Acct 460 ch 3,4,7

Telecommuting

A significant number of employees in the United States work from home, using some type of network connection to the office.

Reasonableness tests

compare the reports and other results with test data or other criteria.

Reasonableness Check

compares the value in a field with those fields to which it is related to determine whether the value is reasonable. For example, pay rate could be compared with a job category code.

Which of the following terms is not associated with a financial statement auditor's requirement to maintain independence? Objectivity Neutrality Professional skepticism Competence

competence

Which of the following is the most significant disadvantage of auditing around the computer rather than through the computer? The time involved in testing processing controls is significant. The cost involved in testing processing controls is significant. A portion of the audit trail is not tested. The technical expertise required to test processing controls is extensive.

a portion of the audit trail is not tested

Which programmed input validation check determines whether the appropriate type of data, either alphabetic or numeric, was entered? Completeness check Validity check Reasonableness check Field check

The programmed input validation check that determines whether the appropriate type of data, either alphabetic or numeric, was entered is a d. field check. A field check is intended to ensure that only numeric data is entered in numeric fields and only alphabetic data is entered in alphabetic fields.

Which programmed input validation makes sure that a value was entered in all of the critical fields? Completeness check Validity check Reasonableness check Field check

The programmed input validation which verifies that a value was entered in all of the critical fields is a a. completeness check. When a user is completing an input screen, a completeness check would not allow the user to finish the input and move to the next screen or step until all critical fields contain a value.

Smart Card

The use of passwords can be strengthened by the use of a smart card that the user carries. The smart card is plugged into the computer's card reader and helps authenticate that the user is valid. The smart card is a credit card-sized device with an integrated circuit that displays a constantly changing ID code. The user enters her password, and then the smart card displays an ID that she uses to log in. The smart card typically changes the user ID every 5 minutes or so.

IT resources

These include people, application systems, technology, facilities, and data

Cost Benefit

This is why controls must have a benefit greater than their cost. For example, a company could have all employees searched as they leave at the end of their shifts in order to discourage inventory theft. However, the cost of this intrusion in terms of its impact on employee morale and turnover may be greater than the savings from theft avoidance.

System Development Life Cycle (SDLC)

a system development process that controls the initiation, approval, development, and maintenance of those changes. This process, called the system development life cycle, or SDLC

backup data

a copy of data files made at a specific point in time that can be used to restore data

Private Could

a form of cloud computing

Generalized audit software can be used to examine the consistency of data maintained on computer files perform audit tests of multiple computer files concurrently verify the processing logic of operating system software process test data against master files that contain both real and fictitious data

examine the consistency of data maintained on computer files

Sign Check

examines a field to determine that it has the appropriate sign, positive or negative. All of these checks examine a field or fields against some preestablished expected values.

Field Check

examines a field to determine whether the appropriate type (alpha or numeric) of data was entered. If the wrong data type is entered, the application should reject that data and alert the user with an error message. There are some fields, such as inventory part numbers, that might be a combination of alpha and numeric data.

Compensating Control

that lessens the risk of negative effects when other controls are lacking. Supervision as a compensating control is appropriate in larger organizations, too, where there may be situations in which it is difficult to fully segregate duties.

Processing Integrity

System processing is complete, accurate, timely, and authorized.

In entering client contact information in the computerized database of a telemarketing business, a clerk erroneously entered nonexistent area codes for a block of new clients. This error rendered the block of contacts useless to the company. Which of the following would most likely have led to discovery of this error at the time of entry into the company's computerized system? Limit check Validity check Sequence check Record count

(CMA Adapted) (SO 1) In entering client contact information in the computerized database of a telemarketing business, a clerk erroneously entered nonexistent area codes for a block of new clients. This error rendered the block of contacts useless to the company. The control that would most likely have led to the discovery of this error at the time of entry into the company's computerized system is a b. validity check. A validity check can examine the data entered and alert the user to an invalid entry.

A company's cash custody function should be separated from the related cash record keeping function in order to physically safeguard the cash establish accountability for the cash prevent the payment of cash disbursements from cash receipts minimize opportunities for misappropriations of cash

A company's cash custody function should be separated from the related cash recordkeeping function in order to d. minimize opportunities for misappropriations of cash. A lack of segregation of duties makes it possible for assets to be stolen, and the related records may be manipulated to conceal the theft.

Code of Ethics

A company's developing and adhering to a code of ethics should reduce opportunities for managers or employees to conduct fraud. This will only be true, however, if top management emphasizes this code of ethics and disciplines or discharges those who violate it. Managers who emphasize and model ethical behavior are more likely to encourage ethical behavior in their employees. The management obligations of stewardship and reporting point to the need to maintain accurate and complete accounting systems and to protect assets. To fulfill these obligations, management must maintain internal controls and enforce

Internal Controls

A company's plans to (1) safeguard the company's assets and (2) improve the accuracy and reliability of accounting information

Wide Area Network (WAN)

A group of LANs connected to each other to cover a wider geographic area

AICPA Trust services Principles describe five categories of IT risks and controls. Which of these five categories would best be described by the statement, "The system is protected against unauthorized access"? Security Confidentiality Processing integrity Availability

AICPA Trust Services Principles describe five categories of IT risks and controls. Of the five given categories, the one best described by the statement "The system is protected against unauthorized access" is a. security. Availability means that the system is available for operation and use as committed or agreed. Processing integrity means that system processing is complete, accurate, timely, and authorized. Confidentiality means that information designated as confidential is protected as committed or agreed.

The AICPA Trust Services Principles identify five categories of risks and controls. Which category is best described by the statement, "Information processes could be inaccurate, incomplete, or not properly authorized"? Security Availability Processing integrity Confidentiality

AICPA Trust Services Principles identify five categories of risks and controls. c. Processing integrity is the category best described by the statement, "Information processes could be inaccurate, incomplete, or not properly authorized."

Assurance Services

Accounting services that improve the quality of information

Audit completion/reporting phase

After the tests of controls and substantive audit tests have been completed, auditors evaluate all the evidence that has been accumulated and draw conclusions based on this evidence.

An IT governance committee has several responsibilities. Which of the following is least likely to be a responsibility of the IT governance committee? Develop and maintain the database and ensure adequate controls over the database. Develop, monitor, and review security policies. Oversee and prioritize changes to IT systems. Align IT investments to business strategy.

An IT governance committee has several responsibilities. The option least likely to be a responsibility of the IT governance committee is to a. develop and maintain the database and ensure adequate controls over the database. This is a description of the responsibilities of the database administrator, not the IT governance committee.

Auditing with the computer

Auditors can use their own computer systems and audit software to help conduct the audit.

Program Mapping

Auditors count the number of times a program statement is executed to determine whether program code has been bypassed. Efficient because it uses actual data. May require special technical expertise to consider all paths of program logic.

Test data method

Auditors develop fictitious data that appears authentic, and process this "test data" separately, using client's computer system or a nonclient computer. Little technical expertise required. Used during normal processing, and well‐suited for performing tests of controls in batch systems. Risk of data contamination if test data is not properly removed after the testing. Time consuming to design test data to include both authentic and illogical data. Tests only anticipated problems. Provides only a static test of controls.

parallel simulation

Auditors develop program like client's application, then use it to process a copy of actual data. Independent test that allows for large sample sizes. Moderate technical expertise required. Practicality depends on the complexity of the application. Conducted at a particular point of time.

Integrated test facility

Auditors develop test data and process simultaneously with actual data. Very effective for simple applications. Used during normal processing. Provides ongoing tests of controls. Risk of data destruction. Time consuming. Less effective for complex applications.

Program Tracing

Auditors follow transactions through all processing steps in sequence, using a nonclient computer. Efficient because it uses actual data. May require special technical expertise to consider all paths of program logic.

Embedded audit module

Auditors insert tests within application. May be used periodically or continuously. Identifies processing problems as they occur. Lacks objectivity because it cannot identify unanticipated activity.

COSO describes five components of internal control. Which of the following terms is best described as "policies and procedures that help ensure management directives are carried out and management objectives are achieved"? Risk assessment Information and communication Control activities Control environment

COSO describes five components of internal control. c. "Control activities" is the term that is best described as "policies and procedures that help ensure management directives are carried out and management objectives are achieved." Control activities involve authorization, segregation, security of assets and records, adequate documentation, and independent checks. Policies and procedures of the organization establish the appropriate authorizations, segregations, security of assets and records, adequate documentation, and independent checks.

Financial statement audits are required to be performed by government auditors CPAs internal auditors IT auditors

CPAs

Computer-assisted audit techniques (CAATs)

Computer programs that allow auditors to test computer files and databases.

