, and reasonableness tests. Validity tests also apply to transaction approvals, such as verifying that credit checks and AP three-way-matches are properly performed by the application.

Question 26

Define an Accuracy Test

Answer 26

Accuracy tests ensure that mathematical calculations are accurate and posted to the correct accounts. Examples include recalculations of control totals and reconciliations of transaction postings to subsidiary ledgers.

Question 27

Define a Completeness Test

Answer 27

Completeness tests identify missing data within a single record and entire records missing from a batch. The types of tests performed are field tests, record sequence tests, and recalculation of hash totals and financial control totals.

Question 28

Define a Redundancy Test

Answer 28

Redundancy tests determine that an application processes each record only once. Redundancy tests include reviewing record counts and recalculation of hash totals and financial control totals.

Question 29

Define an Audit Trail Test

Answer 29

Audit trail tests ensure that the application creates an adequate audit trail. Tests include obtaining evidence that the application records all transactions in a transaction log (journal), posts data values to the appropriate accounts, produces complete transaction listings, and generates error files and reports for all exceptions.

Question 30

Define the Black Box Approach

Answer 30

An approach that does not require the auditor to create test files or to obtain a detailed knowledge of the application’s internal logic. Instead, auditors can analyze flowcharts and interview knowledgeable personnel in the client’s organization to understand the functional characteristics of the application.

One advantage of this technique is that the application need not be removed from service and tested directly. Black box testing is feasible for applications that are relatively simple, with inputs and outputs that are easily reconciled. More complex applications, however, often draw input data from multiple sources, perform a variety of complex operations, and produce multiple outputs. These applications demand more intensive through-the-computer testing to provide the auditor with evidence of application integrity.

Question 31

Management is required to provide external auditors with documented evidence of functioning controls related to selected material accounts in a report on control effectiveness. How is this evidence obtained?

Answer 31

The internal audit department documents this evidence.

Question 32

After completing the annual audit for a publicly traded company, an external auditor issues a qualified opinion about the effectiveness of internal controls.
What is the implication of this finding?

Answer 32

“The auditor identified at least one material weakness in internal controls.” The standard for the audit opinion on internal controls is high. The auditor cannot issue an unqualified opinion if one material weakness in internal control is detected.

Question 33

Which controls do organizations use to ensure the completeness, accuracy, and validity of financial transactions?

Answer 33

Application controls

Question 34

What is programmed into a network-level firewall to accept or deny access requests?

Answer 34

Filtering rules