General Computer Controls Flashcards

Question

List the advantages of a purchased system

Answer 1

1. Immediate installation 2. Pre-determined costs, often cheaper 3. Criteria reviewed at demonstration before buying therefore reduce risk 4. Usually de-bugged and error-free 5. Documentation sold with package 6. Supplier usually offer training 7. Supplier support 8. Continual upgrade with new version at reasonable cost

Answer 2

1. Not tailor-made to requirements 2. Pre-written and not adaptable for changes 3. Processing speed and storage space not always sufficient 4. Written to supplier standards 5. Often overseas, not cater for SA requirements 6. Manual often inadequate and low quality

Answer 3

1. Plan 2. Prepare for conversion 3. Control by data control group 4. Testing after conversion 5. System documentation updated 6. Back up new system/files 7. Post implementation review

Answer 4

1. Date and time schedules prepared 2. Cut-off point determined 3. Conversion method defined

Answer 5

1. Preparation of standing data files on the new system 2. Balancing files on the old system 3. Training staff 4. Prepare premises 5. Authorization of data to be transferred

Answer 6

1. Balancing of files on new with balances in old - control totals 2. Print-out of converted data and compare with source data/report from the old system 3. Follow up items on exception reports 4. Approval by users

Answer 7

1. Approval documents 2. Application documents, including course codes 3. File documentation, including file layouts 4. Operation documentation (instruction/ manuals) 5. Documentation concerning testing 6. Approval at various stages

Answer 8

1. Record investigation, development, design and approval 2. Provide basis of communication between systems analysts and Programmers 3. As processing manual 4. Source references 5. For review and change to system 6. Staff training 7. Basis of evaluation of internal controls

Answer 9

1. Project authorization 2. Project management 3. Determine user needs 4. Purchase of hardware and software 5. Standards in respect of system development and programming 6. System specification and programming 7. Testing of system 8. Approval 9. Training 10. System documentation 11. Back ups 12. Conversion 13. Post implementation review 14. Long term plan

Answer 10

1. System development plan 2. Steering committee conduct feasibility study and define selection criteria 3. Result from requests by users and management 4. Feasibility study 5. Authorization after analyzing user needs and performing proper system analysis 6. System specification should be developed regardless of any specific technology hardware which may be available 7. Project authorized before commencement by computer steering committee

Answer 11

1. Project team made up of management and user computer staff 2. Development in stages 3. Functions of the system analysis and programmers are to be defined 4. Deadlines and time schedules must be prepared for each task and stages of the project 5. Formal plan of action and development

Answer 12

1. Changes to a system after implementation to correct errors or meet the changing needs of users 2. Requests for changes/ corrections promptly completely carried out 3. Only authorized changes should be made 4. Compliance with standard 5. Controls over program changes 6. Testing and final approval 7. Changes made to test version not live version 8. Changes fully documented 9. Changes backed up and stored in program library 10. Train users 11. Post-implementation review

Answer 13

1. Division of duties, review and virus protection are met 2. Level of responsibility determined 3. Division of duties

Answer 14

1. Separate IT department 2. Computer department segregated from user department 3. Within the computer environment 4. Management 5. Supervision and review 6. Staff policies 7. All computer output to be reviewed by user department 8. Controls against viruses 9. Email policy to be in place

Answer 15

1. Computer department not to to originate or authorize transactions 2. Computer department not to have control over non-computer assets 3. Computer department not to authorize master file changes 4. User department to review all master file changes 5. User department to maintain independent control totals 6. User department to have custody over stationery

Answer 16

1. Employment of honest qualified, competent reliable IT staff 2. Rotation of IT staff duties 3. IT staff must regularly take leave 4. Scheduling of work 5. Training and career development 6. Supervision and review 7. Cancellation of access on dismissal

Answer 17

1. Procedures designed to restrict access to on-line terminals, devices, programs and data 2. User authorization 3. User authentication 4. Program security 5. Data file security 6. Access to terminals and files 7. Access through other electronic devices

