Internal Controls in a CIS Environment

Questions and Answers

PDF Questions PDF Answers

What is the primary reason for segregating functions of system development and computer operations?

To enhance the usability of the programs

To prevent computer-related fraud (correct)

To reduce the need for documentation

To ensure faster system development

Which group is responsible for testing and modifying the program to ensure it operates as intended?

The management team

The computer operators

The user department and CIS department (correct)

The systems analyst alone

What is a crucial element of data recovery controls to prevent loss of computer files?

Only backing up files weekly

Daily copying of files to tape or disks (correct)

Restricting access to all employees

Keeping files in a single storage location

What control is essential to protect data files and programs from unauthorized alteration?

Access controls using passwords

What is the Grandfather, Father, Son practice used for?

File retention in data recovery

What is the goal of monitoring controls in a computer information system?

To ensure effective operation of CIS controls

Which of the following is not an acceptable practice for systems development?

Systems analysts using the programs they develop

Who should have limited access to the computer system?

Authorized operators and employees

What is a primary assumption behind the auditing around the computer method?

The input data must reconcile with the output for the computer program to be considered reliable.

What approach is also referred to as the 'black box approach'?

Auditing around the computer.

What is a defining feature of Computer-Assisted Audit Techniques (CAATs)?

They allow auditors to directly evaluate the client’s accounting programs.

Which method involves examining documents and reports while ignoring data processing procedures?

Auditing around the computer.

How does an auditor confirm the reliability of the system when auditing around the computer?

By ensuring input data reconciles with output data.

What condition must be met for auditing around the computer to be applicable?

Visible input documents and detailed output are available.

Which approach allows for manual testing when there is no visible evidence?

Computer-Assisted Audit Techniques.

What is typically required for successful application control testing?

The ability to trace transactions through visible input and output.

What is the purpose of implementing appropriate controls in a system?

To prevent unauthorized access to data files and programs

How does the segregation of duties differ between manual processing and a CIS environment?

CIS allows more functions to be combined due to efficiency

What role do compensating controls play in a CIS environment?

They strengthen the internal control despite combined functions

Which of the following statements about systems generated transactions is true?

They can be initiated automatically by the CIS

What is a significant vulnerability of data in a CIS environment compared to a manual system?

Information can be easily lost without physical records

Which of the following control procedures remain applicable in a CIS environment?

Authorization of transactions

Why are independent checking procedures important in a CIS environment?

They serve to verify accuracy, completeness, and authorization of transactions

Which of the following statements about the characteristics of a sound internal control system is correct?

It requires consistent application of controls for data integrity

What is the primary purpose of the test data technique?

To test the effectiveness of internal control procedures

What does an auditor do with the test data during the audit process?

Compares the output with his predetermined expected result

What is a key limitation of the test data technique?

It does not assure that the tested program is the same used throughout the accounting period

How does the integrated test facility (ITF) enhance the auditing process?

By integrating test data with ordinary transactions without client awareness

What type of data does the auditor create for the test data technique?

Fictitious transactions with valid and invalid conditions

What outcome does the auditor look for when comparing the results of processed test data?

The output should match the auditor’s predetermined expected output

Which of the following best describes the relationship between the test data technique and the integrated test facility?

The ITF is a variation of the test data technique that allows better integration

Why does the ITF use dummy or fictitious units for testing?

To ensure that the testing process remains hidden from management

What is the main objective of using Integrated Test Facility (ITF) during an audit?

To ensure the tested program matches the client's program used in transactions.

What precaution must auditors take when employing ITF?

Eliminate the effects of all audit test transactions to prevent data contamination.

How does Parallel Simulation differ from ITF?

Parallel Simulation focuses on simulating processes rather than using test inputs.

What types of software can assist auditors in Parallel Simulation?

Generalized audit software and purpose written programs.

What is a key feature of generalized audit software?

It performs common audit tasks, like calculations and reporting.

What is the primary risk associated with using ITF during an audit?

Contaminating the client’s master files with test data.

What is the goal of comparing results in Parallel Simulation?

To evaluate the effectiveness of the client’s program against expected outputs.

Which statement is true regarding purpose written programs in auditing?

They are designed for specific audit tasks within particular contexts.

Study Notes

Internal Controls in a CIS Environment

• Data security is crucial, only authorized people should have access to data files and programs.
• Segregation of duties is vital, but may be less strict in a CIS environment due to computer programing.
• Some transactions are automatically generated by the CIS system, eliminating the need for input documents.
• CIS environment is more vulnerable to changes and data loss compared to handwritten records, as changes can happen without a trace.
• The elements of internal control are the same, but implementation methods for CIS are different.

Systems Development and Documentation Controls

• Software development and changes must be approved by management and the user department.
• Programs must be tested extensively and modified by both the user and CIS department.
• Adequate documentation is essential to facilitate program use and future changes.

Access Controls

• All computer systems require security controls to protect equipment, files, and programs.
• Access should be limited to authorized employees and operators.
• Passwords and other controls are necessary to protect data from unauthorized alterations.

Data Recovery Controls

• To prevent data loss, back up files must be regularly maintained and stored off-site.
• Daily backups and updates are essential to quickly recover files in case of disaster.
• The "Grand-father, father, son" method is used for file retention, keeping multiple generations of master files.

Monitoring Controls

• Monitoring controls ensure CIS controls are functioning effectively as planned.
• Auditor's objectives and scope remain the same when auditing a CIS environment.
• Testing methods must be adjusted due to the changes in processing and storing financial information.

Auditing Around the Computer (Black Box Approach)

• The auditor examines input documents and reports to test the system's reliability without directly examining the program.
• This method relies on reconciling input and output, assuming accurate processing if they match.
• Suitable only when visible input documents and detailed output allow tracing individual transactions.

Computer-Assisted Audit Techniques (CAATs) (White Box Approach)

• Used when manual testing is impractical due to the lack of visible evidence.
• Auditor directly audits the client's computer program using CAATs.
• Common CAATs include test data, integrated test facility, and parallel simulation.

Test Data Technique

• Designed to test internal control procedures within a program.
• Auditor creates fictitious transactions with valid and invalid conditions.
• The auditor knows the expected output, allowing them to compare the processing results with their predetermined output.

Integrated Test Facility (ITF)

• Overcomes the disadvantage of test data by integrating test data with actual transactions.
• A dummy unit is created within the system to process test data alongside regular transactions.
• Provides assurance that the tested program is the one actively used by the client.

Parallel Simulation

• Auditor creates a simulated program that mimics key aspects of the program being reviewed.
• Transactions are reprocessed using both the real and simulated programs.
• The output is compared to determine the reliability of the client's program.

Generalized Audit Software (GAS) and Purpose Written Programs

• GAS are widely available packages for common audit tasks.
• Purpose written programs are designed for specific audit tasks.
• Both are used in parallel simulation to perform specific audit activities.

Description

This quiz explores the vital aspects of internal controls within a Computerized Information System (CIS) environment. It covers data security, segregation of duties, and the unique challenges posed by automation and documentation. Test your understanding of creating effective controls and protocols in modern systems.