Computer Audit Exam 1
Recordkeeping:
creating and maintaining records
Asset Custody
access to and/or control of physical assets
Reconciliation
assurance that transactions are appropriate and accurate
Network
-Establishes a layer of logical security for all resources within the organization. -includes information technology that provides system connectivity. It is the functions and features of network server facilities, including network administration functions and groups.
Why do companies use Information technology (IT)?
-IT's enables an entity's internal control to do the following: Consistently apply predefined business rules and perform complex calculation in processing large volumes of transactions or data − Enhance the timeliness, availability, and accuracy of information − Enhance the ability to monitor the performance of the entity's activities and its policies and procedures − Reduce the risk that controls will be circumvented − Enhance the ability to achieve effective segregation of duties by implementing security controls in applications, databases, and operating systems
Operating system
-Manages communications (input/output) between hardware and applications. We also refer to this as the server. -The type of computer architecture, the operating system and subsystems, the system support processes, utilities and the systems on which application systems are built and processed are all important components of the operating system layer.
Data Management
...includes the database management system (DBMS), data dictionaries, database gateways and related utilities. In this layer, the actual data and other objects are stored and maintained by the DBMS. This layer includes the data administration, replication, synchronization, referential integrity and other related strategies.
What are the benefits of user- developed applications? (UDA)
1) Easy to develop and use 2) configurable and flexible 3) Readily available tools
What are the benefits of application controls?
1) Reliability of controls: reduces likelihood of errors due to manual intervention 2) Benchmarking of controls: Reliance on IT controls can lead to concluding that the application controls are effective year to year without retesting 3) Time and cost savings: Normally, application controls take less time to test and only require testing once as long as the ITGCs are effective with no noted issues
What are the phases of an IT Internal audit?
1) Scope & plan the IT Internal Audit 2) Update understanding of the IT environment 3) Evaluate ITGC design effectiveness 4) Evaluate ITGC design effectiveness 5) Evaluate design/operating effectiveness of activity-level controls 6) Evaluate and interpret IT-related findings 7) Wrap-up
Design Testing: When does a deficiency in design exist?
1. A control necessary to meet the control objective (i.e., a control that addresses the risk) is missing. 2. An existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met (i.e., the risk would not be addressed).
What are the key processes for IT security administration?
1. Establish effective security environment 2. Manage internal user access 3. Manage remote and third-party access 4. Monitor access to IT systems
When auditors test controls, the nature of these tests should consist of which of the following?
A. Inquiry B. Inspection C. Observation D. All of the above
What are the five types of UDA controls?
Access controls Input controls Output controls Development, change, and testing controls Versioning, backup, and archival controls
What are the technology layers of the IT environment?
Answer: Application, Data Management, Operating System, Network, Physical
Which of the following is Not a General Control? A. Vendor management B. Disaster recovery C. Input controls D. Application system maintenance
Answer: C. Input Controls is an example of Application Control Refer to Class 4 PwC slide Examples of General Control and Application Control
A report is produced weekly identifying all of the goods that customers have failed to pay off within 90 days. The report is used to identify what items needs to be written off. A manager reviews the list at the end of each week.
Answer: Control. Explanation: The indication that the manager reviews the list makes it a control. Had that not been mentioned, one would identify it as a process.
Which of the following is NOT a benefit of using User-Developed Applications?: UDAs are quicker to develop and use — can circumvent standard IT development request process. They are more configurable and flexible — users can modify UDAs as they see fit and reconfigure these to meet business needs as necessary. Increased Data Security - UDA tools and applications are more secure due to constant user reconfiguration as IT environment adapts They are readily available tools — generally UDAs are tools and applications already available to end users that can be customized without going through the costly and timely software selection process.
Answer: Increased Data Security. −Data on UDAs can be stored without appropriate access controls (e.g., public network drives). This creates security concerns.
Question: In 2-3 sentences, explain the analogy provided comparing program development and program change to the construction of a house.
Answer: Program Development can be thought of as the activities that involved in the building of the house. On the other hand, program changes moreso relate to the maintenance of said house after construction is complete. Major changes, such as adding another floor, or a pool would be also comparable to a program development, as fundamental advancements or substantial changes fit this category.
