Name___________________________________
MULTIPLE CHOICE. Choose the one alternative that best completes the statement or answers the question.
1) Which of the following is an enhancement to internal control resulting from integrating IT into
accounting systems?
A) Computer controls replace manual ones B) Higher quality information
C) Both A and B D) Neither A nor B
Answer: C
2) Which one of the following computer-assisted auditing techniques allows fictitious and real
transactions to be processed together without client operating personnel being aware of the testing
process?
A) Test data approach B) Generalised audit software programming
C) Integrated test facility D) Parallel simulation
Answer: C
4) To obtain evidence that all external users in an e-commerce system are authorised, a 'firewall'
channels all network connections through a:
A) separate computer service bureau. B) control gateway.
C) single telephone line. D) single computer monitor.
Answer: B
5) The function of an embedded audit module approach:
A) tests data used to test specific controls.
B) analyses the client data.
C) inserts an audit module into the client's application system.
D) uses software to define the content of data records.
Answer: C
7) Auditing standards describe which two broad control groupings for IT systems?
1. General controls
2. Application controls
3. Information controls
4. Performance controls
A) 2 and 3 B) 1 and 3 C) 1 and 2 D) 3 and 4
Answer: C
8) A computer service centre processes, for an auditor's client, financial data that has a material effect
on that client's financial statements. The independent auditor need NOT consider a review of the
service centre controls if:
A) he or she is satisfied that a special report on internal controls issued by the service centre's
independent auditor can be relied on to the extent desired.
B) the service centre is a partially owned subsidiary of the client company, whose financial
statements are examined by another audit firm.
C) the service centre processes data exclusively for the audit client and its subsidiaries.
D) the service centre controls have already been reviewed by the internal audit team of the client.
Answer: A
9) Which of the following is a generalised audit software package?
A) MYOB B) ACL
C) Visual Basic D) None of the above
Answer: B
10) Which of the following is NOT an example of a test data approach?
A) Testing online passwords B) Testing input data to final reports
C) Testing authorisation of transactions D) Testing data access controls
Answer: C
11) The audit procedure which is least useful in gathering evidence on significant computer processes
is:
A) test data. B) generalised audit software.
C) tracing. D) observation.
Answer: D
12) A well-controlled IT system offers greater potential for reducing misstatements because:
A) computers reduce the human error that is likely to occur in traditional manual environments.
B) computers process information consistently.
C) computers handle tremendous volumes of complex business transactions effectively.
D) all of the above
Answer: D
13) Application controls vary with each application in the IT system. In attempting to review and gain
an understanding of the internal control system, the auditor must evaluate the application controls
for:
A) every audit area.
B) every material audit area.
C) every audit area in which the client uses the computer.
D) every audit area where the auditor plans to reduce assessed control risk.
Answer: D
14) A database management system:
A) allows quick retrieval of data, but it needs to update files continually.
B) reduces data redundancy.
C) allows quick retrieval of data but at a cost of inefficient use of file space.
D) stores data on different files for different purposes, but always knows where they are and
how to retrieve them.
Answer: B
15) Which one of the following is NOT usually part of a contingency plan?
A) Storing copies of critical software off premises
B) Identifying alternative hardware that can be used to process company data
C) Regular changing of access codes
D) Backing up critical data files
Answer: C
16) The accumulation of source documents and records that allows the organisation to trace accounting
entries back to their initiation is the:
A) substantiation record. B) initialisation procedure.
C) outsourcing code. D) audit trail.
Answer: D
17) The auditor may decide NOT to reduce assessed control risk even if internal controls are adequate.
This approach is followed if:
A) the cost of the study and tests of controls will exceed the savings from reduced substantive
procedures.
B) the auditor plans to rely on the controls and reduce substantive testing.
C) a qualified opinion will be issued.
D) All of the above are true.
Answer: A
18) Controls which are designed to assure that the information processed by the computer is
authorised, complete and accurate are called:
A) processing controls. B) general controls.
C) output controls. D) input controls.
Answer: D
19) Which one of the following statements is incorrect about network environments?
A) Decentralised servers often increase control risk.
B) Many environments lack standardised procedures.
C) Responsibility for purchasing equipment usually resides with a centralised IT function.
D) Network-related software often lacks the security features typically available in traditionally
centralised systems.
