Chapter 8 Flashcards Preview


Flashcards in Chapter 8 Deck (102):

Definition of Hardware and Software?

Hardware -
Digital computer and peripheral equipment

Software -
Various programs and routines for operating the system


Advantages and disadvantages of IT-Based Systems

May enhance reliability of financial information
- Process transactions uniformly
- Reduce human errors

May increase certain risks
- Program defects may result in all transactions being processed incorrectly
- Errors/fraud may not be as easily detectable


Systems possess one or more of the following elements:

-Batch processing
-Online capabilities
-Database storage
-IT networks
-End user computing


The principal hardware component is known as the (CPU)

Central Processing Unit

- Uses a series of on and off circuits to communicate (binary language)


Application software includes programs designed to perform a specific data processing task. True or false?



Describe peripheral devices

Devices for inputting information (e.g., input terminals, scanners, electronic cash registers, bar code readers)
Devices for secondary storage (e.g., magnetic tape, magnetic disk, optical disk drives)
Devices for information output (e.g., display terminals, printers)


Define batch processing

Input data gathered and processed periodically in discrete groups. Often more efficient than other types of systems, but do not always provide up-to-minute information.

Example: Accumulate all of a day’s sales transactions and process them as a “batch” at end of day


Define IT Networks

Computers linked together through telecommunication links that enable computers to communicate information back and forth. Allows distributed data processing - resources, data, and programs shared by a large number of users based on their specifications (LAN and WAN)


Disadvantages of Database storage

Redundant information stored in several files

Increased storage costs

May cause data inconsistencies due to file discrepancies


Describe the three methods used to establish networks

Internet – exchange of information through remote locations

Intranet – internet software for use in closed networks

Extranet – intranets that include external business partners


Names of two types of Online Systems

Online transaction processing (OLTP):
-Process various types of transactions
-Individual transactions entered directly from the originators at remote locations

Online analytical processing (OLAP)
-Enables user to query a system for various analyses

Examples: Data warehouses, decision support systems, expert systems


Define End User Computing

User departments are responsible for the development and execution of certain IT applications. Involves a decentralized processing system – user department generates and uses its own information.

(non-programmers can create working applications to better integrate themselves into computing environment for problem-solving)


Define Electronic Data Interchange (EDI)

Enables a company and its customers/suppliers to exchange business data electronically over a private line of communication (more secure than the internet) – must have strong IT controls to ensure privacy (e.g., firewalls, data encryption)


More automation reduces potential for human errors and increases potential for systematic errors. True or false?



Is audit trail necessary in printed form?

Not often in printed form, but definitely still necessary.


Define an End-user Application

designed with end user in mind for a specific, custom purpose. NOT a personal computer.


IT Responsibilities can be broken down into (there are a ton!)

Information Systems Management

Systems Analysis

Application Programming

Database Administration

Data entry

IT Operations

Program and File Librarians

Data control

Telecommunication Specialists

Systems Programming


Define Telecommunication Specialists

Responsible for maintaining and enhancing IT networks (including monitoring for improper access)


Which IT responsibility supervises the operation of the department and reports to the vice president of finance/controller, or serves at the vice president level as CIO reporting directly to the president?

Information Systems Management


Which IT responsibility reviews and tests all input procedures, monitors processes, reviews exception reports, reprocesses exceptions, and reviews and distributes IT logs (also reviews operator intervention and library usage logs)?

Data Control


History shows the person responsible for frauds in many situations set up the system and controlled its modifications. True or False?

True, so segregation of duties.

- Programming separate from controlling data entry
- Computer operator from functions having custody or detailed knowledge of programs


Define IT Operations

Run and monitor central computers, maintain detailed log of all operator intervention (NOTE: vital for IT operations to be separate from programming to prevent unauthorized program changes)


Which responsibility is defined as follows: Prepare and verify input data for processing (today, typically done by user departments)

Data Entry


Which responsibility is responsible for designing the information system?

Systems Analysis


Organizational controls are NOT effective in mitigating collusion, true or false?



What is internal auditing in IT interested in?

evaluating the overall efficiency and effectiveness of information systems operations and related controls throughout the company


Computer operators ____ (should or should not) have access to programming.

should not


Describe Programmed Control Activities

written into programs to ensure accuracy of input and processing


Adequate security controls to safeguard hardware, files, and programs against loss, damage, and unauthorized access. True or false?


