BEC IT General and Application Control


What are SOC 1 reports?

Reports intended to meet the needs of user entities and user auditors considering the controls at the service organization and their impact on the user entities' financial statements.

IT general controls are primarily concerned with the segregation of what 3 duties?

1. Authorization 2. Recording 3. Custody

What are 4 types of input controls?

1. Field checks 2. Validity Checks 3. Limit tests 4. Check digits

What are the risks of IT from the auditor's perspective? (CAFOML)

1. Overreliance 2. Access 3. Changes in programs 4. Failure to change 5. Manual intervention 6. Loss of data

What are two examples of Hardware controls?

1. Parity Checks 2. Echo checks

What are the additional control risks associated with personal computers?

1. Personal computers are small and portable, making them easier to steal or damage. 2. Data and software are more accessible, and individuals can more readily access unauthorized records and modify, copy, or destroy data and software.

What are the 3 types of application controls?

1. Preventative controls 2. Detective controls 3. Corrective controls

What are examples of audit software packages?

1. Programs to access client files 2. Source code comparison programs 3. Parallel simulation programs 4. Programs to produce spreadsheets

What are the 3 types of control totals?

1. Record count 2. Financial total 3. Hash total

Auditors are concerned by 2 main risks

1. Unauthorized access 2. Audit trail

From the auditor's perspective, what are the benefits of IT? (CCAMTS)

1. Consistency 2. Timeliness 3. Analysis 4. Monitoring 5. Circumvention 6. Segregation of duties

What are the controls that can be employed in a microcomputer environment?

1. Maintain an inventory listing of all microcomputer equipment and the purposes for which it is used. 2. Keyboard locks can be built into the CPUs of microcomputers so that unauthorized users will not have access. 3. Microcomputers and monitors can be secured to desks or fixtures to discourage theft. 4. Passwords that are changed periodically limit the access of unauthorized users to sensitive data. 5. Periodic backup of data on microcomputers enables recovery in the case of alteration or destruction of data. 6. Sensitive information can be maintained in offline storage and kept in locked cabinets to prevent unauthorized access.

What are field checks?

A field check is performed when data is validated as to the correct length, character types, and format accepted.

What is a generalized audit software package?

A generalized audit software package is a series of programs that can be used for general processes such as record selection, matching, recalculation, and reporting.

What is an embedded audit module?

A module stored in the DBMS so that information wanted by the auditor during annual engagements can be easily accessed.

What is a source code comparison program?

A source code comparison program is used to detect unauthorized changes made by the client in programs that the auditor is testing. For example, after the auditor has verified the proper functioning of a copy of the payroll program provided to them by the client for testing, this program would compare the tested program with the one being used by the client to process an actual payroll period.

What is a parity check?

A special bit is added to each character that can detect if the hardware loses a bit during the internal movement of a character.

What is an Audit trail?

An audit trail is an electronically visible trail of evidence enabling one to trace information contained in statements or reports back to the original input source.

What are application controls designed to do?

Application controls are designed to ensure the proper recording of transactions and to prevent or detect errors and fraud for transactions within these cycles.

Why do auditors extensively rely on application controls?

Because application controls are related to specific transactions, auditors extensively rely on these controls to mitigate the risk of material misstatement for account balances or classes of transactions.

Why are auditors most concerned with unauthorized access to computer systems?

Because unauthorized access to computer systems can cause more damage to the accounting system as a whole than in a manual system where it is difficult for one person to access all the different records of the system.

Custody

Control clerks and librarians obtain and review the output from computers to review exception reports indicating inappropriate functioning of the computer, send printouts and other output to the appropriate destinations and maintain disks, tapes, or other storage units of data. These personnel should not have the ability to create or alter programs or to operate the computers that generate the information.

What are application controls?

Controls applied to specific business activities within a computerized processing system to achieve financial reporting objectives.

Recording

Data input clerks and computer operators have the role of entering information into the computer and running the programs.

What are validity checks?

Data is compared with a list of acceptable entries to be sure it matches one of them.

Why is access a particularly important general control associated with networks?

Data is distributed widely in networks.

What are preventative controls?

Designed to prevent errors and fraud

What are edit checks?

Edit checks are examples of detective controls which verify that each individual data entry is appropriate and generate a list of rejected transactions for review by the control clerk.

How can an auditor test the procedures for password protection?

Entering invalid passwords to see that they are rejected and verifying that valid passwords only provide compatible access.

What is a major security risk associated with unauthorized access?

Failure to remove user accounts when an employee leaves a client is a major security risk.

What are Hardware controls?

Hardware controls are built into the processing equipment by the manufacturer and provide reasonable assurance that data are not altered or modified as they are transmitted within the system.