Answer: C
20) Many clients have their data processed at an independent computer service centre (IT outsourcing).
The difficulty the independent auditor faces when a computer service centre is used is:
A) in trying to abide by the joint Code of Professional Conduct to maintain the security and
confidentiality of the client's data.
B) in determining the adequacy of the service centre's internal controls.
C) finding compatible programs that will analyse the service centre's programs.
D) gaining the permission of the service centre to review its work.
Answer: B
21) The objective of understanding internal control and assessing control risk in an IT system is:
A) to gain an understanding of the computer hardware and software.
B) to evaluate management's efficiency in designing and using the IT system.
C) to determine if the audit firm must have an IT auditor on the team.
D) to aid in determining the audit evidence that should be accumulated.
Answer: D
22) Internal control is ineffective when computer programmers:
A) design documentation for computerised systems.
B) request physical security be provided for program files.
C) have access to actual programs used to produce accounting information.
D) participate in computer software acquisition decisions.
Answer: C
24) When the client uses a computer but the auditor chooses to use only the non-IT segment of internal
control to assess control risk, it is referred to as auditing around the computer. Which one of the
following conditions need NOT be present in order to audit around the computer?
A) Computer programs must be available in English.
B) User controls include comparison of computer-produced records with source documents.
C) The accounting software can display or print ledger balances and transaction details that
allow the auditor to trace individual transactions through the accounting records.
D) The source documents are available in a readable form and can be traced easily through the
accounting system to output.
Answer: A
26) A site is allowed to retain the Webtrust seal if the auditor monitors compliance at least every:
A) 120 days. B) 60 days. C) 30 days. D) 90 days.
Answer: D
27) Well-controlled organisations segregate key duties within IT. Ideally, this means the following
responsibilities should be separated:
A) IT management separate from operations.
B) IT management separate from data control.
C) IT management separate from systems development.
D) All of the above
Answer: D
28) When auditing a computerised system, an auditor may use the test data approach as an audit tool.
This technique:
A) involves introducing simulated transactions into the client's actual application program(s).
B) should not involve the actual application programs the client uses throughout the year, since
use of the actual programs would contaminate the client's accounting data.
C) is more applicable to independent audits than internal audits.
D) is a commonly used audit technique for auditing around the computer.
Answer: A
30) An auditor's investigation of a company's IT control procedures has disclosed the following four
circumstances. Indicate which circumstance constitutes a weakness in internal control.
A) Only one copy of backup files is stored in an off-premises location.
B) Computer operators are closely supervised by programmers.
C) Programmers do not have the authorisation to operate equipment.
D) Computer operators do not have access to the complete run manual.
Answer: B
31) Generalised audit software can be used to perform many different kinds of tests. Which is NOT one
of them?
A) Review of accounts receivable balances for amounts over the credit limit
B) Observing cash receipts processes
C) Recalculating employees' net pay calculations
D) Preparing general ledger trial balances
Answer: B
32) Development and changes to IT systems are generally coordinated by a ________ analyst.
A) financial B) technical C) systems D) all of the above
Answer: C
34) Auditors usually evaluate the effectiveness of:
A) applications controls first.
B) sales-cycle controls first.
C) general controls before applications controls.
D) hardware controls first.
Answer: C
35) The auditor can perform many different kinds of tests and other functions with the auditor's
computer program. Which of the following tests or functions CANNOT be performed?
A) Verify extensions and footings.
B) Analyse exception responses returned with confirmations received from customers.
C) Compare data on separate files.
D) Re-sequence data and perform analyses.
Answer: B
36) Generalised audit software can be used to perform many different kinds of tests. Which is NOT one
of them?
A) Totalling the client's accounts receivable balances
B) Random sampling of all other receivables
C) Inquiry of management policy on aged debtors
D) Comparing creditor statements with accounts payable files
Answer: C
37) IT can significantly impact on an organisation's overall control risk. Which of the following risks
would NOT be important from an auditing perspective?
A) Use of unreliable information because of processing errors produced by the technology
B) The inability to retrieve important information because of IT systems failure
C) The potential for material misstatement
D) None of the above, i.e., they are all important.
Answer: D
38) Strong general controls mitigate which type of risks?
A) Risk of system obsolescence B) Risk of system crash
C) Risk of theft of information and data D) All of the above
Answer: B
39) Should the auditor feel, after obtaining an understanding of IT internal control, that control risk
cannot be reduced, he or she will:
A) issue an adverse opinion.
