Control within Computer Systems

Questions and Answers

Which element of a computer system exercises ultimate control, influencing how systems meet user needs?

• JCL (Job Control Language)
• Operating System
• Human Element (correct)
• Applications

In the context of computer systems, what is the primary function of 'Run Instructions'?

• Guiding computer operators on job execution and responding to system queries. (correct)
• Defining user variations to adjust how programs operate.
• Executing business functions under the Operating System.
• Automating job-running processes.

Which role is primarily responsible for maintaining the Database Management System (DBMS)?

• Database Analysts (correct)
• Systems Analysts
• Network Analysts
• Systems Programmers

What distinguishes online processing from batch processing in the context of data capture?

Online processing focuses on real-time data capture, though early systems had accuracy issues, unlike batch processing. (C)

Which communication mode allows for simultaneous two-way communication?

Duplex (D)

What aspect of data management does database administration primarily focus on?

Coordinating and controlling activities related to databases. (D)

What is the role of 'checkpoints' in database recovery?

Defining stable database states that can be used for recovery. (B)

In database auditing, what is the purpose of studying relationships (One: Many, Many: Many)?

To verify design consistency and understand how different entities interact. (D)

What is the primary function of a Data Dictionary/Directory System (DD/DS) in database management?

To aid in documentation, cross-referencing, and change control. (B)

What is the focus of operational controls that auditors ensure in a database environment?

Controlling unauthorized access, assuring accuracy, enabling recovery, and protecting data (C)

Which of the following is a mitigating factor in addressing the impact of databases on completeness and accuracy?

Ensuring consistency and accessibility of data (D)

What is the key objective of 'uniqueness checking' as one of the common DBMS controls?

Ensuring each record within a database is distinct (A)

Which of the following best describes the role of 'Memory' (RAM, ROM) in Computing?

Data storage, volatile (RAM) and non-volatile (ROM) (D)

In the context of database management, what is the role of a 'modem'?

To convert digital signals to analog and vice versa. (A)

What is the overarching goal of information systems auditing?

To improve IT management and address cybersecurity threats. (C)

Which of the following best describes what 'management' entails in the context of corporate resources?

Optimizing resources through planning, organizing, leading, and controlling (A)

What is the primary purpose of 'establishing performance objectives' in the management process?

To set achievable targets, define KPIs, and assess internal/external threats. (D)

What is the audit risk?

The possibility of issuing an incorrect audit opinion. (B)

What is the role of IS auditing in relation to the external auditor?

To ensure financial statement reliability. (D)

What should an audit charter ideally define?

The relationship between the Chief Executive, head of IS Audit, and line managers (D)

What is the primary function of attestation services in auditing?

Issuing a written communication expressing a conclusion about the reliability of an assertion. (A)

Which of the following is considered an unlawful service for public accounting firms providing attest services?

Management functions (C)

What is the definition of internal audits according to the IIA?

An independent appraisal function to examine and evaluate activities. (C)

What is the main purpose of 'substantive testing' during an audit?

To verify financial data accuracy (C)

The Sarbanes-Oxley Act (SOX) of 2002 primarily aims to:

Strengthen corporate governance and internal controls (C)

What is the purpose of detective controls in the PDC (Preventive, Detective, Corrective) model?

To identify and expose errors (C)

What is the focus of 'Computer Operations Controls'?

Ensures smooth day-to-day IT activities. (A)

Which of the following best describes Corporate IT Governance?

It involves setting objectives, monitoring performance, and ensuring legal compliance. (A)

What are Computer-Assisted Audit Techniques (CAATs)?

Computer programs and data used in audit procedures to process data of audit significance (D)

What is a Potential Impact of Risks?

Complete business failure (D)

Flashcards

Operating System

A set of programs that control basic computer operations and directs other software.

Applications

Perform specific business tasks, running on the Operating System.

Parameters

User-defined values that adjust how programs operate.

Run Instructions

Instructions for computer operators on jobs to be run.

JCL (Job Control Language)

Automates job-running processes in computer systems.

