Auditing Principles and Practices Quiz
47 Questions
Questions and Answers

What is the primary purpose of continuous auditing for auditors?

  • To perform audit tests once a year
  • To focus solely on revenue transactions
  • To analyze past financial statements
  • To subject all transactions to control functions in real time (correct)

Which function is NOT included in the capabilities of GAS CAAT?

  • Report generation (correct)
  • Recalculation
  • File import
  • Gap analysis

What does the Benford Law state about financial numbers?

  • The only acceptable first digit is 5
  • The first digit is most likely to be 1 and least likely to be 9 (correct)
  • The first digit is more likely to be 0 than any other digit
  • Every digit has an equal probability of appearing as the first digit

What is a significant risk when using CAAT?

  • Unauthorized changes and incomplete testing (correct)

Which of the following is a potential issue with outsourcing in auditing?

  • The firm remains liable for issues despite outsourcing services (correct)

What should a service auditor do if there is a significant control deficiency?

  • Issue a qualified report (correct)

Which procedure is documented in a type 1 sampling test?

  • Only controls (correct)

What is the purpose of identifying compensating controls?

  • To strengthen weak controls when combined (correct)

Which of the following is NOT included in the standards developed by the PCI Security Council?

  • User training programs (correct)

What does SOC 2 specifically address in its reports?

  • Security, availability, integrity, and confidentiality (correct)

What must a user auditor review upon receiving a control assurance report?

  • Control considerations and procedures (correct)

What type of report is SOC designed to provide for service organizations?

  • Trust and confidence in services and controls (correct)

Which of the following is a procedure used in audit?

  • Testing (correct)

What is the main goal of user acceptance testing (UAT)?

  • To ensure the system is functioning as intended (correct)

Which conversion method is the least risky?

  • Phased conversion (correct)

What is NOT a component of the Fraud Triangle?

  • Policy (correct)

What is the purpose of program change controls?

  • To prioritize, authorize and document changes to programs (correct)

Which infrastructure component is NOT part of e-business?

  • File management software (correct)

What is the primary reason for segregation of duties?

  • To ensure independent verification and reduce risk of fraud (correct)

Which of the following is an essential part of end user development controls?

  • Strict policies for documentation and approval (correct)

What does detection risk refer to in terms of system controls?

  • Risks arising from the complexity and lack of audit trails in systems (correct)

Which of the following represents a post-implementation review activity?

  • Assessing previous system errors (correct)

Which risk involves transaction accuracy and completion in systems?

  • Control risk (correct)

What is a cold site in the context of disaster recovery?

  • A backup site available within a week without hardware, software, or data (correct)

How often should a disaster recovery plan be tested?

  • Annually (correct)

What aspect is crucial for assessing the adequacy of a data center's protection?

  • Environmental controls like humidity and temperature (correct)

Which of the following is NOT a component of general control weaknesses?

  • Technical documentation (correct)

What can result from insufficient controls during the System Development Life Cycle (SDLC)?

  • Errors in programming logic (correct)

What is the purpose of corporate governance within an organization?

  • To select objectives and monitor performance (correct)

Which of the following is a potential issue with accounting information systems due to development problems?

  • Bookkeeping fraud (correct)

What should be reviewed to ensure systems can be recovered in a timely manner?

  • Backup procedures (correct)

Which method ensures that receivable balances are unchanged between postings?

  • Compare total receivable before and after posting (correct)

What is a primary method for ensuring invoice data is accurately transferred between systems?

  • Check for duplicate entries (correct)

What common method is used to verify the accuracy of system tax calculations?

  • Prepare simulated transactions and compare results (correct)

Which approach is essential during a walkthrough interview for testing application controls?

  • Engage with key personnel responsible for using the application (correct)

How should auditors ensure the reliability of reports used in substantive procedures?

  • Ensure data can be verified against independent sources (correct)

What must auditors evaluate regarding significant controls related to business objectives?

  • If they help address completeness and accuracy assertions (correct)

What is the purpose of analyzing the flow of transactions through systems during a control evaluation?

  • To understand the effectiveness of controls (correct)

Which of the following actions would not contribute to effective test strategy and frequency determination?

  • Rely solely on prior audit results (correct)

What is the primary difference between symmetric key encryption and asymmetric key encryption?

  • Symmetric uses one common key for encryption and decryption, while asymmetric uses a public and a private key (correct)

What is a potential risk of using symmetric key encryption?