B) increase the sample size for tests of controls.
C) issue a disclaimer.
D) expand the substantive testing portion of the audit.
Answer: D
42) Which of the following is NOT a general control?
A) Processing controls
B) Procedures for documenting, reviewing and approving systems and payments
C) Hardware controls
D) The plan of organisation and operation of IT activity
Answer: A
43) Oversight of the IT function to ensure that all activities are carried out consistently with the IT
strategic plan is the responsibility of the:
A) librarian. B) chief information officer.
C) data control group. D) computer operators.
Answer: B
44) If a control total were to be computed on each of the following data items, which would BEST be
identified as a hash total for a payroll IT application?
A) Department numbers B) Net pay
C) Total debits and total credits D) Hours worked
Answer: A
45) An independent auditor uses generalised audit software. The second step in using GAS,
application design, might include which of the following?
A) Design the most useful format and contents of the auditor's GAS reports.
B) Develop a logical approach to extract and manipulate data obtained from the client's records.
C) Identify and describe the client's data files and the information to which access is desired.
D) All of the above
Answer: D
46) The audit approach in which the auditor runs his or her own program on a controlled basis in order
to verify the client's data recorded in a machine language is:
A) the microcomputer-aided auditing approach.
B) the generalised audit software approach.
C) the test data approach.
D) called auditing around the computer.
Answer: B
50) How do information technologies enhance internal control?
A) Computer controls replace manual controls.
B) Higher quality information is available.
C) Computer controls are cheaper.
D) Both A and B above
Answer: D
51) Physical control over computer equipment restricts access to:
A) software. B) hardware.
C) backup data files. D) all of the above
Answer: D
52) Controls which are built in by the manufacturer to detect equipment failure are called:
A) input controls. B) manufacturer's controls.
C) hardware controls. D) fail-safe controls.
Answer: C
54) Controls which apply to the processing of individual transactions are called:
A) user controls. B) systems controls.
C) general controls. D) applications controls.
Answer: D
55) Pre-designed formats for audit working papers and letters can be created and saved using both
electronic spreadsheets and word processors. These are called:
A) audit software. B) macros.
C) templates. D) desktop publishing.
Answer: C
56) The use of 'encryption' techniques protects the security of electronic communication during the:
A) recording process. B) transmission process.
C) data backup process. D) data output process.
Answer: B
60) The most important output control is:
A) distribution control, which assures that only authorised personnel receive the reports
generated by the system.
B) review of the data for reasonableness by someone who knows what the output should look
like.
C) control totals, which are used to verify that the computer's results are correct.
D) logic tests, which verify that no mistakes were made in processing.
Answer: B
61) A common assumption is that 'the information is ________ because the computer produced it'.
A) relevant B) dubious C) substantive D) correct
Answer: D
62) Data Corporation has just completely computerised its billing and accounts receivable
record-keeping. Your firm has recently acquired IDEA software and you want to make maximum
use of the computer in your audit of Data Corporation. Which of the following audit techniques
could NOT be performed using generalised audit software?
A) Selecting a sample of accounts to be confirmed and printing confirmation requests
B) Comparing data on separate files
C) Resolving differences reported by customers on confirmation requests
D) Examining records for quality, completeness, consistency and correctness
Answer: C
63) An auditor who is testing IT controls in a payroll system would most likely use test data that
contains conditions such as:
A) time tickets with invalid job numbers.
B) deductions not authorised by employees.
C) overtime not approved by supervisors.
D) payroll cheques with unauthorised signatures.
Answer: A
SHORT ANSWER. Write the word or phrase that best completes each statement or answers the question.
64) Discuss what is meant by the term 'auditing through the computer'.
Answer: This approach can be used when source documents are kept in electronic format. Its
use can only be justified when general controls are acceptable. The auditor may rely
on application controls built into the client's application software for processing. The
auditor may use such techniques as test data, generalised or specialist audit
software.
65) Discuss how the integration of IT into accounting systems enhances internal control.
Answer: Enhancements to internal control resulting from the integration of IT into accounting
systems include:
· Computer controls replace manual controls. Replacing manual procedures with
programmed controls that apply checks and balances to each processed transaction
and that process information consistently can reduce human error that is likely to
occur in traditional manual environments.