COBIT

Control Objectives for Information Technology.9 COBIT is extremely important guidance for those who design or audit IT systems. The AICPA and the Canadian Institute of Chartered Accountants have jointly developed IT control guidelines, related to COBIT, commonly referred to as the Trust Service Principles.10 This guidance addresses risks and opportunities of information technology, and the most recent version became effective in 2006.

Which of the following is not a condition in the fraud triangle? Rationalization Incentive Conversion Opportunity

Conversion is not a condition in the fraud triangle. Incentive, opportunity, and rationalization make up the fraud triangle.

Check Fraud

Credit card fraud and check fraud involve the customer's use of stolen or fraudulent credit cards and checks

Credit Card Fraud

Credit card fraud and check fraud involve the customer's use of stolen or fraudulent credit cards and checks

Redundancy Tests

Counting the number of entries (record counts) or the order of documents in a series (sequence verification). Useful for determining whether application records are complete or if any items are incorrectly included more than once. Also ensures that processing takes place only when all fields within the data file are filled in. Tested by comparing system‐generated counts with counts/listings prepared by auditors.

There are many possible indirect benefits to management when management fraud occurs. Which of the following is not an indirect benefit of management fraud? Delayed exercise of stock options Delayed cash flow problems Enhanced promotion opportunities Increased incentive‐based compensation

Delayed exercise of stock options is not an indirect benefit of management fraud. When managers conduct fraud, they are expecting indirect benefits such as delayed cash flow problems, enhanced promotion opportunities, and increased compensation. However, delaying stock option exercise is not a benefit.

WEP (Wired Equivalent Privacy)

Depending on the equipment used, WEP employs 64‐, 128‐, or 256‐bit encryption methods. The encryption is symmetric in that both the sending and receiving network nodes must use the same encryption key. Because WEP has proven to be susceptible to hacking, the industry has developed a new wireless network security system called wireless protected access, or WPA,

Which of the following is not an example of employee fraud? Skimming Larceny Kickbacks Earnings management

Earnings management is not an example of employee fraud. Earnings management is a type of management fraud. The other answers are examples of employee fraud.

Larceny

Fraudsters may also steal the company's cash after it has been recorded in the accounting records. Consider an example of an employee responsible for making the bank deposit who steals the cash after it has been recorded in the accounts receivable records. This type of fraud is uncommon because the fraudster is likely to be caught, since the accounting records provide evidence of collecting cash. Larceny is typically detected when performing a reconciliation of cash accounts (to the accounts receivable or payable records) or when preparing the bank reconciliation.

Segregation of Duties

For any transaction, there are usually three key functions: authorization of the transaction, recording the transaction, and custody of the related asset(s). Ideally, management should separate these three functions by assigning each function to a different person or department within the organization. The person or department authorizing a transaction should neither be responsible for recording it in the accounting records nor have custody of the related asset. To understand the possible effect of not segregating these duties, consider a payroll example. If a foreman were allowed to hire employees, approve their hours worked, and also distribute the paychecks, then authorization would not have been segregated from custody of the checks. This would give a dishonest foreman the perfect opportunity to make up a fictitious employee and collect the paycheck. However, if paychecks were distributed to employees by someone other than the foreman, the opportunity for this kind of payroll theft would be reduced.

Fraudulent Financial Reporting

Fraud perpetrated by management by preparing misleading financial statements.

Specific Authorization

If any transaction is an exception to these payment methods, as in the case of the customer paying with an out‐of‐state check, the transaction requires specific authorization. Specific authorization means that explicit approval is needed for a transaction to be completed.

Computer Fraud

In addition to the frauds described in previous sections, organizations must also attempt to prevent or detect fraudulent activities involving the computer. Again, there are so many different kinds of computer fraud that it is not feasible to describe all the possibilities in this chapter. In some cases, the computer is used as a tool to more quickly and efficiently conduct a fraud that could be conducted without a compute

Fraud Triangle

In order for a fraud to be perpetrated, three conditions must exist An incentive to commit the fraud. Some kind of incentive or pressure typically leads fraudsters to their deceptive acts. Financial pressures, market pressures, job‐related failures, or addictive behaviors may create the incentive to commit fraud. Opportunity to commit the fraud. Circumstances may provide access to the assets or records that are the objects of fraudulent activity. Only those persons having access can pull off the fraud. Ineffective oversight is often a contributing factor. Rationalization of the fraudulent action. Fraudsters typically justify their actions because of their lack of moral character. They may intend to repay or make up for their dishonest actions in the future, or they may believe that the company owes them as a result of unfair expectations or an inadequate pay raise.

Auditing around the computer

In such cases, the use of IT systems does not have a great impact on the conduct of the audit, since the auditor can perform audit testing in essentially the same manner as would be done for a manual system.

confidentiality risks

Information designated as confidential is protected as committed or agreed.

three critical actions that an organization can undertake to assist in the prevention or detection of fraud and errors

Maintain and enforce a code of ethics. Maintain a system of accounting internal controls. Maintain a system of information technology controls.

Management of an Internet retail company is concerned about the possibility of computer data eavesdropping and wiretapping, and wants to maintain the confidentiality of its information as it is transmitted. The company should make use of data encryption redundant servers input controls password codes

Management of an Internet retail company is concerned about the possibility of computer data eavesdropping and wiretapping, and wants to maintain the confidentiality of information as it is transmitted. The company should make use of a. data encryption. Since encryption renders data unreadable, it prevents eavesdropping and makes wiretapping useless.

Run-to-run control totals

Many input controls also serve as processing controls. Control totals, limit and range tests, and reasonableness and sign tests can prevent or detect processing errors. Control totals such as record counts, batch totals, and hash totals can be reconciled during stages of processing to verify the accuracy and completeness of processing. This reconciliation of control totals at various stages of the processing is called

Hash totals

Mathematical sums of data that are meaningless to the financial statements (such as vendor numbers or check numbers), but useful for controlling the data and especially for detecting possible missing items. Tested by comparing system‐generated totals with totals computed by auditors

Financial totals

Mathematical sums of dollar amounts or item counts. Useful because they typically identify the amount of a journal entry made in the financial accounting system. Tested by comparing system‐generated totals with totals computed by auditors.

Which of the following best describes what is meant by the term "generally accepted auditing standards"? Procedures used to gather evidence to support the accuracy of a client's financial statements Measures of the quality of an auditor's conduct in carrying out professional responsibilities Professional pronouncements issued by the Auditing Standards Board Rules acknowledged by the accounting profession because of their widespread application

Measures the quality if an auditors conduct in carrying out professional responsibilities

A company has the following invoices in a batch: Invoice no. Product I.D. Quantity Unit price 401 H42 150 $30.00 402 K56 200 $25.00 403 H42 250 $10.00 404 L27 300 $5.00 Which of the following numbers represents a valid record count? 1 4 70 900

Of the numbers presented, the one that represents a valid record count is b. 4. This represents the number of records (invoices) included for processing in the batch.

Which of the following is a general control to test for external access to a client's computerized systems? Penetration tests Hash totals Field checks Program tracing

Penetration tests

Online Privacy

Personal information obtained as a result of e‐commerce is collected, used, disclosed, and retained as committed or agreed.

Proper segregation of duties calls for separation of the functions of authorization, execution, and payment authorization, recording, and custody custody, execution, and reporting authorization, payment, and recording

Proper segregation of duties calls for separation of the functions of b. authorization, recording, and custody.

Public Cloud

Provides cloud services to just about anyone

Which of the following is not a common form of employee fraud? Inventory theft Expense account fraud Payroll fraud Refund fraud

Refund fraud is not a common form of employee fraud. Refund fraud is a form of customer fraud, not employee fraud.

Refund Fraud

Refund fraud occurs when a customer tries to return stolen goods to collect a cash refund.

Internal controls that apply overall to the IT system are called overall controls technology controls application controls general controls

SO 1) Internal controls that apply overall to the IT system are called d. general controls. There are two categories of IT internal controls. General controls apply overall to the IT system, such as passwords, encryption of data, and physical security controls. Application controls are input, processing, and output controls applied to each specific IT application system.

SOC reports

SOC 1 reports address internal controls over financial reporting. Type I reports contain management's assessment and the auditor's opinion on the operating design of internal controls over financial reporting. Type II reports extend the Type I report by also evaluating the operating effectiveness of internal controls. SOC 2 reports consider controls over compliance and operations, including the Trust Services Principles of security, availability, processing integrity, confidentiality, and privacy of a service provider's systems. Type I or Type II conclusions may apply in the same manner as for SOC 1 reports. SOC 3 reports are unaudited but contain an auditing firm's conclusion on the elements of the Trust Services Principles.

