Week 5 - IT Controls

Questions and Answers

What does PALACE stand for?

Password Authorisation Levels Access Control Enforcement

Which of the following are NOT e-Commerce controls: (Select all that apply)

• Connecting to the internet could facilitate unauthorized access
• The audit team should review the system's life cycle and the overall process (correct)
• Customer information and inventory records should be regularly backed up
• Sensitive data must be encrypted to prevent unauthorized access

Which of the following are considered "Business Continuity Controls"?

• Having alternative processing, planning, documenting, and the testing facilities (correct)
• Must have a list of files and data to be recovered (correct)
• Must have virus protection installed and working (correct)
• Must have various and regular backups (correct)
• All of the above (correct)

What is the primary control activity for completeness of inventory transactions?

Recording all inventory that has been received

The audit team should review the system's life cycle and the overall process during the implementation of software.

True (A)

What does "SCRUM" stand for?

Segregation of Duty, Custody of Assets, Reconciliation, Unused Stationary, Management Supervision

What is the main concern of the auditor when examining the occurrence of inventory transactions?

That all recorded inventory exists and there is no theft of goods

What are the two primary concerns auditors have when examining the completeness of inventory transactions?

Recording all inventory that has been received and ensuring that all inventory is accounted for

What is the purpose of the control "No movement of stock without authorisation and a document"?

This control helps prevent unauthorized movement or loss of inventory.

Which of the following is NOT a risk related to the purchase cycle?

Late payment of invoices from the vendor (B)

What is the purpose of performing a "re-performance" test during an audit?

To verify the accuracy of calculations and the accuracy of the work that the client has already done

What is the primary concern of the auditor during the "matching" test?

To verify that all documents and transactions are linked together correctly

Which of the following is NOT a risk related to the revenue cycle?

Failing to record purchases in the proper period (D)

The validity of revenue transactions is tested by making sure all customers are properly identified and authenticated before sales are made.

True (A)

How is the "completeness" of revenue transactions tested?

Checking if the company has recorded all sales and related receipts and transactions.

The effectiveness of IT systems can be directly assessed by auditors through the use of CAATs.

True (A)

List three primary areas of concern for auditors examining the "accuracy" of the revenue cycle?

1. Checking if the prices and quantities on invoices are correct. 2. Making sure the calculation of sales, discounts, and commissions are accurate. 3. Ensuring the proper classification of revenue transactions.

What is the primary purpose of "cut-off" testing on the revenue cycle?

To verify that all revenues and expenses have been recorded in the correct accounting period, preventing revenue being recorded either too early or too late.

What is the purpose of "classification" testing on the revenue cycle?

To ensure that all revenue transactions have been properly categorized and recorded in the appropriate accounts.

What is the purpose of "completeness" testing of the revenue cycle?

To verify if the company has captured and recorded all of its revenue and that no sales have been missed.

What is the purpose of the "Existence and Rights/Obligations" assertion for accounts receivable?

To confirm that the company actually owns the accounts receivable it has recorded and that it has a legal right to collect those receivables.

What is the purpose of "Valuation" testing on accounts receivable?

To ensure that the allowance for uncollectible accounts is sufficient to cover potential losses from customers who may not be able to pay.

How should an auditor test the "existence" and "rights/obligations" assertions of accounts receivable?

By sending confirmation letters to customers and reviewing the contracts and agreements in relation to accounts receivable.

What is the purpose of performing "re-performance" testing on the purchases cycle?

To verify the accuracy of calculations done by the client when dealing with purchase orders and invoices.

What is the primary purpose of "matching" testing in the purchases cycle?

To confirm a complete chain of documentation, ensuring every step in the purchase cycle from purchase requisition to receiving of goods is properly linked and documented.

List three key areas where an auditor would focus to test the occurrence assertion of purchases?

1. Verifying the existence of a purchase order, delivery note, and invoice to support a particular purchase. 2. Checking if the purchase occurred within the correct accounting period. 3. Evaluating if the purchase was recorded by the appropriate company.

What is the main purpose of "cut-off" testing for purchases?

To ensure that all purchases are recorded in the correct accounting period, preventing purchases from being recorded either too early or too late.

What is the primary focus of the "completeness" assertion for purchases?

To confirm that all purchases made by the company have been recorded in the accounting system.

What is the main purpose of "accuracy" testing in the purchases cycle?

To ensure that all purchases are recorded at the correct amount and with the right details.

What is the purpose of "cut-off" testing for payments?