Examples: User ID and password controls – changed and updated for personnel changes regularly with a log of failed access attempts; Data transmission controls to prevent access/changes to transmitted network information – e.g., encryption, private network lines; Physical controls – e.g., employee badges, locks


How might one control unauthorized changes to data, introduction of unauthorized data or programs, unauthorized viewing of data, and viruses?

Firewalls, physical control over terminals, password systems, data encryption, antivirus software


If use of IT does not significantly impact audit trail, audit ____ (through/around) the computer

around (manual testing to compare with computer output)


How might one control unauthorized access?

Physical Controls/Segregation of Duties


How might one control destruction of infrastructure or data?

Segregation of Duties/ program and user controls


How might one control Unauthorized changes?

Controls over access, segregation of duties, testing of programs, backup copies


If much of audit trail is electronically embedded, audit ____ (through/around) the computer



Define a Generalized Audit Software

programs are computer programs that can be used to test reliability of client’s programs and perform other audit procedures digitally. Pretty much automate substantive procedures


Define the "Tagging and Tracing Approach"

Auditor inserts an audit module in the client’s application system to identify specific types of transactions. Allows auditors to continuously audit transactions processed by the client, unlike the other two methods which contain irregular testing


Auditors processing their own “dummy” test data using the client’s system simultaneously. This approach is known as the

Test Data Approach -

1. Test data should include all relevant conditions that the auditor wants tested.

2. Application programs tested by the auditors’ test data must be the same as those the client used throughout the year.

3. Test data must be eliminated from the client’s records.


Sometimes the auditor uses auditor-controlled generalized audit software to perform parallel operations to the client’s software by using the same data files. This is known as the

Parallel Simulation Approach


Once auditor has access to client records, can apply substantive procedures to them using generalized audit software to

-Examine client’s records for overall quality, completeness, and valid conditions
-Rearrange data and perform analyses
-Select audit samples
-Compare data on separate files
-Compare results of audit procedures with client’s records


The auditor’s auditing of the inputs and outputs of the system without verification of the processing of the data is which type of audit technique?

Auditing around the computer


Processing fictitious and real data separately through the entity’s IT system is which type of audit technique?

Test Data Method


Program written by the auditor to perform a specific task for a particular entity is which type of audit technique?

Custom Audit Software


How might audit software be used to observe the physical count or make appropriate test counts?

By determining which items are to be counted from the inventory files


How might audit software be used to compare the client's physical count data to inventory records?

By comparing the quantity of each item counted to the quantity on hand in inventory file


How might audit software be used to Test the mathematical accuracy of inventory?

By multiplying the inventory quantity by the cost per unit to verify the total cost


How might audit software be used to confirm existence located in public warehouses?

By listing said items and printing their confirmations


How might audit software be used to test purchase and sales cutoff?

Extract a sample of items for which the date of the purchase is on, or immediately before, date of physical count


How might audit software be used to perform a lower-cost-or-market test by obtaining a list of current costs per item from vendors

Compare the current costs per unit to the cost per unit in the inventory file; print out extended value of item, use the lower of the two unit costs, and add extended amounts


How might one mitigate destruction of data?

Program and user controls


How might one mitigate unauthorized changes?

Controls over access and backup companies


How might one mitigate destruction of infrastructure or data?

Physical and user controls


How might one mitigate introduction of unauthorized data or programs

firewalls and password systems


How might one mitigate unauthorized access to data or programs?

physical controls over terminals and testing of user programs and applications


Can firewalls be used to mitigate the risk of viruses in electronic commerce?



Can Controls over Access be used to mitigate the risk of unauthorized changes to computer programs?



Backup copies can be used to mitigate risk of _____

destruction of data


Physical controls may be used to mitigate the risk of unauthorized access in computer operations



The computer operator may also be the librarian without adversely affecting control over a computer system. True or false?



Programs designed to perform specific data processing tasks are known as application software. True or false?



A weakness in internal control would exist if the data control group also operated the computer. True or False?



Data stored on a device with direct access must be stored sequentially. True or false?



Application control activities include controls over making changes to programs and systems

False. Application control activities include both programmed control activities, which are written into the computer programs, and manual follow-up activities performed on the exception reports that are generated by the system


Segregation of duties is not a feasible method to help establish control over computer systems. True or False?



A limit test is a program control that is used to test the reasonableness of a particular transaction. True or False?



Back‑up copies of files and records should be filed conveniently with the originals. True or false?

False. Should be filed at a separate location


Microcomputers are generally operated by end user personnel. True or false?



An echo check is an example of a control that is performed by a user. True or false?

False. An echo check is a message acknowledgment technique in which the receiving device sends a message that verifies a transmission back to the sending device.