  • A single compromised key allows unauthorized access to all encrypted data (correct)

Which component of a digital signature ensures the integrity of the message?

  • The hash computed from the original document (correct)

Which application of encryption is NOT mentioned in the content?

  • Instant messaging (correct)

What does a digital certificate establish in an online transaction?

  • The identity of users and electronic assets (correct)

In asymmetric encryption, what role does the private key play?

  • It decrypts data that was encrypted with the public key (correct)

What is a significant advantage of asymmetric key encryption over symmetric key encryption?

  • It does not require secure key exchange (correct)

How can encryption help in data transmission?

  • By preventing unauthorized access through data scrambling (correct)

    Study Notes

    CAATOE

    • Completeness
    • Accuracy
    • Timeliness
    • Authorization
    • Occurrence
    • Efficiency: computes information faster and more cost-effectively, and is scalable.

    Components of AIS - SIPPII

    • Information system collects, stores, and processes financial and accounting data for decision-makers.
    • Infrastructure includes LAN, WAN, wireless network, hardware, and real estate.
    • Software includes system software and application software.
    • People include CIO, system operations, management, and users.
    • IT controls are security measures and procedures to ensure information security.
    • IT controls are important for reliable output and to mitigate risks like theft and fraud, ensuring information security.

    Effective Decision Making

    • AIS purpose is to collect and store data about organizational activities, resources, and personnel.
    • Transform data into information to help management plan, execute, control, and evaluate activities and resources.
    • Enables management decision-making.
    • Provides adequate control to protect organizational assets and data.

    Processing Modes

    • Online input, online update: transferring money in real time.
    • Online input, batch update: paying credit cards through bank accounts.
    • Batch input, periodic update: writing and giving checks to people for later deposit.

    Databases

    • Databases are collections of files used in related applications; they can be shared.
    • Require a database management system (DBMS).
    • DBMS advantages include reduced data redundancy, data independence, and improved data accessibility.
    • DBMS disadvantages include complexity in setup, high cost, and slower processing of high volumes of periodic transactions.

    Computer Processing

    • Computer processing often eliminates random errors but may not eliminate systemic errors.

    Incompatible Functions

    • Incompatible functions may not be segregated.
    • Inappropriate access could be an issue.
    • Increased management supervision is required.
    • Controls affect auditing of general purpose financial statements.

    Causes of IT Issues

    • Lack of testing
    • Overload of access
    • Lack of bandwidth
    • Human error

    Sources of Problems

    • Hardware implementation issues
    • Programming issues
    • Abuse and misuse

    Audit Risk

    • Risk that audit opinion is wrong.
    • Inherent risk.
    • Risk of undesirable financial events occurring.
    • Management cannot influence inherent risk but can mitigate control risk.
    • Auditors can influence detection risk.
    • Control risk is the risk of controls not preventing or detecting undesirable events.
    • If control risk is high, substantive testing will be required.

    IT Effect on Risk

    • IT supports new business models like e-commerce, increasing inherent risk due to external parties processing transactions.
    • Increase in control risk due to fewer people, reduced segregation of duties, and inability to keep up with technological advancements.
    • It can decrease control risk since computer usage reduces human mistakes.
    • Increase in detection risk due to more complex and integrated IT systems.
    • Increase in audit risk because of less competent IT systems and insufficient audit capabilities.

    Input Risk

    • Incorrect input
    • Untimely input or incomplete input
    • Unauthorized transactions for another user
    • Loss of audit trail

    Processing Risk

    • Incomplete processing
    • Inaccurate processing errors
    • Undocumented processes
    • Untimely processing

    Output Risk

    • Incomplete output
    • Inaccurate output
    • Unauthorized access to reports
    • Untimely output (like late T4)
    • Stored data risk (unauthorized access and unavailability of data, data loss)

    Other Risks

    • Virus
    • Hackers
    • Disasters/catastrophes
    • Computer crime
    • Sabotage

    IT Governance and General Controls

    • IT strategy must align with business strategy, covering a 3-year period, and addressing infrastructure, software, information, and people.
    • Procedures are not part of IT governance; it addresses IP and I.
    • CIO is accountable for setting corporate policies and providing IT infrastructure.
    • Executives are responsible for approving IT expenditures and projects.
    • CIO reports to the CEO or COO, not the CFO.

