Unit 6 - Module 12 Flashcards

1
Q

Under Section 404 of Sarbanes Oxley, management is required to provide an annual report addressing the following points:

A

Describe the flow of transactions, including IT aspects, in sufficient detail to identify points at which a misstatement could arise.

Using a risk-based approach, assess both the design and operating effectiveness of selected internal controls related to material accounts.

Assess the potential for fraud in the system and evaluate the controls designed to prevent or detect fraud.

Evaluate and conclude on the adequacy of controls over the financial statement reporting process.

Evaluate entity-wide (general) controls that correspond to COSO internal control framework.

2
Q

general computer controls

A

Specific activities performed by persons or systems designed to ensure that business objectives are met.

3
Q

information technology controls

A

Include controls over IT governance, IT infrastructure, security, and access to operating systems and databases, application acquisition and development, and program changes.

4
Q

Information Technology Control Relationship

A
5
Q

The General Model for Accounting Information Systems

A
6
Q

Program fraud

A

Techniques such as creating illegal programs that can access data files to alter, delete, or insert values into accounting records; destroying or corrupting a program’s logic using a computer virus; or altering program logic to cause the application to process data incorrectly.

7
Q

Operations fraud

A

Misuse or theft of the firm’s computer resources.

8
Q

Database management fraud

A

Altering, deleting, corrupting, destroying, or stealing an organization’s data.

9
Q

scavenging

A

Searching through the trash of the computer center for discarded output.

10
Q

eavesdropping

A

Listening to output transmissions over telecommunications lines.

11
Q

Organizational Chart of a Centralized Information Technology Function

A
12
Q

Tests of controls include

counting cash.
completing questionnaires.
counting inventory.
confirming accounts receivable.
A

completing questionnaires.

The correct answer is “completing questionnaires.” Tests of controls include completing questionnaires. The Sarbanes-Oxley Act requires that management certify that the financial statements are correct. To ensure that the financial statements are, in fact, correct, accounting processes and information systems will be built with checks, balances and controls. Auditors will use questionnaires to guide their approach to testing the controls in the system. Questions include topics such as “Is fraud awareness training carried out?” and “Do particularly critical or sensitive activities require two levels of authority?”

13
Q

Control risk is

  • the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts.
  • associated with the unique characteristics of the business or industry of the client.
  • the probability that the auditor will render an unqualified opinion on financial statements that are materially misstated.
  • the risk that errors not detected or prevented by the control structure will also not be detected by the auditor.
A

the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts.

The correct answer is “the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts.” Control risk is the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts. Auditors assess the level of control risk by performing tests of internal controls. An auditor could create test transactions, including some with incorrect total values, which are processed by the application in a test run. The results of the test will indicate that price extension errors are not detected and are being incorrectly posted to the AR file.

14
Q

Which is the most critical segregation of duties in the centralized IT function?

data preparation from data control
data control from data librarian
data operations from data librarian
systems development from computer operations
A

systems development from computer operations

The correct answer is “systems development from computer operations.” The most critical segregation of duties in the centralized IT function is that of systems development from computer operations. Access to the data center must be very carefully controlled to comply with SOX. This includes both physical and electronic access. Once the system is turned over to operations, developers lose their access to the live system. Should an error occur, the developers will diagnose the error in their development copy or in a test system. When the error is corrected, the update will be turned over to operations for installation.

15
Q

Segregation of duties in the computer-based information system includes

performing independent verifications by the computer operator.
separating the programmer from the computer operator.
preventing management override.
separating the inventory process from the billing process.
A

separating the programmer from the computer operator.

16
Q

Systems development is separated from data processing activities because failure to do so

-results in master files being inadvertently erased.
-weakens database access security.
-allows programmers access to make unauthorized changes to applications during execution.
-results in inadequate documentation.

A

allows programmers access to make unauthorized changes to applications during execution.

The correct answer is “allows programmers access to make unauthorized changes to applications during execution.” Systems development is separated from data processing activities because failure to do so allows programmers access to make unauthorized changes to applications during execution. Consolidating these functions invites fraud. With detailed knowledge of an application’s logic and control parameters along with access to the computer operations, an individual could make unauthorized changes to application logic during program execution. Such changes may be temporary (in real-time) and will disappear with little or no trace when the application terminates.