Answer 18

Programmed controls and user controls

Answer 19

1. Terminal controls -limit access to specific applications 2. Identification of users 3. Authorization of users 4. Authorization of use 5. Use access control software 6. Monitoring access and processing 7. Communication line and networks 8. Password control 9. Restrict access 10. Data to be encrypted 11. Establish separate systems for vulnerable and sensitive applications 12. Program library control 13. Utilities control 14. User programming controls 15. Terminals and other electronic devices

Answer 20

1. Unique login ID 2. Passwords 3. Access cards 4. Biometric data

Answer 21

1. Device disconnect after 5 mins of inactivity 2. Terminal is disconnected and shut down after 3 unsuccessful attempts to gain access 3. Investigation to each disconnection 4. Simultaneous log on by one user at more than one terminal is prohibited 5. Restricted hours of operation 6. Polling by central computer of remote devices to ID unauthorized users

Answer 22

1. Passwords and their identification numbers 2. Verify user's computer serial number 3. Verify user's Internet protocol (IP) address 4. Use of biometric data 5. Magnetic card

Answer 23

1. Log-on IDs 2. Passwords - required to sign on and off - limit access to system/ part of system - limit access to certain terminals - limit processing/access to certain time of day

Answer 24

1. Passwords structured for authorized levels of access 2. Multi-level passwords 3. One time passwords 4. Introduce a system of system owners

Answer 25

1. Maximum length 2. Mix of alphabet and numerical and other characters 3. Not obvious or easily guessed 4. Not shown on screen 5. Changed regularly - forced by system 6. Confidentiality emphasized to users 7. Rejects identical password used already 8. Cancelled immediately on resignation/dismissal 9. Cancelled after specific period of inactivity 10. Cancelled after a number of unsuccessful attempts to gain access 11. Changes to passwords should be logged and reviewed

Answer 26

1. Terminals locked in visible area and in lockable terminal room with access control 2. Computer hardware situated in lockable room with constant supervision and review and physically secured 3. Use of terminal logs to control over processing 4. Distributed processing 5. All logs and activity register should be regularly reviewed and followed up by independent person 6. Screening and training of staff before access 7. Controls allowing circumvention of access controls in case of emergency

Answer 27

1. Proper operation of the system and procedures applied correctly and consistently 2. Duties of IT controllers to be defined 3. Scheduling of processing 4. Set-up of execution of programs 5. Use correct programs 6. Use correct data files 7. Operating procedures 8. Recovery procedures

Answer 28

1. Emergency plan and written instructions for error correction 2. Backup of data after processing stored on separate premises

Answer 29

1. Monitor and review of functioning of the hardware 2. Standardized procedures and operating instructions 3. User manuals 4. Division of duties 5. Supervision and review 6. Rotation of duties 7. Maintenance of system and manual logs with regular follow up by management

Answer 30

1. Ensure installed or developed and maintained in an authorized and effective manner 2. Acquisition, development of and changes to system software 3. Security over system software 4. Database system - access controls 5. Networks - programmed controls 6. Processing by users on PCs - control of software

Answer 31

1. Ensure continuity of processing, be preventing system interruption or limiting to a minimum 2. Physical environment controls 3. Emergency plan and disaster recovery procedures 4. Back ups 5. Other controls

Answer 32

1. Protection against elements - fire (extinguisher) - water (away from taps) - power (uninterrupted power supply) - environment (air conditioned, constant humidity, dust free)

Answer 33

1. Back up data files regularly on rotation basis 2. store copies of backup files on separate premises 3. Removable media is stored in fireproof facilities 4. Arrange for hardware back up facilities 5. On-line back ups 6. Retention of data, records and files for required time

Answer 34

1. Physical security 2. Proper system development including selection of suppliers and testing the system 3. Maintenance of hardware 4. Adequate insurance 5. Cable protection 6. Uninterrupted power supply 7. Prevention of viruses 8. No over-reliance on staff 9. Logical access controls 10. Personnel controls affecting security and continuity

Answer 35

Application controls are control over the input, processing and output of financial information to ensure that the information is valid, complete and accurate. It includes programmed and user controls.

