Chapter 11

Organizing the audit team and the physical examination of assets are components of which two separate audit stages?

planning; collective audit evidence

The information systems audit objective that pertains to having management's authorization and approval is known as

program modifications

The auditor's objective is to seek ________ that no material error exists in the information audited

reasonable assurance

the auditor's objective is to seek _________ that no material error exists in the information audited

reasonable assurance

Increasing the effectiveness of internal controls would have the greatest effect on

reducing control risk

An auditor manually calculates accumulated depreciation on a delivery van and compares her calculation with the accounting records. The auditor is performing

reperformance

The evidence collection method that examines all supporting documents to determine the validity of a transaction is called

review of documentation

control risk is defined as the

risk that a material misstatement will get through the internal control structure and into the financial statements

The ________ to auditing provides auditors with a clear understanding of possible errors and irregularities and the related risks and exposures

risk-based approach

the evidence collection method that considers the relationships and trends among information to detect items that should be investigated further is called

vouching

How is a financial audit different from an information systems audit?

Financial audits examine the reliability and integrity of accounting records in terms of financial and operating information. An information systems (IS) audit reviews the general and application controls of an AIS to assess its compliance with internal control policies and procedures and its effectiveness in safeguarding assets. Although the AIS may generate accounting records and financial information, it is important that the AIS itself be audited to verify compliance with internal controls and procedures

Describe some of the important uses of CAATs

Here are some of the important uses of CAATs: Querying data files to retrieve records meeting specified criteria; Creating, updating, comparing, downloading, and merging files; Summarizing, sorting, and filtering data; Accessing data in different formats and converting the data into a common format; Examining records for quality, completeness, consistency, and correctness; Stratifying records, selecting and analyzing statistical samples;Testing for specific risks and identifying how to control for that risk;Performing calculations, statistical analyses, and other mathematical operations; Performing analytical tests, such as ratio and trend analysis, looking for unexpected or unexplained data patterns that may indicate fraud;Identifying financial leakage, policy noncompliance, and data processing errors; Reconciling physical counts to computed amounts, testing clerical accuracy of extensions and balances, testing for duplicate items; Formatting and printing reports and documents; Creating electronic work papers.S

Briefly describe tests that can be used to detect unauthorized program modifications

Review procedures for requesting, approving, programming, and testing changes. Review or observe specific testing and implementation procedures. Compare source code from the approved and tested program with the program code currently in use. Randomly and without notice, use the source code from the approved and tested program to reprocess transactions, and compare the results with the operational system results. Write new code designed to replicate the approved and tested code and use parallel simulation to reprocess transactions, and compare the results with the operational system result

Auditors have several techniques available to them to test computer-processing controls. An audit technique that immediately alerts auditors of suspicious transactions is known as

an audit hook

An auditor calculates the current ratio of the company to determine its ability to pay off its current financial obligation. This is an example of

analytical review

an auditor calculates the current ratio of the company to determine its ability to pay off its current financial obligation. this is an example of

analytical review

What is not a typical responsibility of an external auditor?

assisting in the design and implementation of an AIS, preparation of the company's financial statements, helping management to improve organizational effectiveness

Audit routines that notify auditors of questionable transactions, often as they occur is an example of

audit hooks

The purpose of ________ is to determine why, how, when, and who will perform the audit

audit planning

the purpose of ________ is to determine why, how, when, and who will perform the audit

audit planning

How could auditors determine if unauthorized program changes have been made?

by using a source code comparison program

The auditor uses ________ to continuously monitor the system and collect audit evidence while live data are processed.

concurrent audit techniques

Verifying the accuracy of certain information, often through communication with third parties, is known as

confirmation

the ______ audit examines the reliability and integrity of accounting records

financial

Which type of work listed below is not typical of internal auditors?

financial statement audit

The ________ audit reviews the general and application controls of an AIS to assess its compliance with internal control policies and procedures and its effectiveness in safeguarding assets.

information systems

A system that employs various types of advanced technology has more ________ risk than traditional batch processing

inherent

Inserting a dummy entity in a company's system; processing test transactions to update that will not affect actual records is an example of

integrated test facility

Describe the five commonly used concurrent audit techniques

(1) Integrated test facility - Inserting a dummy entity in a company's system; processing test transactions to update them will not affect actual records. (2) Snapshot technique - Marking transactions with a special code, recording them and their master file records before and after processing, and storing the data to later verify that all processing steps were properly executed. (3) System control audit review file (SCARF) - Using embedded audit modules to continuously monitor transactions, collect data on transactions with special audit significance, and store the data to later identify and investigate questionable transactions. (4) Audit hooks - Audit routines that notify auditors of questionable transactions, often as they occur. (5) Continuous and intermittent simulation (CIS) - Embedding an audit module in a DBMS that uses specified criteria to examine all transactions that update the database

Describe the difference between concurrent audit techniques and embedded audit modules.

