Hall 5e TB Chapter 17

Chapter 17—IT Controls Part III: Systems Development, Program Changes, and Application Controls

TR!"#A$S!

1. Programs in their compiled compiled state state are very very susceptible susceptible to the threat of unauthorized unauthorized modification. modification. ANS: F 2. aintenance access access to systems systems increases the ris! that logic logic "ill be be corrupted either by the accident or intent to defraud. ANS: # $. Source program program library controls should prevent and detect unauthorized unauthorized access access to application  programs. ANS: # %. A chec! chec! digit digit is a method method of detectin detecting g data coding coding errors errors.. ANS: # &. 'nput contro controls ls are intended intended to detect detect errors in transac transaction tion data data after processin processing. g. ANS: F (. A header header label label is an internal) internal) machine*re machine*readabl adablee label. label. ANS: # +. #he user test test and acceptance procedure procedure is the last point at "hich the the user can determine the system,s system,s acceptability prior to it going into service. ANS: # -. A run*to run*to*run *run contro controll is an eample eample of of an output output control control.. ANS: F /. Shredding Shredding compu computer ter printou printouts ts is an eampl eamplee of an output output contro control. l. ANS: # 10. 'n a 'S environm environment) ent) all input input controls controls are are implemented implemented after after data data is input. input. ANS: F 11. Achieving batch batch control ob3ectives re4uires re4uires grouping grouping similar types of input transactions transactions 5such as sales orders6 together in batches and then controlling the batches throughout data processing. ANS: #

12. #he 7"hite bo7 tests of program controls controls are also !no"n as auditing through the computer. ANS: # 1$. #he presence presence of a SP8S SP8S effectively effectively guaran guarantees tees program program integri integrity ty.. ANS: F 1%. 9hen using using the test data data method) method) the presence presence of multiple multiple error messages messages indicate indicatess a fla" in the  preparation of test transactions. transactions. ANS: F 1&. #he ase ase ase System System valuat valuation ion is a variat variation ion of the the test data data method. method. ANS: # 1(. #racing is a method method used to to verify the the logical operations eecuted eecuted by a computer application. ANS: # 1+. ;eneralized audit audit soft"are pac!ages are used to assist the the auditor in performing substantive tests. ANS: # 1-. #he results of a parallel parallel simulation simulation are compared compared to the the results of a production production run in order to to 3udge the 4uality of the application processes and controls. ANS: # 1/. Firms "ith an independent independent internal audit staff staff may conduct conduct tests of the system system development life cycle on an ongoing basis. ANS: # 20. #he programmer, programmer,ss authority authority table table "ill specify specify the librarie librariess a programmer programmer may access. access. ANS: # 21.
1. 9hich statem statement ent is not correct correct== #he audit audit trail trail in a computeriz computerized ed environme environment nt a. consists consists of of records records that that are stored stored se4uent se4uentially ially in an audit audit file  b. traces transactions from their their source to their final final disposition c. is a function function of of the 4uality 4uality and and integrity integrity of of the applica application tion program programss d. may ta!e ta!e the the form of pointe pointers) rs) indee indees) s) and embedded embedded !eys !eys ANS: A

