Computer Audit Exam 1
T/F: The physical layer in the IT environment is typically in scope for a financial statement audit?
False
True or False: Customers don't have any say on what is shown on the SOC Report.
False
True or False: Outsourcing service has the benefit of completely outsourcing risk.
False
True or False: The auditor of the user entity that relies on the SOC report in order to form an opinion of the user entities financial statements is the service auditor.
False
True or false: It is generally advisable for compensating controls to be implemented permanently.
False
True or false: The physical component of an IT system is the most critical component to be investigated in a financial statement audit to ensure that they are protected from environment threats like theft, fire, water, power shortages. Etc
False (usually out of scope for financial statement audit)
True or False: IT General Controls are procedures that are applied to each application or system individually.
False, those are application controls. ITGC's have a pervasive influence over all programs
Why do companies outsource IT functions?
First, it can lower the cost. Some companies are lack of resources to support the IT functions. The outsourcing can also help businesses focus on core competencies, especially for small companies that don't have lots of specialized resources. Last, it can mitigate risk and improve security.
What determines what systems will be tested during an IT audit?
If the systems are in-scope, and financially significant
What are the 2 components of risk?
Inherent risk -the susceptibility of misstatement Control risk -the risk that the designed controls wont effectively mitigate the inherent risk.
Name three reasons companies outsource IT?
Lower cost, lack of resources, focus the business on core competencies, or risk mitigation
What's the difference between outsourcing and off-shoring?
Outsourcing is contracting the operation of specific business functions or knowledge-related work with an external service provider. Off-shoring is relocating activities that were previously managed in the domestic country.
List several examples of IT services that are commonly outsourced.
Payroll services, IT assistance, database storage, application development, onboarding/HR, change management...
List three types of controls.
Preventative, detective, and monitoring
program development or program change? An IT Director reviews all changes made to production code on a weekly basis
Program Change
program development or program change? XYZ Company receives the "unapplied cash receipts" report on a weekly basis. An employee submitted a request to generate the report on a daily basis. In addition, he would like to see the information sorted alphabetically as opposed to by dollar volume.
Program Change
program development or program change? ABC Company uses a self-developed application for inventory movements and product costing. They installed new equipment for monitoring inventory levels. The inventory manager sent a request to the IT department to add new programs and modify existing programs. The IT department has estimated the project to take 700 hours over the course of the next 7 months.
Program Development
program development or program change? User acceptance testing is required before code is moved to production
Program Development
controls restricting developers accessing production code would fall under what control domain?
Program change
Why would a company have a SOC 2 and SOC 3 report?
The SOC 2 report contains sensitive information relating to controls that could be harmful if unintended parties got ahold of it. By having a SOC 3 report, companies can publicly display that they have a SOC report for marketing purposes without revealing potential control weaknesses or vulnerabilities.
What should a company consider before deciding to outsource IT functions?
The safety and security of data, availability of applications when needed, the amount of control over access to data the company retains, and compliance with federal/global regulations should be considered.
What sort of procedures are used to test design of relevant controls?
The test of design should be predicated upon inquiries, inspections and observations. Inquiries allow for a breakdown of the control from relevant parties within the organization. It can help guide in the understanding of the control in question. Inspection allows for manual verification on whether or not the control is functioning properly. This involves examination of records/documents in digital or physical format. Observation allows for verification of the control while performing a real organizational process.
You were just hired by a hot, new start-up company. Due to limited resources, the accounting department you will be working with is severely understaffed. Why does this pose a threat to controls within the company? What can the company do to mitigate this risk?
This is a risk because it may not allow for proper segregation of duties. Fewer accountants implies that each accountant will likely have to take on more roles, and some of these roles may end up conflicting. In order to make up for these deficiencies, management should implement rigorous compensating controls in areas lacking proper segregation of duties until more personnel can be hired.
Why would a company outsource IT services?
To save costs and obtain services from a company that specializes in a particular service. Additionally, outsourcing helps mitigate risk and gives the original company the ability to focus more on its core competencies.
What are the two categories of applications according to the GTAG?
Transactional Applications & Support Applications
What is the difference between SOC 1 Type 1 and SOC 1 Type 2? Which is more practical?
Type 1 reports focus on control design at a single point in time, while Type 2 reports go several steps further by testing operating effectiveness (as well as control design) over a period of time. Type 2 is more practical because there isn't much applicable use for the controls measured on one specific day.
What are some common types of application controls?
input controls, processing controls, output controls, integrity controls and management trails.
