Chapter 8 Flashcards

(102 cards)

1
Q

Definition of Hardware and Software?

A

Hardware -
Digital computer and peripheral equipment

Software -
Various programs and routines for operating the system

2
Q

Advantages and disadvantages of IT-Based Systems

A
  • May enhance reliability of financial information
    - Process transactions uniformly
    - Reduce human errors

  • May increase certain risks
    - Program defects may result in all transactions being processed incorrectly
    - Errors/fraud may not be as easily detectable

3
Q

Systems possess one or more of the following elements:

A
  • Batch processing
  • Online capabilities
  • Database storage
  • IT networks
  • End user computing
4
Q

The principal hardware component is known as the (CPU)

A

Central Processing Unit

  • Uses a series of on and off circuits to communicate (binary language)
5
Q

Application software includes programs designed to perform a specific data processing task. True or false?

A

True

6
Q

Describe peripheral devices

A

Devices for inputting information (e.g., input terminals, scanners, electronic cash registers, bar code readers)
Devices for secondary storage (e.g., magnetic tape, magnetic disk, optical disk drives)
Devices for information output (e.g., display terminals, printers)

7
Q

Define batch processing

A

Input data gathered and processed periodically in discrete groups. Often more efficient than other types of systems, but does not always provide up-to-the-minute information.

Example: Accumulate all of a day’s sales transactions and process them as a “batch” at end of day

8
Q

Define IT Networks

A

Computers linked together through telecommunication links that enable computers to communicate information back and forth. Allows distributed data processing - resources, data, and programs shared by a large number of users based on their specifications (LAN and WAN)

9
Q

Disadvantages of Database storage

A

Redundant information stored in several files

Increased storage costs

May cause data inconsistencies due to file discrepancies

10
Q

Describe the three methods used to establish networks

A

Internet – exchange of information through remote locations

Intranet – internet software for use in closed networks

Extranet – intranets that include external business partners

11
Q

Names of two types of Online Systems

A

Online transaction processing (OLTP):

  • Process various types of transactions
  • Individual transactions entered directly from the originators at remote locations

Online analytical processing (OLAP):

  • Enables user to query a system for various analyses

Examples: Data warehouses, decision support systems, expert systems

12
Q

Define End User Computing

A

User departments are responsible for the development and execution of certain IT applications. Involves a decentralized processing system – user department generates and uses its own information.

(non-programmers can create working applications to better integrate themselves into computing environment for problem-solving)

13
Q

Define Electronic Data Interchange (EDI)

A

Enables a company and its customers/suppliers to exchange business data electronically over a private line of communication (more secure than the internet) – must have strong IT controls to ensure privacy (e.g., firewalls, data encryption)

14
Q

More automation reduces potential for human errors and increases potential for systematic errors. True or false?

A

True

15
Q

Is an audit trail necessary in printed form?

A

Not often in printed form, but definitely still necessary.

16
Q

Define an End-user Application

A

Designed with the end user in mind for a specific, custom purpose. NOT a personal computer.

17
Q

IT Responsibilities can be broken down into (there are a ton!)

A

Information Systems Management

Systems Analysis

Application Programming

Database Administration

Data entry

IT Operations

Program and File Librarians

Data control

Telecommunication Specialists

Systems Programming

18
Q

Define Telecommunication Specialists

A

Responsible for maintaining and enhancing IT networks (including monitoring for improper access)

19
Q

Which IT responsibility supervises the operation of the department and reports to the vice president of finance/controller, or serves at the vice president level as CIO reporting directly to the president?

A

Information Systems Management

20
Q

Which IT responsibility reviews and tests all input procedures, monitors processes, reviews exception reports, reprocesses exceptions, and reviews and distributes IT logs (also reviews operator intervention and library usage logs)?

A

Data Control

21
Q

History shows the person responsible for frauds in many situations set up the system and controlled its modifications. True or False?

A

True, so segregation of duties.

  • Programming separate from controlling data entry
  • Computer operator separate from functions having custody or detailed knowledge of programs

22
Q

Define IT Operations

A

Run and monitor central computers, maintain detailed log of all operator intervention (NOTE: vital for IT operations to be separate from programming to prevent unauthorized program changes)

23
Q

Which responsibility is defined as follows: Prepare and verify input data for processing (today, typically done by user departments)

A

Data Entry

24
Q

Which responsibility is responsible for designing the information system?