2. 9hich contro controll is not associated associated "ith "ith ne" systems systems developme development nt activities activities== a. recon reconcil ciling ing program program versio version n numbe numbers rs  b. program testing c. user user invo involv lvem emen entt d. inter internal nal audit audit partic participa ipatio tion n ANS: A $. >outine >outine maintenanc maintenancee activities activities re4uire re4uire all of the follo"in follo"ing g controls controls ecept ecept a. docu docume ment ntat atio ion n upda update tess  b. testing c. form formal al auth author oriz izat atio ion n d. inte intern rnal al aud audit it app appro rova vall ANS: ? %. 9hich 9hich statem statement ent is correc correct= t= a. compiled compiled program programss are very susce susceptib ptible le to unautho unauthorized rized modifi modificatio cation n  b. the source program library library stores application programs programs in source code form c. modificat modifications ions are made made to programs programs in in machine machine code language language d. the source source program program library library managemen managementt system system increases increases operatin operating g efficiency efficiency ANS:  &. 9hich contr control ol is not a part part of the source source program program library library managemen managementt system= system= a. using using pass"or pass"ords ds to limit limit access access to to applica application tion programs programs  b. assigning a test name name to all programs undergoing undergoing maintenance c. combining combining access access to to the developm development ent and mainte maintenance nance test test libraries libraries d. assigning assigning versi version on numbers numbers to programs programs to record record program program modific modificatio ations ns ANS:  (. 9hich control control ensures that production production files cannot cannot be accessed "ithout "ithout specific specific permission= permission= a. ?ata ?ataba base se an anag agem emen entt Syst System em  b. >ecovery @perations Function Function c. Source Source Prog Program ram 8ibr 8ibrary ary ana anagem gement ent System System d. ompu ompute terr Servi Service cess Funct Functio ion n ANS:  +. Prog Progra ram m test testin ing g a. involves involves individu individual al module moduless only) only) not not the full system system  b. re4uires creation of meaningful meaningful test data c. need not be repeat repeated ed once once the the system system is implem implemented ented d. is prima primarily rily concer concerned ned "ith "ith usab usabili ility ty ANS:  -. #he correct purchase order order number) 12$%&() "as incorrectly recorded recorded as sho"n sho"n in the solutions. solutions. All All of the follo"ing are transcription errors ecept a. 12$%&(+  b. 12$%& c. 12%$&( d. 12$%&%

ANS:  /. 9hich 9hich of of the the follo" follo"ing ing is is corre correct= ct= a. chec! chec! digit digitss should should be used used for for all data data code codess  b. chec! digits are al"ays al"ays placed at the end of a data code code c. chec! digits digits do not not affect affect proces processing sing efficien efficiency cy d. chec! digit digitss are designed designed to detect detect transcr transcripti iption on and transpo transpositi sition on errors errors ANS: ? 10. 9hich statement statement is not not correct= #he goal of batch controls controls is to ensure that during processing a. tran transa sact ctio ions ns are are not not omit omitte ted d  b. transactions are not added c. transa transacti ctions ons are are free free from from cleri clerical cal erro errors rs d. an aud audit it tra trail il is is cre creat ated ed ANS:  11. 11. An eample eample of a hash hash tota totall is is a. total total payrol payrolll chec!s chec!sB1 B12)$ 2)$1& 1&  b. total number of employees10 employees10 c. sum of the the social social securi security ty numbers1 numbers12)&&& 2)&&&)%$+)2 )%$+)2&1 &1 d. none none of the the abo above ve ANS:  12. 9hich statement statement is is not true= true= A batch contr control ol record record a. cont contai ains ns a tra trans nsac acti tion on cod codee  b. records the record count count c. cont contai ains ns a hash hash tot total al d. control control figures figures in in the record record may be be ad3usted ad3usted during during proces processing sing e. All All the the abov abovee are are true true ANS:  1$. 9hich of the follo" follo"ing ing is not not an eample eample of a process processing ing control control== a. hash to total.  b. record count. c. batch to total. d. chec! digit ANS: ? 1%. 9hich of the follo" follo"ing ing is an an eample eample of input input control control test= test= a. se4 se4uen uence che chec!   b. zero value chec!  c. spoo spoolling ing ch chec!  ec!  d. range chec!  ANS: ? 1&. 9hich input input contro controll chec! "ould "ould detect detect a payment payment made to a noneis noneistent tent vendor vendor== a. miss missin ing g data data chec chec!  !   b. numericCalphabetic numericCalphabetic chec!  c. range cch hec!  d. vali alidity dity chec chec!  ! 