Human Element

The exercise of control by users, operators and managers.

Operators

Run computers daily.

Programmers

Write application programs.

Systems Designers

Design application systems.

Systems Analysts

Analyze business structures and applications.

Database Analysts

Maintain the Database Management System.

Network Analysts

Ensure network performance and security.

Management

Plan, organize, and direct operations to meet objectives.

Batch Processing

Inputs collected and input in "batches".

Online Processing

Real-time data capture common with today's systems.

Simplex

One-way communication.

Half-Duplex

Two-way, but only one direction at a time.

Duplex

Simultaneous two-way communication.

Access Methods

Logic for retrieving, inserting, modifying, and deleting data.

Data Dictionary

Repository of metadata.

Data Independence

Users can access same data with different views.

Database

A structured collection of data.

Database Administration

Coordination and control of data-related activities.

User System Interfaces

Components requesting and transforming data.

Checkpoints

Defining stable database states for recovery.

Roll Back

Undoing transactions to the last checkpoint.

Roll Forward

Replaying transactions from logs.

Back-up Copy Updates

Restoring previous states after failures.

Corporate IT Governance

Corporate governance ensures ethical practices.

Factors When Using CAATs

IT knowledge, availability of software, and audit constraints.

Study Notes

Control Within the Computer Systems

• Control is applied throughout the computer architecture to meet user needs.
• The operating system is a program set that controls the computer's basic functions, with other software running under it.
• Applications conduct business functions and operate under the Operating System, including built-in controls.
• Parameters are user-defined adjustments that modify program operations.
• Run Instructions are instructions for operators in the jobs to be run and how to respond to machine queries.
• Job Control Language (JCL) automates the processes of running jobs.
• Users, operators, programmers, and managers ultimately exercise the human element of control.

People in Computer Systems

• Control is enacted by individuals involved in developing and processing computer systems.
• Operators run computers daily.
• Programmers write applications.
• System designers design application.
• Systems analysts analyze business structures and application.
• Systems programmers manage Operating Systems.
• Database analysts maintain Database Management Systems (DBMS).
• Network analysts ensure network performance and security.
• Management is responsible for planning, organizing, and directing operations.

Batch vs. Online Processing

• Batch Processing involves collecting inputs and entering them in batches, requiring stringent data controls.
• Online Processing involves real-time data capture; however, early systems lacked sufficient controls.

Communication Modes

• Simplex is a one-way communication.
• Half-Duplex is a two-way communication, but only one direction can transmit at a time.
• Duplex involves a simultaneous two-way communication.

Database Management Systems

• A DBMS controls the access to and management of data.
• Access Methods involve the logic for retrieving, inserting, modifying, and deleting data.
• Data Dictionary/Data Directory Systems (DD/DS) are repositories of metadata.
• Data Independence allows users different logical views to access the same data.
• A database is a structured collection of data.
• Database Administration coordinates and controls data-related activities.
• User System Interfaces components request and transform data.

Database Administrator Responsibilities

• Define storage structures and access strategies.
• Coordinate database security and recovery strategies.
• Monitor performance and respond to requirement changes.
• Employ tools like utility programs, reorganization routines, and statistical analysis.

Database Recovery

• Database recovery reinstates databases to a known state while minimizing lost work.
• Checkpoints define stable database states for recovery.
• Roll Back undoes transactions to the last checkpoint.
• Roll Forward replays transactions from logs.
• Back-up Copy Updates restore previous states after failures.
• Compensating Transactions are corrective journal entries.

Auditing Database Migration

• Migrating controls from applications to the database environment improves control opportunities.
• Audit steps include listing record types, identifying key records, ensuring uniqueness, and studying relationships.
• The Data Dictionary/Directory System (DD/DS) aids documentation, cross-referencing, and change control.
• Administration and coordination of database designs, data quality monitoring, and ensuring proper organizational segregation of roles.