Limit Tests

Scanning entries for reasonable limits, such as predetermined limits on check amounts or a customer's credit. Useful in preventing errors and unauthorized processing. Tested by comparing programmed limits with company policies.

Field Checks

Scanning entries to determine that data exist in the proper alpha or numeric format. Useful in preventing processing errors due to unrecognized data. Tested by comparing the data format with program code.

Validation checks

Scanning entries to verify whether there is missing or bogus information. Entries are reviewed for valid dates and labeling, records are reviewed for reasonable values and sequences, and fields are reviewed for valid limits or missing data. Tested by comparing programmed information with predetermined values documented in the program code.

Segregation of duties is a fundamental concept in an effective system of internal controls. Nevertheless, the effectiveness of this control can be compromised through which situation? A lack of employee training Collusion among employees Irregular employee reviews The absence of an internal audit function

Segregation of duties is a fundamental concept in an effective system of internal controls. Nevertheless, the effectiveness of this control can be compromised through b. collusion among employees. When employees who perform segregated duties work together, they can circumvent controls and perpetrate fraud.

IT outsourcing

Some companies may rely on external, independent computer service providers to handle all or part of their IT needs. This is known as IT outsourcing. IT outsourcing creates a challenge for auditors, who must gain an adequate understanding of risks and controls that are located at an independent service center. However, the service center will likely have its own auditors who monitor, test, and/or report on internal controls. This third‐party report can be used as audit evidence about the effectiveness of internal controls. Alternatively, auditors may choose to conduct testing at the service center's business location, or perform audit tests around the client's computer.

Which of the following is not a part of generally accepted auditing standards? General standards Standards of fieldwork Standards of information systems Standards of reporting

Standards of information systems

Kickbacks

Taking illegal payments for services made.

Sarbanes-Oxley Act

The Act was intended to reform accounting, financial reporting, and auditing functions of companies that are publicly traded in stock exchanges. One requirement is that public companies adopt and disclose a code of ethics for directors, officers, and employees. Documenting and adhering to a code of ethics should reduce opportunities for managers or employees to conduct fraud. This will only be true, however, if top management emphasizes this code of ethics and disciplines or discharges those who violate the code. Exhibit 3‑3 presents the type of concepts that are usually found in a business organization's code of ethics. Establishing and maintaining a culture where ethical conduct is recognized, valued, and exemplified by all employees. This includes Obeying applicable laws and regulations that govern business Conducting business in a manner that is honest, fair, and trustworthy Avoiding all conflicts of interest Creating and maintaining a safe work environment Protecting the environment

Information and Communication

The COSO internal control framework requires that an organization create and use an information and communication system that includes the following factors: The system obtains or generates and uses relevant quality information to support the functioning of internal control. The system internally communicates information, including objectives and responsibilities for internal control. The system communicates with external parties regarding matters affecting the functioning of internal control.

The careful and responsible oversight and use of the assets entrusted to Management is called: the control environment stewardship preventive controls security

The careful and responsible oversight and use of the assets entrusted to management is called b. stewardship.

Which control activity is intended to serve as a method to confirm the accuracy or completeness of data in the accounting system? Authorization Segregation of duties Security of assets Independent checks and reconciliations

The control activity intended to serve as a method to confirm the accuracy or completeness of data in the accounting system is d. independent checks and reconciliations. Independent checks and reconciliations on performance are important aspects of control activities. They usually involve the reconciliation, or comparison, of two sets of records, such as a bank reconciliation's comparison of the bank statement with the company's cash records.

Which control total is the total of field values that are added for control purposes, but not added for any other purpose? Record count Hash total Batch total Field total

The control total which is the total of field values added for control purposes, but not added for any other purpose, is a b. hash total. As an example, a hash total might be the total of all Social Security numbers, a field that would not be summed for any purpose other than control.

Which of the following is not considered a cause of information risk? Management's geographic location is far from the source of the information needed to make effective decisions. The information is collected and prepared by persons who use the information for very different purposes. The information relates to business activities that are not well understood by those who collect and summarize the information for decision makers. The information has been tested by internal auditors and a CPA firm.

The information has been tested by internal auditors and a CPA firm

The most difficult type of misstatement to discover is fraud that is concealed by over‐recording the transactions nonrecorded transactions recording the transactions in subsidiary records related parties

The most difficult type of misstatement to discover is fraud that is concealed by b. nonrecorded transactions. If there is no record of the fraud, it is especially difficult to detect.

data preparation procedures

The procedures to collect and prepare source documents

Auditors should develop a written audit program so that all material transactions will be included in substantive testing substantive testing performed prior to year end will be minimized the procedures will achieve specific audit objectives related to specific management assertions each account balance will be tested under either a substantive test or a test of controls

The procedures will achieve specific audit objectives related to specific management assertions

The review of amounts charged to the company from a seller that it purchased from is called a vendor audit seller review collusion customer review

The review of amounts charged to the company from a seller that it purchased from is called a a. vendor audit. A vendor audit involves the examination of vendor records in support of amounts charged to the company. Since many vendor contracts involve reimbursement for labor hours and other expenses incurred, the company can review supporting documentation for these expenses incurred by its vendor

The risk of an unauthorized user gaining access is likely to be a risk for which of the following areas? Telecommuting workers Internet Wireless networks All of the above

The risk of an unauthorized user gaining access is likely to be a risk for d. all of the above. Each of these areas of an IT system is a potential entry point for unauthorized users.

Availability

The risk related to availability is system or subsystem failure due to hardware or software problems. An example of a risk that can cause interruptions to the system would be a virus that causes the system to slow down or fail. Internal controls can be implemented to limit the chances of failure and thereby help improve availability of the system to process information and support ongoing business.

Confidentiality

The risk related to confidentiality is that confidential information about the company or its business partners may be subject to unauthorized access during its transmission or storage in the IT system. Examples of confidential information are banking information and price lists. Most companies do not wish to allow their bank account numbers or price lists to be available to competitors or other external parties. Controls can be implemented to limit unauthorized access to confidential information.

Processing Integrity

The risk related to processing integrity could be inaccurate, incomplete, or improperly authorized information. An example of this type of risk would be an error in entering hours worked for a worker's pay. The person keying hours worked into the payroll software might accidentally type an incorrect number of hours. Controls should be implemented to reduce erroneous, incomplete, or unauthorized transactions or data.

Security

The risk related to security is unauthorized access, which may be both physical access and logical access. An example of unauthorized physical access would be a person breaking into the computer room and damaging computer equipment. An example of logical access would be an unauthorized hacker stealing data such as credit card numbers. Internal controls must be designed and implemented to limit both types of unauthorized access.

The risk that an unauthorized user would shut down systems within the IT system is a(n) security risk availability risk processing integrity risk confidentiality risk

The risk that an unauthorized user would shut down systems within the IT system is an b. availability risk. The shutdown of all or part of the IT system would make the IT system unavailable for use as intended, and it is therefore an availability risk.

availability

The system is available for operation and use as committed or agreed.

Security

The system is protected against unauthorized (physical and logical) access.

Loss of audit trail visibility

Various risks are created by the existence of IT‐based business processes. For example, because the details of transactions are often entered directly into the computer system, there may be no paper documentation maintained to support the transactions.

Disaster recovery plan

Whereas BCP is proactive planning, DRP is a more reactive plan to restore business operations to normal after a disaster occurs. Disaster recovery plans should include all plans necessary to continue IT operation after a disaster. Although disaster recovery planning has been an important concept in IT systems for many years, there was much more activity regarding disaster recovery planning after the New York City terrorist attacks in September 2001. Those events reminded companies that catastrophes happen very unexpectedly and can cause IT systems to be damaged or destroyed.

Which of the following audit objectives relates to the management assertion of existence? A transaction is recorded in the proper period. A transaction actually occurred (i.e., it is real). A transaction is properly presented in the financial statements. A transaction is supported by detailed evidence.

a transaction actually occurred

Which of the following is generally an external computer fraud, rather than an internal computer fraud? Spoofing Input manipulation Program manipulation Output manipulation

a. Spoofing is generally an external computer fraud, rather than an internal computer fraud. Spoofing occurs when a person, through a computer system, pretends to be someone else. Internet spoofing is the most dangerous to the accounting and control system.

Programmers

actually write the software, using a programming language.