· Higher quality information is available. IT systems typically provide management
with more and higher quality information faster than most manual systems.
66) Describe four common audit tasks that can be simplified by the use of microcomputers in
practice.
Answer: Common audit tasks that can be simplified by the use of microcomputers in practice
include:
· preparing trial balances and lead schedules
· preparing working papers
· performing analytical procedures
· preparing audit programs
· obtaining an understanding of the client's internal controls
· performing audit sampling
· managing engagements and time budgets.
67) Although IT can enhance a company's internal control, it can also affect a company's
overall control risk. Identify any four of these new risks specific to IT environments.
Answer: Objective 2 discusses eight new IT control risks:
1. Reliance on the functioning capabilities of hardware and software
2. Visibility of audit trail
3. Reduced human involvement
4. Systematic versus random errors
5. Loss of data
6. Reduced segregation of duties
7. Lack of traditional authorisation
8. Need for IT experience
68) Identify the three categories of application controls and give one example of each.
Answer: Application controls fall into three categories:
· Input controls. Key verification and batching are examples of input controls.
· Processing controls. One example is a reasonableness test for the unit selling price
of a sale.
· Output controls. One example is post-processing review of sales transactions by
the sales department.
69) There are three concerns or difficulties that must be overcome before the test data
approach can be used by the auditor. Discuss each of these concerns.
Answer: Three concerns to be addressed before the test data approach can be used by the
auditor are:
· Test data must include all relevant conditions that the auditor wants tested.
· Application programs tested by the auditor's test data must be the same as those
used throughout the year by the client.
· Copies of client files must be used when testing programs that update master files,
to avoid damaging or distorting those files.
70) Provide five examples of different IT environments the auditor may encounter.
Answer: Examples of the various IT environments that exist today include:
1. Microcomputer environments
2. Network environments
3. Database management systems
4. E-commerce systems
5. Clients who outsource IT
6. Other engagements involving IT systems
TRUE/FALSE. Write 'T' if the statement is true and 'F' if the statement is false.
71) Tests of controls are normally performed only if the auditor believes the client's internal control
may be effective.
Answer: True False
72) Using the test data approach, the auditor processes a set of the client's actual transaction data using
the auditor's computer programs on the auditor's computer equipment to determine whether the
client's computer programs and equipment are processing data correctly.
Answer: True False
73) Systems development, operations and data control, and librarianship are separated in an IT system.
Answer: True False
74) The perceived importance of IT within an organisation is often dictated by the attitude of the audit
committee.
Answer: True False
75) The objective of the computer audit technique known as the test data approach is to determine
whether the client's computer programs can correctly process valid and invalid transactions.
Answer: True False
76) An advantage of generalised audit software (GAS) is the ability to access and test client data
independently.
Answer: True False
77) One key to a backup and contingency plan is to make sure that all critical copies of software and
data files are backed up and stored off-premises.
Answer: True False
78) In IT systems, if general controls are effective, it increases the auditor's ability to rely on application
controls to reduce control risk.
Answer: True False
79) General controls are normally evaluated earlier in the audit than application controls.
Answer: True False
80) When the auditor decides to audit around the computer, he or she is not required to test the client's
IT controls.
Answer: True False
81) Encryption techniques protect the security of electronic communication during transmission.
Answer: True False
83) The major disadvantage of generalised audit software is that its complexity limits its use primarily
to IT specialists.
Answer: True False
84) When auditing a client whose information is processed by an outside computer service company, it
is acceptable for the auditor to rely on the audit report of another independent auditor who has
previously tested the internal controls of the computer service centre rather than testing the service
centre's controls himself or herself.
Answer: True False
85) Controls that relate to a specific use of the IT system, such as the processing of sales or cash
receipts, are called application controls.
Answer: True False
86) The day-to-day operations of the computer are the responsibility of management.
Answer: True False
88) Auditing around the computer is acceptable when general controls are strong.
Answer: True False
89) Control risk is often affected by a complex IT system even if it enhances internal controls.
Answer: True False
90) One disadvantage of IT systems is the potential elimination of the control provided by division of
duties of independent persons normally present in manual systems.
Answer: True False
91) One common use of generalised audit software is to help the auditor identify weaknesses in the
client's IT control procedures.