. Versioning should be employed in spreadsheet changes is a preventative measure of a spreadsheet control. (True/ False)
B. False (it's a detective control)
Program changes objective/ considerations
Changes to existing systems/applications are authorized, tested, approved, properly implemented, and documented Approvals of both IT and business unit management An appropriate program change - development methodology Testing Documentation Interfaces to other systems Data migration Training Emergency changes
How often do the application controls need to be tested? Why ?
Common benchmarking rotation is 3-year period. The concept of not testing every year if GITCs are effective and no major issues/changes are noted.
What is the definition of compensating controls?
Compensating controls are alternative activities and actions that mitigate the risk or risks that the original SOD element was designed to address
Access to programs and data
Control objective: Logical access to system resources is restricted to properly authorized individuals. Controls in this area directly affect segregation of duties and an organization's ability to manage who is authorized to initiate transactions and/or modify data transactions. Considerations; Establish effective security environment Manage internal user access Manage remote and third-party access Monitor access to IT systems
Computer Operations
Control objective: System/application processing is appropriately authorized and scheduled and that deviations and/or problems from scheduled processing are identified and resolved Considerations: establish effective program execution environment, schedule production programs, execute authorized programs, monitor program execution, back up and storage of data
Program Changes
Control objective: changes to existing systems/applications are authorized, tested, approved, properly implemented, and documented Considerations: approvals of both IT and business unit management, an appropriate program change-development methodology, testing, documentation, interfaces to other systems, data migration, training, emergency changes
IT Control Environment
Control objective: have a generally pervasive effect on controls Considerations: knowledge & skills of IT resources, IT is aligned with the business, IT resources of the organization are used responsibly, appropriateness of reporting lines for key IT personnel, turnover management in key IT functions, overall IT risk management activites
Access to programs and data
Control objective: logical access to system resources is restricted to properly authorized individuals; controls in this area directly affect segregation of duties & an organization's ability to manage who is authorized to intiate transactions and/or modify data transactions Considerations: establish effective security environment, manage internal user access, manage remote and 3rd-party access, monitor access to IT systems
Program Development
Control objective: new systems/applications are authorized, tested, approved, properly implemented, and documented Considerations: authorization/approvals of both IT and business unit management, an appropriate development methodology is put into practice, testing, documentation, interfaces to other systems, data migration, training
Many factors come into play when companies implement IT into their operations. What are some things that can go wrong in an IT environment? B. Report logic is incorrectly applying parameters C. Report logic is incorrectly gathering source data D. Recording of unauthorized or nonexistent transactions
E. All of the Above
Application
Enables users to store/retrieve data in a logical, meaningful manner and apply predefined business rules to that data
Phase 4 of IT audit
Evaluate ITFC operating effectiveness IT Internal Audit process covers our responsibilities for detailed testing of controls
Which of the following is applicable to UDA? A. Not subject to standard balancing control or change management procedures. B. Limited input, output controls and documentation around UDA design. C. Data on UDAs cannot be stored without appropriate access controls. D. UDA can be stored on end-user workstations and may not be readily available and may not subject to backup policies. E. A,B F. A,B,C G. A,B,D
G. A,B,D
Phase 3 of IT audit process
IT Internal Auditor evaluates whether IT General Controls are effectively designed.\When evaluating design effectiveness, the IT internal audit team gathers documentation to assess whether the control is suitably designed to prevent, or detect and correct material misstatements on a timely basis. Inquiry alone does not provide sufficient audit evidence to detect a material misstatement or to test the operating effectiveness of internal control.
What are some risks of using user-developed applications (UDAs)?
Increased complexity of UDAs Data security concerns Data integrity concerns Inability of business unit to support these tools
4 Main Control Testing Techniques
Inquiry Observation Inspection Re-performance
Test the design of relevant controls
Inquiry -seeking information from knowledgeable persons in financial or nonfinancial roles within the company or outside the company. 2. Inspection -examining records or documents, whether internal or external, in paper form, electronic form, or other media, or physically examining an asset. 3. Observation -looking at a process or procedure being performed by others.
When a new program is developed or modified, who's role is it to initiate change requests and participate in testing the program?
It is the User Communities role to initiate change requests and participate in user acceptance testing (UAT).
IT Control Environment Consider
Knowledge and skills of IT resources IT is aligned with the business IT resources of the organization are used responsibly Appropriateness of reporting lines for key IT personnel Turnover management in key IT functions Overall IT risk management activities Strategic planning activities
List three common causes of segregation of duties conflicts.