Auditors use concurrent audit techniques to continually monitor the system and collect audit evidence while live data are processed during regular operating hours. Concurrent audit techniques use embedded audit modules, which are program code segments that perform audit functions, report test results, and store the evidence collected for auditor review. Concurrent audit techniques are time-consuming and difficult to use but are less so if incorporated when programs are developed.

Audit tests and procedures traditionally have been performed on a sample basis. Do options exist for auditors to test significantly more (or all) transactions?

Computer assisted audit techniques (CAATS) allow auditors to automate and simplify the audit process. Large amounts of data can be examined by software, created from auditor-supplied specifications. Two popular CAATS packages are Audit Control Language (ACL) and Interactive Data Extraction and Analysis (IDEA). Auditors can also use concurrent audit techniques to identify and collect information about certain types of transactions in real-time. Examples of concurrent audit techniques are embedded audit modules, integrated test facility, system control audit review file (SCARF), snapshot technique, audit hooks and continuous and intermittent simulation (CIS).

During the evidence evaluation stage of an operational audit, the auditor measures the system against generally accepted accounting principles (GAAP)

False

One of the advantages of CAATS software is that it can replace the auditor's judgment in specific areas of an audit

False

There is a direct relationship between inherent risk and detection risk

False

auditors have the ability to change inherent risk

False

audits have the ability to chance control risk

False

Explain the differences between each type of audit risk

Inherent risk is the threat faced just by conducting business in a chosen way. For example, a business with multiple locations in several foreign countries faces more threats than a business with a single location. Control risk is the threat that a company has inadequate, nonexistent or unenforced policies and procedures to prevent errors and fraud from getting into the system and being reflected in the financial statements. Detection risk is the threat that errors or fraud get into the system and audit procedures do not identify the errors or fraud

What is a test data generator?

It is an application that prepares data that can be used for auditing the effectiveness of computer processing.

Describe the concept of materiality and provide an example

Materiality is the amount of an error, fraud, or omission that would affect the decision of a prudent user of financial information. Determining materiality, what is and is not important in an audit, is a matter of professional judgment. Materiality is more important to external audits, where the emphasis is fairness of financial statement, than to internal audits, where the focus is on adherence to management policies. Students' answers may vary depending on their examples.

describe how audit evidence can be collected

Since the audit effort revolves around the identification, collection, and evaluation of evidence, most audit effort is spent in the collection process. To identify, collect, and evaluate evidence, several methods have been developed to assist in the effort. These methods include: 1) the observation of the activities being audited; 2) a review of documentation to gain a better understanding of the AIS; 3) discussions with employees about their jobs and how procedures are carried out; 4) the creation and administration of questionnaires to gather data about the system; 5) physical examination of tangible assets; 6) confirmation of the accuracy of certain information; 7) reperformance of selected calculations; 8) vouching for the validity of a transaction by examination of all supporting documentation; and, 9) analytical review of relationships and trends among information to detect items that should be further investigated. It is important to remember that only a sample of evidence is collected for audit purposes, as it is not feasible to perform audit procedures on the entire set of activities, records, assets, or documents that are under the review process in an audit.

Describe the disadvantages of test data processing

The auditor must spend considerable time developing an understanding of the system and preparing an adequate set of test transactions. Care must be taken to ensure that test data does not affect the company's files and databases. The auditor can reverse the effects of the test transactions or process the transactions in a separate run using a copy of the file or database. However, a separate run removes some of the authenticity obtained from processing test data with regular transactions. Also, since the reversal procedures may reveal the existence and nature of the auditor's test to key personnel, it can be less effective than a concealed test.

How and to whom does an auditor communicate the audit results?

The auditor prepares a written report summarizing the findings and recommendations, with references to supporting evidence in working papers. The report is presented to management, the audit committee, the board of directors, and other appropriate parties. The auditor then follows up later to determine if recommendations were implemented.