Operational Controls

• Auditors ensure controls over unauthorized access, accuracy, recovery, and data protection.
• Security concerns involve hardware theft, sabotage, software corruption, data theft, integrity manipulation, and data loss.
• Risks related to database technology include increasing the cost of error correction and reducing user confidence due to cascading errors.
• Mitigating factors include ensuring consistency, accessibility, enhancing audit quality, and formalizing data resource management.
• Implementing control migration.

Common DBMS Controls

• Uniqueness checking
• Structural/Relational checking
• Format validation
• Declarative edit criteria

Computing Jargon - Hardware

• CPU stands for Central Processing Unit.
• Peripherals are input/output devices.
• Memory includes RAM (volatile), ROM (non-volatile), PROM, and EPROM.
• Types of computers: Mainframe, Mini, Microcomputers.
• LANs (Local Area Networks) and WANs (Wide Area Networks).

Computing Jargon - Communications

• Terminals are remote input/output devices.
• Modems convert digital-to-analog signals.
• Multiplexers combine signals for transmission.
• Cables can be twisted pair, coaxial, or fiber optics.
• Microwave uses wireless high-power signal transmission.

Computing Jargon - Input and Output Devices

• Input Devices: Cards, Paper Tape, Keyboards, Mouse, Scanners, Bar Codes, Voice Input
• Output Devices: Paper, Screens, Magnetic Media, Voice Output

Information Systems Auditing

• It is critical for an organization to effectively manage information and IT.
• Threats like cyberterrorism, as well as dependence on information and related systems requires improved IT management.
• IS Audit is based on management control and its role is evolving to have process owners becoming custodians of internal control.

What is Management?

• Management optimizes corporate resources through planning, organizing, leading, and controlling.
• Management involves continuous improvement and adaptation to changing environments.

Management Process

• Understanding the Organization's Business requires combining theoretical & practical staff interviews.
• Establishing Needs identifies key products/services, customer needs, and key performance areas (KPAs).
• Establishing Performance Objectives sets achievable targets, defines Key Performance Indicators (KPIs), and assesses internal and external risks/threats.
• Deciding Control Strategies determines which risks to manage, transfer, prevent, or detect.
• Implementing and Monitoring Controls requires active management, review for relevance, and adaptation.

Executive Management's Responsibility and Corporate Governance

• Corporate Governance defines relationships among key stakeholders in determining a company's direction and performance.
• Key stakeholders include shareholders, management, the board of directors, and employees.
• Objectives include human satisfaction, efficiency, effectiveness, flexibility, and continuity.

Audit Role

• Auditing includes IS, internal, external, and public sector auditing.
• Internal Auditing evaluates internal control effectiveness.
• External Auditing ensures the fairness of financial statements.
• Public Sector Auditing focuses on management efficiency and service delivery.
• IS Auditing supports all types of auditing.
• Audit activities which include control strategy assessment, control adequacy, unit performance reporting and follow up actions.

Conceptual Foundation

• A structured risk analysis assesses audit risk (incorrect opinion) and business risk (risks to the auditee and third parties).
• The external auditor is responsible to the organization and stakeholders.
• IS auditing ensures financial statement reliability.

Relationship of IS Audit

• IS Auditors may serve as external consultants or independent internal professionals.
• The audit charter defines the relationship and responsibilities between the Chief Executive, IS Audit head, and line managers.
• The audit charter defines the IS Audit function/objectives and establishes reporting lines/authority levels, and also assurance on internal control reliability.

Audit Charter Content

• Includes a formal definition of IS Audit objectives.
• Includes authority/reporting structure and terms of reference detailing IS Audit function's role/objectives.

Attest Service vs. Advisory Services

• Attestation Service is a written communication that provides a conclusion about the reliability of a written assertion by another party
• Attestation Service requirements include written assertions, a written report, and formal measurement criteria.
• Levels of attestation engagements include Examination, Review, and Agreed-upon Procedures.
• Advisory Services are professional services that aim to improve operational efficiency and effectiveness (fraud investigations, system design, SOX compliance assessments).
• Unlawful Services for Public Accounting Firms Providing Attest Services includes bookkeeping and financial information systems design.