Developers don't have access to migrate changes to production is considered under which general IT control considerations by IT area? A. Access Security B. System change control C. Data Center and Network Operations
B. System change control
What are the correct terminology to describe the relationship between companies and auditors for the following: Deloitte -> Switchfast Technologies (IT Managed Services Provider for Apple) -> Apple -> EY (Apple's auditor) (a) Service Auditor -> Service Organization -> User Organization -> User Auditor (b) User Auditor -> Service Auditor -> Service Organization -> User Organization (c) User Organization -> User Auditor -> Service Auditor -> Service Organization (d) Service Organization -> User Organization -> User Auditor -> Service Auditor
(a) Service Auditor -> Service Organization -> User Organization -> User Auditor
Which of the following would result in an independence conflict: (a) If a single auditing firm was the user auditor and the service auditor (b) If a single auditing firm was user auditor and the service auditor for a IT control system that the auditing firm created a SOC report for. (c) None of the above (d) All of the above
(c) None of the above
Who is the intended user for a SOC 3 and what is the reason for this version of SOC? (a) The intended user is the company's auditors; materiality testing for the financial statements (b) The intended user is for vendors; for user seeks assurance for informational handling (c) The intended user is the public; largely for advertising purposes
(c) The intended user is the public; largely for advertising purposes
What are the 5 technology layers?
-Application (Highest) -Data Management -Operating System -Network -Physical
What are the four most common types of application controls?
-Input controls -data transmission/processing controls, -output controls, -and access controls
When concluding on risks during an audit, what are the 3 different deficiency classifications?
-Material Weakness (MW) -Significant Deficiency (SD) -Deficiency (D)
What are the 4 basic elements of IT?
-Network - Operating System -Database - and Application
Name 2 goals of documentation
-Understand the nature of the procedures performed, evidence obtained and conclusions reached -Understand the timing of the procedures performed, evidence obtained and conclusions reached -Understand the extent of the procedures performed, evidence obtained and conclusions reached -Understand the results of the procedures performed, evidence obtained and conclusions reached -Determine who performed the work -Determine the date the work was completed
List two types of deficiency in design of controls.
1) Control necessary to meet the control objective is missing. 2) Existing control is not properly designed so that even if control operates as designed, control objective would not be met.
Why do companies use IT?
1) Ensure timeliness, availability, and accuracy of information. 2) Reduce the risk that controls will be circumvented 3) Enhance the ability to achieve effective segregation of duties by implementing security controls 4) Consistently apply predefined business rules 5) Enhance the ability to monitor the performance of the entity's activities
List three reasons that a company may choose to outsource
1. for cost effectiveness 2. for use of another's expertise 3. to focus on core competencies 4. for use of better/specialized resources 5. for risk mitigation
Please list out the four phases of the IT Audit Plan Development Process.
1.Understand the Business 2.Define the IT Universe 3.Perform the Risk Assessment 4.Formalize the Audit Plan
Which of these are not a best practice of a well controlled security management environment? A)IT personnel should perform user functions B).Security management responsibilities should be properly segregated from development C).IT management responsibility should not include security management D).System administration users should not have business process or financial control responsibility
A (IT personnel should NOT perform user functions)
Which is a best practice for security management? a. IT personnel should perform no user functions b. Developers should create the security framework to ensure effectiveness c. System Administrators should be allowed to enable changes to secure financials d. Security and IT management should be combined
A) IT personnel should perform no user functions
Which of the following testing techniques has the highest level of comfort? A) Reperformance B) Inspection C) Observation D) Inquiry
A) Reperformance
Susceptibility of an assertion to a misstatement, due to error or fraud, that could be material, individually or in combination with other misstatements, before consideration of any related controls is? A- Inherent Risk B- Risk associated with controls C- Residual risk D- Strategic risk
A- Inherent Risk
Which of the following is an example of application security detective control? A. Periodic Access Review B. Weekly Terminations Review by IT C. Users are granted roles appropriate to their job function D. Password configuration
A. Periodic Access Review
Which of these is not a common network component? -Firewall -Intrusion detection -Router -Switch / hub -Remote access -Server -Client
All of the following are common network components.