Answer: True False
92) In database management systems many applications share files, whereas in non-database
environments each application manages its own data file.
Answer: True False
93) General controls in smaller companies are usually less effective than in more complex IT
environments.
Answer: True False
94) A firewall is a system of hardware and software that monitors and controls the flow of e-commerce
communications by channelling all network connections through a control gateway.
Answer: True False
95) One potential disadvantage of IT systems is the increased risk of destruction of entire data files.
Answer: True False
96) Auditing through the computer is justified when general controls are acceptable.
Answer: True False
97) In database management systems, each application contains its own data file whereas in
non-database environments, many applications share files.
Answer: True False
99) Auditing around the computer is acceptable if the auditor has access to sufficient source documents
and a detailed listing of output in a readable form.
Answer: True False
ESSAY. Write your answer in the space provided or on a separate sheet of paper.
100) Assume you are using generalised audit software (GAS) during your audit of accounts receivable. Discuss four
kinds of tests or audit procedures you can perform with the GAS if the client's data are in machine-readable
form.
Answer: Examples of the types of tests that can be performed using GAS during the audit of accounts receivable
include:
· verifying extensions and footings
· examining records for quality, completeness, consistency and correctness
· comparing data on separate files
· summarising or resequencing data and performing analyses
· comparing data obtained through other audit procedures with company records
· selecting audit samples
· printing confirmation requests.
101) Discuss the four areas of responsibility under the IT function that should be segregated in large companies.
Answer: The responsibilities for IT management, systems development, operations and data control should be
separated:
· IT Management. Oversight of the IT function should be segregated from the systems development,
operations and data control functions. Oversight of IT should be the responsibility of the chief
information officer or IT manager.
· Systems development. Systems analysts are responsible for the overall design of each application
system. Programmers develop, test and document applications software. Programmers and analysts
should not have access to input data or computer operations.
· Operations. Computer operators are responsible for the day-to-day operations of the computer.
· Data control. Data control personnel independently verify the quality of input and the reasonableness
of output.
102) Discuss the circumstances that may exist in a 'network environment' which may challenge traditional general
CIS controls.
Answer: To audit a network environment, the auditor must first thoroughly assess the environment as the
following conditions occasionally exist in some local area or wide area networks:
· Some networks decentralise their network's servers, thus increasing control risk.
· Some networks lack standardised equipment and procedures.
· Responsibility for purchasing, maintenance administration, etc., often resides with key user groups
rather than centrally.
· Network-related software often lacks the security features typically available in centralised
environments.
103) Discuss the major factors associated with complex IT systems that increase control risk and the likelihood of
material misstatements in the financial statements.
Answer: Factors associated with complex IT systems that increase the likelihood of material misstatements in the
financial statements include:
· Reliance on the functioning capabilities of hardware and software. Without proper protection,
hardware or software may not function properly.
· Reduced visibility of audit trail. Because much of the information is entered directly into the computer,
the use of IT often reduces or eliminates source documents and records that allow the organisation to
trace accounting information.
· Reduced human involvement. In complex IT systems, there are fewer opportunities for observing
whether misstatements have occurred.
· Uniformity of processing increases risk of systematic errors. Erroneous processing can result in the
accumulation of a great number of misstatements in a short period of time.
· Unauthorised access. If not well controlled, data-processing systems allow easy access to data and use
of the data by unauthorised persons.
· Loss of data. When large amounts of data are centralised, there is an increased risk of their loss or
destruction.
· Reduced segregation of duties. In IT systems, computers perform many duties that were traditionally
segregated, such as authorisation and record keeping.
· Lack of traditional authorisation. It is common in IT systems for certain types of transactions to be
initiated automatically by the computer.
· Need for IT experience. Personnel with knowledge and experience to install, maintain and use the
computer system are essential. The reliability of an IT system and the information it produces often
depend on whether the organisation can employ personnel with appropriate technology knowledge and
experience.
104) Identify the six categories of general controls and give one example of each.
Answer: General controls fall into the following six categories:
· Administration of IT function. For example, the chief information officer (CIO) should report to senior
management and board of directors.
· Segregation of IT duties. For example, there should be separation of duties between the computer
programmers, operators and the data control group.
· Systems development. Users, analysts and programmers develop and test software.
· Physical and online security. For example, passwords should be required for access to computer
systems.