Internal Audits

• Defined by the IIA (internal auditing) as an independent appraisal function within an organization to examine and evaluate activities.
• Internal auditors conduct financial audits and operational reviews.

Management Assertions and Audit Objectives

• Auditors determine whether financial statements are fairly presented by testing management assertions.
• Existence or Occurrence ensures assets exist and transactions occurred.
• Completeness ensures all material items are included.
• Rights and Obligations ensures ownership of assets and liabilities.
• Valuation or Allocation ensures assets are valued per GAAP.
• Presentation and Disclosure ensures proper classification and disclosures.

Communicating the Audit Result

• Auditors report findings to stakeholders via audit opinions in financial reports.

Computer Risks and Exposures

• Control ensures organizations can achieve goals reliably.
• Risk is the possibility of adverse consequences.
• The risk management process includes identifying processes/risks, evaluating control adequacy, and determining key controls and their effectiveness.

Types of Risk

• Inherent Risk: Likelihood of loss before considering controls.
• Control Risk: Likelihood that existing controls will fail.
• Audit Risk: Risk that audit fails to detect significant exposures.
• Detection Risk: Risk that auditors fail to detect errors not caught by controls.

Categories of Risk

• Controllable: managed internally
• Uncontrollable: requiring strategic responses
• Influenceable: can be influenced

Audit Evidence

• Auditors must gather evidence to assess internal control effectiveness through physical, testimonial, documentary, and analytical approaches.
• Evidence Characteristics must be sufficient, competent, relevant, and useful.

Audit Planning

• Before an audit, the auditor assesses the client's business and audit planning risk.
• Planning involves reviewing internal controls, identifying key business exposures, and evaluating control effectiveness.
• Evidence-Gathering Techniques use questionnaires, interviews, document reviews, and observations.

Tests of Controls

• Tests of controls purpose is to effectively determine if internal controls are in place and functioning.
• Tests use manual procedures and CAATs (computer assisted audit tools and techniques).
• Auditors assign a control risk level based on the results.

Substantive Testing

• Substantive testing involves verifying financial data accuracy through confirming customer balances and physical verification of cash/inventory.
• Substantive testing uses CAATs to extract and analyze financial data.

Internal Control

• Organizations are legally required to establish and maintain internal control systems.
• Key Legislations include the Foreign Corrupt Practices Act (FCPA) of 1977, Committee of Sponsoring Organizations (COSO) – 1992, and Sarbanes-Oxley Act (SOX) of 2002.
• SOX Key Sections require CEO/CFO certification of internal controls (Section 302) and annual assessment of control effectiveness (Section 404).

Internal Control Objectives

• Safeguard assets.
• Ensure reliable financial reporting.
• Promote operational efficiency.
• Ensure compliance with policies and procedures.

Modifying Principles

• Management Responsibility: Establish and maintain controls.
• Data Processing Methods: Controls apply regardless of processing method.
• Limitations: Every system has errors.
• Reasonable Assurance: Cost-benefit balance of controls.

The PDC Model (Preventive, Detective, Corrective Controls)

• Preventive Controls are blocking errors before occurrence.
• Detective Controls identify and expose errors.
• Corrective Controls fix detected problems.

Internal Controls

• A control is any action taken by management to enhance the likelihood that goals will be achieved.
• Variants include management control, internal control, etc.

Types of Objectives

• Corporate are broad statements of intent.
• Management are detailed methods to achieve corporate goals.
• Internal Control ensures management objectives are planned and executed.

Levels of Control

• Strategic, Tactical, and Operational each require different levels of control.

Internal Control Objectives

• Reliability and Integrity of Information ensures trustworthy data for decision-making.
• Compliance with Policies, Laws, and Regulations prevents legal and regulatory breaches.
• Safeguarding of Assets protects physical and intangible assets.
• Effectiveness and Efficiency of Operations ensures optimal resource utilization.