To ensure that all payments made by the company are recorded in the correct accounting period, preventing payments from being recorded either too early or too late.

What is the purpose of "completeness" testing in the payments cycle?

To verify that all payments made by the company have been accounted for and that no payments have been missed.

What is the purpose of "accuracy" testing for payments?

To confirm that all payments made by the company have been recorded at the correct amount and with the correct details.

What is the main concern when auditors examine the "classification" of purchases?

They are verifying that all purchases have been allocated to the correct expense accounts.

What is the primary responsibility of an auditor during an inventory count?

To verify that all inventory recorded in the company's records is physically present and accounted for.

Besides physically inspecting the inventory, what are three other key activities an auditor should perform during an inventory count?

1. Obtain copies of the inventory count sheets. 2. Trace the inventory count sheets back to the physical inventory. 3. Inquire about the inventory held by third parties and possibly visit those locations.

What is the main purpose of "rights and obligations" testing for inventory?

To ensure that the company owns the inventory it possesses and that other parties' inventory is not included.

What is the purpose of "completeness" testing for inventory?

To verify that all inventory belonging to the company has been recorded and that no inventory has been omitted from the records.

What is the purpose of "valuation" testing in the inventory cycle?

To ensure that the value of inventory is properly determined and reflected in the company's financial statements.

How does an auditor test the accuracy of an inventory valuation?

Through reviewing details such as purchase invoices, reviewing calculations, and comparing the inventory valuation to the lower of cost or net realizable value.

How does an auditor test the "classification" assertion of inventory?

By verifying that all inventory items have been assigned to the correct categories based on their nature, such as raw materials, work in progress, or finished goods.

What is a key control to be in place to prevent unauthorized movement of inventory?

A system that requires authorization and documentation for any movement of inventory.

Why are strong internal controls crucial for ensuring the accuracy of inventory records?

It is important to prevent errors, fraud, and theft of inventory and ensure that it is accurately valued for financial reporting.

What is the primary concern when auditors examine the "completeness" of inventory transactions?

Ensuring that all the inventory that has been received has been properly recorded in the accounting system.

Besides physical inspection of inventory, what are three key aspects of testing the accuracy of inventory transactions?

1. Verifying that the costs associated with purchases and other inventory adjustments are accurately recorded. 2. Evaluating the accuracy of any inventory adjustments. 3. Ensuring the valuation of inventory items is accurate, using methods such as net realizable value calculations.

Flashcards

IT System Maintenance Controls

Controls used to prevent unauthorized changes to programs, data, terminals, and files, and to correct errors or changes in user requirements, ensuring data integrity after system changes.

Program Change Standards

Formal rules and procedures for modifying computer programs.

Access Controls

Mechanisms to restrict access to IT systems and data.

Passwords (PALACE)

A security mechanism to limit access to IT infrastructure.

Segregation of Duties

Dividing responsibilities among different people to prevent fraud and errors.

Application Controls: Validity

Ensuring the accuracy and legitimacy of transaction data, checking ID numbers, and credit card info before accepting orders.

Application Controls: Completeness

Checking for missing data in transaction processing.

Input Controls

Controls ensuring data entered into a system meets specified criteria.

Processing Controls

Controls ensuring data is processed accurately and only valid transactions are processed.

Output Controls

Controls ensuring outputs from a system are accurate and complete.

Master File Controls

Controls over standing data, ensuring accuracy and completeness of important data, such as customer and supplier details.

CAATs (Computer Assisted Auditing Techniques)

Techniques to improve audit efficiency and accuracy, often automating data analysis.

E-Commerce Controls

Measures to ensure the security and integrity of e-commerce transactions.

Implementation of Software

Processes for safely introducing new software and databases, ensuring data integrity throughout the transition.

Revenue Recognition

The process of recording revenue when a sale is completed and the company has fulfilled its obligations.

Key Controls (Revenue)

Procedures to manage the revenue process, preventing fraud and errors.

Substantive Analytical Procedures (Revenue)

Data analysis techniques and comparisons to identify potential issues and make estimations.

Substantive Tests of Detail (Revenue)

Detailed testing of individual transactions and balances in the revenue cycle.

Purchase Requisition

A document requesting goods or services to be purchased.

GRN (Goods Received Note)

A document that confirms receipt of goods.

Inventory Cycle

The series of processes for managing inventory from ordering to tracking to adjusting stock levels.

Inventory Count

Physical check of inventory balance and counting to confirm the accuracy of inventory.