· Backup and contingency planning. Written backup plans should be prepared and tested on a regular
basis throughout the year.
· Hardware controls. For example, uninterruptible power supplies should be used to avoid loss of data in
the event of a power blackout.
105) Auditing a small client in an IT environment poses some particular challenges for the auditor. Identify and
describe.
Answer: Most entities, including small, family-owned businesses, rely on IT to record and process business
transactions. As a result of explosive advancements in IT, even relatively simple businesses use personal
computers with purchased accounting software such as MYOB for their accounting processes.
The auditor needs to recognise that smaller firms will have some IT environment; however, the
challenges would include:
1. General controls. The auditor should expect that overall in smaller IT systems, general controls will be
weaker. For example, an important general control is segregation of IT functions. It may be that in many
small companies it is not practical to segregate the duties to the extent desirable.
2. Microcomputers. Smaller firms would rely more on microcomputers, which leads to the following
concerns:
· Often, there are no dedicated IT personnel or the client relies on periodic involvement of IT
consultants to assist in installing and maintaining hardware and software.
· Also, the responsibility of the IT function is often assigned to user departments where the
hardware physically resides.
· Controls over software acquisition, physical and online access security, and backup planning are
still important.
3. Many clients outsource some or all of their IT needs to an independent computer service centre,
including smaller clients.
106) Describe the method used to reduce unauthorised exposures by external parties in e-commerce systems.
Answer: The use of e-commerce systems exposes company data, programs and hardware to potential interception
or sabotage by external parties. This can be limited by the use of digital signatures, firewalls, and
encryption techniques to protect data, programs and other IT resources, and limitation of access to IT
information by use of passwords in microcomputer systems.
107) Discuss the advantages and benefits of using generalised audit software.
Answer: Advantages and benefits of using generalised audit software include:
· They are developed in such a manner that most of the audit staff can be trained to use the program
even if they have little formal IT education.
· The auditor is able to access and test client data independently without reliance on the client's
personnel or software.
Answer Key
Testname: C10
1) C
2) C
3) D
4) B
5) C
6) A
7) C
8) A
9) B
10) C
11) D
12) D
13) D
14) B
15) C
16) D
17) A
18) D
19) C
20) B
21) D
22) C
23) C
24) A
25) A
26) D
27) D
28) A
29) D
30) B
31) B
32) C
33) B
34) C
35) B
36) C
37) D
38) B
39) D
40) A
41) A
42) A
43) B
44) A
45) D
46) B
47) C
48) D
49) A
50) D
51) D
52) C
53) A
54) D
55) C
56) B
57) C
58) C
59) D
60) B
61) D
62) C
63) A
64) This approach can be used when source documents are kept in electronic format. Its use can only be justified when
general controls are acceptable. The auditor may rely on application controls built into the client's application software
for processing. The auditor may use such techniques as test data, generalised or specialist audit software.
65) Enhancements to internal control resulting from the integration of IT into accounting systems include:
· Computer controls replace manual controls. Replacing manual procedures with programmed controls that apply
checks and balances to each processed transaction and that process information consistently can reduce human error
that is likely to occur in traditional manual environments.
· Higher quality information is available. IT systems typically provide management with more and higher quality
information faster than most manual systems.
66) Common audit tasks that can be simplified by the use of microcomputers in practice include:
· preparing trial balances and lead schedules
· preparing working papers
· performing analytical procedures
· preparing audit programs
· obtaining an understanding of the client's internal controls
· performing audit sampling
· managing engagements and time budgets.
67) Objective 2 discusses eight new IT control risks:
1. Reliance on the functioning capabilities of hardware and software
2. Visibility of audit trail
3. Reduced human involvement
4. Systematic versus random errors
5. Loss of data
6. Reduced segregation of duties
7. Lack of traditional authorisation
8. Need for IT experience
68) Application controls fall into three categories:
· Input controls. Key verification and batching are examples of input controls.
· Processing controls. One example is a reasonableness test for the unit selling price of a sale.
· Output controls. One example is post-processing review of sales transactions by the sales department.
69) Three concerns to be addressed before the test data approach can be used by the auditor are:
· Test data must include all relevant conditions that the auditor wants tested.
· Application programs tested by the auditor's test data must be the same as those used throughout the year by the
client.
