Auditing with Technology Flashcards
(17 cards)
Check digits should be placed?
Consistently in any position.
Define General and Application Controls
General Controls have widespread impact on specific applications.
Application Controls affect particular data processing tasks (payroll, disbursements, etc.)
5 Categories of General Controls
- Organization and Operation (SOD)
- Systems Development and Documentation
- Hardware and Software (built-in controls)
- Access
- Data and Procedures
5 Categories of General Controls
- Organization and Operation (SOD)
- Systems Analyst
- Systems Programmer
- Computer Operator
- Data Librarian
- Security Analyst
- Systems Analyst - designs the system
- Systems Programmer - designs the code to run the system
- Computer Operator - actually runs the system
- Data Librarian - custody of programs and data
- Security Analyst - safeguards system (including program and data files)
5 Categories of General Controls
- Hardware and Software (Built-in Controls)
- Built-in
- Parity Check
- Echo Check
- Diagnostic Runs
- Boundary Protection
- Operating System
- Built-in
- Parity Check - Especially related to transmissions of information between system hardware components. A “bit” added to each character so that the loss of any portion of the data might be detected.
- Echo Check - Especially related to transmissions of information over the phone lines. A signal that what was “sent” was, in fact, “received.”
- Diagnostics - That check internal operations of hardware components (usually when booting up the system).
- Boundary Protection - For running multiple jobs concurrently.
- Operating System - Controls and instructions built into the software that runs the hardware.
In building an electronic data interchange (EDI) system, what process is used to determine which elements in the entity’s computer system correspond to the standard data elements?
Mapping
In an EDI system, a standard format is adopted. Mapping is the process by which the elements in the client’s computer system are related to the standard data elements.
Which of the following passwords would be most difficult to crack?
- OrCa!FlSi
- language
- 12 HOU.S.E 24
- pass56word
OrCa!FlSi
Guidelines for choosing a “secure” password include the following:
- the password should be at least seven characters in length;
- the password should include special characters, such as punctuation marks or symbols;
- the password should be a mixture of uppercase and lowercase letters;
- the password should be unique.
12 HOU.S.E 24 is incorrect because the password includes blank spaces. It also includes a recognizable word and does not follow at least two of the guidelines.
Which of the following are essential elements of the audit trail in an electronic data interchange (EDI) system?
- Network and sender/recipient acknowledgments.
- Message directories and header segments.
- Contingency and disaster recovery plans.
- Trading partner security and mailbox codes.
Network and sender/recipient acknowledgments.
Network and sender/recipient acknowledgments document the trail of accounting data (and transactions) through the system. In doing so, they serve as essential elements of the audit trail in an EDI system.
Test Data Approach when testing a computerized accounting system.
A set of dummy transactions is developed by the auditor and processed by the client’s computer programs to determine whether the controls which the auditor intends to test (not necessarily all controls) to restrict control risk are operating effectively. Some of these dummy transactions may include errors to test the effectiveness of programmed controls and to determine how transactions are handled (e.g., time tickets with invalid job numbers). When using test data, each control generally need only be tested once. Several possible problems include:
- Making certain the test data is not included in the client’s accounting records.
- Determining that the program tested is actually used by the client to process data.
- Adequately developing test data for every possible control.
- Developing adequate data to test key controls may be extremely time-consuming.
Embedded Audit Modules
Embedded audit modules continuously monitor transaction activity and collect data on auditor-designated transactions. They must be inserted into the client’s system and thus would require that the auditor be involved with the system design of the application to be monitored. This is sometimes viewed as a disadvantage.
Parallel Simulation
Parallel simulation is a computer-assisted auditing technique in which an auditor-written or auditor-controlled program is used to process client data. The results are then compared to those obtained using the client’s program and differences are investigated. This technique enables the auditor to test controls in and processing performed by a client program.
One advantage of using PS is that the size of the sample can be greatly expanded at relatively little additional cost.
Limitations include:
- The time it takes to build an exact duplicate of the client’s system
- Incompatibility between auditor and client software
- Tracing differences between the two sets of outputs to differences in the programs may be difficult
- The time involved in processing large quantities of data
WebTrust
WebTrust is an assurance service developed jointly by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants to facilitate electronic commerce. It provides assurance that a website meets certain standards of business practice.
An auditor may use a “join” command in a database query to combine?
- Queries.
- Attributes from a single table.
- Users so as to allow dual access to several tables.
- Tables or parts of tables.
Tables or parts of tables.
Use of the “join” term is well established in information technology as consisting of the combination of various tables, or portions thereof.
When computer control procedures leave no visible evidence indicating the procedures have been performed, what should the auditor’s approach be?
The auditor should test these controls by reviewing transactions submitted for processing and comparing them with the related output. The objective is to determine that no transactions tested with unacceptable conditions went unreported and without appropriate resolution. This procedure can be undertaken by submitting actual client live data or dummy transactions.
Continuous Testing of Controls within a Computerized System
- Embedded Audit Modules (EAM) and Audit Hooks - requires more involvement of the auditor in the system design.
- Audit Hook is an exit point in an application program that allows an auditor to subsequently add an audit module (or particular instructions) by activating the hook to transfer control to an audit module.
- Systems Control Audit Review Files (SCARF) - generated by an EAM
- Extended Records - attaches additional audit data which would not otherwise be saved to regular historic records and thereby helps to provide a more complete audit trail.
- Transaction Tagging - an identifier providing a transaction with a special designation is added to the transaction record. Allows logging of transactions or snapshot activities.
An audit technique which involves actual analysis of the logic of a computer program’s processing routines is referred to as
- Code review.
- Comparison review.
- Extended records.
- Test data.
Code review.
Code review involves the actual analysis of the logic of a computer program’s processing routines. The primary advantage is that the auditor obtains a detailed understanding of the program.
Which of the following is an advantage of using a value-added network for EDI transactions?
- Making corroborative inquiries.
- Observing the separation of duties of personnel.
- Reviewing transactions submitted for processing and comparing them to related output.
- Reviewing the run manual.
Reviewing transactions submitted for processing and comparing them to related output.
When computer control procedures leave no visible evidence indicating the procedures have been performed, the auditor should test these controls by reviewing transactions submitted for processing and comparing them with the related output. The objective is to determine that no transactions tested with unacceptable conditions went unreported and without appropriate resolution. This procedure can be undertaken by submitting actual client live data or dummy transactions.