Net Realizable Value (NRV)

The estimated selling price of inventory minus any costs to complete or sell it.

Study Notes

Week 5 - IT Controls

• System maintenance controls prevent unauthorized changes to programs, data, terminals and files. Standards for program changes, requests, forms, testing, and documentation are used.
• Organizational and management controls establish a framework for computer activities, including responsibility levels, staff practices, division of duties, virus controls, and supervision. IT departments should be separate, and transactions shouldn't be authorized by IT staff. Training on systems and databases is essential.
• Access controls restrict physical access to IT infrastructure (servers, data centers, network equipment) to authorized personnel based on roles (segregation of duties). VPNs secure remote user access, and logon IDs are used for authorization, logging unauthorized attempts.
• Computer operating controls schedule processing using correct programs and data files, ensuring procedures are applied consistently. Hardware checks and duty divisions are included.
• System development controls use software from reputable companies, process data, require training, and ensure new system conversions are correctly performed with post-implementation reviews and backups.

Access Controls

• Only authorized personnel can access physical IT infrastructure.
• Access is granted based on the role/segregation of duties.
• VPNs ensure secure remote user access.
• Authorization of users through logon IDs.
• A log of unauthorized attempts is maintained.

Computer Operating Controls

• Controls include scheduling processing and using the correct programs and data files.
• Procedures are applied correctly and consistently.
• Hardware checks and division of duties are part of the operating procedures.

System Development Controls

• Software must come from reputable companies.
• Conversion controls ensure data transfer with balancing of old and new files, backup of the new system, and implementation review. Required training is provided.

Business Continuity Controls

• List of files and data to be recovered.

Week 7 - Revenue and Receipts Cycle

• Revenue Process Risks: Early revenue recognition, holding books open past the accounting period, including false sales, problems with related party transactions, overstating receivables, and other income.
• Key Controls: Adequate segregation of duties, proper authorization of sales, adequate records of receiving, authorising, processing, dispatching, invoicing, and recording. Documents are sequentially prenumbered and monthly statements and reconciliations are performed.
• Inherent Risks: Nature of business and other industry-related factors.

Week 8 - Purchases Cycle

• Inspect (Documents), Observe (Actions), Inquire (Missing Documents), Re-Perform (Numbers and Calculations), Test, Matching (Documents): Purchase requisitions, purchase orders, receiving of goods (GRNs), recording of purchases, payment preparation, recording of payments.
• Test of Controls: All documents are sequentially prenumbered and inspections/signatures confirm procedures.
• Inherent Risks: Management bias and incentive to misstate expenses, complexity of expenditures, inadequate controls, incorrect cut-offs, and understating accounts payable.

Week 9 - Inventory Cycle

• Planning (Order), Receipt, Issue, Inventory Adjustment Forms, Inventory Records: Key processes and documents related to inventory management.
• Inherent Risks: Volume and complexity of manufacturing, changes in staff and systems, net realisable value (NRV).

Inventory Controls (Week 9/10)

• Inventory is located at multiple sites with 'Goods in Transit'.
• Staff are trained to do the inventory tasks accurately and correctly with controls to prevent obsolete or damaged goods.
• Controls to ensure no double-counting and omission of inventory, and procedures exist to account for inclusion of the same inventory more than once, to prevent damage, loss, or theft of stock. Segregation of duties and reconciliation procedures are essential.
• Controls for the efficient production planning and scheduling of the inventory tasks.

ISA 501 (Week 9/10)

• Before Inventory Count: Contact with the client and previous auditor, review of procedures, verification of locations where inventory is stored. Third party arrangements must be made.
• During Inventory Count: Inquire on segregation of duties, team numbers, no movement, and no production is scheduled. Inspecting count sheets verifies completeness, sequences, and descriptions of goods. Verify inventory is allocated to counting teams, ensuring it's all included, avoiding duplication in the count and identifying those that shouldn't be valued (e.g., damaged, obsolete stock).
• Testing of Controls: Cut-off, inspection of documents (e.g., GRNs, GDNs, purchase invoices), verifying sequential pre-numbering and supplier invoices/payroll. Inventory is also checked for correct classification, condition (obsolete, slow-moving, excess), and net realisable value (NRV).

Description

This quiz covers essential IT controls for maintaining system integrity and security. Topics include system maintenance, organizational controls, access restrictions, and operational procedures. Understanding these controls is crucial for effective IT management and risk mitigation.