Explain why the auditor's role in program development and acquisition should be limited

The auditor's role in any organization systems development should be limited only to an independent review of systems development activities. The key to the auditor's role is independence; the only way auditors can maintain the objectivity necessary for performing an independent evaluation function is by avoiding any and all involvement in the development of the system itself. If auditor independence is impaired, the audit itself may be of little value and its results could easily be called into question. The auditors could be basically reviewing their own work

Name and describe the different types of audits

The financial audit N this audit examines the reliability and integrity of accounting records (both financial and operating information). The information systems audit N this audit reviews the general and application controls of an AIS and assesses its compliance with internal control policies and procedures and effectiveness in safeguarding assets. The operational or management audit N this audit conducts an evaluation of the efficient and effective use of resources, as well as an evaluation of the accomplishment of established goals and objectives.

describe the risk-based audit approach

The risk-based audit approach has four steps that evaluate internal controls. This approach provides a logical framework for conducting an audit of the internal control structure of a system. The first step is to determine the threats facing the AIS. Threats here can be defined as errors and irregularities in the AIS. Once the threat risk has been established, the auditor should identify the control procedures that should be in place to minimize each threat. The control procedures identified should either be able to prevent or detect errors and irregularities within the AIS. The next step is to evaluate the control procedures. This step includes a systems review of documentation and also interviewing the appropriate personnel to determine whether the needed procedures are in place within the system. The auditor can then use tests of controls to determine if the procedures are being satisfactorily followed. The fourth step is to evaluate weaknesses found in the AIS. Weaknesses here means errors and irregularities not covered by the AIS control procedures. When such deficiencies are identified, the auditor should see if there are compensating controls that may counterbalance the deficiency. A deficiency in one area may be neutralized given control strengths in other areas. The ultimate goal of the risk-based approach is to provide the auditor with a clear understanding of errors and irregularities that may be in the system along with the related risks and exposures. Once an understanding has been obtained, the auditor may provide recommendations to management as to how the AIS control system can be improved.

When doing an information systems audit, auditors must review and evaluate the program development process. What errors or fraud could occur during the program development process?

There can be unintentional errors due to misunderstood systems specifications, incomplete specifications, or poor programming. Developers could insert unauthorized code instructions into the program for fraudulent purposes.

Auditors have the ability to change detection risk

True

Embedded audit molecules can be used to continually monitor the system and collect audit evidence

True

auditors often use reperformance to test a company's internal control

True

there is an inverse relationship between control risk and detection risk

True

A type of software that auditors can use to analyze program logic and detect unexecuted program code is

a mapping program

________ can determine whether the necessary control procedures are in place

a systems review

a) What is test data processing? b) How is it done? c) What are the sources that an auditor can use to generate test data?

a) Test data processing is a technique used to examine the integrity of the computer processing controls. b) Test data processing involves the creation of a series of hypothetical valid and invalid transactions and the introduction of those transactions into the system. The invalid data may include records with missing data, fields containing unreasonably large amounts, invalid account numbers, etc. If the program controls are working, then all invalid transactions should be rejected. Valid transactions should all be properly processed. c) The various ways test data can be generated are: A listing of actual transactions. The initial transactions used by the programmer to test the system. A test data generator program that generates data using program specifications

Auditing involves the

collection, review, and documentation of audit evidence.

When a control deficiency is identified, the auditor should inquire about

compensating controls

An organization that has an antiquated accounting information system has more ________ risk than an organization that has a more advanced system.

control

an organization that has an antiquated accounting information system has more __________ risk than an organization that has a more advanced system

control

The possibility that a material error will occur even though auditors are following audit procedures and using good judgment is referred to as

detection risk

Who generally receives the findings and conclusions of an operational audit?

management

Which statement below is incorrect regarding program modifications?

only material program changes should be thoroughly tested and documented

The scope of a(n) ________ audit encompasses all aspects of systems management

operational

a(n) _______ audit is concerned with the economical and efficient and economical use of resources and the accomplishment of established goals and objectives

operational or management

The information systems audit objective that pertains to protect computer equipment, programs, communications, and data from unauthorized access, modification, or destruction is known as

overall security

When programmers are working with program code, they often employ utilities that are also used in auditing. For example, as program code evolves, it is often the case that variables defined during the early part of development become irrelevant. The occurrences of variables that are not used by the program can be found using

scanning routines

Using embedded audit modules to continuously monitor transactions, collect data on transactions with special audit significance, and store the data to later identify and investigate questionable transactions is an example of

system control audit review file

The ________ procedure for auditing computer process controls uses a hypothetical series of valid and invalid transactions

test data processing

An auditor sets an embedded audit module to flag all credit transactions in excess of $5,000. The flag causes the system state to be recorded before and after each transaction is processed. The auditor is using

the snapshot technique

With regards to an accounting information system, a financial audit is most concerned with

the system's output

Which of the following is not one way CAATS could be used?

to process electronic transactions

What is the purpose of an information systems audit?

to review and evaluate the internal controls that protect the system