Auditing - Appendix H Information Technology and the Auditor
Frauds that get past prevention controls should be discovered by ______ controls.
detection
Which of the following is NOT an administrative level control? (Program testing after modification; Access control software and passwords; Rotation of computer duties; Security checks on personnel)
Access control software and passwords
Which of the following is NOT a processing control? (Computer prompting; Audit trail; Data comparisons; Control totals; Transaction logs)
Computer prompting
Which of the following is both an output and a processing control? (Master file changes; Control total reports; Run-to-run totals; Limit and reasonableness tests)
Control total reports
True or false: All passwords should be at least six characters long to make hacking by computer-generated algorithms difficult.
False
True or false: Small entities often fail to separate the functions of programming and operations due to indifference with respect to internal control.
False
True or false: The process of identifying the points in the flow of transactions where specific types of misstatements could occur is virtually the same in both manual and IT processing environments.
False
Which type of controls are designed to provide reasonable assurance that data received for processing by the computer department have been properly authorized and accurately entered or converted for processing? (Input; Output; Processing; Authorization)
Input
Which of the following is both an input and a processing control? (Run-to-run totals; Limit and reasonableness tests; Data entry and formatting controls; Valid character tests)
Limit and reasonableness tests
Which of the following are NOT processing controls? (Select all that apply: Run-to-run totals; Control total reports; Missing data tests; Master file changes)
Missing data tests; Master file changes
Which of the following statements is correct? (When forming the IT testing plan, only entirely automated controls need to be tested. Manual control activities that rely on a system generated report get special consideration when forming the IT audit testing plan. Only purely manual control activities can be ignored in the IT audit testing plan.)
Only purely manual control activities can be ignored in the IT audit testing plan.
Which type of controls are concerned with detecting rather than preventing errors? (Reasonableness; Output; Input; Processing)
Output
Which type of controls are similar in nature to input controls? (Reasonableness; Authorization; Processing; Output)
Processing
Which of the following is NOT a program development control? (All software and programs have appropriate documentation. Programs and software are tested and validated prior to being placed in operations. Processing failures are resolved on a timely basis. Programs and software support the entity's financial reporting requirements.)
Processing failures are resolved on a timely basis.
Which of the following is NOT a computer operations control? (Transactions are processed in accordance with the entity's objectives. Programs and software support the entity's financial reporting requirements. Actions are taken to facilitate backup and recovery of data when needed. Processing failures are resolved on a timely basis.)
Programs and software support the entity's financial reporting requirements.
Which of the following is NOT an input control? (Run-to-run totals; Check digits; Batch totals; Data entry and formatting controls)
Run-to-run totals
Which of the following is NOT a typical end-user computing environment control issue that audit teams must consider? (Lack of program documentation and testing; Limited computer knowledge; Separation of programming and operations functions; Lack of physical security)
Separation of programming and operations functions
Which of the following is NOT a technical control? (Range checks; Transaction logging reports; Transaction limit amounts; Data encryption)
Transaction limit amounts
Which of the following is NOT a physical control? (Preprinted limits on documents; Data backup storage; Transaction logging reports; Controlled access)
Transaction logging reports
Which of the following is NOT a data entry control in end-user computing environments? (Online editing and sight verification; Transaction logs; Access restriction to input devices; Standard screens and computer prompting)
Transaction logs
True or false: When a user entity employs a service organization for specialized processing, the user entity's auditors must still evaluate controls related to the service organization's computerized processing for the user entity.
True
Experts have two definitions related to computer chicanery: computer ______ and computer ______.
abuse, fraud
The use of information technology by a perpetrator to achieve a gain at the expense of a victim is called computer ______ or computer ______.
abuse, fraud
Individuals employed by the entity and limitations or limits on the nature and scope of activities they perform are the focus of ______ level controls.
administrative
In an IT environment, a chain of evidence and documentation known as a(n) _________ _________ does not exist.
audit trail
Controls applied to specific business activities within an accounting information system to achieve financial reporting objectives are called ______ ______ controls.
automated application
Providing reasonable assurance that processing failures do not affect or delay the processing of other transactions is one objective of ______ ______ controls.
computer operations
Computer operations controls are implemented for files and data used in processing with the major objectives of ensuring files ______. (Select all that apply: can be reconstructed from earlier versions of processing information; used in automated processing are appropriate; are free from input and output errors; are appropriately secured and protected from loss)
can be reconstructed from earlier versions of processing information; used in automated processing are appropriate; are appropriately secured and protected from loss
Extra numbers tagged onto the end of basic ID numbers designed to detect coding or keying errors are called ______ ______.
check digits
Rotation of assigned tasks, proper supervision, and required vacations are all important ______ controls when there is inadequate separation of duties.
compensating
"The science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media" is the FBI definition of ______ ______.
computer forensics
Impeaching a president, terrorist tracking and child pornographer prosecution have all been helped by ______ ______.
computer forensics
Having an appropriate disaster recovery plan to ensure files are secured and protected from loss is a major objective of _____ _____ controls.
computer operations
Record counts, batch totals, hash totals and run-to-run totals should be calculated during processing operations and summarized in a(n) ______ ______ report.