Elements of Internal Control

• Segregation of Duties prevents unauthorized actions by separating responsibilities.
• Competence and Integrity of People requires skilled and ethical personnel.
• Appropriate Levels of Authority grants permissions based on necessity.
• Accountability uses logs and audit trails for tracking actions.
• Adequate Resources ensures sufficient manpower, finance, and tools.
• Supervision and Review ensures compliance with control measures.

Control Procedures

• General IS Controls covers the environment where computer systems operate.
• Computer Operations Controls ensures smooth day-to-day IT activities.
• Physical Security Controls protects IT infrastructure.
• Logical Security Controls manages data access and security.
• Program Change Controls maintains software integrity.
• Systems Development Controls ensures efficiency in IT system creation.

Control Objectives and Risks

• Common IT Risks: Fraud, business interruption, errors, customer dissatisfaction, poor public image, and inefficient resource utilization.
• General Control Objectives: Ensuring data integrity, strengthening computer security, and maintaining compliance with policies and regulations.

Data and Transaction Control Objectives

• Input: ensure transactions are completely recorded and entered accurately by using pre-numbered documents, validation checks, and authorization controls.
• Processing: ensure all approved transactions are processed once and accurately by using control totals, exception reports, and error logs.
• Output: ensure only authorized personnel receive processed data by using output distribution logs and audit trails.
• Program Control Objectives: ensuring program integrity and preventing unauthorized changes.

Corporate IT Governance

• Governance mechanisms ensure accountability and ethical business practices.
• Involves setting objectives, monitoring performance, and ensuring legal compliance.
• Key IT Governance Factors: legal and regulatory compliance, ethical business conduct, environmental and societal responsibility.
• Computer-Assisted Audit Techniques (CAATs) programs and data are used in audit procedures.

Uses of CAATS

• Tests of details on transactions and balances.
• Analytical procedures to identify inconsistencies.
• General and application control testing.
• Audit sampling and recalculations.
• Factors include the IT knowledge of the audit team, the availability of suitable software and data.

Common IT Governance Factors

• Legal regulatory compliance
• Ethical business conduct
• Environmental and societal responsibility

Risk in Auditing

• Auditing involves an annual risk assessment and planning exercise to determine overall audit coverage.
• Key steps include a preliminary review for understanding and evaluation, etc.
• Auditors identify appropriate control objectives, assess responsibility, and evaluate necessary management, system, or physical controls.

Defining the Audit Universe

• Computer Risk: Probability that an undesirable event leads to a loss.
• Computer Exposure: Potential threat from an undesirable event.
• Vulnerability: Flaw or weakness that can become a risk.
• Impacts of Risks: Loss of sales, revenue, profits, etc.

Computer System Threats

• Users: Errors, fraud, malicious damage.
• Management: Errors, fraud, manipulation of records.
• IS Staff: Errors affecting entire systems, fraud, change control.
• IS Auditors: Errors, fraud, excessive access.
• Others: Errors, fraud, loss of confidentiality.
• External: Hackers, viral attacks, access control.

Risk Management Approaches

• Accepting the risk
• Reducing the risk
• Transferring the risk
• Ignoring risk is NOT an option.
• Risk Assessment Goals: Efficient allocation of IS Audit resources, etc.

Risk Factor Assessment

• Date/results of last audit.
• Change in operations, programs, systems and controls.
• Exposure to potential losses.

Risk-Based Auditing

• Risk-based auditing integrates high-level risk analysis into audit planning.
• Audit activities are divided into Mandatory (legal-regulatory) and Discretionary activities (business-critical).

Common IS Risk Factors

• Monetary values handled within applications
• Data loss and information disclosure

Audit Planning Process

• A structured, well-documented audit plan identifies the criteria against which a successful audit is measured.
• Audit process measures identifying tasks to be performed and task duration assessment.