Benford's Law

also known as the first‐digit law, was named for a physicist, Frank Benford, who discovered a specific, but nonuniform pattern in the frequency of digits occurring as the first number in a list of numbers. Benford found that the number 1 is likely to be the leading digit approximately one‐third of the time, and the number 2 is the leading digit about 18 percent of the time. The number 9, on the other hand, is a leading digit in less than 5 percent of occurrences. Benford's Law applies to large data sets of naturally occurring numbers and is therefore useful to auditors in evaluating possible errors or fraud in sales and accounts receivable balances, accounts payable and disbursements balances, income tax data, and more

Off-site backup

an additional copy of the backup files stored in an off‐site location

Which of the following statements regarding an audit program is true? An audit program should be standardized so it may be used on any client engagement. The audit program should be completed by the client company before the audit planning stage begins. An audit program should be developed by the internal auditor during the audit's completion/reporting phase. An audit program establishes responsibility for each audit test by requiring the signature or initials of the auditor who performed the test.

an audit program establishes responsibility for each audit test by requiring the signature or initials of the auditor who performed the test

Systems Analyst

analyze and design IT systems,

General Controls

apply overall to the IT accounting system; they are not restricted to any particular accounting application. An example of a general control is the use of passwords to allow only authorized users to log in to an IT‐based accounting system. Without regard to processing data in any specific application, passwords should be employed in the IT system.

Record Counts

are a simple count of the number of records processed. The records can be counted prior to and after input, and the totals should agree.

Generally Accepted Auditing Standards (GAAS)

are broad guidelines for an auditor's professional responsibilities. These 10 standards are divided into 3 categories that include general qualifications and conduct of an auditor (general standards), guidelines for performing the audit (standards of fieldwork), and requirements for the written report communicating the results of the audit (standards of reporting).

Management assertions

are claims regarding the condition of the business organization in terms of its operations, financial results, and compliance with laws and regulations. The role of the auditors is to analyze the underlying facts to decide whether information provided by management is fairly presented.

Application Controls

are computerized controls over application programs. Since any company may use many different computer programs in its day‐to‐day business, there may be many different types of application controls to consider in an audit. Auditors test the company's systems documentation to be sure that adequate details exist for all application programs. The details should include a list of all applications critical to the information being audited, along with supporting source code that is kept up to date in the IT library. Backup copies should be stored off‐site. In addition to testing systems documentation, auditors should test the three main functions of the computer applications, including input, processing, and output.

Preventive Controls

are designed to avoid errors, fraud, or events not authorized by management. Preventive controls intend to stop undesirable acts before they occur. For example, keeping cash locked in a safe is intended to prevent theft

Operations Personnel

are employees who are responsible for processing operating data

Input Controls

are intended to ensure the accuracy and completeness of data input procedures and the resulting data.

Processing controls

are intended to ensure the accuracy and completeness of processing that occurs in accounting applications.

Output Controls

are intended to help ensure the accuracy, completeness, and security of outputs that result from application processing.

control totals

are subtotals of selected fields for an entire batch of transactions. For a batch of similar transactions, such as payroll transactions for a pay period, control totals can be calculated before the data is processed. For example, the total number of hours worked on all time cards can be summed.

General controls

are the automated controls that affect all computer applications, the reliability of application controls is considered only after general controls have been tested.

Corrective Controls

are those steps undertaken to correct an error or problem uncovered via detective controls. For example, if an error is detected in an employee's time card, there must be an established set of steps to follow to assure that it is corrected. These steps would be corrective controls.

Hash totals

are totals of fields that have no apparent logical reason to be added. For example, the summation of all Social Security numbers in a batch of payroll transactions would provide a control total for comparison, but the total would have no other practical use.

batch total

are totals of financial data, such as total gross pay or total federal tax deducted.

application controls

are used specifically in accounting applications to control inputs, processing, and outputs. Application controls are intended to ensure that inputs and processing are accurate and complete and that outputs are properly distributed, controlled, and disposed. An example of an input application control is a validity check. Within a specific accounting application, such as payroll, the system can use programmed input controls to reduce input errors

Control Activities

as the policies and procedures that help ensure that management directives are carried out and that management objectives are achieved. A good internal control system must include control activities that occur at all levels and in all functions within the company, including controls over technology. The internal control framework requires that an organization accomplish the following: Develop control activities that contribute to the mitigation of risks. Develop general controls over technology (this concept is discussed in Chapter 4). Deploy control activities through policies that establish expectations and procedures to put those policies into action. The control activities include a range of actions that should be deployed through the company's policies and procedures. These activities can be divided into the following categories: Authorization of transactions Segregation of duties Adequate records and documents Security of assets and documents Independent checks and reconciliations

operational audits

assess operating policies and procedures for efficiency and effectiveness.

completeness check

assesses the critical fields in an input screen to make sure that a value is in those fields. For example, when a new employee is processed, a Social Security number must be entered. The completeness check scans only to make sure that a value has been entered; it cannot ensure that the correct value was entered

Materiality

auditors estimate the monetary amounts that are large enough to make a difference in decision making. Materiality estimates are then assigned to account balances so that auditors can decide how much evidence is needed. Transactions and account balances that are equal to or greater than the materiality limits will be carefully tested. Those below the materiality limits are often considered insignificant (if it is unlikely that they will impact decision making) and therefore receive little or no attention on the audit. Some of these items with immaterial balances may still be audited, though, especially if they are considered areas of high risk

Two-factor authentication

based on something the user has, the token, and something the user knows, the password. A hacker located several hundred miles away from the organization would not have access to the smart card or token.

Which programmed input validation check compares the value in a field with related fields to determine whether the value is appropriate? Completeness check Validity check Reasonableness check Completeness check

c. A reasonableness check is the programmed input validation check that compares the value in a field with related fields to determine whether the value is appropriate. An example would be that pay rate could be compared with job category code to make sure that the pay rate is reasonable.

Which of the following is not a control intended to authenticate users? User log‐in Security token Encryption Biometric devices

c. Encryption is not a control intended to authenticate users. Encryption can render data unreadable and useless to those without the encryption key, but it does not prevent unauthorized users from accessing the IT system. User logins, security tokens, and biometric devices do authenticate users and are intended to prevent unauthorized access.

Fraud

can be defined as the theft, concealment, and conversion to personal gain of another's money, physical assets, or information. Notice that this definition includes concealment. In most cases, a fraud includes altering accounting records to conceal the fact that a theft occurred.

Governmental auditors

conduct audits of government agencies or income tax returns. CPA firms represent the interests of the public by performing independent audits of many types of business organizations.

Management Fraud

conducted by one or more top‐level managers within the company, is usually in the form of fraudulent financial reporting. Oftentimes, the chief executive officer (CEO) or chief financial officer (CFO) conducts fraud by misstating the financial statements through elaborate schemes or complex transactions. Managers misstate financial statements in order to receive such indirect benefits as the following: Increased stock price. Management usually owns stock in the company, and it benefits from increased stock price. Improved financial statements, which enhance the potential for a merger or initial public offering (IPO), or prevent negative consequences due to noncompliance with debt covenants or decreased bond ratings. Enhanced chances of promotion, or avoidance of firing or demotion. Increased incentive‐based compensation such as salary, bonus, or stock options. Delayed cash flow problems or bankruptcy. Management fraud may involve overstating revenues and assets, understating expenses and liabilities, misapplying accounting principles, or any combination of these tactics. While there are numerous examples of management fraud, two examples are presented next.

Certified Fraud Examiner (CFE)

considered experts in the detection of fraud.

Audit Programs

contain the list of related procedures to accomplish evidence gathering. GAAS requires the auditor to write an audit program for each audit. Audit procedures can be accomplished with different types of evidence and auditors typically use a combination of evidence to accomplish their audit objectives.

authority table

contains a list of valid, authorized users and the access level granted to each one. For instance, one user within the payroll area may need to both read and write data, while another may need only read access.

Rounding Errors tests

determine whether significant errors exist due to the way amounts are rounded and summarized.

Compliance Audits

determine whether the company has complied with regulations and policies established by contractual agreements, governmental agencies, company management, or other high authority.

Financial Statement audits

determine whether the company has prepared and presented its financial statements fairly, and in accordance with established financial accounting criteria.

database administrator

develops and maintains the database and ensures adequate controls over data within the database

In an audit of financial statements in accordance with generally accepted auditing standards, an auditor is required to document the auditor's understanding of the client company's internal controls search for weaknesses in the operation of the client company's internal controls perform tests of controls to evaluate the effectiveness of the client company's internal controls determine whether controls are appropriately operating to prevent or detect material misstatements

document the auditors understanding of the client company's internal control

Sequence Check

ensures that the batch of transactions is sorted in order, but does not help find missing transactions because it checks only sequence, not completeness. In any particular pay period, there may be employees who will not be paid, perhaps because they are on a monthly, rather than bi‐weekly, pay period, or because they are on unpaid leave. The sequence check just skips over the missing employee number and verifies only that the remaining employees in the batch are sorted in the correct order

External Audit

performed by independent auditors who are objective and neutral with respect to the company and information being audited.

