Chapter 17—IT Controls Part III: Systems Development, Program Changes, and Application Controls

TRUE/FALSE

1. Programs in their compiled state are very susceptible to the threat of unauthorized modification.
ANS: F

2. Maintenance access to systems increases the risk that logic will be corrupted either by the accident or intent to defraud.
ANS: T

3. Source program library controls should prevent and detect unauthorized access to application programs.
ANS: T

4. A check digit is a method of detecting data coding errors.
ANS: T

5. Input controls are intended to detect errors in transaction data after processing.
ANS: F

6. A header label is an internal, machine-readable label.
ANS: T

7. The user test and acceptance procedure is the last point at which the user can determine the system's acceptability prior to it going into service.
ANS: T

8. A run-to-run control is an example of an output control.
ANS: F

9. Shredding computer printouts is an example of an output control.
ANS: T

10. In a CBIS environment, all input controls are implemented after data is input.
ANS: F

11. Achieving batch control objectives requires grouping similar types of input transactions (such as sales orders) together in batches and then controlling the batches throughout data processing.
ANS:

12. The "white box" tests of program controls are also known as auditing through the computer.
ANS: T

13. The presence of a SPLMS effectively guarantees program integrity.
ANS: F

14. When using the test data method, the presence of multiple error messages indicates a flaw in the preparation of test transactions.
ANS: F

15. The Base Case System Evaluation is a variation of the test data method.
ANS: T

16. Tracing is a method used to verify the logical operations executed by a computer application.
ANS: T

17. Generalized audit software packages are used to assist the auditor in performing substantive tests.
ANS: T

18. The results of a parallel simulation are compared to the results of a production run in order to judge the quality of the application processes and controls.
ANS: T

19. Firms with an independent internal audit staff may conduct tests of the system development life cycle on an ongoing basis.
ANS: T

20. The programmer's authority table will specify the libraries a programmer may access.
ANS: T

21. Use of the integrated test facility poses no threat to organizational data files.
ANS: F

MULTIPLE CHOICE

1. Which statement is not correct? The audit trail in a computerized environment
a. consists of records that are stored sequentially in an audit file
b. traces transactions from their source to their final disposition
c. is a function of the quality and integrity of the application programs
d. may take the form of pointers, indexes, and embedded keys
ANS:

2. Which control is not associated with new systems development activities?
a. reconciling program version numbers
b. program testing
c. user involvement
d. internal audit participation
ANS: A

3. Routine maintenance activities require all of the following controls except
a. documentation updates
b. testing
c. formal authorization
d. internal audit approval
ANS: D

4. Which statement is correct?
a. compiled programs are very susceptible to unauthorized modification
b. the source program library stores application programs in source code form
c. modifications are made to programs in machine code language
d. the source program library management system increases operating efficiency
ANS:

5. Which control is not a part of the source program library management system?
a. using passwords to limit access to application programs
b. assigning a test name to all programs undergoing maintenance
c. combining access to the development and maintenance test libraries
d. assigning version numbers to programs to record program modifications
ANS:

6. Which control ensures that production files cannot be accessed without specific permission?
a. Database Management System
b. Recovery Operations Function
c. Source Program Library Management System
d. Computer Services Function
ANS:

7. Program testing
a. involves individual modules only, not the full system
b. requires creation of meaningful test data
c. need not be repeated once the system is implemented
d. is primarily concerned with usability
ANS:

8. The correct purchase order number, 123456, was incorrectly recorded as shown in the solutions. All of the following are transcription errors except
a. 1234567
b. 12345
c. 124356
d.
ANS:

9. Which of the following is correct?
a. check digits should be used for all data codes
b. check digits are always placed at the end of a data code
c. check digits do not affect processing efficiency
d. check digits are designed to detect transcription and transposition errors
ANS: D

10. Which statement is not correct? The goal of batch controls is to ensure that during processing
a. transactions are not omitted
b. transactions are not added
c. transactions are free from clerical errors
d. an audit trail is created
ANS:

11. An example of a hash total is
a. total payroll checks - $12,315
b. total number of employees - 10
c. sum of the social security numbers - 12,555,437,251
d. none of the above
ANS:

12. Which statement is not true? A batch control record
a. contains a transaction code
b. records the record count
c. contains a hash total
d. control figures in the record may be adjusted during processing
e. All the above are true
ANS:

13. Which of the following is not an example of a processing control?
a. hash total.
b. record count.
c. batch total.
d. check digit
ANS: D

14. Which of the following is an example of input control test?
a. sequence check
b. zero value check
c. spooling check
d. range check
ANS: D

15. Which input control check would detect a payment made to a nonexistent vendor?
a. missing data check
b. numeric/alphabetic check
c. range check
d.
ANS: D

16. The employee entered "40" in the "hours worked per day" field. Which check would detect this unintentional error?
a. numeric/alphabetic data check
b. sign check
c. limit check
d. missing data check
ANS:

17. An inventory record indicates that 12 items of a specific product are on hand. A customer purchased two of the items, but when recording the order, the data entry clerk mistakenly entered 20 items sold. Which check could detect this error?
a. numeric/alphabetic data checks
b. limit check
c. range check
d. reasonableness check
ANS:

18. Which check is not an input control?
a. reasonableness check
b. validity check.
c. spooling check
d. missing data check
ANS:

19. A computer operator was in a hurry and accidentally used the wrong master file to process a transaction file. As a result, the accounts receivable master file was erased. Which control would prevent this from happening?
a. header label check
b. expiration date check
c. version check
d. validity check
ANS: A

20. Run-to-run control totals can be used for all of the following except
a. to ensure that all data input is validated
b. to ensure that only transactions of a similar type are being processed
c. to ensure the records are in sequence and are not missing
d. to ensure that no transaction is omitted
ANS: A

21. Methods used to maintain an audit trail in a computerized environment include all of the following except
a. transaction logs
b. Transaction Listings.
c. data encryption
d. log of automatic transactions
ANS:

22. Risk exposures associated with creating an output file as an intermediate step in the printing process (spooling) include all of the following actions by a computer criminal except
a. gaining access to the output file and changing critical data values
b. using a remote printer and incurring operating inefficiencies
c. making a copy of the output file and using the copy to produce illegal output reports
d. printing an extra hardcopy of the output file
ANS:

23. Which statement is not correct?
a. only successful transactions are recorded on a transaction log
b. unsuccessful transactions are recorded in an error file
c. a transaction log is a temporary file
d. a hardcopy transaction listing is provided to users
ANS:

24. Input controls include all of the following except
a. check digits
b. Limit check.
c. spooling check
d. missing data check
ANS:

25. Which of the following is an example of an input error correction technique?
a. immediate correction
b. rejection of batch
c. creation of error file
d. all are examples of input error correction techniques
ANS: D

26. Which test of controls will provide evidence that the system as originally implemented was free from material errors and free from fraud? Review of the documentation indicates that
a. a cost-benefit analysis was conducted
b. the detailed design was an appropriate solution to the user's problem
c. tests were conducted at the individual module and total system levels prior to implementation
d. problems detected during the conversion period were corrected in the maintenance phase
ANS:

27. Which statement is not true?
a. An audit objective for systems maintenance is to detect unauthorized access to application databases.
b. An audit objective for systems maintenance is to ensure that applications are free from errors.
c. An audit objective for systems maintenance is to verify that user requests for maintenance reconcile to program version numbers.
d. An audit objective for systems maintenance is to ensure that the production libraries are protected from unauthorized access.
ANS:

28. When the auditor reconciles the program version numbers, which audit objective is being tested?
a. protect applications from unauthorized changes
b. ensure applications are free from error
c. protect production libraries from unauthorized access
d. ensure incompatible functions have been identified and segregated
ANS: A

29. When auditors do not rely on a detailed knowledge of the application's internal logic, they are performing
a. black box tests of program controls
b. white box tests of program controls
c. substantive testing
d. intuitive testing
ANS: A

30. All of the following concepts are associated with the black box approach to auditing computer applications except
a. the application need not be removed from service and tested directly
b. auditors do not rely on a detailed knowledge of the application's internal logic
c. the auditor reconciles previously produced output results with production input transactions
d. this approach is used for complex transactions that receive input from many sources
ANS: D

31. Which test is not an example of a white box test?
a. determining the fair value of inventory
b. ensuring that passwords are valid
c. verifying that all pay rates are within a specified range
d. reconciling control totals
ANS: A

32. When analyzing the results of the test data method, the auditor would spend the least amount of time reviewing
a. the test transactions
b. error reports
c. updated master files
d. output reports
ANS: A

33. All of the following are advantages of the test data technique except
a. auditors need minimal computer expertise to use this method
b. this method causes minimal disruption to the firm's operations
c. the test data is easily compiled
d. the auditor obtains explicit evidence concerning application functions
ANS:

34. All of the following are disadvantages of the test data technique except
a. the test data technique requires extensive computer expertise on the part of the auditor
b. the auditor cannot be sure that the application being tested is a copy of the current application used by computer services personnel
c. the auditor cannot be sure that the application being tested is the same application used throughout the entire year
d. preparation of the test data is time-consuming
ANS: A

35. All of the following statements are true about the integrated test facility (ITF) except
a. production reports are affected by ITF transactions
b. ITF databases contain "dummy" records integrated with legitimate records
c. ITF permits ongoing application auditing
d. ITF does not disrupt operations or require the intervention of computer services personnel
ANS: A

36. Which statement is not true? Embedded audit modules
a. can be turned on and off by the auditor.
b. reduce operating efficiency.
c. may lose their viability in an environment where programs are modified frequently.
d. identify transactions to be analyzed using white box tests.
ANS: D

37. Generalized audit software packages perform all of the following tasks except
a. recalculate data fields
b. compare files and identify differences
c. stratify statistical samples
d. analyze results and form opinions
ANS: D

SHORT ANSWER

1. Contrast the source program library (SPL) management system to the database management system (DBMS).
ANS:
The SPL software manages program files and the DBMS manages data files.

2. Describe two methods used to control the source program library.
ANS:
passwords, separation of development programs from maintenance programs, program management reports, program version numbers, controlling maintenance commands

3. New system development activity controls must focus on the authorization, development, and implementation of new systems and its maintenance. Discuss at least five control activities that are found in an effective system development life cycle.
ANS:
System authorization activities assure that all systems are properly authorized to ensure their economic justification and feasibility.
User specification activities should not be stifled by technical issues. Users can provide written description of the logical needs that must be satisfied by the
Technical design activities must lead to specifications that meet user needs. Documentation is both a control and evidence of control.
Internal audit involvement should occur throughout the process to assure that the system will serve user needs.
Program testing is to verify that data is processed as intended.

4. What are the three broad categories of application controls?
ANS:
input, processing, and output controls

5. How does privacy relate to output control?
ANS:
If the privacy of certain types of output, e.g., sensitive information about clients or customers, a firm could be legally exposed.

6. What are the three categories of processing control?
ANS:
Batch controls, run-to-run controls, and audit trail controls.

7. What control issue is related to reentering corrected error records into a batch processing system? What are the two methods for doing this?
ANS:
Errors detected during processing require careful handling, since these records may already be partially processed. Simply resubmitting the corrected records at the data input stage may result in processing portions of these transactions twice.
Two methods are: (1) reverse the effects of the partially processed transactions and resubmit the corrected records to the data input stage. The second method is to reinsert corrected records into the processing stage at which the error was detected.

8. Output controls ensure that output is not lost, misdirected, or corrupted and that privacy is not violated. What are some output exposures or situations where output is at risk?
ANS:
output spooling, delayed printing, waste, report distribution

9. Input controls are programmed procedures (routines) that perform tests on transaction data to ensure they are free from errors. Name four input controls and describe what they test
ANS:
1. numeric-alphabetic checks look for the correct type of character content in a field, numbers or letters
2. limit checks verify that values are within preset limits
3. range checks verify the values fall within an acceptable range
4. reasonableness check determines if a value in one field, which has already passed a limit check and a range check, is

10.
10. A A GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG GGGGGGGGGGGGG fraud affectfraud affects a largs a large number oe number of victims f victims but the but the harm to eachharm to each appears to be very small.
appears to be very small. ANS:
ANS: salami salami 11.
11. ?escribe a ?escribe a test of cotest of controls thntrols that "ould at "ould provide evidprovide evidence that ence that only authoonly authorized program rized program maintenance ismaintenance is occurring.
occurring. ANS: ANS:
reconcile program version numbers) confirm
reconcile program version numbers) confirm maintenance authorizationsmaintenance authorizations 12.
12. Auditors do Auditors do not rely not rely on detailed on detailed !no"ledge o!no"ledge of the appf the applicationDs ilicationDs internal lognternal logic "hen tic "hen they use they use thehe GGGGGGGGGGGG
GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG approach to auditinG approach to auditing computer applicatiog computer applications.ns. ANS:
ANS:
blac! bo or auditi
blac! bo or auditing around the computer ng around the computer 1$
13. Describe parallel simulation.
ANS:
The auditor writes a program that simulates the application under review. The simulation is used to reprocess production transactions that were previously processed by the production application. The results of the simulation are compared to the results of the original production run.
14. What is meant by auditing around the computer versus auditing through the computer? Why is this so important?
ANS:
Auditing around the computer involves black box testing in which the auditors do not rely on a detailed knowledge of the application's internal logic. Input is reconciled with corresponding output. Auditing through the computer involves obtaining an in-depth understanding of the internal logic of the computer application. As transactions become increasingly automated, the inputs and outputs may become decreasingly visible. Thus, the importance of understanding the programming components of the system is crucial.
15. What is an embedded audit module?
ANS:
EAM techniques use one or more specially programmed modules embedded in a host application to select and record predetermined types of transactions for subsequent analysis. This method allows material transactions to be captured throughout the audit period. The auditor's substantive testing task is thus made easier since they do not have to identify significant transactions for substantive testing.
16. What are the audit's objectives relating to systems development?
ANS:
The auditor's objectives are to ensure that (1) systems development activities are applied consistently and in accordance with management's policies to all systems development projects; (2) the system as originally implemented was free from material errors and fraud; (3) the system was judged necessary and justified at various checkpoints throughout the SDLC; and (4) system documentation is sufficiently accurate and complete to facilitate audit
ESSAY
1. Outline the six controllable activities that relate to new systems development.
ANS:
Systems Authorization Activities: All systems should be properly authorized to ensure their economic justification and feasibility. This requires a formal environment in which users submit requests to systems professionals in written form.
User Specification Activities: Users need to be actively involved in the systems development process. Users should create a detailed written description of their needs. It should describe the user's view of the problem, not that of the systems professionals.
Technical Design Activities: The technical design activities translate user specifications into a set of detailed technical specifications for a system that meets the user's needs. The scope of these activities includes systems analysis, feasibility analysis, and detailed systems design.
Internal Audit Participation: To meet the governance-related expectations of management under SOX, an organization's internal audit department needs to be independent, objective, and technically qualified. As such, the internal auditor can play an important role in the control of systems development activities.
Program Testing: All program modules must be thoroughly tested before they are implemented. This involves creating hypothetical master files and transactions files that are processed by the modules being tested. The results of the tests are then compared against predetermined results to identify programming and logic errors.
User Test and Acceptance Procedures: Prior to system implementation, the individual modules of the system need to be formally and rigorously tested as a whole. The test team should comprise user personnel, systems professionals, and internal auditors. The details of the tests performed and their results need to be formally documented and analyzed. Once the test team is satisfied that the system meets its stated requirements, the system can be transferred to the user.
2. Explain the three methods used to correct errors in data entry.
ANS:
Immediate Correction. In the direct data validation approach, error detection and correction take place during data entry. When an error or illogical relationship is entered, the system should halt the data entry procedure until the error is corrected.
Creation of an Error File. In the delayed data validation approach, errors are flagged and placed in an error file. Records with errors will not be processed until the error is investigated and corrected.
Rejection of the Entire Batch. Some errors are associated with the entire batch and are not attributable to individual records. An example of this is a control total that does not balance. The entire batch is placed in the error file and will be reprocessed when the error is corrected.
3. The presence of an audit trail is critical to the integrity of the accounting information system. Discuss three of the techniques used to preserve the audit trail.
ANS:
Transaction logs list all transactions successfully processed by the system and serve as journals, permanent records. Transactions that were not processed successfully should be recorded in an error file.
After processing transactions, a paper transaction listing should be produced and used by appropriate users to reconcile input.
Logs and listings of automatic transactions should be produced for transactions received or initiated internally by the system.
Error listing should document all errors and be sent to appropriate users to support error correction.
4. Define each of the following input controls and give an example of how they may be used:
a. Missing data check
b. Numeric/alphabetic data check
c. Limit check
d. Range check
e. Reasonableness check
f. Validity check
ANS:
Missing data check. Some programming languages are restrictive as to the justification (right or left) of data within the field. If data are not properly justified or if a character is missing (has been replaced with a blank), the value in the field will be improperly processed. For example, the presence of blanks in a numeric data field may cause a system failure. When the control routine detects a blank where it expects to see a data value, the error is flagged.
Numeric/alphabetic check. This control identifies when data in a particular field are in the wrong form. For example, a customer's account balance should not contain alphabetic data and the presence of it will cause a data processing error. Therefore, if alphabetic data are detected, the error record flag is set.
Limit check. Limit checks are used to identify field values that exceed an authorized limit. For example, assume the firm's policy is that no employee works more than 44 hours per week. The payroll system input control program can test the hours-worked field in the weekly payroll records for values greater than 44.
Range check. Many times data have upper and lower limits to their acceptable values. For example, if the range of pay rates for hourly employees in a firm is between 8 and 20 dollars, this control can examine the pay rate field of all payroll records to ensure that they fall within this range.
Reasonableness check. The test determines if a value in one field, which has already passed a limit check and a range check, is reasonable when considered along with data in other fields of the record. For example, assume that an employee's pay rate of 18 dollars per hour falls within an acceptable range. This rate is excessive, however, when compared to the employee's job skill code of 693; employees in this skill class should not earn more than 12 dollars per hour.
Validity check. A validity check compares actual field values against known acceptable values. For example, this control may be used to verify such things as valid vendor codes, state abbreviations, or employee job skill codes. If the value in the field does not match one of the acceptable values, the record is flagged as an error.
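
The six input controls defined in the answer above, applied to payroll records with the answer's own figures. This is an added example, not part of the test bank; the field names, the code table and the sample records are assumptions constructed for illustration.

```python
import re

# Figures (44 hours, 8-20 dollars, skill code 693 capped at 12 dollars) come
# from the answer above. Field names, the code table and the sample records
# are assumptions constructed for this example.
MAX_HOURS = 44.0
PAY_RANGE = (8.0, 20.0)
SKILL_PAY_CAP = {"693": 12.0}
VALID_SKILL_CODES = {"693", "710"}   # "710" is a made-up second code
REQUIRED = ("employee_id", "hours", "pay_rate", "skill_code")
NUMERIC_FIELDS = ("hours", "pay_rate")

# Strict ASCII decimal. float() alone would accept "nan", "inf" and "1e9",
# and NaN compares False against every bound, so it would slip through the
# limit and range checks without being flagged.
DECIMAL = re.compile(r"[0-9]+(\.[0-9]+)?")


def _text(rec, name):
    """Field value as stripped text; absent or None counts as blank."""
    value = rec.get(name)
    return "" if value is None else str(value).strip()


def validate_record(rec):
    """Return the list of input-control failures for one payroll record."""
    # Missing data check: a blank where a value is expected.
    errors = [f"missing:{f}" for f in REQUIRED if not _text(rec, f)]
    if errors:
        return errors

    # Numeric/alphabetic check: numeric fields must hold digits only.
    errors = [f"not_numeric:{f}" for f in NUMERIC_FIELDS
              if not DECIMAL.fullmatch(_text(rec, f))]
    if errors:
        return errors

    hours = float(_text(rec, "hours"))
    rate = float(_text(rec, "pay_rate"))
    skill = _text(rec, "skill_code")

    # Limit check: hours worked may not exceed the authorized limit.
    if hours > MAX_HOURS:
        errors.append("limit:hours")

    # Range check: pay rate has both a lower and an upper bound.
    range_ok = PAY_RANGE[0] <= rate <= PAY_RANGE[1]
    if not range_ok:
        errors.append("range:pay_rate")

    # Validity check: skill code must be one of the known acceptable values.
    if skill not in VALID_SKILL_CODES:
        errors.append("invalid:skill_code")
    # Reasonableness check: a rate that passed the range check is compared
    # with another field of the same record (the skill class cap).
    elif range_ok and rate > SKILL_PAY_CAP.get(skill, PAY_RANGE[1]):
        errors.append("unreasonable:pay_rate_for_skill")
    return errors


def screen_batch(records):
    """Pass clean records on and place flagged ones in an error file."""
    accepted, error_file = [], []
    for rec in records:
        errs = validate_record(rec)
        if errs:
            error_file.append({"record": rec, "errors": errs})
        else:
            accepted.append(rec)
    return accepted, error_file


# Constructed sample input, one record per control.
SAMPLE_BATCH = [
    {"employee_id": "E001", "hours": "40", "pay_rate": "11.50", "skill_code": "693"},
    {"employee_id": "E002", "hours": "  ", "pay_rate": "10.00", "skill_code": "710"},
    {"employee_id": "E003", "hours": "4O", "pay_rate": "10.00", "skill_code": "710"},
    {"employee_id": "E004", "hours": "52", "pay_rate": "10.00", "skill_code": "710"},
    {"employee_id": "E005", "hours": "40", "pay_rate": "25.00", "skill_code": "710"},
    {"employee_id": "E006", "hours": "40", "pay_rate": "18.00", "skill_code": "693"},
    {"employee_id": "E007", "hours": "40", "pay_rate": "10.00", "skill_code": "999"},
    {"employee_id": "E008", "hours": "nan", "pay_rate": "10.00", "skill_code": "710"},
]

if __name__ == "__main__":
    accepted, error_file = screen_batch(SAMPLE_BATCH)
    print("accepted:", [r["employee_id"] for r in accepted])
    for entry in error_file:
        print(entry["record"]["employee_id"], entry["errors"])
```

Record E008 shows why the numeric check has to run before the limit and range checks: parsed with `float()`, the value `nan` would fail neither comparison.
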
5. After data is entered into the system, it is processed. Processing control exists to make sure that the correct things happen during processing. Discuss processing controls.
ANS:
Processing controls take three forms: batch controls, run-to-run controls, and
Batch controls are used to manage the flow of high volumes of transactions through batch processing systems. The objective of batch control is to reconcile output produced by the system with the input originally entered into the system. This provides assurance that:
• All records in the batch are processed.
• No records are processed more than once.
• An audit trail of transactions is created from input through processing to the output stage of the system.
Run-to-run controls use batch figures and new balances to monitor the batch as it goes through the system, i.e. from run to run. These are to assure that no transactions are lost and that all are processed completely.
Audit trail controls are designed to document the movement of transactions through the system. The most common techniques include the use of transaction logs and transaction listings, unique transaction identifiers, logs and listings of automatic transactions, and error listings.
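
A sketch of the batch and run-to-run reconciliation described in the answer above: after every run, the records passed on plus those in the error file must match the batch header exactly once each, otherwise the whole batch is rejected. This is an added example, not part of the test bank; the header layout, field names, run functions and sample batch are assumptions constructed for illustration.

```python
from collections import Counter
from decimal import Decimal


def control_figures(records):
    """Record count and control total (sum of the amount field)."""
    total = sum((Decimal(r["amount"]) for r in records), Decimal("0"))
    return len(records), total


def reconcile(header, passed, error_file):
    """Compare what a run produced with the batch header figures.

    Records passed on plus records in the error file must account for
    every record in the header, each exactly once.
    """
    seen = list(passed) + list(error_file)
    problems = []
    counts = Counter(r["txn_id"] for r in seen)   # unique transaction identifiers
    dupes = sorted(t for t, n in counts.items() if n > 1)
    if dupes:
        problems.append(f"processed more than once: {dupes}")
    count, total = control_figures(seen)
    if count != header["record_count"]:
        problems.append(f"record count {count} != {header['record_count']}")
    if total != header["control_total"]:
        problems.append(f"control total {total} != {header['control_total']}")
    return problems


def run_batch(header, records, runs):
    """Push a batch through successive runs, reconciling after each one.

    Each run is a (name, function) pair whose function returns
    (passed, rejected). Returns (status, audit_trail); on the first
    imbalance the entire batch is rejected instead of moving on.
    """
    audit_trail, error_file = [], []
    current = list(records)
    for name, run in runs:
        passed, rejected = run(current)
        error_file.extend(rejected)
        problems = reconcile(header, passed, error_file)
        audit_trail.append({"run": name, "passed": len(passed),
                            "error_file": len(error_file), "problems": problems})
        if problems:
            return "batch rejected", audit_trail
        current = passed
    return "batch complete", audit_trail


# Constructed runs: a data edit run, a correct update run, and two defective
# update runs that lose or double-post a transaction.
def edit_run(records):
    good = [r for r in records if Decimal(r["amount"]) > 0]
    bad = [r for r in records if Decimal(r["amount"]) <= 0]
    return good, bad

def update_run(records):
    return list(records), []

def lossy_update_run(records):
    return list(records[:-1]), []          # drops the last transaction

def double_post_run(records):
    return list(records) + [records[0]], []  # posts the first one twice


# Constructed sample batch and its header (batch control record).
BATCH = [
    {"txn_id": "T001", "amount": "120.00"},
    {"txn_id": "T002", "amount": "75.50"},
    {"txn_id": "T003", "amount": "-10.00"},
    {"txn_id": "T004", "amount": "310.25"},
]
HEADER = {"record_count": 4, "control_total": Decimal("495.75")}

if __name__ == "__main__":
    for update in (update_run, lossy_update_run, double_post_run):
        status, trail = run_batch(HEADER, BATCH, [("edit", edit_run),
                                                  (update.__name__, update)])
        print(status, trail[-1])
```
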
6. If input and processing controls are adequate, why are output controls needed?
ANS:
Output controls are designed to ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated. Great risk exists if checks are misdirected, lost, or stolen. Certain types of data must be kept private: trade secrets, patents pending, customer records, etc.
7. Describe and contrast the test data method with the integrated test facility.
ANS:
In the test data method, a specially prepared set of input data is processed; the results of the test are compared to predetermined expectations. To use the test data method, a copy of the current version of the application must be obtained. The auditor will review printed reports, transaction listings, error reports, and master files to evaluate application logic and control effectiveness. The test data approach results in minimal disruption to the organization's operations and requires little computer expertise on the part of auditors.
The integrated test facility (ITF) is an automated approach that permits auditors to test an application's logic and controls during its normal operation. ITF databases contain test records integrated with legitimate records. During normal operations, test transactions are entered into the stream of regular production transactions and are processed against the test records. The ITF transactions are not included with the production reports but are reported separately to the auditor for evaluation. The auditor compares ITF results against expected results.
In contrast to the test data approach, the ITF technique promotes ongoing application auditing and does not interfere with the normal work of computer services employees. In the test data approach, there is a risk that the auditor might perform the tests on a version of the application other than the production version; this cannot happen in the ITF approach. Both versions are relatively costly to implement. The major risk with the ITF approach is that ITF data could become combined with live data and the reports would be misstated; this cannot happen in the test data approach.
8. Contrast Embedded Audit Modules with Generalized Audit Software.
ANS:
Both techniques permit auditors to access, organize, and select data in support of the substantive phase of the audit. The Embedded Audit Module (EAM) technique embeds special audit modules into applications. The EAM captures specific transactions for auditor review. EAMs reduce operational efficiency and are not appropriate for environments with a high level of program maintenance.
Generalized Audit Software (GAS) permits auditors to electronically access audit files and to perform a variety of audit procedures. For example, the GAS can recalculate, stratify, compare, format, and print the contents of files.
The EAM is an internal program that is designed and programmed into the application. The GAS is an external package that does not affect operational efficiency of the program. GASs are easy to use, require little IT background on the part of the user, are hardware independent, can be used without the assistance of computer service employees, and are not application-specific. On the other hand, EAMs are programmed into a specific application by computer service professionals.
9. What is the purpose of the auditor's review of SDLC documentation?
ANS:
In reviewing the SDLC documentation, the auditor seeks to determine that completed projects now in use reflect compliance with SDLC policies including:
• proper authorization of the project by users and computer service management,
• a preliminary feasibility study showed that the project had merit,
• that a detailed analysis of user needs was conducted,
• that a cost-benefit analysis was performed,
• that the project can be demonstrated to solve the users' problem, and
• that the system was thoroughly tested.
10. Microcomputers have traditionally been difficult to control, leaving auditors with special problems in verifying physical controls. Discuss what an auditor's objectives might be in testing microcomputer controls.
ANS:
The auditor must investigate several things: 1) that adequate supervision and operating procedures exist to compensate for the lack of segregation of duties that occur when users are functioning also as programmers and operators; 2) that access to hardware, data and software is limited to authorized personnel; 3) that backup procedures are in place and implemented to prevent data and program loss; and 4) that procedures for systems selection and acquisition assure high quality, error free, applications. This is far from an ideal situation.
11. Contrast the "black box" approach to IT auditing and the "white box" approach. Which is preferred?
ANS:
The black box approach is not concerned with the application's internal workings. The auditor examines documentation of the system, interviews personnel, and bases the evaluation on the logical consistency between input and output. This method is often referred to as "auditing-around-the-computer" because there is no examination of data as it is processed.
The white box approach, also called "auditing-through-the-computer," relies on knowledge of the internal workings of the systems and actually tests the application in action with test data having known results. Several white box techniques are available. These include the test data method, base case evaluation, tracing, the integrated test facility, and parallel simulation. This method makes the computer a tool of the audit