    General Controls

    • IT controls that apply to more than one system.
    • Should be implemented before application controls.
    • Not every system has the same risks, so application controls are necessary.

    Types of General Controls

    • Organizational controls, such as segregation of duties.
    • IT governance controls, such as checks and balances for minimizing errors and ensuring efficiency.

    Computer Operations Controls

    • Use operations systems to specify resource allocation, constraints, and types of allowed transactions.
    • Maintain file versions.
    • Distribute outputs/transactions.

    Disaster Prevention and Recovery Plan

    • Purpose is to recover critical applications in case of system collapse.

    Backup

    • Environmental controls
    • Preventative controls
    • Detective controls
    • Corrective controls

    Plan availability

    • Hot site: available within a day, including hardware, software, and data; most expensive.
    • Warm site: has hardware but no software; typically available within a few days.
    • Cold site: has no hardware, software, or data; typically available within a week.
    • Plans should be tested, reviewed, and approved by management.
    • Tested annually.
    • Procedures and criteria for invoking plans.
    • Distanced from production site.

    Auditing Disaster Recovery Planning

    • Review backup procedure.
    • Obtain and review recovery plan.

    Review Backups

    • Review backup logs for correctness, currency, and offsite storage.
    • Inspect site locations for weaknesses
    • Review previous recovery test results
    • Assess the adequacy of data center protection in terms of humidity, temperature, fire, and flood prevention.
    • Consult experts, as needed.

    General Control Weaknesses

    • Assess weaknesses related to application impact.
    • Relate general control weaknesses to the impact on application controls.
    • Identify weak general controls that may still allow some application controls to be relied upon, such as access controls, organizational controls, and program change controls.
    • Corporate governance - organization objectives, processes, IT infrastructure, and alignment with business strategy.

    System-Development Controls

    • Why test the System Development Life Cycle (SDLC)?
    • Reliability of computer systems is dependent on change management controlling system developments.
    • Insufficient or inappropriate controls lead to errors in programming logic and subsequently, errors in output.

    Source Code

    • Source code written by the programmer.
    • Escrow agreement (protects provider and user): a third party holds the source code rights in case the vendor/developer goes out of business.
    • Object code is run by computers (off the shelf).

    Customized vs. Off-the-Shelf Software

    • Customized software meets specific user needs, while off-the-shelf software is generic.
    • Customization is more expensive and has a greater chance of errors.

    Web-Based Solutions (One Drive, Google Docs)

    • Provide backups and accessibility.
    • Easy to use for collaboration.

    Security

    • Security risks related to Wi-Fi and internet connectivity, including potential hacker risks and data interception/tampering.

    SDLC, Operational, Technical, and Financial Factors

    • Operational: how well the system can be executed.
    • Technical: available resources.
    • Financial: funds required (recurring costs and non-recurring costs).
    • Quantifiable (tangible) costs such as setting up a system.
    • Non-quantifiable (intangible) costs, such as employee satisfaction.

    Unit Testing

    • Testing one component of the system, done by the developer.

    Integration Testing

    • Independent tester tests multiple components through integration testing.

    UAT

    • User acceptance testing (UAT) done at the end by the user to ensure the system works as intended.

    Production Infrastructure Installation

    • Install production infrastructure.
    • Conversion and implementation: manual or automated methods of converting the system from older versions to new versions (e.g., parallel, direct, or phased).

    Post-Implementation Review

    • Review what went wrong with the process
    • Ensure the new system is functioning as planned.

    Checklist and Documentation

    • Segregation of duties for developers, testers, and computer operators.
    • Segregation of development, testing, and production environments (physically if possible).

    Program Change Controls

    • Prioritization criteria
    • Authorization procedures
    • Documentation procedures
    • Testing procedures
    • Segregation of environments
    • Back-out procedures
    • End-user development controls

    Application Development Controls

    • Application or mini-applications developed by users.
    • Policies for documentation, approval, testing, and system types.

    Sample Size Guidelines

    • Automated controls;
    • Manual changes depend on annual frequency; intervals are not critical.

    Fraud Triangle

    • Incentive: financial or emotional force
    • Opportunity: can execute without getting caught
    • Rationalization: personal justification

    Fraud Triangle Causes

    • Greed, stress, or pressure (incentive).
    • Weak controls or loopholes in the system (opportunity).
    • Justification and rationalization of actions (rationalization).

