Auditing Computerized Information Systems

Questions and Answers

Which statement is incorrect when auditing in a CIS environment?

• A CIS environment changes the overall objective and scope of an audit. (correct)
• The auditor should consider how a CIS environment affects the audit.
• A CIS environment exists whether a computer of any type or size is involved.
• The use of a computer may affect the accounting and internal control systems.

Which of the following standards is mostly affected by a computerized information system?

• Standards of fieldwork (correct)
• Reporting standards
• General standards
• Second standard of field work

Which factor is least considered when an auditor needs to determine if specialized CIS Skills are needed?

• Auditor's need to make analytical procedures during completion stage of audit. (correct)
• Design and perform appropriate tests of controls and substantive procedures.
• Sufficient understanding of the accounting and internal control system.
• Determine the effect of the CIS environment on the assessment of overall risk.

What relates to the materiality of financial statement assertions affected by computer processing?

Significance (C)

Which of the following least likely indicates complexity of computer processing?

The system generates a daily exception report. (D)

The nature of risks in a CIS environment that auditors are concerned with include all except:

Cost-benefit ratio. (C)

Which is least likely a risk characteristic associated with CIS environment?

Initiation of changes in the master file is exclusively handled by respective users. (D)

Which of the following significance of CIS activities would an auditor least understand?

The use of software packages instead of customized software. (A)

Which statement is correct regarding personal computer systems?

Personal computers are economical yet powerful self-contained general purpose computers. (B)

A personal computer can be used in various configurations, including:

All of the above. (D)

Which statement is incorrect regarding personal computer configurations?

A stand-alone workstation may be referred to as a distributed system. (B)

Which is the least likely characteristic of personal computers?

They are relatively expensive. (B)

Which of the following is an inherent characteristic of a software package?

They are typically used without modifications of the programs. (C)

Which of the following is not normally a removable storage media?

Hard disk (D)

It is a computer program that attaches itself legitimate program to reproduce itself without user knowledge.

Virus (A)

Which statement is incorrect in personal computer environments?

The distinction between general CIS controls and CIS application controls is easily ascertained. (A)

What is least likely a security measure to restrict access to personal computers when not in use?

Using anti-virus software programs. (C)

Which is not likely a control over removable storage prevent alteration without authorization?

Using cryptography. (A)

Which of the following least likely protects critical and sensitive information from unauthorized access?

Keeping of back up copies offsite. (D)

What refers to plans made by the entity to obtain access to hardware and software after failure?

Back-up (C)

The effect of personal computers on the accounting system will least likely depend on...

The cost of personal computers. (B)

If control risk is high in personal computer systems, it may not be cost-effective for to implement controls.

More analytical procedures. (A)

Computer systems that enable users to access data directly through workstations are:

On-line computer systems (D)

On-line systems allow users to directly initiate any, or all, functions. What is an example of such a function?

Entering transactions (A)

The functions performed by workstations depend all except which factor?

Cost (A)

What is an example of Special Purpose Terminals?

Point of sale devices (A)

Special Purpose Terminals are used to initiate various banking transaction. Example of a Special Purpose Terminal is:

Automated teller machines (C)

Which statement is incorrect regarding workstations?

Workstations cannot be used by many users, for different purposes, in different locations all at the same time. (B)

On-line computer systems may be classified according to:

All of the above. (D)

In an on-line/real time processing system:

Individual transactions are entered at workstations, validated and used to update related computer files immediately. (C)

Flashcards

Incorrect Audit Statement?

Overall objective and scope doesn't change

Biggest risks in CIS?

Lacks segregation of functions or transaction trails

Least Correct?

Using software packages instead of customized software

Incorrect Statement About PC?

Data stored on non-removable storage

Incorrect Configuration Statement?

Stand-alone is distributed

Least Likely Character?

Relatively expensive

Inherent characteristic software package?

Typically used without modifications

Not Removable?

Hard disk

Computer program

Virus or malware

Incorrect Internal Control Statement?

Application controls are easily ascertained

Least Likely

Anti-virus software programs

Not a Control?

Using cryptography

Least Protection?

Using secret file names and hiding the files

Least Depend on?

The cost of personal computers

Least Likely entail

More analytical procedures

Collection data?

Database

Systems Employ

Systems employing CIS methods

Allows fictitious together

Integrated Test Facility

Smaller volumes ?

Less cost effective

Works with user?

The control group works with corrected inputs

Terminal Accuracy?

Self checking digit

Computer manufacturer?

Parity digit

EDP Environment?

Software to prevent unauthorized data changes

Performed well test?

The program tested is of use

Data method

Accuracy of input data.

Unapproved?

Revisions to existing computer software coding and data entry

Hardware prevent and monitor?

Duplication controls

Compilers?

Compilers system with procedural language system.

Study Notes

Auditing in a Computerized Information Systems (CIS) Environment

• A statement noting that a CIS environment changes the audit's overall scope and objectives is incorrect.
• Standards or groups of standards most affected by a computerized information system environment involves audit fieldwork.
• An auditor needs to determine specialized CIS skills during preliminary stages of audit instead of stages which involve analytical procedures.
• Relates to materiality of financial statement assertions, which are affected by computer processing, and significance.
• Complexity in computer processing does not involve system generation of daily exception reports.