Validity Check

examines a field to ensure that the data entry in the field is valid compared with a preexisting list of acceptable values. For example, there may be only two choices for acceptable values for a field named Pay Type: "hourly" and "salary." The application can be preprogrammed to check input into that field to make sure it is either "h" or "s." Any other values should be rejected as not valid, and the user should see an error message on the screen if the data is not valid.

Range Check

has both an upper and a lower limit. Some fields, such as quantity requested, may logically suggest that the entry cannot be less than 1.

Limit Check

has only an upper limit; for example, hours worked cannot exceed a value of 70 hours per week.

COSO report

has provided the standard definition and description of internal control accepted by the accounting industry. The framework has been updated and expanded in 2013 to provide various clarifications and enhancements to its internal control guidance. According to the COSO report, there are five interrelated components of internal control: the control environment, risk assessment, control activities, information and communication, and monitoring. Each of these components is discussed next.

Risk assessment is a process designed to identify possible circumstances and events that may affect the business establish policies and procedures to carry out internal controls identify and capture information in a timely manner test the internal controls throughout the year

identify possible circumstances and events that may affect the business

uninterruptible power supply (UPS)

includes a battery to maintain power in the event of a power outage in order to keep the computer running for several minutes after a power outage

Which of the following is most likely to be an attribute unique to the financial statement audit work of CPAs, compared with work performed by attorneys or practitioners of other business professions? Due professional care Competence Independence A complex underlying body of professional knowledge

independence

Which of the following computer assisted auditing techniques allows fictitious and real transactions to be processed together without client personnel being aware of the testing process? Test data method Embedded audit module Integrated test facility Parallel simulation

integrated test facility

The primary objective of compliance testing in a financial statement audit is to determine whether procedures have been updated regularly financial statement amounts are accurately stated internal controls are functioning as designed collusion is taking place

internal controls are functioning as designed

Balancing tests

involve a comparison of different items that are expected to have the same values, such as comparing two batches or comparing actual data against a predetermined control total.

Tests of controls

involve audit procedures designed to evaluate both general controls and application controls.

Vendor Audit

involve the examination of vendor records in support of amounts charged to the company. Since many vendor contracts involve reimbursement for labor hours and other expenses incurred, the company can review supporting documentation for these expenses incurred by its vendor. This could reveal whether or not the vendor is honest in reporting expenses, and may be the basis for continuing or terminating the business relationship.

Run-to- run totals

involve the recalculation of amounts from one process to the next to determine whether data have been lost or altered during the process.

Auditing through the computer

involves directly testing the internal controls within the IT system. It is sometimes referred to as "the white box approach" because it requires auditors to understand the computer system logic. This approach requires auditors to evaluate IT controls and processing so that they can determine whether the information generated from the system is reliable. Auditing through the computer is necessary under the following conditions: The auditor wants to test computer controls as a basis for evaluating risk and reducing the amount of substantive audit testing required. The auditor is required to report on internal controls in connection with a financial statement audit of a public company. Supporting documents are available only in electronic form.

Monitoring

involves the ongoing review and evaluation of the system. For example, your home may have a heating system with a thermostat. The thermostat constantly measures temperature and turns the heat on or off to maintain the desired temperature. Thus, the thermostat is a control system. However, due to wear and tear or other changes, the thermostat and heater may begin to malfunction. To keep them operating at peak effectiveness, there must be periodic checks on the thermostat and heating system to make sure they are working correctly. The same is true of an internal control system in an organization. To keep the controls operating effectively, management must monitor the system and attempt to improve any deficiencies. This is especially important as organizations undergo changes. Employee and management turnover, new business processes or procedures, and market changes may all affect the functionality of internal controls.

Misappropriation of Assets

involves theft of any item of value. It is sometimes referred to as a defalcation, or internal theft, and the most common examples are theft of cash or inventory. Restaurants and retail stores are especially susceptible to misappropriation of assets because their assets are readily accessible by employees

Misstatement of financial records

involves theft of any item of value. It is sometimes referred to as a defalcation, or internal theft, and the most common examples are theft of cash or inventory. Restaurants and retail stores are especially susceptible to misappropriation of assets because their assets are readily accessible by employees

Management Override

involves top management's circumvention of the systems or internal controls that are in place

Secure Sockets Layer (SSL)

is a communication protocol built into Web server and browser software that encrypts data transferred on that website. If you have ever ordered products on a website, you were probably using SSL technology to encrypt personal data such as your credit card number. You can determine whether such sites use SSL technology by examining the URL address. Most website addresses begin with http:// preceding the URL, but SSL addresses begin with https:// preceding the URL.

computer log

is a complete record of all dates, times, and uses for each user. Any abnormalities in log‐in or use can be examined in more detail to determine any weaknesses in log‐in procedures. Also, the log‐in procedures and logs establish nonrepudiation of users.

Local Area Netowrk (LAN)

is a computer network covering a small geographic area. In most cases, LANs are within a single building or a local group of buildings. Most LANs are sets of personal computers or workstations that are connected in order to share data and devices such as printers. Typically, the LAN is connected to a larger computer, the server, where data and some programs reside and are shared over the LAN. A group of LANs connected to each other to cover a wider geographic area is called a wide area network, or WAN.

Reconciliation

is a detailed report assessing the correctness of an account balance or transaction record that is consistent with supporting information and the company's policies and procedures. Account balance details and supporting information may be derived from applications outputs. In order to enhance controls, reconciliations should be performed by independent company personnel—those who were not involved with the tasks of initiating or recording the transactions within the accounts being reconciled.

business continuity planning

is a proactive program for considering risks to the continuation of business and developing plans and procedures to reduce those risks. Since such a large number of organizations rely on IT systems to operate, the continuation of IT systems is an integral part of business continuity. BCP is a broad type of planning that focuses on key personnel, resources, and activities critical to business continuation. Two parts of business continuity are related to IT systems: A strategy for backup and restoration of IT systems, to include redundant servers, redundant data storage, daily incremental backups, a backup of weekly changes, and off‐site storage of daily and weekly backups A disaster recovery plan

Reconciliation

is a procedure that compares records from different sources. For instance, a bank reconciliation compares independent bank records with company records to ensure the accuracy and completeness of cash records. Similarly, a comparison of physical assets with records occurs when a company takes a physical count of inventory and compares the results to the inventory records. Any differences are recorded as adjustments to inventory and result in correct inventory records. Recalculation of amounts can help uncover math or program logic errors. For example, recalculating price times quantity may uncover errors in invoices that were caused by either human error or bad program logic. Analysis of reports is the examination of a report to assess the accuracy and reliability of the data in that report. A manager who regularly reviews reports is likely to notice errors that crop up in the reports; the manager may not always notice such errors, but many times will. Finally, review of batch totals is an independent check to assure the accuracy and completeness of transactions processed in a batch. Batch processing occurs when similar transactions are grouped together and processed as a group. For example, time cards can be collected from all employees within a department and processed simultaneously as a batch. In batch processing, it is possible to calculate a batch total, which is merely a summation of key items in the batch (such as hours worked), and compare this batch total along various stages of processing. If at some stage of processing the batch totals no longer match, this means that an error has occurred in processing.

authentication of users

is a process or procedure in an IT system to ensure that the person accessing the IT system is a valid and authorized user.

Password

is a secret set of characters that identifies the user as the authentic owner of that associated user ID. Passwords should be at least eight characters in length and contain at least one nonalphanumeric character. Such passwords would be difficult to guess. For example, a password such as xEq7f$23

Virus

is a self‐replicating piece of program code that can attach itself to other programs and data and perform malicious actions such as deleting files or shutting down the computer. A worm is a small piece of program code that attaches to the computer's unused memory space and replicates itself until the system becomes overloaded and shuts down.

General authorization

is a set of guidelines that allows transactions to be completed as long as they fall within established parameters. In the example of a grocery or department store, the established guidelines are that the checkout clerk can process anyone through the line as long as the customer pays by cash, credit card, debit card, or an in‐state check.

Trojan Horse program

is a small, unauthorized program within a larger, legitimate program, used to manipulate the computer system to conduct a fraud. For example, the rogue program might cause a certain customer's account to be written off each time a batch of sales or customer payments are processed.

Database Management System (DBMS)

is a software system that manages the interface between many users and the database.

Trap door alteration

is a valid programming tool that is misused to commit fraud. As programmers write software applications, they may allow for unusual or unique ways to enter the program to test small portions, or modules, of the system. These entrance ways can be thought of as hidden entrances, or trap doors. Before the program is placed into regular service, the trap doors should be removed, but a programmer may leave a trap door in place in order to misuse it to commit fraud.