    E-business Infrastructure

    • Web servers and web masters
    • Firewalls
    • Internet service providers (ISPs)
    • Application servers
    • Database servers
    • Routers
    • Web hosting software
    • Website management systems
    • Network operating systems
    • Inherent risk from complexity and hacker risks.

    Control Risk and Risk Implications

    • Increased risk due to external party controls and lack of audit trails.
    • Nonoccurrence of transactions
    • Incomplete processing
    • Inaccurate processing
    • Interception of transactions
    • Inefficiency.
    • E-business controls: Disaster recovery planning (DRP)

    EDI - Electronic Data Interchange

    • EDI use before the internet.
    • EDI is now used for electronic transfer of information, such as batch purchase orders or invoices.
    • EDI issues related to CAATOE (Completeness, Accuracy, Timeliness, Authorization, Occurrence)
    • Problems with EDI: Inaccurate or untimely data, Security issues, Network problems.

    XBRL - Extensible Business Reporting Language

    • A standard format for exchanging business information, such as financial reports.
    • Allows for better exchange and comparison between companies due to standardization.
    • Audit XBRL procedures are to make sure users rely on these documents for financial statements and ensure appropriate tagging.
    • Audit procedures: reviewing controls, policies for generating XBRL statements, and procedures, and reviewing the frequency of statement generation.

    Application Controls

    • Risk: if programmers have access to the operational environment, they can make changes that go straight into production, which can cause system crashes.
    • Obtain all documentation required, and get system-generated lists of changes, samples, backups, and approvals.

    Data Integrity

    • Integrity, availability, and confidentiality are the main objectives
    • Access controls involve user authentication procedures (Identification, Authentication, Authorization).
    • Logs and monitoring of user activities are vital for security purposes.

    General Access Controls

    • Apply to numerous systems.
    • Can be a policy, standards, or system controls; crucial for external audits.
    • Includes physical security, education, privacy policies, and information security policies.

    Password Security and Usage

    • Passwords should not be shared and should be changed frequently.
    • Passwords should contain 8 characters, special characters, or a combination.
    • Password cracking methods (random trials/dictionaries, brute force) should be analyzed.

    Two-Factor Authentication

    • Compensates for password weakness, such as guessing and hacking, and uses something the user has and knows.

    Biometrics

    • Use of fingerprints or other biometric verification methods; often seen as a substitute for signatures. However, there are privacy concerns related to this method of identification.

    Application Access Controls

    • Applies to specific systems.
    • Can be procedural or automated.
    • Supports management controls.
    • Example: passwords.
    • Access control lists (ACLs) restrict functions, like payroll or employee access for specific tasks.
    • Uses Encryption and Procedures.
    • Monitoring mechanisms are in place to oversee system activities.
    • Supports segregation of duties.

    Platform (Operating System) Security

    • Use of standard checklists.
    • Locking down workstations to prevent unauthorized software installation.
    • Vulnerability scanning.
    • Automated patching/fixing of vulnerabilities for security protection.
    • Server profiles are used to determine password length.
    • Firewall is essential to protect internal networks.

    Virus Protection, VPN, and Intrusion Detection/Prevention

    • Internet email systems should include protection against viruses.
    • VPN securely accesses company systems for staff.
    • Intrusion detection systems identify and prevent questionable or unacceptable traffic patterns.
    • Prevention systems can be deployed to block threats.

    Data Encryption

    • Uses math to scramble data.
    • Symmetric cryptography (one key for both encryption and decryption).
    • Asymmetric cryptography (two keys, one public, one private).
    • Digital signatures verify identities and content authenticity.
    • Public key infrastructure (PKI) manages certificates and digital signatures.

    Digital Certificate

    • Establishes the identities of users and electronic assets.
    • Verifies transactions and security.
    • Certificate authorities (CAs) issue and maintain certificates.
    • Essential for online transactions to prevent fraud and security risks.
    • The key used to verify (decrypt) a digital signature must match the signing key and algorithm so that the recomputed hash can be compared with the signed hash.

    Public Key Infrastructure (PKI)

    • Set of policies, procedures, and servers for public key environment operations.
    • Public key servers store public keys.
    • Servers authenticate users who activate private keys.
    • Need to have a record of where the keys are kept.
    • Disposal of encryption keys is important.

    Wireless Encryption

    • Uses 128-bit or 256-bit symmetric keys that change with each data packet.
    • Static 128-bit keys are used for authentication.

