AUD Study - Ch. 7 Auditing IT Systems
Bisk CPA Review Ch. 7 Auditing IT Systems
Terms in this set (164)
What does an IT based or EDP based system include?
Hardware, software, documentation, personnel, data, and controls
What are two ways that transactions may be processed?
batch or online
What is batch processing?
transactions to be processed are accumulated in groups before processing and are then processed as a batch
What is online processing?
transactions are processed and the file is updated as the transactions occur
What is real time processing?
System that operates in real time; the data is processed fast enough to get the response back in time to influence the process
What is an integrated system?
All files affected by a transaction are updated in one transaction processing run, rather than having a separate run for each file
What is block time?
client rents a certain block of computer time from an outside party
What is time-sharing?
a number of users share a computer system; each user has a terminal that accesses a CPU located outside the client's premises
What are general controls?
Relate to all or many computerized accounting applications and often include control over the development, modification, and maintenance of computer programs and control over the use of and changes to data maintained on computer files
What are application controls?
Relate to specific computerized accounting applications, e.g., input, processing, and output controls for an accounts payable application
What is EDI?
electronic data interchange
What is image processing?
paper documents are scanned into electronic images for electronic storage and retrieval
What is data mining?
distillation of previously unknown information from raw data; identifies unexpected relationships
What are the attributes of paper audit evidence versus electronic audit evidence?
Difficulty of alteration, prima facie credibility, completeness of documents, evidence of approvals, ease of use, and clarity
What are several examples of special IT systems?
OLRT systems, Personal Computer Systems, Distributed Systems, Service Centers, and Time-sharing systems
What are distributed systems?
a network of computer sites where small computers are connected to the main computer system
What is the IT Service Center mnemonic?
T for transmission, E for error correction, A for audit trail, M for master file changes, O is for output, and S for security
What is transmission in a service center?
document counts, hash totals, financial totals may be used to control the transmission of data to and from the client's office
What is error correction in a service center?
client should receive an error listing that identifies all of the errors that occurred in the system and then correction, review, and approval procedures should be established and used
What is audit trail in a service center?
an audit trail must be maintained and this is done through proper filing and sequencing of original transaction documents, and also through periodic printouts of journal and ledger balances
What are master file changes in a service center?
a printout of all master file changes should be sent to the client
What is output in a service center?
Must be restricted to the client, output distribution list and control tests on samples of output may be used
What is security in a service center?
Service center must have adequate controls to protect the client's data
What is GC 1?
segregation of functions between the IT department and users
What is GC 2?
provision for general authorization over the execution of transactions (prohibiting the IT department from initiating or authorizing transactions)
What is GC 3?
part of proper internal control is the segregation of functions within the IT department.
What is the IT department function segregation mnemonic?
C is for control group, O is for operators, P is for programmer, A is for analyst, and L is for librarian
What is the duty of the control group?
they are responsible for internal control within the IT department
What is the duty of the operators?
physically run the equipment (loading programs and data, mounting tapes and disks, handling processing problems); converting data into machine-readable form is the input-preparation (data entry) function and should be kept separate from operations
What is the duty of the programmer?
develops and writes the computer programs; responsible for debugging of programs; writes the run manual
What is the duty of the analyst?
designs the overall system and prepares the system flowchart
What is the duty of the librarian?
keeps track of program and file use; maintains storage of all data and backups; control access to programs
What is input preparation?
process of converting the input data into machine-readable form
What are the input methods?
key-to-tape, key-to-disk, and optical character recognition
What are the duties of computer operations?
they physically run the equipment which includes loading the program and data into the computer at the correct time, mounting tapes and disks on the appropriate tape and disk drives and dealing with problems that occur during processing
What are the duties of applications programmers?
Write, test, and debug the application programs from the specifications provided by the systems analyst
What are the duties of systems programmers?
implement, modify, and debug the software necessary to make the hardware operate
What are the duties of systems analysis?
investigate a business system and decide how the computer can be applied which includes designing the system, deciding what the programs will do, and determining how the outputs should appear
What is the responsibility of the database administrator?
responsible for maintaining the database and restricting its access to authorized personnel
What is GC 4?
the procedures for system design should require active participation by representatives of the users and the accounting department and internal auditors
What is GC 5?
Each system should have written specifications that are reviewed and approved by an appropriate level of management and users in applicable departments
What is GC 6?
Systems testing should be a joint effort of users and IT personnel and should include both the manual and computerized phases of the system
What is GC 7?
final approval should be obtained prior to placing a new system into operation
What is GC 8?
all master file and transaction file conversions should be controlled to prevent unauthorized changes and to provide accurate and complete results
What is GC 9?
After a new system has been placed in operation, all program changes should be approved before implementation to determine whether they have been authorized, tested, and documented
What is GC 10?
Management should require various levels of documentation and establish formal procedures to define the system at appropriate levels of detail
What are hardware controls?
controls that are built into the computer
What is an echo check?
the cpu sends a signal to activate an input or output device in a certain manner, the device then sends a signal back to verify activation
What is a hardware check?
computer checks to make sure the equipment is functioning properly
What is boundary protection?
Keeps several files or programs separate when they share a common storage
What is the characteristic of physical access controls?
Only authorized personnel should have access to the facilities housing IT equipment, files and documentation
What is GC 13?
access to program documentation should be limited to those persons who require it in the performance of their duties
What is GC 14?
access to data files and programs should be limited to those individuals authorized to process or maintain particular systems
What is GC 15?
access to computer hardware should be limited to authorized individuals
What are external file labels?
human-readable labels attached to the outside of a secondary storage device, indicating the name of the file, expiration date, and so on
What are internal labels?
labels that are in machine-readable form
What are two examples of internal file labels?
the header label and the trailer label
What is a header label?
appears at the beginning of the file and contains such info as the file name, ID number, and the tape reel number
What is a trailer label?
appears at the end of the file and contains such info as a count of the number of the records in the file and an end of file code
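The header and trailer labels above are what let a program refuse the wrong file (AC 7) and detect a file that was cut short in transfer. The following Python is an added example, not code from the Bisk deck: the file layout, the field names (HDR/DATA/TRL, EXPIRES, COUNT, EOF) and the processing date AS_OF are all assumptions made for the illustration, and the sample file is constructed.

```python
from datetime import date

AS_OF = date(2025, 6, 30)  # assumed processing date (not from the page)

# Constructed sample file: header label, data records, trailer label.
SAMPLE_FILE = [
    "HDR|AP_MASTER|ID=000417|REEL=01|EXPIRES=2031-12-31",
    "DATA|VENDOR=1001|BALANCE=1250.00",
    "DATA|VENDOR=1002|BALANCE=310.50",
    "DATA|VENDOR=1003|BALANCE=0.00",
    "TRL|COUNT=3|EOF",
]
# Same file with one data record lost but the trailer left intact.
TRUNCATED_FILE = SAMPLE_FILE[:3] + [SAMPLE_FILE[-1]]


def _kv(fields):
    """Turn ['K=V', ...] into a dict; fields without '=' (e.g. EOF) are skipped."""
    return dict(f.split("=", 1) for f in fields if "=" in f)


def read_labelled_file(lines, expected_name, as_of=AS_OF):
    """Check the header label before any data is used, then verify the trailer.

    Returns (records, errors). A non-empty error list means the run must not
    proceed: wrong file mounted, expired file, or record count mismatch.
    """
    errors = []
    if not lines or not lines[0].startswith("HDR|"):
        return [], ["missing header label"]
    hdr = lines[0].split("|")
    attrs = _kv(hdr[2:])
    # Header check: is this the file the run was supposed to process?
    if hdr[1] != expected_name:
        errors.append(f"wrong file mounted: {hdr[1]!r}, expected {expected_name!r}")
    exp = attrs.get("EXPIRES")
    if exp is None:
        errors.append("header lacks expiration date")
    elif date.fromisoformat(exp) < as_of:
        errors.append("file has passed its expiration date")

    records, trailer = [], None
    for line in lines[1:]:
        kind, *fields = line.split("|")
        if kind == "DATA":
            records.append(_kv(fields))
        elif kind == "TRL":
            trailer = fields
            break
        else:
            errors.append(f"unexpected record type {kind!r}")

    # Trailer check: record count and end-of-file code.
    if trailer is None or "EOF" not in trailer:
        errors.append("missing trailer label or end-of-file code")
    else:
        expected = int(_kv(trailer).get("COUNT", -1))
        if expected != len(records):
            errors.append(f"trailer count {expected} != {len(records)} records read")
    return records, errors


if __name__ == "__main__":
    for name, lines in (("AP_MASTER", SAMPLE_FILE), ("AR_MASTER", SAMPLE_FILE),
                        ("AP_MASTER", TRUNCATED_FILE)):
        recs, errs = read_labelled_file(lines, name)
        print(name, len(recs), "records", errs or "OK")
```

The point of checking the trailer count rather than just reading to end-of-data is that a file truncated in transmission still looks well-formed record by record; only the count stored at the end reveals the loss.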
What is a file protection ring?
a plastic ring that must be attached to a reel of magnetic tape before the tape drive will write on the tape
What are examples of file protection plans?
duplicate files, disk reconstruction plan, and grandparent-parent-child retention concept
What is a disk dump?
when a copy of the contents of the disk is made on magnetic tape periodically
What are backup facilities regularly referred to?
hot or cold sites
What is AC 1?
Only properly authorized and approved input, prepared in accordance with management's general or specific authorization, should be accepted for processing by IT
What is AC 2?
the system should verify all significant codes used to record data
What is AC 3?
conversion of data into machine-sensible form should be controlled
What are the common errors in conversion?
keying errors and the losing or dropping of records
What is the record or document count?
counting the number of transactions processed
What is the limit or reasonableness test?
a particular field of an input transaction record is checked to be sure it is not greater (or smaller) than a pre-specified amount, or that it is within a pre-specified range of acceptable values
What is the valid field and or character test?
particular field is examined to be sure it is of the proper size and composition
What is the valid number or code test?
verifies that a particular number or code is one of those that is recognized by the system
What is sequence check?
if the input records should be in some particular sequence, the computer can be programmed to verify the sequence
What is the missing data test?
verifies that all of the data fields actually contain data
What is the valid transaction test?
computer can be programmed to verify that a particular transaction is an appropriate type for a particular file
What is the valid combination of fields test?
a check to be sure a certain combination of fields is reasonable
What is the check digit test?
a digit computed from the other digits of a number and placed in a fixed position (usually the end), so that transcription errors such as a mistyped or transposed digit can be detected during input, processing, or output
What is the valid sign test?
a particular field can be checked to be sure it has the proper sign
What is an error log?
a computer-prepared list of those transactions that were not processed because of some error condition
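The edit tests from the record count through the error log are easiest to see as one input-edit routine run over a batch. The Python below is an added example, not from the Bisk deck: the record layout, the transaction codes INV/CRM, the 100,000 reasonableness limit, and the use of the Luhn mod-10 scheme as the check-digit algorithm are all assumptions chosen for the illustration, and the batch is constructed so that each record trips a different test.

```python
import re
from decimal import Decimal, InvalidOperation

VALID_TYPES = {"INV", "CRM"}           # assumed valid transaction codes
MAX_AMOUNT = Decimal("100000.00")      # assumed reasonableness limit
REQUIRED = ("doc_no", "acct", "type", "amount")

# Constructed batch: first record is clean, every other one has a defect.
SAMPLE_BATCH = [
    {"doc_no": "1001", "acct": "123455", "type": "INV", "amount": "450.00"},
    {"doc_no": "1002", "acct": "123456", "type": "INV", "amount": "99.00"},      # bad check digit
    {"doc_no": "1004", "acct": "400010", "type": "XYZ", "amount": "10.00"},      # unknown code
    {"doc_no": "1003", "acct": "4000A0", "type": "CRM", "amount": ""},           # out of sequence, bad char, missing amount
    {"doc_no": "1006", "acct": "400010", "type": "INV", "amount": "-5.00"},      # wrong sign
    {"doc_no": "1007", "acct": "400010", "type": "CRM", "amount": "250000.00"},  # over limit
]


def luhn_ok(number: str) -> bool:
    """Check-digit test using Luhn mod-10 (an assumed scheme; the deck names none)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def edit_record(rec, prev_doc):
    """Run the input edit tests on one record; return a list of (test, message)."""
    errs = []
    # missing data test: every required field must contain data
    for f in REQUIRED:
        if not rec.get(f):
            errs.append(("missing_data", f"field {f} is empty"))
    # sequence check: document numbers must be ascending (fixed-width strings assumed)
    if rec.get("doc_no") and prev_doc is not None and rec["doc_no"] <= prev_doc:
        errs.append(("sequence", f"doc {rec['doc_no']} not after {prev_doc}"))
    # valid field/character test, then check digit test on the account number
    acct = rec.get("acct", "")
    if not re.fullmatch(r"\d{6}", acct):
        errs.append(("valid_field", f"acct {acct!r} is not 6 digits"))
    elif not luhn_ok(acct):
        errs.append(("check_digit", f"acct {acct} fails mod-10 check"))
    # valid code test
    if rec.get("type") and rec["type"] not in VALID_TYPES:
        errs.append(("valid_code", f"type {rec['type']!r} unknown"))
    # valid sign and limit/reasonableness tests on the amount
    if rec.get("amount"):
        try:
            amt = Decimal(rec["amount"])
        except InvalidOperation:
            errs.append(("valid_field", f"amount {rec['amount']!r} not numeric"))
        else:
            if amt <= 0:
                errs.append(("valid_sign", f"amount {amt} must be positive"))
            elif amt > MAX_AMOUNT:
                errs.append(("limit", f"amount {amt} exceeds {MAX_AMOUNT}"))
    return errs


def edit_batch(records):
    """Return (accepted records, error log). Rejected records go only to the log."""
    accepted, error_log = [], []
    prev = None
    for rec in records:
        errs = edit_record(rec, prev)
        if errs:
            error_log.extend((rec.get("doc_no"), t, m) for t, m in errs)
        else:
            accepted.append(rec)
        if rec.get("doc_no"):
            prev = max(prev, rec["doc_no"]) if prev else rec["doc_no"]
    return accepted, error_log


if __name__ == "__main__":
    ok, log = edit_batch(SAMPLE_BATCH)
    print(f"record count in: {len(SAMPLE_BATCH)}, accepted: {len(ok)}, rejected: {len(log)} errors")
    for doc, test, msg in log:
        print(f"  doc {doc}: {test}: {msg}")
```

The error log is the hand-off to AC 5: each rejected document should reappear as a corrected resubmission, and the count of resubmissions reconciled to the count of rejections.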
What is AC 4?
movement of data between one processing step and another, or between departments, should be controlled
What is AC 5?
the correction of all errors detected by the application system and the resubmission of corrected transactions should be reviewed and controlled
What is AC 6?
control totals should be produced and reconciled with input control totals
What is AC 7?
controls should prevent processing the wrong file, detect errors in file manipulation, and highlight operator-caused errors
What is AC 8?
limit and reasonableness checks should be incorporated within programs
What is AC 9?
run-to-run controls should be verified at appropriate points in the processing
What is AC 10?
output control totals should be reconciled with input and processing controls
What is AC 11?
output should be scanned and tested by comparison to original source documents
What is AC 12?
systems output should be distributed only to authorized users
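Control totals (AC 6, AC 9, AC 10, and the transmission controls in the service-center section) are all the same mechanism applied at different points: the user department computes document count, hash total and financial total before the batch leaves, and each subsequent step must reproduce them. The Python below is an added example, not from the Bisk deck; the invoice layout and the choice of vendor number as the hash field are assumptions, and the batch and its two damaged copies are constructed.

```python
from decimal import Decimal

# Constructed AP batch as prepared by the user department.
INPUT_BATCH = [
    {"doc_no": "2001", "vendor": "1001", "amount": Decimal("1250.00")},
    {"doc_no": "2002", "vendor": "1002", "amount": Decimal("310.50")},
    {"doc_no": "2003", "vendor": "1003", "amount": Decimal("89.99")},
    {"doc_no": "2004", "vendor": "1001", "amount": Decimal("420.00")},
]
# Two constructed "as received" copies: one record dropped in transmission,
# and one vendor number with transposed digits (1002 -> 1020).
DROPPED = [r for r in INPUT_BATCH if r["doc_no"] != "2003"]
TRANSPOSED = [dict(r, vendor="1020") if r["doc_no"] == "2002" else r for r in INPUT_BATCH]


def control_totals(records):
    """Document count, hash total (sum of vendor numbers, meaningless but sensitive
    to a changed or dropped record) and financial total (sum of amounts)."""
    return {
        "count": len(records),
        "hash": sum(int(r["vendor"]) for r in records),
        "financial": sum((r["amount"] for r in records), Decimal("0")),
    }


def reconcile(step, expected, actual):
    """List every total that does not agree between two steps."""
    return [f"{step}: {k} expected {expected[k]} got {actual[k]}"
            for k in expected if expected[k] != actual[k]]


def post_to_ledger(records):
    """The processing run: accumulate each invoice into the vendor ledger."""
    ledger = {}
    for r in records:
        ledger[r["vendor"]] = ledger.get(r["vendor"], Decimal("0")) + r["amount"]
    return ledger


def process_batch(input_batch, received):
    """Run-to-run control: totals at each step must agree with the input totals."""
    input_totals = control_totals(input_batch)           # established before transmission
    issues = reconcile("transmission", input_totals, control_totals(received))
    ledger = post_to_ledger(received)
    # Output control total: what was posted must equal the financial total that came in.
    posted = sum(ledger.values(), Decimal("0"))
    if posted != input_totals["financial"]:
        issues.append(f"output: posted {posted} != input financial total {input_totals['financial']}")
    return ledger, issues


if __name__ == "__main__":
    for label, received in (("clean", INPUT_BATCH), ("dropped", DROPPED), ("transposed", TRANSPOSED)):
        _, issues = process_batch(INPUT_BATCH, received)
        print(label, "->", issues or "all totals agree")
```

The transposed copy is the case worth noticing: the document count and financial total both still agree, and only the hash total exposes that a record was altered. That is why a hash total is carried alongside the totals that have business meaning.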
What is the around the computer auditing approach?
the auditor concentrates on input and output - if those are correct then what went on within the computer also must be correct
What systems are appropriate for auditing around the computer?
simple systems that provide extensive printouts of processing i.e., systems that provide a good audit trail
What is the through the computer auditing approach?
Auditor places emphasis on the input data and the processing of the data; output is not examined directly because the auditor reasons that if the input is correct and the processing is correct, then the output must be correct
What is the WET in the auditing through the computer mnemonic?
W is for writing own program, E is for embedded audit modules, T is for tagging
What is CUP in the auditing through the computer mnemonic?
C is for client prepared program, U is for utility programs and routines, P is for program comparison
What is TRIPP in the auditing through the computer mnemonic?
T is for test data or deck, R is for review of program logic, I is for integrated test facility, P is for parallel simulation, P is for program tracing
What is writing own program?
auditor writes a program for the specific substantive test to be performed
What is embedded audit modules?
sections of program code are included in the client's application program to collect audit data for the auditor
What is tagging?
selected transactions are tagged at the auditor's discretion; as they are processed, additional documentation is generated so that the auditor can see how the transactions are handled at each processing step
What is a client prepared program?
auditor may be able to use the programs that the internal audit staff use; they must be tested first to examine integrity
What are utility programs?
standard programs are furnished by the computer manufacturer for performing common data processing functions
What is program comparison?
auditor controlled copy of the program is compared with the program the client is using currently
What is test data/deck?
auditor prepares a series of fictitious transactions some of which are valid and some of which contain errors that should be detected by the controls the auditor wants to test
What is the integrated test facility or mini-company approach?
Auditor creates fictitious entity within the client's actual data files which is processed for the entity as part of the client's regular data processing
What is the advantage of ITF over test data?
auditor introduces fictitious data throughout the period thus allowing for a continuous auditing approach and it is processed along with the client's other "live" data
What is program tracing?
this prints a listing of the program instructions or steps that were executed in processing a transaction
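A test deck is only useful if every fictitious transaction carries the disposition the control is supposed to produce, including boundary cases, so that the deck reports exceptions rather than just running. The Python below is an added example, not from the Bisk deck: the credit-approval routine is a constructed stand-in for a client program (not any real client's code), the customer master file is constructed, and the ZZ-AUDIT customer stands in for the fictitious ITF entity described above. A second constructed variant with a boundary defect is included only to show what an exception report from the deck looks like.

```python
from decimal import Decimal

# Constructed customer master file. "ZZ-AUDIT" is the auditor's fictitious ITF
# entity living inside the live file; its postings must be reversed or excluded
# before the client's real totals are reported.
CUSTOMERS = {
    "C100": {"limit": Decimal("5000"), "balance": Decimal("4200"), "active": True},
    "C200": {"limit": Decimal("1000"), "balance": Decimal("0"), "active": False},
    "ZZ-AUDIT": {"limit": Decimal("100"), "balance": Decimal("0"), "active": True},
}


def client_credit_check(customer_id, amount):
    """Stand-in for the client's order-acceptance control (constructed)."""
    cust = CUSTOMERS.get(customer_id)
    if cust is None or not cust["active"]:
        return "REJECT_CUSTOMER"
    if amount <= 0:
        return "REJECT_AMOUNT"
    if cust["balance"] + amount > cust["limit"]:
        return "REJECT_CREDIT"
    return "ACCEPT"


def defective_credit_check(customer_id, amount):
    """Constructed variant whose limit test is off by one (>= instead of >),
    included only to show the deck producing exceptions."""
    cust = CUSTOMERS.get(customer_id)
    if cust is None or not cust["active"]:
        return "REJECT_CUSTOMER"
    if amount <= 0:
        return "REJECT_AMOUNT"
    if cust["balance"] + amount >= cust["limit"]:
        return "REJECT_CREDIT"
    return "ACCEPT"


# Test deck: (customer, amount, disposition the control should produce).
TEST_DECK = [
    ("C100", Decimal("800"), "ACCEPT"),            # exactly at the limit: valid
    ("C100", Decimal("800.01"), "REJECT_CREDIT"),  # one cent over the limit
    ("C200", Decimal("10"), "REJECT_CUSTOMER"),    # inactive customer
    ("C999", Decimal("10"), "REJECT_CUSTOMER"),    # no such customer
    ("C100", Decimal("0"), "REJECT_AMOUNT"),       # zero amount
    ("ZZ-AUDIT", Decimal("100"), "ACCEPT"),        # ITF entity, at its limit
    ("ZZ-AUDIT", Decimal("-5"), "REJECT_AMOUNT"),  # negative amount
]


def run_test_deck(deck, program):
    """Feed each deck transaction to the program under test.

    Returns (number passed, exception list of (customer, amount, expected, actual)).
    """
    passed, exceptions = 0, []
    for cust, amt, expected in deck:
        actual = program(cust, amt)
        if actual == expected:
            passed += 1
        else:
            exceptions.append((cust, amt, expected, actual))
    return passed, exceptions


if __name__ == "__main__":
    for name, prog in (("client program", client_credit_check),
                       ("defective variant", defective_credit_check)):
        passed, exc = run_test_deck(TEST_DECK, prog)
        print(f"{name}: {passed}/{len(TEST_DECK)} passed")
        for e in exc:
            print("  exception:", e)
```

Both deck transactions that land exactly on a credit limit fail against the defective variant while every other transaction passes, which is the kind of result a deck built only from obviously good and obviously bad data would never surface.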
What is GAS or generalized audit software?
Set of programs or routines specifically designed to perform certain data processing functions that are useful to the auditor
What is an ad hoc report?
nonstandardized report composed when the need arises
What is an application program?
designed to perform the processing of a specific application
What is a bit?
binary digit representing the smallest unit of data possible
What is a byte?
a group of bits that represents a single character whether alphabetic or numeric
What is a central processing unit or CPU?
primary hardware component; the actual processing of data occurs in the CPU; it contains primary storage, a control unit, and an arithmetic/logic unit
What is the primary storage?
portion of the CPU that holds the program, data, and results during processing; contains the data and program steps that are being processed by the CPU and is divided into RAM and ROM
What is RAM?
random access memory
What is ROM?
read only memory
What is the control unit?
portion of the CPU that controls and directs the operations of the computer; it interprets the instructions from the program and directs the computer system to carry them out
What is the arithmetic/logic unit?
portion of the CPU that has special circuitry for performing arithmetic calculations and logical operations
What is cloud computing?
delivery of computing resources as a metered service over the internet
What is a cold site?
location where equipment and power is available in the event of disaster at the primary location but requiring considerable effort to get an operational system functioning
What are collaborative computing applications?
a program that allows several people to have access to the same information and attempts to track the authors of changes; also known as groupware
What is CPA SysTrust?
an attestation service developed in part by the AICPA that is designed to provide assurance on whether a system's controls are operating effectively and allow the system to function reliably
What is CPA WebTrust?
a symbol appearing on a Web site that indicates that the organization meets joint Canadian Institute of Chartered Accountants and AICPA business practice disclosures, transaction integrity, and information protection criteria
What is a database?
structured set of interrelated files combined to eliminate redundancy of data items within the files and to establish logical connections between data items
What are decision tables?
decision tables emphasize the relationships among conditions and actions, and present decision choices; they often supplement flowcharts
What is document management?
electronic document storage and retrieval
What is input editing?
editing before processing
What is output editing?
editing after processing
What is electronic data interchange?
electronic communication among entities such as financial institutions and customer vendor partners
What is enterprise resource planning software?
large multimodule applications that manage a business's various functions, from traditional accounting to inventory management and advanced planning and forecasting
What is extranet?
a password protected intranet, usually for established vendors and customers
What is a field?
group of related characters
What is a file?
group of related records
What does heuristic mean?
describes a program that learns from experience and adjusts its own behavior in response to use, rather than following only fixed rules
What is a hot site?
location where a functioning system is planned for use with minimal preparation in the event of a disaster at the primary work location
What is an optical character recognition scanner?
a device to sense printed information through the use of light sensitive devices
What is intranet?
a network generally restricted to employee access
What is a library program?
programs that are frequently used by other programs
What is a local area network?
a network of computers within a small area to transmit information electronically and share files and peripheral equipment among members
What is a management information system?
an information system within an organization that provides management with the information needed for planning and control; it integrates the functions of gathering and analyzing data and reporting the results to management in a meaningful form
What is mapping?
converting data between application format and a standard format
What is a master file?
contains relatively permanent data
What is an operating system?
manages the coordinating and scheduling of various application programs and computer functions
What is multiprocessing?
allows the execution of two or more programs at the same time and requires the utilization of more than one CPU
What is multiprogramming?
a program is processed until some type of input or output is needed; The OS then delegates the process to a piece of peripheral equipment and the CPU begins executing other programs
What is virtual storage?
the OS divides a program into segments called pages and brings only sections of the program into memory as needed to execute the instructions
What is a pass or run?
a complete cycle of input, processing, and output in the execution of a computer program
What is a patch?
a change or correction applied to an existing program, often a quick fix made directly to the object code outside the normal change procedure; patches should be subject to the same approval, testing, and documentation as any other program change (see GC 9)
What is peripheral equipment?
equipment that is not part of the CPU but that may be placed under the control of the CPU
What is a point of sale system?
a system that records goods sold and figures the amount due at the cash register, frequently also verifying credit cards or checks
What is a record?
a group of related fields
What is a disk or diskette?
a randomly accessible storage medium on which data is recorded in concentric circles called tracks
What is magnetic tape?
plastic tape that is coated with a material on which data can be represented as magnetized dots according to a predetermined code; it resembles audio tape
What is off-line storage?
not in direct communication with the CPU; human intervention is needed for the data to be processed
What is online storage?
in direct communication with the CPU without human intervention
What is the meaning of randomly accessible?
data records can be accessed directly
What is sequentially accessible?
requires the reading of all data between the starting point and the information sought
What are systems programs?
perform the functions of coordinating and controlling the overall operation of the computer system
What is the transaction file?
contains current, temporary data; used to update a master file; also known as detail file
What is a trojan horse?
a seemingly legitimate program that operates in an unauthorized manner, usually causing damage
What is a utility program?
standard program for performing routine function such as sorting and merging
What is a virus hoax?
an email message with a false warning; its originator tries to get it circulated as widely as possible
What is a wide area network?
a computer network encompassing a large area to transmit information electronically and share files among members
What control procedures would an auditor generally focus on when they anticipate assessing control risk at a low level in a computerized environment?
general control procedures
Why may misstatements in a batch computer system caused by incorrect programs or data not be detected immediately?
Because there are time delays in processing transactions in a batch system
What does a source code comparison program compare?
The original (auditor-controlled) source code written for a specific program to the current code in use for that program, to detect unauthorized changes
What is the greatest risk regarding an entity's use of electronic data interchange?
improper distribution of EDI transactions
What is a benefit of using electronic funds transfer for international cash transactions?
reduction of the frequency of data entry errors