Distributed data processing systems have data communication capabilities. True or false?



Internal file labels are printed labels that are placed on the inside of a tape container. True or false?

False. For magnetic tapes, internal labels that are machine-readable are used in conjunction with gummed-paper external labels to prevent operators from accidentally processing the wrong file


Advanced computer systems do not generally produce audit trails. True or False?

False, advanced computer systems actually make it easier to find audit trail


Using test data is primarily a substantive procedure approach. True or false?



Elimination of data redundancy is a chief advantage of a database system. True or false?



Substantive procedures and tests are

Tests of account balances and transactions designed to detect any material misstatements in the financial statements. The nature, timing, and extent of substantive procedures are determined by the auditors' assessment of risks and their consideration of the client's internal control.


The objective of the auditor's consideration of internal control is different for a client with a computer system. True or false?



Distributed data processing by a client requires that an auditor use computer-assisted audit techniques. True or false?



Generalized computer audit software is used for both substantive procedures and tests of controls. True or false?



Which of the following is not a characteristic of a batch processed IT system?

Data input, followed by machine processing.

Posting of a transaction, as it occurs, to several files, without intermediate printouts.

Production of numerous printouts.

The collection of like transactions which are sorted and processed sequentially against a master file.

Posting of a transaction, as it occurs, to several files, without intermediate printouts.


The computer flags any transmission for which the control field value did not match with that of an existing file record. This is an example of a

validity test


Define an Integrated Test Facility, a process in which data processed using simulated files provides an auditor with information about the operating effectiveness of controls

An integrated test facility is a subsystem of dummy records and files built into the regular IT-based system. These dummy files permit test data to be processed simultaneously with regular (live) input without adversely affecting the live data files or output.


The program analysis technique involves examination of the details of the processing steps for tagged transactions. True or false?

False. Program analysis techniques have been developed that can generate computer-made flowcharts of other programs. A trained auditor can examine the flowcharts to test the logic of application programs and to ensure that the client's program documentation describes the program that is actually being used.


Computer programmers have access to input data.

Is this compatible with good internal control in an information systems department?



Which of the following is an example of application control activities in IT systems?

Documentation procedures

hardware controls

programmed control activities

controls over access to equipment and data files

programmed control activities


Computer programmers have unsupervised access to computer terminals.

Is this compatible with good internal control in an information systems department?



Computer operators have detailed knowledge of computer programs.
Is this compatible with good internal control in an information systems department?



Computer librarians have physical control of program documentation. Is this compatible with good internal control in an information systems department?



Is this considered a test of control?

Examination of organization charts to determine whether electronic data processing department responsibilities are properly separated to afford effective control.



Is this considered a test of control?

Examination of the systems manuals to determine whether existing procedures are satisfactory.

No, part of obtaining understanding of computer system


Define the EXTRANET

suppliers or business partners, or customers


Considered a test of control?

Examination of the machine room log book to determine whether control activity information is properly recorded



What is the IT process called when data processing is performed concurrently with a particular activity and the results are available soon enough to influence the particular course of action being taken or the decision being made?

Real-Time Processing


Computers talking to computers is a part of



The auditors may decide not to perform tests of the controls within the computerized portion of the client's internal control. Which of the following would not be a valid reason for choosing to omit such tests?

The controls appear adequate.

There appear to be major weaknesses in the control system that would preclude reliance on the stated procedures.

The controls duplicate operative controls existing elsewhere in the system.

The time and dollar costs of testing exceed the time and dollar savings in substantive testing if the tests show the controls operating effectively

The controls appear adequate.


Would the documentation of client’s IT-based system depend on the complexity of system?

Yes, once again they are

Systems flowchart
Program flowchart
Internal control questionnaires


Test of control?

Examination of systems flowcharts to determine whether they reflect the current status of the system



When testing IT controls, always consider unauthorized access and equipment failure as high-risk areas.
True or false?



What are risks to Hardware and Data?

1. Reliance too much on hardware and software
2. Unauthorized access
3. Data loss
4. Systematic vs Random errors (glitches)


Is the Data administrator also responsible for integrity of the data?



CPU is key hardware component. Brain of the computer. True or false?



The main purpose of input validation is

to test if something was correctly input.


Auditors start with testing general controls because their effectiveness directly impacts application control effectiveness. True or false?



An IT specialist is more likely needed in which steps of the audit process?

Step 1 – Consider IT system in planning
Step 2 – Obtain an understanding of the client’s IT environment