What are input controls?

Input controls are designed to provide reasonable assurance that data received for processing by the computer department has been properly authorized and accurately entered or converted for processing.

What are integrated test facilities designed to prevent?

Integrated test facilities are designed to prevent the client from providing fake programs for the auditor to verify.

What is cybersecurity?

Measures designed to protect computers against unauthorized access or attack

If an auditor has verified that a computer program is working properly, will they have to test individual transactions to be sure the computer is following directions consistently?

No, because they are not subject to random errors.

What are limit tests?

Numbers are compared to limits that have been set for acceptability.

Check digits

Numbers with no obvious meaning, such as identification numbers, are often designed so that one of the digits is determined by a formula applied to the rest of the number.

What is the significance of access when evaluating internal control in an IT environment?

One of the main risks associated with IT is unauthorized access to company data, so maintaining a strong set of internal controls relating to access is significant when evaluating IT's general controls.

What are output controls?

Output controls represent the final check on the results of computerized processing. Output controls are concerned with detecting errors rather than preventing them.

What should be required to access data and programs?

Passwords or identification numbers (biometrics) and different levels of password authority should apply so that individuals only gain access to the programs and files that are compatible with their assigned responsibilities.

What is the most fundamental processing control a client can implement?

Periodically testing and evaluating the processing accuracy of its programs.

What are processing controls?

Processing controls are designed to provide reasonable assurance that data processing has been performed accurately without any omission or duplicate processing of transactions.

What are SOC 2 reports?

They report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.

Who released the framework for improving critical infrastructure cybersecurity?

The National Institute of Standards and Technology (NIST).

What is controlled reprocessing?

The auditor supervises the entry of actual client data into the client program to reproduce the results of a previous run of the program by the client. After verifying that the results are identical to the previous run, the auditor knows that the program is the actual one used and can enter the test data into it at a separate time.

Authorization

The development of new programs and changes to existing programs should be performed by systems analysts and programmers. These personnel should not be involved in the supervision of computer operations or the control and review of output. Systems analysts work with operating systems and compilers.

What is one of the main problems associated with the embedded audit module?

The modules should be included in the design of the system itself, forcing the outside auditor to be involved in consulting on the design, and may impair the auditor's independence.

What should be periodically reviewed to detect computer-related fraud?

The systems access log

What is the approach used for direct use techniques?

The test data approach

What is a financial total?

The total dollar amount of entries that are financial in nature

What is a record count?

The total number of records entered into the program during a period.

What is a hash total?

The total of values which cannot be meaningfully added together, but which serves as a way to verify the correct entry of these values.

What are detective controls?

They are designed to detect errors and fraud

What is a parallel simulation program?

They are programs that duplicate common functions of client software that can be used to perform a parallel simulation.

What are SOC 1 type 1 reports?

They report on the fairness of the presentation of management's description of the service organization's system and the suitability of the design of the controls to achieve the related control objectives.

What are SOC 1 type 2 reports?

They report on the fairness of the presentation of management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

What is an echo check?

Transmitted data is returned to the sender for verification (it echoes back to the sender)

What are SOC 3 reports?

Trust services criteria for general use reports. They are similar to SOC 2 reports, but are for users who do not seek or have the knowledge required to make effective use of the detail in a SOC 2 report.

What is the auditor's greatest concern associated with IT controls?

Unauthorized access to computer systems.

What must the auditor do if they wish to verify a client program for which there is no appropriate equivalent available for the auditor?

When the auditor wishes to verify a unique program the auditor must use techniques involving direct use of the program.

When using batch processing of data what will the data input clerk often prepare to compare?

When using batch processing of data, the data input clerk will often prepare manual control totals to be compared with computer generated totals of entered information in order to ensure accuracy of inputs.

Can an audit of a computerized system rely more heavily on internal control structure and reduce the need for substantive testing?

Yes, because the auditor is not concerned with whether the computerized system is following procedure, but rather what the actual procedures are.

Corrective controls

Allow individual users to follow up on detected errors and fraud

What is an integrated test facility?

It puts fake transactions in with real transactions, which are processed together without client employees knowing it.

How should output controls be designed?

Output controls should be designed to provide reasonable assurance that only authorized persons receive output or have access to files produced by the system.

What are audit software package programs designed to access client files?

Programs designed to access client files are used for testing purposes. They may be used to access a company's inventory file so the auditor can calculate the company's inventory turnover ratio.

What is the test data approach?

The auditor develops similar transactions to enter into the client's program.

What is the primary advantage of IT as it relates to an audit?

The primary advantage of IT as it relates to the audit is that it is not subject to random errors.