Answer 36

1. Validity 2. Completeness 3. Accuracy

Answer 37

1. Unauthorized data entered 2. Error in creation of data 3. Data lost during input 4. Data added or altered 5. Error in correction and re-entering of rejected data 6. Corruption of data during capture or transfer

Answer 38

1. Sequential numbering 2. Matching by computers 3. Field presence checks

Answer 39

1. Stationery control | 2. Examination of processing logs for missing input entries

Answer 40

1. Matching transaction with data on files by computer 2. Edit checks(validation checks) to test accuracy of data 3. Batch input and processing

Answer 41

1. Formatting checks - numerical/alphanumeric 2. Sign check - positive/negative 3. Screen check - checking of accuracy by users 4. Screen prompt - "are you sure?" 5. Validity/existence - field size, codes etc 6. Limit and reasonableness check - comparison with predetermined values 7. Check digits - accuracy of codes 8. Control totals - batch processing and comparison 9. Dependency check - check interdependence of data in respect of other fields 10. Field presence - all critical input fields are present 11. Field size check - overflow of fields 12. Specific character - space in the right place 13. Arithmetic check 14. Logic check

Answer 42

1. Review by user/senior staff 2. Batch input and process 3. Use well designed documents to minimize error 4. Staff training

Answer 43

1. Access controls 2. Authorization of transactions 3. Authorization of changes to data 4. Transaction generated by computer 5. Validation tests

Answer 44

1. Segregation of duties, staff training and staff recruitment policies 2. Authorization of transactions by user 3. Review authorization procedures 4. Authorization of changes to data

Answer 45

1. Control totals and reconciliation | 2. Batch processing - balancing batch totals

Answer 46

1. Control totals and reconciliation 2. Batch processing - senior independent person to check for errors 3. Reviewing of output reports by users 4. Regular back ups during and after processing 5. Adequate error correction procedures

Answer 47

1. Data altered during processing 2. Calculative or accounting errors 3. Logic, precision rounding errors 4. Incorrect program or data file 5. Incorrect values or internal tables in program 6. Data corrupted during transmission 7. Equipment malfunction

Answer 48

1. Reconciliation of control totals 2. Sequential testing by computer 3. Reconciliation of accounts/balances 4. Logs of processing 5. Edit tests by computer programs 6. Control over transmission of data

Answer 49

1. Reconciliation of control totals 2. Sequential testing by the computers checked by senior independent person 3. Reconciliation of accounts/balances 4. Logs of processing checked and reviewed regularly 5. Break point re-runs 6. Processing errors reported and corrected 7. Adequate back up procedure

Answer 50

1. Control over computer hardware 2. Edit checks by computer program 3. Produce exception report for review by management 4. Reconciliation and balance of control totals and control accounts 5. Batch controls where data is processed in batches as opposed to online real time processing

Answer 51

1. Exception report, reconciliation and batch processing 2. Operator's manual and user instruction 3. Supervision a d review by competent staff

Answer 52

1. Access control over transactions and standing data during processing 2. Librarian function to ensure correct program and file version used 3. Files should have internal or external label and program should be identified with version numbers 4. Computer monitor and prints abnormal activities 5. Record of comparison and matching by the computer 6. Computer generate adequate audit trails

Answer 53

1. Authorization of override if incorrect version is detected 2. Authorize manual intervention if the system breaks down 3. User logs for monitoring unscheduled processing

Answer 54

A sequentially numbered audit trail of master file changes is produced

Answer 55

Reconciliation of changes with the list/register of requests for changes and follow-up of outstanding items

Answer 56

Access controls and levels of authorization on the system

Answer 57

Written authorization of changes by senior management and checking of changes to master files

Answer 58

Master file is protected by: - encryption - library control - record counts - reconciliations

Answer 59

The whole master file is reviewed regularly by management.