Emergency Power Supplies (EPS)

is an alternative power supply that provides electrical power in the event that a main source is lost. An example of an EPS is a gasoline‐powered generator.

internal auditors

is an employee of the company that he or she audits. Most large companies have a staff of internal auditors who perform compliance, operational, and financial audit functions at the request of management. Some internal auditors achieve special certification as certified internal auditors (CIAs).

Self-checking digit

is an extra digit added to a coded identification number, determined by a mathematical algorithm. For example, if a vendor number is to be 6453, then an extra digit is added to the end to make it 64532, where the "2" is generated by a mathematical formula. For any data entry tasks, the vendor number 64532 is always used. During an edit run, the computer recomputes the same formula to ensure that the self‐checking digit still equals 2. If the data entry person accidentally typed 65432 rather than 64532, the self‐checking digit would not match and the input could be flagged as erroneous.

Employee Fraud

is conducted by non-management employees. This usually means that an employee steals cash or assets for personal gain. While there are many different kinds of employee fraud, some of the most common are as follows: Inventory theft. Inventory can be stolen or misdirected. This could be merchandise, raw materials, supplies, or finished goods inventory. Cash receipts theft. This occurs when an employee steals cash from the company. An example would be the theft of checks collected from customers. Accounts payable fraud. Here, the employee may submit a false invoice, create a fictitious vendor, or collect kickbacks from a vendor. A kickback is a cash payment that the vendor gives the employee in exchange for the sale; it is like a business bribe. Payroll fraud. This occurs when an employee submits a false or inflated time card. Expense account fraud. This occurs when an employee submits false travel or entertainment expenses or charges an expense account to cover the theft of cash.

Forensic Auditing

is designed specifically for finding and preventing fraud and is used for companies where fraud is known or believed to exist. Some accountants who work on forensic audits become certified fraud examiners (CFEs)

Firewall

is hardware, software, or a combination of both that is designed to block unauthorized access. All data traveling between the internal network and the Internet should pass through the firewall first. The firewall examines all data passing through it, and if the firewall detects unauthorized attempts to pass data, it prevents the flow of such data.

Denial of Service Attack

is intended to overwhelm an intended target computer system with so much bogus network traffic that the system is unable to respond to valid network traffic. A hacker takes advantage of the automated, repetitive nature of computers to accomplish a DoS attack by taking control of one or more computers on a network and using those computers to continually send bogus network traffic to a target computer. If the hacker can take over several computers and force each of them to send bogus traffic to one targeted computer system, the targeted system becomes overwhelmed. Attacks such as these that use several computers to attack one computer are called distributed denial of service attacks, or DDoS attacks. DDoS attacks are often used to distract the target company's security measures so that data theft can be undertaken.

Audit evidence

is proof of the fairness of financial information. The techniques used for gathering evidence include the following: Physically examining or inspecting assets or supporting information Obtaining written confirmation from an independent source Reperforming tasks or recalculating information, either manually or electronically Observing activities Making inquiries of company personnel Analyzing financial relationships and making comparisons to determine reasonableness The various phases of the audits typically include a combination of these techniques.

information risk

is the chance that information available to decision makers may be inaccurate. Information risk may be reduced through the use of information that has been audited. Auditors rely on both manual and computer controls to reduce information risk. Computer controls often compensate for weaknesses in manual controls.

Electronic Data Interchange (EDI)

is the company‐to‐company transfer of standard business documents in electronic form. EDI is widely used by businesses to buy and sell goods and materials. Rather than mailing copies of purchase orders and invoices, companies send these kinds of standard business documents back and forth electronically. To conduct EDI with business partners, a company must use a dedicated network, a value added network, or the Internet. The specific details and advantages of EDI are explained in a later chapter on e‐business.

Source Document

is the paper form used to capture and record the original data of an accounting transaction

Encryption

is the process of converting data into secret codes referred to as cipher text. Encrypted data can only be decoded by those who possess the encryption key or password. Encryption renders the data useless to those who do not possess the correct encryption key.

Penetration Testing

is the process of legitimately attempting to hack into an IT system to find whether weaknesses can be exploited by unauthorized hackers. Penetration testing is sometimes done by the IT staff within an organization, but more often an outside consultant with experience in penetration testing is hired to complete the tests.

Operating System

is the software that controls the basic input and output activities of the computer. The operating system provides the instructions that enable the CPU to read and write to disk, read keyboard input, control output to the monitor, manage computer memory, and communicate between the CPU, memory, and disk storage. In large computer systems, the operating system manages memory and CPU functions so that multiple users or multiple applications do not interfere with each other. The operating system handles computer data in binary form, which means that data is in sets of 0 or 1 data bits. That is, data such as dollar balances or passwords is being transmitted or stored in the operating system in binary form—sets of 0 and 1 values. Any knowledgeable person who understands binary data and who gains access to the operating system may be able to scan memory for things such as passwords, employee data, and other sensitive data. Such a person could also manipulate or destroy data. The operating system can be an entry point for unauthorized users or hackers.

Hacking

is the term commonly used for computer network break‐ins. Hacking may be undertaken for various reasons, including industrial espionage, credit card theft from online databases, destruction or alteration of data, or merely thrill‐seeking. Regardless of the purpose of the break‐in, tremendous damage can be done to a company in terms of immediate financial loss or loss of customer confidence. A hacker usually gains access to a network through the various network connections that most businesses and organizations have. Most companies are connected to networks for many reasons, such as to conduct Internet commerce, to connect various geographic locations of the same company, to allow telecommuting for employees who work at home, and to connect to the computer systems of vendors or customers. The existence of any of these types of network connections opens an opportunity for hackers to violate that connection. This is the paradox faced in today's computer world. To operate efficiently, organizations need to connect to networks, but such connections increase security risks exponentially.

Substantive testing

is very different from testing controls. Substantive tests evaluate whether information is correct, whereas control tests determine whether the information is managed under a system that promotes correctness.

information systems audit and control association (ISACA)

issues Information Systems Auditing Standards (ISASs) that provide guidelines for conducting the IT audit. These standards address audit issues unique to a company's information systems environment, including control and security issues.

Foreign Corrupt Practices Act

makes it illegal for US firms and their representatives to engage in corrupt practices overseas

Nonrepudiation

means that a user cannot deny any particular act that he or she did on the IT system. That is, if a user logged in and changed data fraudulently, the log‐in procedures and logs help establish undeniably which user took the action. Nonrepudiation is extremely important in verifying sales to customers. A danger is that a customer could log in via the company website, place an order that is subsequently received, and then deny that he or she initiated the transaction. Log‐in of customers and computer logs help establish nonrepudiation of sales transactions.

Professional Skepticism

means that the auditors should not automatically assume that their clients are honest, but must have a questioning mind and a persistent approach to evaluating evidence for possible misstatements. Misstatements may result from error or fraud, and auditors have equal responsibility for searching for both causes of material misstatements.

Reasonable Assurance

means that the controls achieve a sensible balance of reducing risk when compared with the cost of the control. It is not possible for an internal control system to provide absolute assurance, because there are factors that limit the effectiveness of controls, such as the following: Flawed judgments are applied in decision making. Human error exists in every organization. Controls can be circumvented or ignored. Controls may not be cost beneficial. No matter how well an internal control system is designed, it is limited by the fact that humans sometimes make erroneous judgments and simple errors or mistakes. Even when a person has good intentions, an error in judgment or a mistake, such as simply forgetting to do a step that provides an internal control, can cause harm. For example, it would be easy for a supervisor to simply forget to sign time cards for a particular pay period.

Log In

means to make the computer recognize you in order to create a connection at the beginning of a computer session.

Defalcation

misappropriation of money or funds held by an official, trustee, or other fiduciary.

Detective Controls

must be included in an internal control system. Detective controls help employees to uncover or discover errors, fraud, or unauthorized events. Examples of detective controls include matching physical counts to inventory records, reconciling bank statements to company records, and matching an invoice to its purchase order prior to payment. When these types of activities are conducted, it becomes possible to detect problems that may exist.

User ID

must be unique for each user

Which of the following audit procedures is most likely to be performed during the planning phase of the audit? Obtain an understanding of the client's risk assessment process. Identify specific internal control activities that are designed to prevent fraud. Evaluate the reasonableness of the client's accounting estimates. Test the timely cutoff of cash payments and collections.

obtain an understanding of the clients risk assessment process

Customer Fraud

occurs when a customer improperly obtains cash or property from a company, or avoids a liability through deception. Although customer fraud may affect any company, it is an especially common problem for retail firms and companies that sell goods through Internet‐based commerce. Examples of customer fraud include credit card fraud, check fraud, and refund fraud.