Which of the following is not true about UDA? A. UDAs are more configurable and flexible B. UDAs consist of spreadsheets, query tools, scripts and databases developed by IT C. UDAs are common because they are easily customizable D. UDA can circumvent standard IT development request process
B. UDAs consist of spreadsheets, query tools, scripts and databases developed by IT
3- Which of the following is not a type of control: A- Preventive B- Corrective C- Monitoring D- Detective
B- Corrective
Less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting is? A- Material Weakness B- Significant Deficiency C- Deficiency D- Minor deficiency
B- Significant Deficiency
Which of the following is a program development? A) Batch processing B) Database administration C) Data conversion D) Backups
C) Data conversion
Which of the following IT environment layers is associated with the incorrect word? A).Application -> single function / multi-function B). Data Management -> database C).Network -> VPN D).Operating System -> WAN
C).Network -> VPN
The best practices of a well-controlled Security Management environment include ALL of the following EXCEPT: A. IT personnel should perform no user functions B. Security Management responsibilities should be properly segregated from development C. IT management responsibility should include Security Management D. System administration users should not have business process or financial control responsibility.
C. IT management responsibility should NOT include Security Management
Why is the distinction between purchasing an application vs. developing an application significant for identifying application controls?
COTS applications are typically associated with lower risk because they are designed by specialized companies; since the products designed by these companies are implemented and maintained by thousands of customers, the stakes are high for the performance of the system. Ultimately, the businesses that create these applications have more resources, expertise, and incentive than companies developing smaller applications for internal use, so their systems are usually more secure.
Which of the following is not a component of the technology layers of an organization: A- Applications B- Operating System C- Data Management D - Network Administrator
D - Network Administrator
Which of the following tasks CANNOT be performed by Robotics Process Automation? A) Open email and attachments B) Collect social media statistics C) Log into web/enterprise applications D) Test general IT Controls
D) Test general IT Controls
Which of the following is not a best practice for IT infrastructure controls: A- Programs are scheduled B- Outcomes are monitored C- Unauthorized program execution is prevented D- Unauthorized access is prevented
D- Unauthorized access is prevented
Which technology layer is responsible for direct control and management of hardware and basic system operations? A. Application B. Network C. Physical D. Operating System
D. Operating System
Which one of the statements is INCORRECT regarding SOC reports? A. SOC 1 reports provide information about controls at a service organization relevant to internal control over financial reporting. B. A company can use SOC 3 to demonstrate a commitment to data security and privacy and therefore can be used for marketing purpose C. A Type II SOC 1 report provides assurance regarding controls placed in operation and tests of operating effectiveness for a period of time D. SOC 1 reports are required for ALL public entities.
D. SOC 1 reports are required for ALL public entities. -not required by highly recommended to have.
What are data altering utilities and why is it important to identify them during the audit process?
Data altering utilities are applications, systems or tools that provide the ability to directly change data without using the in-scope application. It is important to be aware of these utilities as they could allow direct changes to data that circumvent established manual and automated controls.
In phase 1 of the IT Audit Process, the scope and plan is defined and refined through what?
Discussions with client personnel and evaluation of the client's IT environment and financial reporting risk.
Which of the following risk factors should a company consider when making its outsourcing decision? A. Quality B. Public opinion C. Language, geographical, and time zone barriers D. None of the above E. All of the above
E. All of the above
What is the value of SOC reporting?
Externally, benefits of SOC reporting include responding to existing customer demand for greater assurance on controls and the ability to demonstrate trustworthiness. Internally, SOC reporting allows for a reduction of coordination with your customers' auditors and provides an independent evaluation of processes and controls leading to gap identification.
What are the four components of Segregation of Duties?
Record keeping, custody, reconciliation, and authorization
What are some potential benefits of relying on application controls?
Reliability Benchmarking Time and cost savings
In order of most to least assurance, rank tests of control design: Reperformance, inquiry, inspection, observation
Reperformance, inspection, observation, inquiry
What are the purpose of SOC 1, 2, and 3 reports, respectively?
SOC 1: Provides information about controls at a service organization relevant to internal control over financial reporting.SOC 2: Provides information about internal control at the service organization related to security, availability, processing integrity, confidentiality, or privacy.SOC 3: Provides information about the service organization's achievement of the Trust Services Criteria.
What is the purpose of SOC for cybersecurity and why might some companies be slow to produce one?
SOC for cybersecurity is meant to communicate relevant useful information about the effectiveness of an entity's cybersecurity risk management program. Because this is meant to cover enterprise-wide cybersecurity risk management and not limited to a certain scope, preparing a SOC for cybersecurity report is a huge and expensive undertaking.
What are the three phases of the IT Audit Process?
