Chapter 8 Flashcards Preview

Flashcards in Chapter 8 Deck (102):
1

Definition of Hardware and Software?

Hardware -
Digital computer and peripheral equipment

Software -
Various programs and routines for operating the system

2

Advantages and disadvantages of IT-Based Systems

May enhance reliability of financial information
- Process transactions uniformly
- Reduce human errors

May increase certain risks
Program defects may result in all transactions being processed incorrectly
Errors/fraud may not be as easily detectable

3

Systems possess one or more of the following elements:

-Batch processing
-Online capabilities
-Database storage
-IT networks
-End user computing

4

The principal hardware component is known as the (CPU)

Central Processing Unit



- Uses a series of on and off circuits to communicate (binary language)

5

Application software includes programs designed to perform a specific data processing task. True or false?

True

6

Describe peripheral devices

Devices for inputting information (e.g., input terminals, scanners, electronic cash registers, bar code readers)
Devices for secondary storage (e.g., magnetic tape, magnetic disk, optical disk drives)
Devices for information output (e.g., display terminals, printers)

7

Define batch processing

Input data is gathered and processed periodically in discrete groups. Often more efficient than other types of systems, but does not always provide up-to-the-minute information.

Example: Accumulate all of a day’s sales transactions and process them as a “batch” at end of day





8

Define IT Networks

Computers linked together through telecommunication links that enable computers to communicate information back and forth. Allows distributed data processing - resources, data, and programs shared by a large number of users based on their specifications (LAN and WAN)

9

Disadvantages of Database storage

Redundant information stored in several files

Increased storage costs

May cause data inconsistencies due to file discrepancies

10

Describe the three methods used to establish networks

Internet – exchange of information through remote locations

Intranet – internet software for use in closed networks

Extranet – intranets that include external business partners

11

Names of two types of Online Systems

Online transaction processing (OLTP):
-Process various types of transactions
-Individual transactions entered directly from the originators at remote locations

Online analytical processing (OLAP)
-Enables user to query a system for various analyses

Examples: Data warehouses, decision support systems, expert systems

12

Define End User Computing

User departments are responsible for the development and execution of certain IT applications. Involves a decentralized processing system – user department generates and uses its own information.

(non-programmers can create working applications to better integrate themselves into computing environment for problem-solving)

13

Define Electronic Data Interchange (EDI)

Enables a company and its customers/suppliers to exchange business data electronically over a private line of communication (more secure than the internet) – must have strong IT controls to ensure privacy (e.g., firewalls, data encryption)

14

More automation reduces potential for human errors and increases potential for systematic errors. True or false?

True

15

Is audit trail necessary in printed form?

Not often in printed form, but definitely still necessary.

16

Define an End-user Application

designed with end user in mind for a specific, custom purpose. NOT a personal computer.

17

IT Responsibilities can be broken down into (there are a ton!)

Information systems Management

Systems Analysis

Application Programming

Database Administration

Data entry

IT Operations

Program and File Librarians

Data control

Telecommunication Specialists

systems Programming

18

Define Telecommunication Specialists

Responsible for maintaining and enhancing IT networks (including monitoring for improper access)

19

Which IT responsibility supervises the operation of the department and reports to the vice president of finance/controller, or serves at the vice president level as CIO reporting directly to the president?

Information Systems Management

20

Which IT responsibility reviews and tests all input procedures, monitors processes, reviews exception reports, reprocesses exceptions, and reviews and distributes IT logs (also reviews operator intervention and library usage logs)?

Data Control

21

History shows the person responsible for frauds in many situations set up the system and controlled its modifications. True or False?

True, so segregation of duties.

 Programming separate from controlling data entry
 Computer operator from functions having custody or detailed knowledge of programs

22

Define IT Operations

Run and monitor central computers, maintain detailed log of all operator intervention (NOTE: vital for IT operations to be separate from programming to prevent unauthorized program changes)

23

Which responsibility is defined as follows: Prepare and verify input data for processing (today, typically done by user departments)

Data Entry

24

Which responsibility is responsible for designing the information system?

Systems Analysis

25

Organizational controls are NOT effective in mitigating collusion. True or false?

True

26

What is internal auditing in IT interested in?

evaluating the overall efficiency and effectiveness of information systems operations and related controls throughout the company

27

Computer operators ____ (should or should not) have access to programming.

should not

28

Describe Programmed Control Activities

written into programs to ensure accuracy of input and processing

29

Adequate security controls to safeguard hardware, files, and programs against loss, damage, and unauthorized access. True or false?

True

Examples: User ID and password controls – changed and updated for personnel changes regularly with a log of failed access attempts; Data transmission controls to prevent access/changes to transmitted network information – e.g., encryption, private network lines; Physical controls – e.g., employee badges, locks

30

How might one control unauthorized changes to data, introduction of unauthorized data or programs, unauthorized viewing of data, and viruses?