A

Systems Analysis

25
Organizational controls are NOT effective in mitigating collusion, true or false?
True
26
What is internal auditing in IT interested in?
evaluating the overall efficiency and effectiveness of information systems operations and related controls throughout the company
27
Computer operators ____ (should or should not) have access to programming.
should not
28
Describe Programmed Control Activities
written into programs to ensure accuracy of input and processing
29
Adequate security controls to safeguard hardware, files, and programs against loss, damage, and unauthorized access. True or false?
True. Examples: User ID and password controls – changed and updated for personnel changes regularly with a log of failed access attempts; Data transmission controls to prevent access/changes to transmitted network information – e.g., encryption, private network lines; Physical controls – e.g., employee badges, locks
30
How might one control unauthorized changes to data, introduction of unauthorized data or programs, unauthorized viewing of data, and viruses?
Firewalls, physical control over terminals, password systems, data encryption, antivirus software
31
If use of IT does not significantly impact the audit trail, audit ____ (through/around) the computer
around (manual testing to compare with computer output)
32
How might one control unauthorized access?
Physical Controls/Segregation of Duties
33
How might one control destruction of infrastructure or data?
Segregation of Duties/ program and user controls
34
How might one control Unauthorized changes?
Controls over access, segregation of duties, testing of programs, backup copies
35
If much of the audit trail is electronically embedded, audit ____ (through/around) the computer
Through
36
Define Generalized Audit Software
Computer programs that can be used to test the reliability of the client’s programs and perform other audit procedures digitally. Pretty much automate substantive procedures
37
Define the "Tagging and Tracing Approach"
Auditor inserts an audit module in the client’s application system to identify specific types of transactions. Allows auditors to continuously audit transactions processed by the client, unlike the other two methods which contain irregular testing
38
Auditors processing their own “dummy” test data using the client’s system simultaneously. This approach is known as the
Test Data Approach - 1. Test data should include all relevant conditions that the auditor wants tested. 2. Application programs tested by the auditors’ test data must be the same as those the client used throughout the year. 3. Test data must be eliminated from the client’s records.
39
Sometimes the auditor uses auditor-controlled generalized audit software to perform parallel operations to the client’s software by using the same data files. This is known as the
Parallel Simulation Approach
40
Once auditor has access to client records, can apply substantive procedures to them using generalized audit software to
  • Examine client’s records for overall quality, completeness, and valid conditions
  • Rearrange data and perform analyses
  • Select audit samples
  • Compare data on separate files
  • Compare results of audit procedures with client’s records
41
The auditor’s auditing of the inputs and outputs of the system without verification of the processing of the data is which type of audit technique?
Auditing around the computer
42
Processing fictitious and real data separately through the entity’s IT system is which type of audit technique?
Test Data Method
43
Program written by the auditor to perform a specific task for a particular entity is which type of audit technique?
Custom Audit Software
44
How might audit software be used to observe the physical count or make appropriate test counts?
By determining which items are to be counted from the inventory files
45
How might audit software be used to compare the client's physical count data to inventory records?
By comparing the quantity of each item counted to the quantity on hand in inventory file
46
How might audit software be used to Test the mathematical accuracy of inventory?
By multiplying the inventory quantity by the cost per unit to verify the total cost
47
How might audit software be used to confirm existence located in public warehouses?
By listing said items and printing their confirmations
48
How might audit software be used to test purchase and sales cutoff?
Extract a sample of items for which the date of the purchase is on, or immediately before, date of physical count
49
How might audit software be used to perform a lower-of-cost-or-market test by obtaining a list of current costs per item from vendors?
Compare the current costs per unit to the cost per unit in the inventory file; print out extended value of item, use the lower of the two unit costs, and add extended amounts
50
How might one mitigate destruction of data?
Program and user controls
51
How might one mitigate unauthorized changes?
Controls over access and backup copies
52
How might one mitigate destruction of infrastructure or data?
Physical and user controls
53
How might one mitigate introduction of unauthorized data or programs
firewalls and password systems
54
How might one mitigate unauthorized access to data or programs?
physical controls over terminals and testing of user programs and applications
55
Can firewalls be used to mitigate the risk of viruses in electronic commerce?
Yes
56
Can Controls over Access be used to mitigate the risk of unauthorized changes to computer programs?
Yes
57
Backup copies can be used to mitigate risk of _____
destruction of data
58
Physical controls may be used to mitigate the risk of unauthorized access in computer operations
true
59
The computer operator may also be the librarian without adversely affecting control over a computer system. True or false?
False
60
Programs designed to perform specific data processing tasks are known as application software. True or false?
true
61
A weakness in internal control would exist if the data control group also operated the computer. True or False?
true
62
Data stored on a device with direct access must be stored sequentially. True or false?
False
63
Application control activities include controls over making changes to programs and systems
False. Application control activities include both programmed control activities, which are written into the computer programs, and manual follow-up activities performed on the exception reports that are generated by the system
64
Segregation of duties is not a feasible method to help establish control over computer systems. True or False?
False
65
A limit test is a program control that is used to test the reasonableness of a particular transaction. True or False?
True
66
Back‑up copies of files and records should be filed conveniently with the originals. True or false?
False. Should be filed at a separate location
