Auditing with Technology Flashcards
(34 cards)
What is a primary advantage of using generalized audit software packages to audit the FS of a client that uses a computer system?
Auditor may access info on computer files while having a limited understanding of the client’s hardware and software features. Generalized audit software allows auditor to test client’s data, not the software or hardware.
What can using generalized audit software lead to?
Can lead to increase or decrease in the use of either substantive tests of transactions or analytical procedures. It will not necessarily reduce the level of tests of controls.
When should a test of controls be omitted?
If controls appear adequate, the auditor tests them UNLESS 1 - the costs of testing are expected to exceed the savings in substantive tests or 2 - the controls are redundant to other internal control activities (ex: if the controls duplicate operative controls existing elsewhere in the system).
What does the test data approach do?
It uses a set of dummy transactions developed by the auditor and processed by the client’s computer programs to determine whether the controls which the auditor intends to test to restrict control risk are operating effectively. It tests the procedures contained within the program, NOT the accuracy of input or validity of output (parallel simulation method).
What is parallel simulation?
It allows the auditor to process all client transactions. The electronic nature and speed of computer allows auditors to greatly expand the population at little cost. It tests validity of output more directly.
What is the best approach to extracting evidence in electronic form?
Use generalized audit software to extract evidence from client databases. This is an effective approach for interfacing with and extracting.
What is code review?
Involves actual analysis of the logic of a computer program’s processing routines. The primary advantage is that the auditor obtains a detailed understanding of the program.
What is comparison review?
Code comparison program is used to compare source and or object codes of a controlled copy of a program currently being used to process data.
What are extended records?
Attaches additional audit data which would not otherwise be saved to regular historic records and thereby helps to provide a more complete audit trail.
A technique for continuous or concurrent testing.
What is test data?
It is a set of dummy transactions developed by the auditor and processed by the client’s computer programs to determine whether the controls which the auditor intends to test to restrict control risk are operating effectively using the test data technique.
What is a check digit
A check digit while normally placed at the end of an account number, may be placed consistently in any position in the account when adequate computer programming exists (math calc of the check digit can be performed regardless of placement)
What is the purpose of generalized computer audit package
Can be used for audits of clients that use different computer equipment and file formats. They are a very generalized input output program. They are used to assist the auditor in related tests of controls, but cannot be used as a substitute for the testing.
Auditing by testing input and output of a computer system instead of the program will…
not detect program errors which do not show up in the output sampled. Portions of the program may contain errors which are not reflected in the output. Ex: if a loop in a program is not used in any app, it is not tested and any errors in the loop cannot be detected.
What is a benefit of IT used for internal control?
Enhanced timeliness of info
Not benefits - potential loss of data, recording of unauthorized transactions, processing of unusual or nonrecurring transactions.
What does a join command do?
Combines various tables or parts of tables
In what order are controls usually tested?
Begin by considering general control procedures. Since the effectiveness of specific app controls is often dependent on the existence of effective general controls over all computer activities, this is an efficient approach.
Next auditor would look at programmed, application, or output controls.
What are embedded audit modules?
They are programmed routines incorporated directly into an application program that will help auditors perform audit functions such as calculations and to allow continuous monitoring.
Parallel simulation and controlled reprocessing are more effective in an environment that does not involve continuous auditing.
What are problems with the use of test data for computer audit purposes
Test data approach - difficult to design test data that incorporates all potential variations in transactions
Test data may be commingled with live data causing operating problems for client
Test data approach - program used to process test data may differ from the one used in actual operations.
What procedures can and cannot be performed using a generalized audit software package?
Can - selecting sample items of inventory, analyzing data from inventory, and recalculating balances in inventory reports
Software cannot observe the inventory.
When would an auditor expect to find an entity that has implemented automated controls to reduce risks of misstatement?
When transactions are high volume and recurring due to nature and volume.
While automated controls can be developed in all cases, it is not as easy to develop if misstatements/errors are difficult to predict or define or when transactions are large, unusual or nonrecurring requiring judgment.
What is destructive updating and what is necessary?
In an online computer system, this is destructive of transaction files. Auditing of the balances in accounts where transactions are periodically destroyed requires a well documented audit trail for the auditor.
What are audit hooks
Describes a method of retaining selected or all transaction files for the auditor. Audit hooks have to be used during the year (prior to the destruction of transaction files to be feasible).
Detection risk vs inherent risk
Inherent risk - can be indicated by environment, the level assessed need not be difficult to determine
Detection - auditors accept a certain level, its level should not be difficult to determine because of irretrievable audit evidence
What is data manipulation language?
Composed of commands used to maintain and query a database, including updating, inserting in, modifying and querying (asking for data).