    Web Application Security

    • Input validation ensures input's validity, length, and type.
    • Developers often implement client-side and server-side input checks.
    • Reviews of security policies and procedures, including firewalls, intrusion detection systems, anti-virus software, and system configuration.

    Test Access Controls

    • Reviews of policies to ensure proper access rights and procedures.
    • Review and testing of user profiles, access control lists, and system setups, including firewalls, intrusion detection systems, and antivirus software
    • Reviewing configurations of security software and hardware.

    Audit Trail

    • Format checks, such as dates in DD/MM/YYYY format.
    • Other input controls (friendly screens, custom functionalities, exception reporting)
    • How to test input data.
    • Testing procedures for the quality of input data.
    • Observation/control walkthrough.
    • Review system documentation
    • Review audit trails, processed, and rejected data
    • Reperformance, using checks to identify discrepancies or errors.

    Processing Controls

    • Segregation of duties
    • Restricted access
    • File labels
    • Error/exception logs
    • Programmed balance checks
    • Manual cross-checks
    • Concurrent update controls.

    Test of Controls

    • Using test data.
    • Reviewing system documentation.
    • Reviewing audit trails.
    • CAAT (Computer-Assisted Audit Techniques).

    Reliance on Reports

    • Controls as part of the combined approach (Manual follow-up).
    • Audit procedures to provide complete and accurate input.
    • Substantive analytical procedures via computer-generated reports.

    Data Analytics

    • Descriptive analysis for past data understanding.
    • Diagnostic analysis to determine causes and trends.
    • Predictive analysis to forecast future results.
    • Prescriptive analysis to determine optimal actions and strategies.
    • Data visualization techniques to present data effectively.

    Data Preparation

    • Ensuring data format suitability.
    • Checking for missing, duplicate, and inconsistent data.
    • Data consistency with general ledger entries.

    Risk Assessment

    • Analyze the general ledger for unusual transactions.
    • Create visualizations of ratio analyses.
    • Analyze changes to accounts receivables.
    • Perform trend analyses.

    Substantive Testing

    • Non-statistical and statistical models to predict revenue.
    • Identifying and isolating unusual items.
    • Testing net realizable value of inventory.
    • Identifying payments after year-end related to cut-offs and other similar assurance concepts.

    Planning for ADA

    • Access and prepare data.
    • Assess relevance and reliability.
    • Perform ADA (Audit Data Analytics).
    • Evaluate results effectively.

    Objectives for Data Analytics

    • Segregation of duties.
    • Duplication of payments for invoices.
    • Phantom employees/vendors.
    • Documentation of compliance with relevant regulations.
    • Testing of account balances in financial statements.

    CAAT (Computer-Assisted Audit Techniques)

    • Generalized audit software (GAS), e.g., Excel, Power BI.
    • Embedded audit module (control functions)
    • Integrated Test Facility.

    Special Reports and Other Assurance Engagements

    • Outsourcing: contracting out processes such as payroll.
    • Outsourcing review: ensuring controls are effective enough for proper oversight.

    Issues with Outsourcing Processes

    • Risk and accountability.
    • Increased risk when services are outsourced.
    • Difficulty replicating controls in-house for outsourced processes.

    Control Assurance Report by Auditor

    • Reviewing audit opinion and coverage period of a report.
    • Review of control considerations (ensure they meet objectives), and exceptions and their impacts on management.

    Payment Card Industry Data Security Standards (PCI DSS)

    • Developed by the PCI Security Standards Council, based on security standards and practices related to credit cards.

    SOC Reports

    • Service organization reports help build trust for service providers by externally assessing their controls and procedures.
    • SOC 1 reports assess controls over financial reporting (relevant to financial reporting)
    • SOC 2 reports focus on security, availability, processing integrity, and privacy; these are based on the Trust Services Criteria of the AICPA.
    • SOC 3 reports are similar to SOC 2 but are accessible to the public.
    • CSAE 3416 provides more guidance applicable for SOC 2/3 (reliability of the report).

    Related Documents

    MGT422 Final Exam PDF

    Description

    Test your knowledge on key auditing concepts, including continuous auditing, GAS CAAT capabilities, and the implications of SOC reports. This quiz covers essential topics in audit methodology and risk management. Ideal for students and professionals in accounting and auditing fields.