control totals
Restrictions on access to input devices and standard screens and computer prompting are examples of ______ ______ controls in end-user computing environments.
data entry
In determining whether an audit team can rely on IT controls, auditors must determine the scope of the IT testing plan completed by carefully identifying each of the IT ____________
dependencies or dependency
Audit professionals generally categorize ___________ level controls as either general controls or application controls.
entity
Within a client's IT environment, there are essential, general IT controls that apply to all applications that are called _____ level controls.
entity
When computerized processing is used ______. (transaction errors are virtually eliminated; the auditor needs to be able to test for the occurrence of random errors; errors will result in all similar transactions being processed incorrectly)
errors will result in all similar transactions being processed incorrectly
The assessment process that needs to be undertaken for IT controls is ______ the assessment process that needs to be taken for manual controls.
essentially the same as
Whether the entity should purchase, develop or modify a system is determined during the ______ analysis stage of the SDLC.
feasibility
A log that records time and use statistics for specific computer applications is an example of a(n) ______ control. (authorization and approval; data entry and formatting; limit and reasonableness; file and operator)
file and operator
A safe and secure computing environment that allows the operating controls to operate effectively is provided by the ______ IT controls.
general
Controls that apply to all applications of an accounting information system are called ______ controls.
general
Totals that allow input errors to be detected prior to submission for processing but are not meaningful for accounting records are called ______ totals.
hash
Controls that provide the opportunity for entity personnel to correct and resubmit data initially rejected as erroneous are called ______ controls.
input
In an information technology environment, audit teams need to be concerned with ______ errors. (Select all that apply: random processing; input; systematic processing)
input; systematic processing
Automated application controls are organized under three categories: ______ controls, ______ controls and ______ controls.
input, processing, output
Compensating controls include ______. (Select all that apply: investigation of excess computer usage; required vacation; separation of duties; rotation of duties)
investigation of excess computer usage; required vacation; rotation of duties
When scoping the IT audit procedures that need to be completed, auditors need to be concerned with ______. (the full range of control activities implemented by management; key control activities being relied on to mitigate the RMM; only those control activities deemed important by the IT auditors)
key control activities being relied on to mitigate the RMM
An important program development control is the entity's use of the systems development ______ ______ process.
life cycle
IT dependencies must be tested for ______. (Select all that apply: purely manual control activities that do not rely on a system generated report; manual control activities that rely on a system generated report; entirely automated controls)
manual control activities that rely on a system generated report; entirely automated controls
Reasonable assurance that only authorized persons have access to files produced by the system is one concern of ______ controls.
output
The most common form of control related to access is the use of ______.
passwords
Placing computer devices out of the way of casual traffic is an example of a(n) ______ control.
physical
When evaluating tests of controls within an IT environment, auditors need to consider the ______. (Select all that apply: possible occurrence of random errors; possibility of temporary transactions trails; potential for increased management supervision; potential for errors and frauds)
possibility of temporary transactions trails; potential for increased management supervision; potential for errors and frauds
Errors and frauds are kept from entering the system by ______ controls.
prevention
Data comparisons and audit trails are examples of ______ controls.
processing
Periodically testing and evaluating the accuracy of programs is the most fundamental ______ control a client can implement.
processing
The objectives of _________ _________ controls parallel are to provide reasonable assurances regarding modifications to existing programs.
program change
Having reasonable assurance that appropriate users participate in the software acquisition process is an objective of ______ ______ controls.
program development
An important general control is the separation of duties performed by system analysts, ______ and ______ ______
programmers, computer operators
An individual knowledgeable about the nature of transactions and processing should perform an overall review of the output for ______.
reasonableness
Which of the following is NOT a method of testing the operating effectiveness of controls? (observation; reconciliation; reperformance; inquiry; inspection of documents)
reconciliation
User entities may outsource specialized data processing to other companies referred to as ______ ______.
service organizations
Emergency change requests and the migration of new programs into operations ______. (Select all that apply: should occur within the SDLC process; should be subject to standard approval procedures after they are made; require appropriate documentation; should be migrated by appropriate individuals)
should be subject to standard approval procedures after they are made; require appropriate documentation; should be migrated by appropriate individuals
Data encryption, reasonableness checks and password software are examples of ______ controls.
technical
The major phases that need to be completed in order to determine whether an audit team can rely on IT controls are ______. (Select all that apply: discussing the IT controls with the manager in charge; testing the IT controls; understanding the IT controls and processes that need to be tested; determining the scope of the IT testing plan by identifying each IT dependency)
testing the IT controls; understanding the IT controls and processes that need to be tested; determining the scope of the IT testing plan by identifying each IT dependency
One important difference in assessing control risk in an IT environment is in identifying ______. (whether the design of control procedures suggest a low control risk; the types of misstatements that can occur in significant accounting applications; the points in the flow of transactions where misstatements could occur; specific control procedures designed to prevent or detect misstatements)
the points in the flow of transactions where misstatements could occur
The identification of IT applications and systems typically occurs during the _______ of each financial reporting process.
walkthrough