Firewalls, physical control over terminals, password systems, data encryption, antivirus software

31

If use of IT does not significantly impact the audit trail, audit ____ (through/around) the computer

around (manual testing to compare with computer output)

32

How might one control unauthorized access?

Physical Controls/Segregation of Duties

33

How might one control destruction of infrastructure or data?

Segregation of Duties/ program and user controls

34

How might one control Unauthorized changes?

Controls over access, segregation of duties, testing of programs, backup copies

35

If much of the audit trail is electronically embedded, audit ____ (through/around) the computer

Through

36

Define a Generalized Audit Software

Computer programs that can be used to test the reliability of the client’s programs and perform other audit procedures digitally. They pretty much automate substantive procedures.

37

Define the "Tagging and Tracing Approach"

Auditor inserts an audit module in the client’s application system to identify specific types of transactions. Allows auditors to continuously audit transactions processed by the client, unlike the other two methods which contain irregular testing

38

Auditors processing their own “dummy” test data using the client’s system simultaneously. This approach is known as the

Test Data Approach -

1. Test data should include all relevant conditions that the auditor wants tested.

2. Application programs tested by the auditors’ test data must be the same as those the client used throughout the year.

3. Test data must be eliminated from the client’s records.



39

Sometimes the auditor uses auditor-controlled generalized audit software to perform parallel operations to the client’s software by using the same data files. This is known as the

Parallel Simulation Approach

40

Once auditor has access to client records, can apply substantive procedures to them using generalized audit software to

-Examine client’s records for overall quality, completeness, and valid conditions
-Rearrange data and perform analyses
-Select audit samples
-Compare data on separate files
-Compare results of audit procedures with client’s records

41

The auditor’s auditing of the inputs and outputs of the system without verification of the processing of the data is which type of audit technique?

Auditing around the computer

42

Processing fictitious and real data separately through the entity’s IT system is which type of audit technique?

Test Data Method

43


Program written by the auditor to perform a specific task for a particular entity is which type of audit technique?

Custom Audit Software

44

How might audit software be used to observe the physical count or make appropriate test counts?

By determining which items are to be counted from the inventory files

45

How might audit software be used to compare the client's physical count data to inventory records?

By comparing the quantity of each item counted to the quantity on hand in inventory file

46

How might audit software be used to Test the mathematical accuracy of inventory?

By multiplying the inventory quantity by the cost per unit to verify the total cost

47

How might audit software be used to confirm the existence of items located in public warehouses?

By listing said items and printing their confirmations

48

How might audit software be used to test purchase and sales cutoff?

Extract a sample of items for which the date of the purchase is on, or immediately before, date of physical count

49

How might audit software be used to perform a lower-of-cost-or-market test by obtaining a list of current costs per item from vendors?

Compare the current costs per unit to the cost per unit in the inventory file; print out the extended value of each item, use the lower of the two unit costs, and add the extended amounts

50

How might one mitigate destruction of data?

Program and user controls

51

How might one mitigate unauthorized changes?

Controls over access and backup companies

52

How might one mitigate destruction of infrastructure or data?

Physical and user controls

53

How might one mitigate introduction of unauthorized data or programs

firewalls and password systems

54

How might one mitigate unauthorized access to data or programs?

physical controls over terminals and testing of user programs and applications

55

Can firewalls be used to mitigate the risk of viruses in electronic commerce?

Yes

56

Can Controls over Access be used to mitigate the risk of unauthorized changes to computer programs?

Yes

57

Backup copies can be used to mitigate risk of _____

destruction of data

58

Physical controls may be used to mitigate the risk of unauthorized access in computer operations

true

59

The computer operator may also be the librarian without adversely affecting control over a computer system. True or false?

False

60

Programs designed to perform specific data processing tasks are known as application software. True or false?

true

61

A weakness in internal control would exist if the data control group also operated the computer. True or false?

true

62

Data stored on a device with direct access must be stored sequentially. True or false?

False

63

Application control activities include controls over making changes to programs and systems

False. Application control activities include both programmed control activities, which are written into the computer programs, and manual follow-up activities performed on the exception reports that are generated by the system

64

Segregation of duties is not a feasible method to help establish control over computer systems. True or False?

False

65

A limit test is a program control that is used to test the reasonableness of a particular transaction. True or False?

True

66

Back‑up copies of files and records should be filed conveniently with the originals. True or false?

False. Should be filed at a separate location

67

Microcomputers are generally operated by end user personnel. True or false?

true

68

An echo check is an example of a control that is performed by a user. True or false?

False. An echo check is a message acknowledgment technique in which the receiving device sends a message that verifies a transmission back to the sending device.