67
Microcomputers are generally operated by end user personnel. True or false?
true
68
An echo check is an example of a control that is performed by a user. True or false?
false. Echo check is a message acknowledgment technique in which the receiving device sends a message that verifies a transmission back to the sending device.
69
Distributed data processing systems have data communication capabilities. True or false?
true
70
Internal file labels are printed labels that are placed on the inside of a tape container. True or false?
False. For magnetic tapes, internal labels that are machine-readable are used in conjunction with gummed-paper external labels to prevent operators from accidentally processing the wrong file
71
Advanced computer systems do not generally produce audit trails. True or False?
False, advanced computer systems actually make it easier to find the audit trail
72
Using test data is primarily a substantive procedure approach. True or false?
false
73
Elimination of data redundancy is a chief advantage of a database system. True or false?
true
74
Substantive procedures and tests are
Tests of account balances and transactions designed to detect any material misstatements in the financial statements. The nature, timing, and extent of substantive procedures are determined by the auditors' assessment of risks and their consideration of the client's internal control.
75
The objective of the auditor's consideration of internal control is different for a client with a computer system. True or false?
False
76
Distributed data processing by a client requires that an auditor use computer-assisted audit techniques. True or false?
False
77
Generalized computer audit software is used for both substantive procedures and tests of controls. True or false?
True
78
Which of the following is not a characteristic of a batch processed IT system?
  • Data input, followed by machine processing.
  • Posting of a transaction, as it occurs, to several files, without intermediate printouts.
  • Production of numerous printouts.
  • The collection of like transactions which are sorted and processed sequentially against a master file.
Posting of a transaction, as it occurs, to several files, without intermediate printouts.
79
The computer flags any transmission for which the control field value did not match with that of an existing file record. This is an example of a
validity test
80
Define an Integrated Test Facility, a process in which data processed using simulated files provides an auditor with information about the operating effectiveness of controls
An integrated test facility is a subsystem of dummy records and files built into the regular IT-based system. These dummy files permit test data to be processed simultaneously with regular (live) input without adversely affecting the live data files or output.
81
The program analysis technique involves examination of the details of the processing steps for tagged transactions. True or false?
false. Program analysis techniques have been developed that can generate computer-made flowcharts of other programs. A trained auditor can examine the flowcharts to test the logic of application programs and to ensure that the client's program documentation describes the program that is actually being used.
82
Computer programmers have access to input data. Is this compatible with good internal control in an information systems department?
No
83
Which of the following is an example of application control activities in IT systems?
  • Documentation procedures
  • Hardware controls
  • Programmed control activities
  • Controls over access to equipment and data files
programmed control activities
84
Computer programmers have unsupervised access to computer terminals. Is this compatible with good internal control in an information systems department?
No
85
Computer operators have detailed knowledge of computer programs. Is this compatible with good internal control in an information systems department?
No
86
Computer librarians have physical control of program documentation. Is this compatible with good internal control in an information systems department?
Yes
87
Is this considered a test of control? Examination of organization charts to determine whether electronic data processing department responsibilities are properly separated to afford effective control.
No
88
Is this considered a test of control? Examination of the systems manuals to determine whether existing procedures are satisfactory.
No, part of obtaining understanding of computer system
89
Define the EXTRANET
suppliers or business partners, or customers
90
Considered a test of control? Examination of the machine room log book to determine whether control activity information is properly recorded
yes
91
What is the IT process called when data processing is performed concurrently with a particular activity and the results are available soon enough to influence the particular course of action being taken or the decision being made?
Real-Time Processing
92
Computers talking to computers is a part of
e-commerce
93
The auditors may decide not to perform tests of the controls within the computerized portion of the client's internal control. Which of the following would not be a valid reason for choosing to omit such tests?
  • The controls appear adequate.
  • There appear to be major weaknesses in the control system that would preclude reliance on the stated procedures.
  • The controls duplicate operative controls existing elsewhere in the system.
  • The time and dollar costs of testing exceed the time and dollar savings in substantive testing if the tests show the controls operating effectively.
The controls appear adequate.
94
Would the documentation of client’s IT-based system depend on the complexity of system?
Yes, once again they are: narrative, systems flowchart, program flowchart, internal control questionnaires
95
Test of control? Examination of systems flowcharts to determine whether they reflect the current status of the system
No
96
When testing IT controls, always consider unauthorized access and equipment failure as high-risk areas. True or false?
True
97
What are risks to Hardware and Data?
1. Too much reliance on hardware and software 2. Unauthorized access 3. Data loss 4. Systematic vs Random errors (glitches)
98
Is the Data administrator also responsible for integrity of the data?
Yes
99
CPU is key hardware component. Brain of the computer. True or false?
true
100
The main purpose of input validation is
to test if something was correctly input.
101
Auditors start with testing general controls because their effectiveness directly impacts application control effectiveness. True or false?
True
102
An IT specialist is more likely needed in which steps of the audit process?
Step 1 – Consider IT system in planning | Step 2 – Obtain an understanding of the client’s IT environment