Spoofing

occurs when a person, through a computer system, pretends to be someone else. There are two kinds of spoofing that are currently prevalent: Internet spoofing and e‐mail spoofing. Internet spoofing is the most dangerous to the accounting and control systems, because a spoofer fools a computer into thinking that the network traffic arriving is from a trusted source. Within the Internet, each computer server is identified by a unique Internet protocol (IP) address. Any network traffic between computers is broken into small "packets" of data. Each packet includes the IP addresses of both the sender and receiver of the packet. In spoofing, the originating IP address is intentionally changed to make it appear that the packet is coming from a different IP address. Many computer systems include a security system that accepts packets only from known and trusted sources—essentially, an address book of trusted IP addresses. A spoofer circumvents that system by pretending that the packet originates from a trusted source. These packets can contain malicious data such as viruses, or programs that capture passwords and log‐in names. While e‐mail spoofing is not typically as problematic as Internet spoofing is to the direct financial interests of most business organizations, it is nevertheless a source of irritation and inconvenience at the workplace. E‐mail spoofing might flood employees' e‐mail boxes with junk mail but usually does not result in defrauding their company. E‐mail spoofing is usually used in an attempt to scam consumers. For example, a bank customer might get an e‐mail that looks as if it comes from the customer service department, asking recipients to provide confidential information such as their log‐in and password. With these fake e‐mails, the sender is hoping that unsuspecting customers will reply and divulge confidential information that will allow the spoofer to commit fraud. This type of fraud must be controlled by consumers and police authorities; internal control systems within a company can do little to prevent e‐mail spoofing.

Collusion

occurs when two or more people work together to commit a fraud. Collusion can occur between employees, employees and customers, or employees and vendors. Collusion between employees within a company is the most difficult to prevent or detect because it compromises the effectiveness of internal controls. This is true because collusion can make it much easier to conduct and conceal a fraud or theft even when segregation of duties is in place. For example, if a warehouse employee stole inventory and an accounting clerk covered it up by altering the inventory records, the fraud would be difficult to detect.

Vendor Fraud

occurs when vendors obtain payments to which they are not entitled. Unethical vendors may intentionally submit duplicate or incorrect invoices, send shipments in which the quantities are short, or send lower‐quality goods than ordered. Vendor fraud may also be perpetrated through collusion. For example, an employee of a company could make an agreement with a vendor to continue the vendor relationship in the future if the employee receives a kickback.

Auditing Standards Board (ASB)

of the American Institute of CPAs (AICPA) was the primary standard‐setting body prior to the PCAOB. The ASB has issued Statements on Auditing Standards (SASs) that have historically been widely used in practice and will continue to be the standards applicable to nonpublic companies.

Letter of Representations

often considered the most significant single piece of audit evidence, because it is a signed acknowledgment of management's responsibility for the reported information. In this letter, management must declare that it has provided complete and accurate information to its auditors during all phases of the audit.

Redundant Array of Independent Disks (RAID)

often set up such that two or more disks are exact mirror images. If one disk drive fails, the mirror image on a second drive can serve in its place. In addition to the backup files on a RAID, the organization should maintain daily and weekly incremental backups

Which of the following types of audits is most likely to be conducted for the purpose of identifying areas for cost savings? Financial statement audits Operational audits Regulatory audits Compliance audits

operational audits

Continuous auditing

or continuous monitoring, is a process of constant evidence‐gathering and analysis to provide assurance on the information as soon as it occurs or shortly thereafter. It can be performed by management and/or auditors.

Generalized Audit Software (GAS)

or data analysis software (DAS) to perform audit tests on electronic data files taken from commonly used database systems. These computerized auditing tools make it possible for auditors to be much more efficient in performing routine audit tests such as: Mathematical and statistical calculations Data queries Identification of missing items in a sequence Stratification and comparison of data items Selection of items of interest from the data files Summarization of testing results into a useful format for decision making

Which of the following computer assisted auditing techniques processes actual client input data (or a copy of the real data) on a controlled program under the auditor's control to periodically test controls in the client's computer system? Test data method Embedded audit module Integrated test facility Parallel simulation

parallel simulation

Service Set Identifier (SSID)

password that is passed between the sending and receiving nodes of a wireless network. Most wireless network equipment sets a default SSID of "any" so that any wireless equipment can connect to it. For example, if you have a laptop computer with wireless network equipment built in, it theoretically can connect to any similarly equipped networks if the same SSID is used in the laptop and other network nodes. However, security is improved if "any" is changed to a unique SSID that only those within the organization use. Using a unique SSID makes it more difficult for an outsider to access the wireless network.

Data analysis Software (DAS)

perform audit tests on electronic data files taken from commonly used database systems. These computerized auditing tools make it possible for auditors to be much more efficient in performing routine audit tests such as: Mathematical and statistical calculations Data queries Identification of missing items in a sequence Stratification and comparison of data items Selection of items of interest from the data files Summarization of testing results into a useful format for decision making

Independent auditors are generally actively involved in each of the following tasks except preparation of a client's financial statements and accompanying notes advising client management as to the applicability of a new accounting standard proposing adjustments to a client's financial statements advising client management about the presentation of the financial statements

preparation of a clisent's financial statements and accompanying notes

Authorization

refers to an approval, or endorsement, from a responsible person or department in the organization that has been sanctioned by top management. Every transaction that occurs must be properly authorized in some manner. For example, some procedure should be followed to determine when it is allowable to purchase goods, or when it is permissible to extend credit.

Risk

refers to the likelihood that errors or fraud may occur. Risk can be inherent in the company's business (due to such things as the nature of operations, the nature of data available, the economy, or management's strategies), or it may be caused by weak internal controls

Vulnerability Assessment

s the process of proactively examining the IT system for weaknesses that can be exploited by hackers, viruses, or malicious employees. When an organization engages in vulnerability assessment by using manual testing or automated software tools, it can identify weaknesses before they become network break‐ins and attempt to fix these weaknesses before they are exploited.

Independent Checks

serve as a method to confirm the accuracy and completeness of data in the accounting system. While there are many procedures that accomplish independent checks, examples are as follows: Reconciliation Comparison of physical assets with records Recalculation of amounts Analysis of reports Review of batch totals

Trust Services Principles

set forth guidance for CPAs who provide assurance services for organizations. Risk and controls in IT are divided into five categories in the Trust Services Principles, as follows: Security. The risk related to security is unauthorized access, which may be both physical access and logical access. An example of unauthorized physical access would be a person breaking into the computer room and damaging computer equipment. An example of logical access would be an unauthorized hacker stealing data such as credit card numbers. Internal controls must be designed and implemented to limit both types of unauthorized access. Availability. The risk related to availability is system or subsystem failure due to hardware or software problems. An example of a risk that can cause interruptions to the system would be a virus that causes the system to slow down or fail. Internal controls can be implemented to limit the chances of failure and thereby help improve availability of the system to process information and support ongoing business. Processing integrity. The risk related to processing integrity could be inaccurate, incomplete, or improperly authorized information. An example of this type of risk would be an error in entering hours worked for a worker's pay. The person keying hours worked into the payroll software might accidentally type an incorrect number of hours. Controls should be implemented to reduce erroneous, incomplete, or unauthorized transactions or data. Online privacy. The risk in this area is that personal information about customers may be used inappropriately or accessed by those either inside or outside the company. An example is the theft of credit card numbers when orders are placed through the company website. Internal controls should be implemented to limit the chance of personal information being misused. Confidentiality. The risk related to confidentiality is that confidential information about the company or its business partners may be subject to unauthorized access during its transmission or storage in the IT system. Examples of confidential information are banking information and price lists. Most companies do not wish to allow their bank account numbers or price lists to be available to competitors or other external parties. Controls can be implemented to limit unauthorized access to confidential information.

Control Environment

sets the tone of an organization and influences the control consciousness of its employees. The control environment is the foundation for all other components of internal control, and it provides the discipline and structure of all other components. Control environment factors include: The integrity and ethical values of the entity's people Management's oversight responsibility, including its philosophy and operating style The way management establishes structure and assigns authority and responsibility The way management develops its people and demonstrates commitment to competence The board of directors demonstrates independence from management and exercises oversight of internal control The organization holds individuals accountable for their internal control responsibilities. In each of these areas, management could establish an operating style that is either risky or more conservative.

IT auditors

specialize in information systems assurance, control, and security, and they may work for CPA firms, government agencies, or with the internal audit group for any type of business organization. Some IT auditors achieve special certification as certified information systems auditors

Suppose that during the planning phase of an audit, the auditor determines that weaknesses exist in the client's computerized systems. These weaknesses make the client company susceptible to the risk of an unauthorized break‐in. Which type of audit procedures should be emphasized in the remaining phases of this audit? Tests of controls Penetration tests Substantive tests Rounding errors tests

substantive tests

Intrusion Detection

systems are specific software tools that monitor data flow within a network and alert the IT staff to hacking attempts or other unauthorized access attempts. An intrusion detection system can be thought of as the burglar alarm for the IT system in that it alerts the appropriate users of break‐ins.