Lack of understanding of application security architecture Lack of management oversight and review Organizational structure
What are the four criteria that each compensating control must meet before being considered for validity?
Meet the intent and rigor of the original compliance requirement Repel a controls violation attempt or provide similar level of defense as the original control activity Be above and beyond other compliance requirements Be commensurate with the additional risk imposed by not adhering to the compliance requirement.
Program Development control objective/ considerations
New systems/applications are authorized, tested, approved, properly implemented, and documented Authorization/approvals of both IT and business unit management An appropriate development methodology is put into practice Testing Documentation Interfaces to other systems Data migration Training
Risk Associated with the Control (RAWC)
Risk that a control may not be effective The risk that, if not effective, a material weakness would result
Phase 1 of IT audit process:
Scope and plan IT audit support. The scope and plan is defined and refined through: Discussions with client personnel. Evaluation of the client's IT environment and financial reporting risks.
Database
Stores the data used by the applications
Inherent Risk
Susceptibility of an assertion to a misstatement, due to error or fraud, that could be material, individually or in combination with other misstatements, before consideration of any related controls
Computer operations
The control objective: System/application processing is appropriately authorized and scheduled and that deviations and/or problems from scheduled processing are identified and resolved. Considerations: Establish effective program execution environment Schedule production programs Execute authorized programs Monitor program execution Back up and storage of data
Factors that affect the risk associated with a control include:
The nature and materiality of misstatements that the control is intended to prevent or detect • Whether there have been changes in the volume or nature of transactions that might adversely affect control design or operating effectiveness • Whether the account has a history of errors • The competence of the personnel who perform the control or monitor its performance and whether there have been changes in key personnel who perform the control or monitor its performance • Whether the control relies on performance by an individual or is automated (i.e., an automated control would generally be expected to be lower risk if relevant information technology general controls are effective) • The complexity of the control and the significance of the judgments that must be made in connection with its operationDe
Physical Layer of IT Environment
The physical component ensures the hardware housing critical systems and data are protected from physical and environmental threats such as theft, fire, water, power shortages, etc.
Phase 2 of the IT audit process
The second phase of the IT Internal Audit Process helps refine the scope of the IT Auditor's work.
List three types of common process level segregation of duties conflicts.
Users have the ability to add vendors and control payments Payroll and employee administration capabilities Input and review performed by same person
Data Center andNetwork Operations
Who has access to data center/network operations center • How such access is controlled/reviewed • How computer batch processing monitored and errors resolved • Who has access to update batch jobs • How data is backed up and how often
Company's business process
designed to: a. Develop, purchase, produce, sell and distribute a company's products or services b. Record information, including accounting and financial reporting information c. Ensure compliance with laws and regulations relevant to the financial statements
role of the Business Owner
approve the change requests that the user community initiates. The Business Owner must also authorize the transfer to the live environment.
Intraconflicts:
conflicts that arise from a security role being defined with excessive, conflicting privileges
Extraconflicts
conflicts that arise from multiple security roles being assigned to a user account such that the cumulative privileges of the user are excessive and conflicting
the Production Control/Librarian
is responsible for moving the code between the development, test, and production, environments.
The Application Support Manage
manages the activities of the application developers.
The Application Develope
modifies the program code and performs testing.
Application controls
procedures which are applied to each application or system individually i.e., three-way match in an accounts payable system
Applicaiton controls
procedures which are applied to each application or system individually (i.e three-way match in an accounts payable system)
ITGCs (IT General Controls)
procedures which has a pervasive influence over all the programs and systems within a single computer enviornment (i.e assignment of access rights)
IT General Controls (ITGCs
procedures which have a pervasive influence over all the programs and systems within a single computer environment i.e., assignment of access rights
The System Administrator
responsible for identifying, testing, and applying updates to the system software.
Authorization
reviewing and approving transactions
Business risk
risk that a company will not achieve it's management objectives.
Control risk
risk that a control will not detect a material misstatement related to management's assertion due to error or fraud
Audit risk
risk that an audit will not produce an accurate results
Residual risk
risk that remain after taken controls into consideration
Inherent risk
the underlying risk of an activity without consideration of control
System Change Control
• How are changes and data conversions are tested and approved prior to change being implemented into "live" production environment • Segregation of duties is maintained (developers do not have access to migrate changes to production)
Access Security
• Who has access, including privileged access, to IT systems • How access is provisioned, removed, reviewed and administered • How authentication is configured