Scope and plan IT audit support Update understanding of IT environment Evaluate ITGC design effectiveness Evaluate ITGC operating effectiveness Evaluate design/operating effectiveness of activity-level controls Evaluate and interpret IT-relate finding Wrap up
What is the purpose of SOC 1? a) For a user and its auditor performing a financial audit b) For a user performing vendor risk management activities c) To provide general distribution
a) For a user and its auditor performing a financial audit
Which of the following is NOT true about the benefits of application controls: A) generally, application controls are more costly and time consuming to test than general controls, so they should only be tested once, if possible. b) Reliable controls reduce the likelihood of manual intervention errors. c) Sufficient general IT controls can mitigate the need to retest application controls. d) Benchmarking gives auditors a way of checking whether applications need to undergo full testing, as long as no other significant changes have occurred and controls have been fully tested at some point in the past 3 years.
a) Generally, application controls are more costly and time consuming to test than general controls, so they should only be tested once, if possible.
2. Which of the following statements is INCORRRECT? :a. Developers not having access to migrate changes to production falls under Access Security b. System change control refers to the idea that data conversions are appropriately tested before they are implemented into production c. Computer and batch processing errors are resolved under data center and network operations d. Implementing appropriate access safety is important for updating batch jobs.
a. Developers not having access to migrate changes to production falls under Access Security
What is one best practice of a well-controlled security management environment?
any of the following: IT personnel should perform no user functions, Security Management responsibilities should be properly segregated from development, IT management responsibility should not include Security Management, System administration users should not have business process or financial control responsibility.
Which sections of the SOC report structure are NOT present on SOC 3 Reports? (Select all that apply) a) Auditor's Report b) Other information provided by management c) Description of the Systems d) Management Assertion e) Control Matrix
b) Other information provided by management e) Control Matrix
IT is paramount within an organization for the following reasons EXCEPT: a. Allows for the availability of information in a timely manner b. Sporadically apply certain business processes that requires elaborate calculations and transactions c. lowers the risk of duties not being separated. d. Reveals valuable, accurate information that enables management to monitor performance
b. Sporadically apply certain business processes that requires elaborate calculations and transactions
Which of the following is not an IT environment technology layer? a) Network b) Data Management c) Administration d) Physical
c) Administration
Which of the following is an example of a Data Transmission/Processing control? a) Data Validation b) Segregation of Duties c) Automated calculations d) General Ledger Posting
c) Automated calculations
Which of the following is NOT TRUE about best practices for benchmarking controls? a) The IT auditor should look at whether change management has occurred in the control in determining whether to benchmark the control or not b) Common benchmarking is a 3 year rotation c) Benchmarking a control means there are no procedures performed by the auditor concerning the control d) Benchmarking of controls is a benefit of application controls
c) Benchmarking a control means there are no procedures performed by the auditor concerning the control
Which of the following is an example of a general IT control? a) Transaction logging b) Data edits c) Change management d) Validity checks
c) Change management
Which of the following actions are NOT a violation of segregation of duties if performed by the same person? a) Create vendors and order product b) Maintain HR master data and process paychecks c) Create vendors and process/edit sales orders d) Create GL account group and post to GL without review
c) Create vendors and process/edit sales orders
Which of the following is not the responsibility of the Board of Directors? a) Set the strategic direction b) Understand how management assigns responsibilities c) Ensure day-to-day verification of IT processes and controls d) Oversee transformation and enterprise alignment
c) Ensure day-to-day verification of IT processes and controls
Which of these is not a general IT control consideration for Access Security? a) Who has access to IT systems b) How access is provisioned, removed, reviewed and administered c) Who has access to update batch jobs d) How authentication is configured
c) Who has access to update batch jobs
Which of the following factors suggests that the risk associated with a given control is low: a. changes in system may be vulnerable due to inactive access controls b. user access privileges are reviewed on an annual basis c. user access privileges are reviewed on a quarterly basis d. access controls appropriately enforce segregation of duties, but there have been deficiencies historically
c. user access privileges are reviewed on a quarterly basis
Which of the following could be a UDA? a) Simple calculations b) Macros c) Complex spreadsheets that gather financial data d) All of the above e) None of the above
d) All of the above
Which is NOT a phase in the IT audit process? a. Evaluate ITGC design effectiveness b. Evaluate and interpret IT related findings c. Evaluate ITGC operating effectiveness d. Evaluate ITGC security effectiveness
d. Evaluate ITGC security effectiveness
In order to conclude on a control, what 2 things do you have to test?
design effectiveness and operating effectiveness
Application developed by the client are (lower/higher) risk than off-the-shelf applications?
higher -bc client can manipulate their own applications