· Copies of client files must be used when testing programs that update master files, to avoid damaging or distorting
those files.
101) The responsibilities for IT management, systems development, operations and data control should be separated:
· IT Management. Oversight of the IT function should be segregated from the systems development, operations and
data control functions. Oversight of IT should be the responsibility of the chief information officer or IT manager.
· Systems development. Systems analysts are responsible for the overall design of each application system.
Programmers develop, test and document applications software. Programmers and analysts should not have access to
input data or computer operations.
· Operations. Computer operators are responsible for the day-to-day operations of the computer.
· Data control. Data control personnel independently verify the quality of input and the reasonableness of output.
102) To audit a network environment, the auditor must first thoroughly assess the environment as the following conditions
occasionally exist in some local area or wide area networks:
· Some networks decentralise their network's servers, thus increasing control risk.
· Some networks lack standardised equipment and procedures.
· Responsibility for purchasing, maintenance administration, etc., often resides with key user groups rather than
centrally.
· Network-related software often lacks the security features typically available in centralised environments.
103) Factors associated with complex IT systems that increase the likelihood of material misstatements in the financial
statements include:
· Reliance on the functioning capabilities of hardware and software. Without proper protection, hardware or software
may not function properly.
· Reduced visibility of audit trail. Because much of the information is entered directly into the computer, the use of IT
often reduces or eliminates source documents and records that allow the organisation to trace accounting information.
· Reduced human involvement. In complex IT systems, there are fewer opportunities for observing whether
misstatements have occurred.
· Uniformity of processing increases risk of systematic errors. Erroneous processing can result in the accumulation of a
great number of misstatements in a short period of time.
· Unauthorised access. If not well controlled, data-processing systems allow easy access to data and use of the data by
unauthorised persons.
· Loss of data. When large amounts of data are centralised, there is an increased risk of their loss or destruction.
· Reduced segregation of duties. In IT systems, computers perform many duties that were traditionally segregated,
such as authorisation and record keeping.
· Lack of traditional authorisation. It is common in IT systems for certain types of transactions to be initiated
automatically by the computer.
· Need for IT experience. Personnel with knowledge and experience to install, maintain and use the computer system
are essential. The reliability of an IT system and the information it produces often depend on whether the organisation
can employ personnel with appropriate technology knowledge and experience.
104) General controls fall into the following six categories:
· Administration of IT function. For example, the chief information officer (CIO) should report to senior management
and board of directors.
· Segregation of IT duties. For example, there should be separation of duties between the computer programmers,
operators and the data control group.
· Systems development. Users, analysts and programmers develop and test software.
· Physical and online security. For example, passwords should be required for access to computer systems.
· Backup and contingency planning. Written backup plans should be prepared and tested on a regular basis
throughout the year.
· Hardware controls. For example, uninterruptible power supplies should be used to avoid loss of data in the event of
a power blackout.
105) Most entities, including small, family-owned businesses, rely on IT to record and process business transactions. As a
result of explosive advancements in IT, even relatively simple businesses use personal computers with purchased
accounting software such as MYOB for their accounting processes.
The auditor needs to recognise that smaller firms will have some IT environment; however, the challenges would
include:
1. General controls. The auditor should expect that overall in smaller IT systems, general controls will be weaker. For
example, an important general control is segregation of IT functions. It may be that in many small companies it is not
practical to segregate the duties to the extent desirable.
2. Microcomputers. Smaller firms would rely more on microcomputers, which leads to the following concerns:
· Often, there are no dedicated IT personnel or the client relies on periodic involvement of IT consultants to
assist in installing and maintaining hardware and software.
· Also, the responsibility of the IT function is often assigned to user departments where the hardware physically
resides.
· Controls over software acquisition, physical and online access security, and backup planning are still important.
3. Many clients outsource some or all of their IT needs to an independent computer service centre, including smaller
clients.
106) The use of e-commerce systems exposes company data, programs and hardware to potential interception or sabotage
by external parties. This can be limited by the use of digital signatures, firewalls, and encryption techniques to protect
data, programs and other IT resources, and limitation of access to IT information by use of passwords in
microcomputer systems.
107) Advantages and benefits of using generalised audit software include:
· They are developed in such a manner that most of the audit staff can be trained to use the program even if they have
little formal IT education.
· The auditor is able to access and test client data independently without reliance on the client's personnel or software.