Complexity of Computer Processing

• Transactions occur between organizations electronically without manual intervention.
• Users struggle identifying and correcting data errors.
• Computer systems generate material transactions for other applications.

Nature of Risks in CIS Environments

• Cost-benefit ratio is not a risk factor.
• Identifying potential unauthorized data access or alteration without visible evidence is fundamental.
• Having changes in the master file handled exclusively by select users is a key component.
• You should least understand the organizational structure of a client’s CIS activities.

Hardware and Software

• Use of software packages instead of customized software is a good decision
• Programs and data are stored on only non-removable storage media.
• Stand-alone workstations can be operated by a single user or a number of users.
• A stand-alone workstation does not refer to a distributed system.
• You CAN use workstations for many purposes, in different locations all at the same time
• Personal computers are not relatively expensive.
• Software packages are often used without program modifications.
• Hard disks aren't the removable storage media
• Virus is the malware described as transmitting through executable code by attaching itself to a system.
• It is not easy to find general CIS controls to easily ascertain application controls
• Anti-virus software programs do not provide physical security when the device is not in use
• Data cryptography, as well as physical record protection is key

Computer Systems and Security

• You should avoid using anti-virus software or programs
• The affect of costs and the associated risks will not impact the cost of personal computers.
• Analytical procedures are better than test details
• Online computer systems enable users to directly access data and programs via workstations.
• The cost does not impact the various stations within an online computer system.

Workstations

• Workstations may exist locally or at remote sites
• Local workstations often are connected to through cables
• Remote workstations require telecommunications links
• Some workstations include general or specialized capabilities.
• Specialized workstations include basic keyboards, point of sale devices or intelligent terminals.

Network Classification

• A network, a computer system, enables equipment users to exchange software and data.
• MAN (Metropolitan Area Network) is for multiple buildings
• Wide Area Networks (WAN) are usually more expensive than LAN (Local Area Networks).
• Gateway is the hardware system which supports networks
• Transmission, and storage are key for data.
• Switch works to direct data in network settings.

Online Systems

• Immediate validation checks are a valuable characteristic for online computer systems.
• Important CIS controls involve access, system development, and edit reasonableness.
• Pre-processing authorization, balance, and transaction logs are crucial CIS applications.
• Access to data online provides opportunities to access programs by unauthorized personnel.
• Potential of unauthorized use of a workstation and entry of unauthorized transactions may be risky but not necessarily
• Authorization, completeness, accuracy, and integrity of processes impacts security
• Online immediate processing of data increases the potential for risk in wrong processing periods
• A collection of data that is shared by a number of users is a Database

Database Systems

• There are several data owners who are assigned responsibility for defining access.
• Standard approaches to data for application program development and adjustments improves control.
• It is critical to segregate data in separate files
• Discretionary access controls mandate the ability to assign security attributes to data
• An important point is name dependent retractions
• The rate of financial transactions impacts database systems risk
• Auditing mainly impacted by accounting needs

CIS Environments and Operations

• General CIS controls is most important in database environments.
• System operations reduces persons involving data so manual steps reduce
• System characteristics affect lack of visible transaction trail
• CIS design and procedural characteristics should follow programmed control procedures and update databases.
• Internal controls need to include design of computer programs
• Controls over computer data files are useful
• Monitoring is an excellent control as well as input and output control

General and Application Controls

• Auditors should analyze general controls related to applications
• Its important for the system to be accurate
• Design of application controls before general is more efficient
• Manual procedures are effective
• Preclude is important for applications

Auditing Tools

• Computer assisted audit techniques are the applications of auditing under computer
• They are often efficient means of testing large amounts of data and controls
• The presence of the auditor is not necessary for PAPS 1009 in small entities
• Computer assisted software like generalized or packet software supports
• Manual working papers is not a good procedure because systems aren't efficient
• Using groups instead of programmers and operators is crucial for security
• Password compatibility testing
• Self-checking digit checks system

Program and Data Integrity

• Up-to-date maintained programs are important
• Self-checking digit is how computer programs have built in hardware
• Firware makes programs more reliable
• Operators and programmers need limited access
• Hash totals to monitor payroll
• Completeness test
• Firmware prevents security from computer access
• Validity test ascertain given characteristics
• Control systems are hardware based

EDP and Systems Analysis

• State of art software and hardware is key to implementation
• Project leaders and programers are not part of internal control structure
• Audit software is an effective key to program controls
• The use of integrated test facility
  • Limits and numbers
• Audit is not part of matrix
  • It should be for all users
• EDP processes include machine readable sources
• Analyst designs systems
• Departments have to review data and totals after processing
• It should be initiated or changed by managers

Tests and Errors

• It must be for all tests
• The ones who change it is the operator
• It must be updated for errors
• Microcompters are able to control
• The source code is important
• Parallel has to have reports as well as be equal
• The novice has to create control
• Segragation is more likely
• Software is important
• Passwords need an expert
• To get results code has to be correct.

Test Data Approach

• All tests should be valid
• Auditors need some checks because that's the rules
• All tests need checks and limits
• Files need checks and code
• Errors must be valid and true
• Computer data needs to be confidential
• Access needs check
• Security protocols must be high