Answer 60

1. Output reports should be sequentially numbered

Answer 61

1. IT control group to follow up missing numbers 2. Review of output reports by users 3. Reconciliation of input to output by the IT control group 4. Sequence check on page numbers or document numbers 5. End of report message 6. Page counts 7. Reviewing of report by users for missing/duplicated items

Answer 62

1. Logs, listing activities and output produced, maintained by computer system regularly reviewed by IT control group for unauthorized output

Answer 63

1. Distribution list of authorized users, listing to whom output is to be sent 2. Distribution schedule 3. Distribution controlled by the IT control group 4. Distribution register in which user sign for receipt 5. Review of report by users

Answer 64

1. Reconciliation of output to input by user department for accuracy of processing 2. Review of output by IT users for obvious errors 3. physical checking of accuracy of calculation by users 4. Review and follow up of items in exception reports by an independent control group 5. Scrutiny (review) of processed information by users for accuracy 6. Checking by users of the accuracy of posting from subsidiary ledgers to general ledger

Answer 65

Control over online output - access controls to limit access to information on screen - users should log out or log off when the terminal or device are not in use - terminal or device to be disconnected automatically if not used for a specific period - user should be forced to log on after system interruption to prevent data from remaining on the screen - simultaneous log-on by users prohibited

Answer 66

1. Only authorized users have access to terminals 2. Restrictions on which printers can be used for confidential reports 3. Controls over stationery used for confidential reports

Answer 67

1. Engagement consideration - knowledge and skills required 2. Planning - understand the computer environment and internal control system 3. Consider risks in the system

Answer 68

1. Standard approach for development and maintenance of application programs 2. Data ownership 3. Access to database 4. Division of duties 5. Data resource management 6. Database recovery

Answer 69

1. The extent to which database are used to process accounting data 2. Type and materiality of transaction processed 3. Nature of files and programs used 4. Adequacy of general controls and application controls 5. Access control and security 6. Standards and procedures for development and maintenance of application programs in database 7. How data resources are managed 8. Job descriptions, standards 9. Controls and procedures to ensure security, integrity and accuracy of data 10. Availability of audit facilities within the database system

Answer 70

1. Generate test data 2. Test access controls 3. Print audit trails 4. Test the integrity of the database 5. Provide access to enable the use of CAATs 6. Obtain information which is necessary for audit purposes

Answer 71

1. The entity's use and attitude towards information technology 2. The use of information technology in relation to the industry 3. Changes and intended changes to the computer system 4. Changes and intended changes to non-financial system which will impact on the reporting function

Answer 72

1. The organization structure 2. The extent to which the computer is used in each financial application 3. Complexity of processing 4. Availability of data 5. The hardware and software utilized 6. The layout and organization of facilities 7. Processing methods in use 8. Where information is processed 9. By whom 10. Overview of manual and computer controls 11. Extent of audit trails 12. Complexity of system 13. The need for CAATs 14. The extent to which the client depends on the computer system 15. Intended changes to the system

Answer 73

1. Absence of input documentation 2. Lack of visible audit trails 3. Staff may have limited experience with computers 4. Segregation of duties 5. New system not functioning properly when first introduced 6. Lack of transaction audit trails 7. Absence of report 8. Potential errors and irregularities 9. Lack of human intervention to identify errors 10. Automatic initiation and generation of transactions 11. Dependence on programmed controls

Answer 74

1. Obtain understanding of the system 2. Consider implication of any new system 3. Combined (reliance can be placed on general and application controls) or substantive approach 4. Nature of audit procedure dependent test of controls

Answer 75

1. Presence of controls which manages significant risks 2. Situation where sufficient audit evidence cannot be obtained from substantive procedure/testing alone 3. Large volume of information 4. No input documentations 5. Dependency on computerized controls 6. Complexity 7. System generate items 8. Integration 9. Lack of audit trails 10. Short retention of data

Answer 76

1. Perform a review of general and application controls 2. Decide on specific controls to be tested 3. Perform test of general control environment 4. Perform test on application controls 5. Evaluate the tests of controls

Answer 77

1. Detailed flow-chart, diagrams, notes, etc 2. Detailed internal control questionnaire 3. Enquiry with client staff 4. Full system walk through

Answer 78

1. Are the controls performed? 2. How well are the controls performed? 3. By whom are the controls performed? 4. Are the controls performed consistently throughout the year? 5. Conclude on which controls to rely on.

Answer 79

1. Timing - detailed testing of transactions - detailed testing to verify balances - analytical review procedures 2. Extent - reduced if control is sound 3. Timing - influenced by result of tests of controls

Answer 80

CAATs are computer assisted audit techniques. | They are used to test computerized controls.

