Chapter 8: Consideration of Internal Control in an Information Technology Environment
A log that consists of suggestions for changes in programs is called a(n) __________(1) __________(2) log. (Enter only one word per blank.)
(1) change (2) request
When a client's IT-based system is relatively simple and produces hard-copy documents and records, the auditor can audit around the computer and use more __________(1) procedures to reduce __________(2) risk to an acceptable level. (Enter only one word per blank.)
(1) substantive (2) detection
An information technology control activity that is performed to test the accuracy and completeness of IT reports is called a(n) __________(1) control activity. (Enter only one word per blank.)
(1) user
A program that has the ability to attach itself to a legitimate program and modify other programs and systems is called a software __________(1). (Enter only one word per blank.)
(1) virus
A service organization's Type ______ report provides information on the suitability of the design of controls. -1 -2
-1
A service organization's Type ______ report provides information on the operating effectiveness of controls. -2 -1
-2
Identify the ways that auditors may access and analyze client records. -Download the client's data to be analyzed on the auditors' computer -Obtain a copy of the client's records that may be analyzed on the auditors' computer -Use the auditors' generalized audit software on the client's IT-based system -Use the client's generalized audit software on the client's IT-based system
-Download the client's data to be analyzed on the auditors' computer -Obtain a copy of the client's records that may be analyzed on the auditors' computer -Use the auditors' generalized audit software on the client's IT-based system
True or false: The integration of functions in an IT-based system diminishes the importance of internal controls. -True -False
-False
True or false: User control activities are more efficient than application control activities. -True -False
-False
Which of the following statements are true of an IT-based system? -In an IT-based system, segregation of duties is no longer an issue. -In an IT-based system, controls are written into the computer program. -In an IT-based system, the importance of internal control is diminished due to the integration of functions. -In an IT-based system, work normally divided among many employees may be performed electronically.
-In an an IT-based system, controls are written into the computer program. -In an IT-based system, work normally divided among many employees may be performed electronically.
Auditors consider IT control most in which of the following stages of the audit? -Planning the audit including the audit strategy -Forming an opinion and issuing the audit report -Obtaining an understanding of the client
-Obtaining an understanding of the client
When performing a financial statement audit, the auditors' consideration of IT controls relate most directly to which of the following steps? -Complete the audit -Plan the audit including an overall audit strategy -Perform further audit procedures -Assess the risks of material misstatement -Obtain an understanding of the client
-Perform further audit procedures -Assess the risks of material misstatement -Obtain an understanding of the client
Identify substantive procedures that can be performed with audit software. -Select random audit samples -Rearrange data and perform analyses -Examine the client's records for quality, completeness, and valid conditions -Confirm all client data is accurate providing proof that the financial statements present fairly in all respects
-Select random audit samples -Rearrange data and perform analyses -Examine the client's records for quality, completeness, and valid conditions
Identify which responsibilities fall in the application systems roles. -Systems analysis -Data entry -Application programming -Telecommunications
-Systems analysis -Application programming
Auditing around the computer is ______. -acceptable when the system is relatively simple -acceptable when auditors lack understanding of the IT processing activities -never acceptable -always acceptable
-acceptable when the system is relatively simple
General control activities include activities to control ______. -access to programs and data -output of programs and data -the development of new programs -changes to existing programs
-access to programs and data -the development of new programs -changes to existing programs
A log that consists of suggestions for changes in programs is called a ______ log. -change request -data interchange -database
-change request
General control activities include activities to control ______. -changes to existing programs -the development of new programs -output of programs and data -access to programs and data
-changes to existing programs -the development of new programs -access to programs and data
The role of internal auditors in an IT environment include all of the following tasks except ______. -day-to-day maintenance of the controls -testing the controls to ensure they are operating properly -participation in the design of the IT-based system
-day-to-day maintenance of the controls
The role of internal auditors in an IT environment include all of the following tasks except ______. -participation in the design of the IT-based system -day-to-day maintenance of the controls -testing the controls to ensure they are operating properly
-day-to-day maintenance of the controls
A type of control activity that applies to a number of IT applications is called a(n) ______ control activity. -application -user -general
-general
IT-based systems are documented with the help of system flowcharts or specially designed __. -video recording of controls -written narrative -internal control questionnaire
-internal control questionnaire
To test the effectiveness of general controls for development of new programs and systems, the auditors may ______. -examine input controls by accounting for the serial sequence of source documents -interview personnel that developed the program -inspect the documentation of the tests performed before the program was implemented
-interview personnel that developed the program -inspect the documentation of the tests performed before the program was implemented
A test of the reasonableness of a field of data, using a predetermined upper and/or lower limit is called a ______ test. -limit -self-checking number -validity
-limit
General control activities include all of the following except ______. -development of new programs -manual checks of computer output -access to programs -IT operations and controls
-manual checks of computer output
User control activities appraise the reliability of ______ from the information systems department by extensive review and testing. -both input and output -output -input
-output
User control activities appraise the reliability of ______ from the information systems department by extensive review and testing. -output -both input and output -input
-output
The role of internal auditors in an IT environment include ______. -maintaining day-to-day maintenance of the controls -participation in the design of the IT-based system -testing controls to ensure they are operating properly
-participation in the design of the IT-based system -testing controls to ensure they are operating properly
To test general controls over program changes the auditors may ______. -review input controls by testing the serial sequence of source documents in selected batches -inspect exception reports generated by the system and review the way in which exceptions were handled -review documentation of changes to the log of manager approvals
-review documentation of changes to the log of manager approvals
Computer-based fraud is commonly performed by the person that ______. -set up the system and controls the modifications -prepares and verifies input data for processing -maintains and enhances IT networks and network connections
-set up the system and controls the modifications
A significant risk in the use of decentralized computer is the possibility of ______, which can cause loss of data and programs. -unauthorized use -software viruses -management fraud
-software viruses
Auditors document their understanding of IT-based system controls by using ______. -written narrative -video recording of controls -systems flowcharts -internal control questionnaires
-systems flowcharts -internal control questionnaires
In a computerized system ______. -the computer operator should not have detailed knowledge of the programs -the programming function should control data entry -controls are in place that make segregation of duties unnecessary
-the computer operator should not have detailed knowledge of the programs
A comparison of data against a master file or table for accuracy is called a ______ test. -validity -self-checking number -limit
-validity
Match the information system roles with the responsibilities listed. Systems analyst Data entry Program and file library Data control -Reviews and tests all input procedures, monitors processing, and reviews exception reports -Prepare and verify input data for processing -Design the information systems based on the needs of the various user departments -Protect computer programs, master files, transaction tapes, and other records
Systems analyst -Design the information systems based on the needs of the various user departments Data entry -Prepare and verify input data for processing Program and file library -Protect computer programs, master files, transaction tapes, and other records Data control -Reviews and tests all input procedures, monitors processing, and reviews exception reports