Elements of an Audit

• Determining Objectives and Scope by establishing objectives in consultation with auditees.
• Understanding Business and Control Objectives by identify key performance areas (KPAs).
• Establishing Performance Objectives by defining Key Performance Indicators (KPIs) and assess internal and external threats affecting performance.
• Audit Classification by testing compliance with designed controls.
• Selecting the Audit Team and assigning team members based on expertise.
• Initial Communication with Auditees to notify auditees before the audit starts.
• Preliminary Audit Program Preparation to establish a detailed list of analytical steps.
• Planning the Audit Report to ensure itis objective and clear to drive improvements.
• Approval for the Audit Approach by the lead auditor.
• Structure of Audit Plan preliminary survey, internal control description and analysis, expanded tests and findings.
• Conduct follow-up reports and audit evaluation.

Types of Audits

• Financial: The accuracy of financial statements.
• Operational: The efficiency and effectiveness of operations.
• General Control : The IT management controls.
• Applications Audits: Live systems, development processes, and security.
• Operating System Audits: The implementation of OS security.
• Physical Access: The protection of corporate assets.
• Logical Access: Proper user access permissions.

Audit Management

• The IS Audit’s mission is to evaluate controls and compliance.
• Staffing Requirements: Based on the complexity/size audit team includes Computer Audit Manager, Application Auditors, Trainee Auditors, Technical Support Specialists and Audit Application Developers.

Integrated IS Auditors vs. Integrated IS Audits

• Integrated Auditors expand traditional auditors' knowledge of IT Systems and use CAATS (Computer-Assisted Audit Techniques).
• Integrated audits assemble multidisciplinary teams with IS and financial auditors.
• Application Audit Tools use CAATs, interviews, questionnaires and risk analyzers
• Specialists conduct performance, security, telecommunications, and strategic IT planning audits.

IS Audit Quality Assurance

• Assured by managers through peer review of work and engaging external reviewers for independent assessments.

Audit Evidence Procedures

• Stay on schedule and budget.
• Assign tasks systematically.
• Control and evaluate.
• Maintain audit quality

Statistical Sampling

• Sampling techniques allow auditors to test a portion of a population to make conclusions about the whole.
• Judgmental Sampling (Non-Statistical): Based on the auditor's professional judgment.
• Statistical Sampling: Uses random selection for representative results.
• Provides accurate information about a population, time and effort savings.
• Sampling Risk: The sample may not represent the entire population.
• Non-Sampling Risk: Errors due to incorrect procedures or failure to recognize misstatements.

Statistical Sampling contd.

• Beta Risk (Over-Reliance on Controls): Auditors mistakenly rely on weak controls.
• Alpha Risk (Under-Reliance on Controls): Auditors incorrectly conclude controls are ineffective.
• Risk of Incorrect Acceptance: Auditors believe a balance is correct when it is misstated.
• Risk of Incorrect Rejection: Auditors believe a balance is misstated when it is correct.

Quantitative Methods

• Include trend analysis.
• Include chi-square tests

Project Scheduling Techniques

• PERT identifies task dependencies
• CPM analyzes normal and accelerated task completion times.
• Gantt charts visualize project timelines and task progress.

Simulations

• Monte Carlo simulations use probability models to estimate outcomes.
• Game Theory analyzes competitive strategies.
• Queuing theory optimizes service point efficiency.

Generalized Audit Software (GAS)

• Examines records
• Performs calculations

Application and Industry-Specific Software

• Standard software for payroll
• Standard Software Industry-specific software for healthcare
• Standard Software Industry-specific software for insurance

Customized Audit Software

• Designed for unique audit tests.
• Requires high IS expertise.

Information Retrieval Software

• Includes report writers, qyery languages and program generators.

Utility Programs

• Perform copy, sort, print, merge, and edit functions.

Online Inquiry and Test Transaction Techniques

• Test Data: Uses a copy of the live system for test transactions.
• Integrated Test Facility (ITF): Creates a dummy entity within the live system.
• Source Code Review: Examines original program code for weaknesses.
• Embedded Audit Modules (SCARFs): Collects real-time audit trail data.
• Parallel Simulation: Runs live data through a simulated program to compare results.