Answer 81

1. Audit softwares 2. Purpose written softwares 3. Utilities 4. System management programs

Answer 82

1. Test data 2. Control and reprocessing 3. Program code analysis 4. Simulation 5. Embedded audit routine

Answer 83

1. Create simulated data by auditor and capture on the system for processing, results are checked against preprepared results. 2. Used to test controls and processing of data 3. Test data should include valid and invalid data 4. Auditor should ensure that test data runs in client's computer and on correct version of program 5. Major risks of test data are: - lack of surprise element - program subjected to test data may not be program used throughout the year - possible corruption of live data

Answer 84

1. Snapshot 2. Integrated test facility 3. Online audit 4. Evolving techniques

Answer 85

1. Used as substantive procedures to access, retrieve, manipulate data from computerized information system

Answer 86

1. Used for re-perform casts and calculations 2. Perform investigations and analysis 3. Select samples 4. Extract summaries 5. Perform comparison

Answer 87

1. Substantive testing of detailed transactions and balances 2. Analyzing and selecting samples from a large volume of transactions 3. Analytical procedures

Answer 88

1. Assist in achieving audit efficiency by saving time 2. Reduction in audit costs 3. Improving the quality of the audit 4. Better knowledge of the computerized information system is developed 5. Able to deal with large volumes 6. Audit staff develop improved expertise 7. Reduced reliance on client computer personnel 8. Improved client service

Answer 89

1. Computer knowledge, competence and experience 2. Availability of CAATs And computer facilities 3. Impracticality of human/manual testing 4. Effectiveness and efficiency 5. Timing of testing 6. Other considerations

Answer 90

1. Ease of use 2. Require limited technical knowledge 3. Cost effective 4. Adaptable and flexible to meet auditor's need 5. Developed and run under audit supervision 6. Machine independent 7. Audit-oriented 8. Readily available 9. Good supplier support

Answer 91

1. Determine the objectives of applications of CAATs 2. Determine the contents and accessibility of the entity's file 3. Define transactions to be tasted 4. Define the procedures to be performed 5. Define the output requirement 6. Arrange with client personnel for copies of the relevant data to be available 7. Identify audit and computer staff to assist in the design and application of CAATs 8. Estimate the costs and benefits 9. Control the application of CAATs 10. Administration of computer knowledge and facilities 11. Execute the application of CAATs 12. Reconcile all data used by CAAT with accounting records 13. Evaluate the results 14. Document the use off CAATs in working papers

Answer 92

1. Participate in design and testing 2. Check program coding 3. Ensure that the software will run on the client operating system 4. Run audit software on small test files before running on main system 5. Ensure that the correct version of client files are used 6. Obtain evidence such as reconciliation to prove that the software functioned as planned 7. Ensure scrutiny over data and CAAT output

Answer 93

1. Checking of the sequence of test data runs 2. Test runs with small quantities of data 3. Comparison of processed results with own preprepared results 4. Confirmation that the correct version of the program was used 5. Confirmation that the program on which the test data was run is the same as the one used throughout the period

Answer 94

1. Eliminating manual casting cross-casting and other routine calculations may save time 2. Calculations, comparisons and other data manipulations are more accurately performed 3. Analytical calculations may be more efficiently perform 4. The Scope of analytical procedures may be broadened 5. Audit sampling may be more efficient 6. Working papers may be generated and are easily stored and Accessed 7. Graphic capabilities may allow the auditor to generate display and evaluate various financial and non-financial relationship graphically 8. Staff morale and productivity improved by reducing time spent on clerical tasks 9. Client personnel may not need to manually prepare as many schedules and otherwise spend as much time assisting the auditor 10. Computer generated working papers are generally more legible and Consistent

Answer 95

1. Limiting of client access 2. Programs and data file security 3. Security of client data 4. Staff 5. General

Answer 96

1. Absence of established security policy 2. Distribution of various input device throughout the entity increases the risk of unauthorized used and input 3. Increased risk of unauthorized use of the computer such as unauthorized changes 4. Network have greater risk 5. Greater dependence on validation checks performed at time of entry 6. There is an increased risk of lost transactions owing to interruption of processing