1. A CIS environment exists when a computer of any type or size is involved in the processing
by the entity of financial information of significance to the audit, whether the computer is
operated by the entity or by a third party.
2. The overall objective and scope of an audit does not change in a CIS environment.
4. The auditor should have sufficient knowledge of the CIS to plan, direct, and review the work
performed.
5. If specialized skills are needed, the auditor would seek the assistance of a professional
possessing such skills, who may be either on the auditor’s staff or an outside professional.
6. In planning the portions of the audit which may be affected by the client’s CIS environment,
the auditor should obtain an understanding of the significance and complexity of the CIS
activities and the availability of data for use in the audit.
7. When the CIS are significant, the auditor should also obtain an understanding of the CIS
environment and whether it may influence the assessment of inherent and control risks.
8. The auditor should consider the CIS environment in designing audit procedures to reduce
audit risk to an acceptably low level. The auditor can use either manual audit procedures,
computer-assisted audit techniques, or a combination of both to obtain sufficient evidential
matter.
Organizational Structure
Nature of Processing
The use of computers may result in the design of systems that provide less visible evidence than
those using manual procedures. In addition, these systems may be accessible by a larger number
of persons.
Page 1 of 12 Pages
10 AUDIT THEORY
System characteristics that may result from the nature of CIS processing include:
a. Consistency of performance
CIS perform functions exactly as programmed and are potentially more reliable than manual
systems, provided that all transaction types and conditions that could occur are anticipated
and incorporated into the system. On the other hand, a computer program that is not
correctly programmed and tested may consistently process transactions or other data
erroneously.
GENERAL CIS CONTROLS—to establish a framework of overall control over the CIS activities
and to provide a reasonable level of assurance that the overall objectives of internal control are
achieved.
c. Delivery and support controls—designed to control the delivery of CIS services and
include:
• Establishment of service level agreements against which CIS services are measured.
• Performance and capacity management controls.
• Event and problem management controls.
• Disaster recovery/contingency planning, training, and file backup.
• Computer operations controls.
• Systems security.
• Physical and environment controls.
CIS APPLICATION CONTROLS—to establish specific control procedures over the application
systems in order to provide reasonable assurance that all transactions are authorized, recorded,
and are processed completely, accurately and on a timely basis. CIS application controls include:
• Processing errors (i.e., rejected data and incorrect transactions) are identified and
corrected on a timely basis.
CIS application controls which the auditor may wish to test include:
3. After obtaining the understanding of the accounting system and control environment, the
auditor may find it more cost-effective not to make a further review of general controls or
application controls, but to concentrate audit efforts on substantive procedures.
1. On-line computer systems are computer systems that enable users to access data and
programs directly through terminal devices.
2. On-line systems allow users to directly initiate various functions such as:
a. entering transactions
b. making inquiries
c. requesting reports
d. updating master files
e. electronic commerce activities
d. On-line/Inquiry
- Restricts users at terminal devices to making inquiries of master file.
- Master files are updated by other systems, usually on a batch basis.
NETWORK ENVIRONMENT
1. A network environment is a communication system that enables computer users to share
computer equipment, application software, data, and voice and video transmissions.
2. A file server is a computer with an operating system that allows multiple users in a network
to access software applications and data files.
AUDIT APPROACHES
1. Auditing around the computer – the auditor ignores or bypasses the computer processing
function of an entity’s EDP system.
2. Auditing with the computer – the computer is used as an audit tool.
3. Auditing through the computer – the auditor enters the client’s system and examines directly
the computer and its system and application software.
I. Program analysis – techniques that allow the auditor to gain an understanding of the client’s
program.
1. Code review – involves actual analysis of the logic of the program’s processing routines.
2. Comparison programs – programs that allow the auditor to compare computerized files.
II. Program testing – involves the use of auditor-controlled actual or simulated data.
1. Historical audit techniques – test the audit computer controls at a point in time.
a. TEST DATA
• A set of dummy transactions specifically designed to test the control activities that
management claims to have incorporated into the processing programs.
• Shifts control over processing to the auditor by using the client’s software to
process auditor-prepared test data that includes both valid and invalid conditions.
• If embedded controls are functioning properly, the client’s software should detect
all the exceptions planted in the auditor’s test data.
• Ineffective if the client does not use the software tested.
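The test data approach described above, as an added example that is not part of the original handout: an auditor-prepared deck of valid and invalid payroll transactions is run through the program under test and the actual rejections are compared with the predicted ones. client_edit() is a hypothetical stand-in for the client's edit program; the department codes, the 80-hour limit and the Luhn-style check digit are assumptions.

```python
# Added example: client_edit() is a hypothetical stand-in for the client's program.
VALID_DEPTS = {"FIN", "OPS", "HR"}   # assumed valid department codes
MAX_HOURS = 80                       # assumed limit per pay period

def check_digit_ok(emp_id):
    """Luhn-style check digit on the employee ID (assumed scheme)."""
    if not emp_id.isdigit() or len(emp_id) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(emp_id)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def client_edit(txn):
    """Programmed controls under test; returns the rejection reasons."""
    reasons = []
    if not check_digit_ok(txn["emp_id"]):
        reasons.append("CHECK_DIGIT")
    if txn["dept"] not in VALID_DEPTS:
        reasons.append("VALIDITY")
    if not 0 < txn["hours"] <= MAX_HOURS:
        reasons.append("LIMIT")
    return reasons

def faulty_edit(txn):
    """Same routine with the limit test missing, to show a control deviation."""
    return [r for r in client_edit(txn) if r != "LIMIT"]

# Auditor-prepared test deck (constructed): transaction plus predicted result.
GOOD_ID, BAD_ID = "79927398713", "79927398714"
TEST_DECK = [
    ({"emp_id": GOOD_ID, "dept": "FIN", "hours": 40}, []),
    ({"emp_id": BAD_ID, "dept": "FIN", "hours": 40}, ["CHECK_DIGIT"]),
    ({"emp_id": GOOD_ID, "dept": "XXX", "hours": 40}, ["VALIDITY"]),
    ({"emp_id": GOOD_ID, "dept": "OPS", "hours": 81}, ["LIMIT"]),
    ({"emp_id": GOOD_ID, "dept": "OPS", "hours": 80}, []),  # boundary value
    ({"emp_id": "12345", "dept": "??", "hours": 0},
     ["CHECK_DIGIT", "VALIDITY", "LIMIT"]),
]

def run_test_deck(edit, deck):
    """Run every test transaction; return cases where actual != predicted."""
    return [
        {"txn": txn, "expected": expected, "actual": edit(txn)}
        for txn, expected in deck
        if edit(txn) != expected
    ]
```

An empty result from run_test_deck(client_edit, TEST_DECK) means every planted exception was caught; run_test_deck(faulty_edit, TEST_DECK) returns the two transactions whose limit violation went undetected.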
d. PARALLEL SIMULATION
• It involves processing of client’s live (actual) data utilizing an auditor’s generalized
audit software.
• If an entity’s controls have been operating effectively, the client’s software should
generate the same exceptions as the auditor’s software.
• It should be performed on a surprise basis, if possible.
e. CONTROLLED REPROCESSING
• A variation of parallel simulation, it involves processing of actual client data
through a copy of the client’s application program.
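Parallel simulation as described above, in an added example that is not part of the original handout: the auditor's own program reprocesses a constructed extract of live payroll data and compares gross pay and exceptions with what the client's program produced. The overtime rule, the 80-hour limit and all field names are assumptions.

```python
# Added example: parallel simulation over a constructed extract of live data.
from decimal import Decimal

OT_THRESHOLD = Decimal("40")   # assumed policy: hours above this are paid at 1.5x
MAX_HOURS = Decimal("80")      # assumed limit the client's program should flag

# Constructed extract: live input fields plus what the client's program produced.
CLIENT_RUN = [
    {"id": "E001", "hours": "40", "rate": "20.00", "gross": "800.00", "flagged": False},
    {"id": "E002", "hours": "45", "rate": "20.00", "gross": "950.00", "flagged": False},
    {"id": "E003", "hours": "50", "rate": "30.00", "gross": "1500.00", "flagged": False},
    {"id": "E004", "hours": "95", "rate": "10.00", "gross": "1225.00", "flagged": False},
    {"id": "E005", "hours": "90", "rate": "10.00", "gross": "1150.00", "flagged": True},
]

def simulate(rec):
    """Auditor's independent reimplementation of the processing rules."""
    hours, rate = Decimal(rec["hours"]), Decimal(rec["rate"])
    regular = min(hours, OT_THRESHOLD)
    overtime = max(hours - OT_THRESHOLD, Decimal("0"))
    gross = regular * rate + overtime * rate * Decimal("1.5")
    return gross.quantize(Decimal("0.01")), hours > MAX_HOURS

def parallel_simulation(client_run):
    """Compare the client's output with the auditor's, record by record."""
    differences = []
    for rec in client_run:
        gross, flagged = simulate(rec)
        if gross != Decimal(rec["gross"]):
            differences.append((rec["id"], "GROSS", rec["gross"], str(gross)))
        if flagged != rec["flagged"]:
            differences.append((rec["id"], "EXCEPTION", rec["flagged"], flagged))
    return differences

if __name__ == "__main__":
    for diff in parallel_simulation(CLIENT_RUN):
        print(diff)   # (record id, kind, client value, auditor value)
```

Each difference is a lead to follow up, not a conclusion: it may point to a fault in the client's program or to a rule the auditor's simulation got wrong.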
2. Continuous audit techniques – test the audit computer controls throughout a period.
b. SYSTEMS CONTROL AUDIT REVIEW FILES (SCARFs) – logs that collect transaction
information for subsequent review and analysis by the auditor.
e. EXTENDED RECORDS – this technique attaches additional audit data which would not
otherwise be saved to regular historic records and thereby helps to provide a more
complete audit trail.
1. JOB ACCOUNTING DATA/OPERATING SYSTEMS LOGS – these logs, which track particular
functions, include reports of the resources used by the computer system. The auditor
may be able to use them to review the work processed, to determine whether
unauthorized applications were processed and to determine that authorized applications
were processed properly.
1. Audit software – computer programs used to process data of audit significance from the
client’s accounting system.
a. Package programs (also called generalized audit software) – programs that can be used
in numerous clients. They can be designed to perform different audit tasks such as:
4. Text retrieval software - allows the user to view any text that is available in an electronic
format. The software program allows the user to browse through text files much as a user
would browse through books.
3. Which of the following procedures would an entity most likely include in its computer disaster
recovery plan?
A. Develop an auxiliary power supply to provide uninterrupted electricity.
B. Store duplicate copies of critical files in a location away from the computer center.
C. Maintain a listing of entity passwords with the network manager.
D. Translate data for storage purposes with a cryptographic secret code.
4. What technology is needed in order to convert a paper document into a computer file?
A. Optical character recognition
B. Electronic data interchange
C. Bar-coding scanning
D. Joining and merging
6. Misstatements in a batch computer system caused by incorrect programs or data may not be
detected immediately because
A. Errors in some transactions may cause rejection of other transactions in the batch.
B. The identification of errors in input data typically is not a part of the program.
C. There are time delays in processing transactions in a batch system.
D. The processing of transactions in a batch system is not uniform.
7. A client is concerned that a power outage or disaster could impair the computer hardware’s
ability to function as designed. The client desires off-site back-up hardware facilities that are
fully configured and ready to operate within several hours. The client most likely should
consider a
A. Cold site.
B. Cool site.
C. Warm site.
D. Hot site.
8. What type of computer system is characterized by data that are assembled from more than
one location and records that are updated immediately?
A. Microcomputer system
B. Minicomputer system
C. Batch processing system
D. On-line, real-time system
9. End-user computing is most likely to occur on which of the following types of computers?
A. Mainframe
B. Minicomputers
C. Personal computers
D. Personal reference assistants
10. Which of the following statements most likely represents a disadvantage for an entity that
keeps microcomputer-prepared data files rather than manually prepared files?
A. Random error associated with processing similar transactions in different ways is usually
greater.
B. It is usually more difficult to compare recorded accountability with physical count of
assets.
C. Attention is focused on the accuracy of the programming process rather than errors in
individual transactions.
D. It is usually easier for unauthorized persons to access and alter the files.
11. To avoid invalid data input, a bank added an extra number at the end of each account number
and subjected the new number to an algorithm. This technique is known as
A. Optical character recognition
B. A check digit
C. A dependency check
D. A format check
12. Preventing someone with sufficient technical skill from circumventing security procedures and
making changes to production programs is best accomplished by
A. Reviewing reports of jobs completed.
B. Comparing production programs with independently controlled copies.
C. Running test data periodically.
D. Providing suitable segregation of duties.
14. Which of the following controls is a processing control designed to ensure the reliability and
accuracy of data processing?
   Limit test    Validity check test
A. Yes           Yes
B. Yes           No
C. No            Yes
D. No            No
15. Which of the following activities would most likely be performed in the information systems
department?
A. Initiation of changes to master records.
B. Conversion of information to machine-readable form.
C. Correction of transactional errors.
D. Initiation of changes to existing applications.
16. When computer programs or files can be accessed from terminals, users should be required
to enter a(n)
A. Parity check
B. Personal identification code
C. Self-diagnosis test
D. Echo check
18. A control feature in an electronic data processing system requires the central processing unit
(CPU) to send signals to the printer to activate the print mechanism for each character. The
print mechanism, just prior to printing, sends a signal back to the CPU verifying that the
proper print position has been activated. This type of hardware control is referred to as
A. Echo control.
B. Validity control.
C. Signal control.
D. Check digit control.
19. Which of the following most likely represents a significant deficiency in internal control?
A. The systems analyst reviews applications of data processing and maintains systems
documentation.
B. The systems programmer designs systems for computerized applications and maintains
output controls.
C. The control clerk establishes control over data received by the information systems
department and reconciles control totals after processing.
D. The accounts payable clerk prepares data for computer processing and enters the data
into the computer.
21. An auditor would most likely be concerned with which of the following controls in a distributed
data processing system?
A. Hardware controls
B. Systems documentation controls
C. Access controls
D. Disaster recovery controls
22. An auditor anticipates assessing control risk at a low level in a computerized environment.
Under these circumstances, on which of the following activities would the auditor initially
focus?
A. Programmed control activities
B. Application control activities
C. Output control activities
D. General control activities
23. Auditing by testing the input and output of a computer system instead of the computer
program itself will
A. Not detect program errors which do not show up in the output sampled.
B. Detect all program errors, regardless of the nature of the output.
C. Provide the auditor with the same type of evidence.
D. Not provide the auditor with confidence in the results of the auditing procedures.
24. Which of the following client electronic data processing (EDP) systems generally can be
audited without examining or directly testing the EDP computer programs of the system?
A. A system that performs relatively uncomplicated processes and produces detailed output.
B. A system that affects a number of essential master files and produces a limited output.
C. A system that updates a few essential master files and produces no printed output other
than final balances.
D. A system that performs relatively complicated processing and produces very little detailed
output.
25. To obtain evidence that on-line access controls are properly functioning, an auditor most likely
would
A. Create checkpoints at periodic intervals after live data processing to test for unauthorized
use of the system.
B. Examine the transaction log to discover whether any transactions were lost or entered
twice due to a system malfunction.
C. Enter invalid identification numbers or passwords to ascertain whether the system rejects
them.
D. Vouch a random sample of processed transactions to assure proper authorization.
26. An auditor most likely would introduce test data into a computerized payroll system to test
controls related to the
A. Existence of unclaimed payroll checks held by supervisors.
B. Early cashing of payroll checks by employees.
C. Discovery of invalid employee I.D. numbers.
D. Proper approval of overtime by supervisors.
27. When an auditor tests a computerized accounting system, which of the following is true of
the test data approach?
A. Several transactions of each type must be tested.
B. Test data are processed by the client’s computer programs under the auditor’s control.
C. Test data must consist of all possible valid and invalid conditions.
D. The program tested is different from the program used throughout the year by the client.
28. Which of the following computer-assisted auditing techniques allows fictitious and real
transactions to be processed together without client operating personnel being aware of the
testing process?
A. Integrated test facility
B. Input controls matrix
C. Parallel simulation
D. Data entry monitor
29. Which of the following methods of testing application controls utilizes a generalized audit
software package prepared by the auditors?
A. Parallel simulation
B. Integrated testing facility approach
C. Test data approach
D. Exception report tests
30. In creating lead schedules for an audit engagement, a CPA often uses automated work paper
software. What client information is needed to begin this process?
A. Interim financial information such as third quarter sales, net income, and inventory and
receivable balances.
B. Specialized journal information such as the invoice and purchase order numbers of the
last few sales and purchases of the year.
C. General ledger information such as account numbers, prior year account balances, and
current year unadjusted information.
D. Adjusting entry information such as deferrals and accruals, and reclassification journal
entries.