69

Distributed data processing systems have data communication capabilities. True or false?

true

70

Internal file labels are printed labels that are placed on the inside of a tape container. True or false?

False. For magnetic tapes, internal labels that are machine-readable are used in conjunction with gummed-paper external labels to prevent operators from accidentally processing the wrong file

71

Advanced computer systems do not generally produce audit trails. True or False?

False, advanced computer systems actually make it easier to find audit trail

72


Using test data is primarily a substantive procedure approach. True or false?

false

73

Elimination of data redundancy is a chief advantage of a database system. True or false?

true

74

Substantive procedures and tests are

Tests of account balances and transactions designed to detect any material misstatements in the financial statements. The nature, timing, and extent of substantive procedures are determined by the auditors' assessment of risks and their consideration of the client's internal control.

75

The objective of the auditor's consideration of internal control is different for a client with a computer system. True or false?

False

76


Distributed data processing by a client requires that an auditor use computer-assisted audit techniques. True or false?

False

77

Generalized computer audit software is used for both substantive procedures and tests of controls. True or false?

True

78

Which of the following is not a characteristic of a batch processed IT system?

Data input, followed by machine processing.
correct

Posting of a transaction, as it occurs, to several files, without intermediate printouts.

Production of numerous printouts.

The collection of like transactions which are sorted and processed sequentially against a master file.

Posting of a transaction, as it occurs, to several files, without intermediate printouts.

79

The computer flags any transmission for which the control field value did not match with that of an existing file record. This is an example of a

validity test

80

Define an Integrated Test Facility, in which processing data using simulated files provides an auditor with information about the operating effectiveness of controls

An integrated test facility is a subsystem of dummy records and files built into the regular IT-based system. These dummy files permit test data to be processed simultaneously with regular (live) input without adversely affecting the live data files or output.

81

The program analysis technique involves examination of the details of the processing steps for tagged transactions. True or false?

false. Program analysis techniques have been developed that can generate computer-made flowcharts of other programs. A trained auditor can examine the flowcharts to test the logic of application programs and to ensure that the client's program documentation describes the program that is actually being used.

82

Computer programmers have access to input data.

Is this compatible with good internal control in an information systems department?

No

83

Which of the following is an example of application control activities in IT systems?

Documentation procedures

hardware controls

programmed control activities

controls over access to equipment and data files

programmed control activities

84

Computer programmers have unsupervised access to computer terminals.

Is this compatible with good internal control in an information systems department?

No

85

Computer operators have detailed knowledge of computer programs.
Is this compatible with good internal control in an information systems department?

No

86

Computer librarians have physical control of program documentation. Is this compatible with good internal control in an information systems department?

Yes

87

Is this considered a test of control?

Examination of organization charts to determine whether electronic data processing department responsibilities are properly separated to afford effective control.

No

88

Is this considered a test of control?

Examination of the systems manuals to determine whether existing procedures are satisfactory.

No, part of obtaining understanding of computer system

89

Define the EXTRANET

suppliers or business partners, or customers

90

Considered a test of control?

Examination of the machine room log book to determine whether control activity information is properly recorded

yes

91

What is the IT process called when data processing is performed concurrently with a particular activity and the results are available soon enough to influence the particular course of action being taken or the decision being made?

Real-Time Processing

92

Computers talking to computers is a part of

e-commerce

93

The auditors may decide not to perform tests of the controls within the computerized portion of the client's internal control. Which of the following would not be a valid reason for choosing to omit such tests?

The controls appear adequate.

There appear to be major weaknesses in the control system that would preclude reliance on the stated procedures.

The controls duplicate operative controls existing elsewhere in the system.

The time and dollar costs of testing exceed the time and dollar savings in substantive testing if the tests show the controls operating effectively

The controls appear adequate.

94

Would the documentation of client’s IT-based system depend on the complexity of system?

Yes, once again they are

Narrative
Systems flowchart
Program flowchart
Internal control questionnaires


95

Test of control?

Examination of systems flowcharts to determine whether they reflect the current status of the system

No

96

When testing IT controls, always consider unauthorized access and equipment failure as high-risk areas.
True or false?

True

97

What are risks to Hardware and Data?

1. Too much reliance on hardware and software
2. Unauthorized access
3. Data loss
4. Systematic vs Random errors (glitches)

98

Is the Data administrator also responsible for integrity of the data?

Yes

99

CPU is key hardware component. Brain of the computer. True or false?

true

100

The main purpose of input validation is

to test if something was correctly input.

101

Auditors start with testing general controls because their effectiveness directly impacts application control effectiveness. True or false?

True

102

An IT specialist is more likely needed in which steps of the audit process?

Step 1 – Consider IT system in planning
Step 2 – Obtain an understanding of the client’s IT environment