Planning phase

the auditor must gain a thorough understanding of the company's business and financial reporting systems. In doing so, auditors review and assess the risks and controls related to the business, establish materiality guidelines, and develop relevant tests addressing the assertions and objectives

Stewardship

the careful and responsible oversight and use of the assets entrusted to management. This requires that management maintain systems which allow it to demonstrate that it has appropriately used these funds and assets.

Earnings Management

the practice of using flexibility in accounting rules to manipulate the apparent profitability of the firm

Privacy

the state or condition of being free from being observed or disturbed by other people.

Internal Theft

the taking of company assets by employees

Industrial Espionage

the theft of proprietary company information, by digging through the trash of the intended target company. However, it would probably be more efficient for a hacker to gain access to the information through the target company's computer system

Software Piracy

the unlawful copying of software programs

Salami Technique

to alter a program to slice a small amount from several accounts and then credit those small amounts to the perpetrator's benefit. For example, a program that calculates interest earned can be altered to round down to the lower 10‐cent amount; that small excess of interest earned can be deposited to the perpetrator's account. Although it would take many transactions of this type to be of much benefit, the nature of interest calculation is such that it occurs frequently on many accounts; therefore, the amount of the fraud benefit could build quickly.

antivirus software

to avoid destruction of data programs and to maintain operation of the IT system, an organization must employ antivirus software, which continually scans the system for viruses and worms and either deletes or quarantines them. Antivirus software renders virus and worm program code harmless.

Authenticity tests

to evaluate whether the computer systems used to access programs and data files are limited to authorized employees according to the company's authority tables.

Audit Trail Tests

trace transactions through the application to ensure that the reporting is a correct reflection of the processing and inputs.

Internal Auditing and Assurance Standards Board (IAASB)

was established by the International Federation of Accountants (IFAC) to set International Standards on Auditing (ISAs) that contribute to the uniform application of auditing practices on a worldwide basis. ISAs are similar to SASs; however, ISAs tend to extend SASs because of their usefulness in audits of multinational companies. Although auditors have a primary responsibility to comply with standards issued within their own countries, ISAs are useful in expanding those requirements in order to meet different needs in other countries where the audited information may also be used.

biometric device

use some unique physical characteristic of the user to identify the user and allow the appropriate level of access to that user. Examples of physical characteristics being used in biometric devices are fingerprint matching, retina scans, voice verification, and face verification. Of these methods, fingerprint recognition is the most widely used technology.

Symmetric Encryption

uses a single encryption key that must be used to encrypt data and also to decode the encrypted data. The sender of the data and the receiver must have the same encryption key. However, it is difficult for the sender to communicate the encryption key to the receiver without compromising the key.

Public Key Encryption

uses both a public key and a private key. The public key, which can be known by everyone, is used to encrypt the data, and a private key is used to decode the encrypted data. Knowing which public encryption method a receiver uses enables the sender to use that public key to encrypt the data, and the receiver will use her private key to decode the data.

IT governance committee

usually made up of top executives. Its function is to govern the overall development and operation of IT systems. The committee, which would include officers such as the chief executive officer (CEO), chief financial officer (CFO), chief information officer (CIO), and the heads of business units such as the vice president of marketing, has several important responsibilities, including the following: Align IT investments to business strategy. Investing funds and resources in the most beneficial IT systems should enhance the long‐range goal of achieving the business strategy. Budget funds and personnel for the most effective use of the IT systems. Oversee and prioritize changes to IT systems. Within organizations, many user groups will concurrently request improvements or changes to their subsystem within the IT system. The IT governance committee will appoint a steering committee to prioritize these requests according to the best match to the business strategy and the feasibility of designing, developing, and implementing the necessary changes. Develop, monitor, and review all IT operational policies. The organization should maintain policies and descriptions of procedures for operating and developing its IT systems. Develop, monitor, and review security policies. The organization should maintain policies and descriptions of procedures related to security. For example, the organization should have established procedures to monitor and follow up on security breaches to the IT system.

Virtual Private Network (VPN)

utilizes tunnels, authentication, and encryption within the Internet network to isolate Internet communications so that unauthorized users cannot access or use certain data. A VPN is employed when the employee connects to the IT system through a public network such as the Internet. A VPN uses the Internet—it is therefore not truly private, but virtually private.

Mathematical accuracy tests

verify whether system calculations are correct. Completeness tests, redundancy tests, and limit tests, introduced earlier, check for inclusion of the correct data. Many other procedures, previously described as input control tests, can be performed again during applications processing to check for the possibility of lost or unprocessed data.

internal auditing standards board (IASB)

was established by the Institute of Internal Auditors (IIA) to issue standards that pertain to attributes of internal audit activities, performance criteria, and implementation guidance.

Public Company Accounting Oversight Board (PCAOB)

was organized in 2003 for the purpose of establishing auditing standards for public companies in the United States. These standards serve as interpretations of GAAS and guidelines for quality control within CPA firms. The PCAOB was established by the Sarbanes-Oxley Act, which was created in response to several major corporate accounting scandals, including those affecting Enron, WorldCom, and others.

Population Testing

where continuous auditing techniques are used to evaluate 100 percent of the population, often in real time. This means that auditors review all transactions instead of a sample of transactions. Population testing is becoming more widespread, as many auditors now have the capability to connect electronically with their clients' accounting information systems.

Skimming

where the organization's cash is stolen before it is entered into the accounting records. This type of theft is the most difficult to discover, since there is no internal record of the cash. For example, consider the case of a ticket agent in a movie theater who accepts cash from customers and permits those customers to enter the theater without a ticket. The cash collected could be pocketed by the agent, and there would be no record of the transaction.

Risk assessment

whereby it considers existing threats and the potential for additional risks and stands ready to respond should these events occur. Management must develop a systematic and ongoing way to do the following: Specify the relevant objectives to enable the identification and assessment of risks relating to objectives. Identify the risks (both internal and external, and due to both fraud or error), and determine how the risks should be managed. Consider the potential for fraud in assessing risks. Identify and assess changes that could significantly affect the system of internal control.

Sampling

whereby they choose and test a limited number of items or transactions and then draw conclusions about the information as a whole on the basis of the results.

Vulnerability assessments

which analyze a company's control environment for possible weaknesses. For example, auditors may send test messages through a company's system to find out whether encryption of private information is occurring properly. Special software programs are available to help auditors identify weak points in a company's security measures.

WPA (Wireless Protected Access)

which has improved encryption and user authentication. With the improved encryption method, WPA can check to see whether encryption keys have been tampered with. WEP is based on a computer‐specific address, which is easy for hackers to determine and misuse; A wireless network that uses WPA, on the other hand, requests connection to the network via an access point. The access point then requests the user identity and transmits that identity to an authentication server. Thus, WPA authenticates the computer and the user.

Qualified Opinion

which identifies certain exceptions to an unqualified opinion.

Penetration tests

which involve various methods of entering the company's system to determine whether controls are working as intended. For example, auditors may search for weaknesses in a company's firewall by attempting unauthorized access to the system.

Batch Totals

which is merely a summation of key items in the batch (such as hours worked), and compare this batch total along various stages of processing. If at some stage of processing the batch totals no longer match, this means that an error has occurred in processing.

Adverse Opinion

which notes that there are material misstatements presented

Security Token

which plugs into the USB port and thereby eliminates the need for a card reader. Otherwise, the purpose and use of the security token are the same as those of a smart card. Exhibit 4‑3 shows the size and portability of a USB security token

Audit trail

which presents verifiable information about the accuracy of accounting records. If accurate, sufficient documentation is maintained, then an audit trail can be established, which can re‐create the details of individual transactions at each stage of the business process in order to determine whether proper accounting procedures for the transaction were performed.

User Profile

which should be established for every authorized user, determines each user's access levels to hardware, software, and data according to the individual's job responsibilities. For example, an employee who enters payroll data does not need access to sales data, so this user's access to sales data should be restricted.

Disclaimer

which states that the auditors are unable to reach a conclusion.

Unqualified opinion

which states that the auditors believe the financial statements are fairly and consistently presented in accordance with GAAP or IFRS.

Certified Public Accountant (CPA)

who have extensive knowledge of generally accepted accounting principles (GAAP) in the United States and/or International Financial Reporting Standards (IFRS).

Redundant Servers

wo or more computer network or data servers that can run identical processes or maintain the same data. If one of the servers fails, a redundant server functions in its place