ANS: ? 1(. #he employee employee entered entered 7%07 in the the 7hours "or!ed "or!ed per day7 day7 field. 9hich 9hich chec! chec! "ould detect detect this unintentional error= a. num numeri ericCa cCalph lphabe abetic tic data data chec!  chec!   b. sign chec!  c. limit chec!  d. miss missin ing g dat dataa chec chec!  !  ANS:  1+. An inventory inventory record indicates indicates that 12 items of a specific specific product are on hand. hand. A customer purchased purchased t"o of the items) but "hen recording the order) the data entry cler! mista!enly entered 20 items sold. 9hich chec! could detect this error= a. num numeri ericCa cCalph lphabe abetic tic data data chec chec!s !s  b. limit chec!  c. range cch hec!  d. reas reason onab able lene ness ss chec chec!  !  ANS:  1-. 1-. 9hich 9hich chec! chec! is is not not an input input contro control= l= a. reas reason onab able lene ness ss chec chec!  !   b. validity chec!  c. spoo spoolling ing ch chec!  ec!  d. miss missin ing g dat dataa chec chec!  !   .  .

ANS:  1/. A computer computer operato operatorr "as in a hurry and accidental accidentally ly used the "rong "rong master master file to process process a transaction file. As a result) the accounts receivable master file "as erased. 9hich control "ould  prevent this from happening= happening= a. head header er labe labell chec chec!  !   b. epiration date chec!  c. vers ersion chec chec!  !  d. vali alidity dity chec chec!  !  ANS: A 20. >un*to*run >un*to*run contro controll totals totals can be used for for all of the follo" follo"ing ing ecept ecept a. to ensur ensuree that that all all data data input input is is valida validated ted  b. to ensure that only transactions transactions of a similar similar type are being processed c. to ensure ensure the records records are in se4uence se4uence and and are are not missing missing d. to ensur ensuree that that no tran transac sactio tion n is omitt omitted ed ANS: A 21. ethods used to maintain an audit trail in a computerized environment include all of the follo"ing follo"ing ecept a. tran transa sact ctio ion n logs logs  b. #ransaction #ransaction 8istings c. data ata enc encry rypt ptio ion n d. log of automa automatic tic transa transacti ctions ons  .

ANS: 

22. >is! eposures eposures associated "ith creating creating an output output file as an intermediate intermediate step in the printing process process 5spooling6 include all of the follo"ing actions by a computer criminal ecept a. gaining gaining access access to the the output output file file and changin changing g critical critical data data values values  b. using a remote printer and and incurring operating inefficiencies c. ma!ing ma!ing a copy of the output output file file and using using the copy to produce produce illegal illegal output output reports reports d. printing printing an etra etra hardcopy hardcopy of the the outpu outputt file file ANS:  2$. 2$. 9hich 9hich stat stateme ement nt is is not not corre correct= ct= a. only succes successful sful transactio transactions ns are recorded recorded on a transacti transaction on log log  b. unsuccessful transactions transactions are recorded in an error error file c. a trans transact action ion log log is a tempo temporary rary file file d. a hardcopy hardcopy transactio transaction n listing listing is provid provided ed to users users ANS:  2%. 'nput controls controls inclu include de all of the follo"in follo"ing g ecept ecept a. chec! di digits  b. 8imit chec!  c. spoo spoolling ing ch chec!  ec!  d. miss missin ing g dat dataa chec chec!  !   .  .

ANS:  2&. 9hich of of the follo"ing follo"ing is is an eample eample of an input input error correcti correction on techni4ue techni4ue== a. imme immedi diat atee corre correct ctio ion n  b. re3ection of batch c. crea creati tion on of erro errorr file file d. all are are eample eampless of input input error correction correction techni4ues techni4ues ANS: ? 2(. 9hich test of controls "ill provide provide evidence that the system as originally implemented implemented "as free from material errors and free from fraud= >evie" of the documentation indicates that a. a cost* cost*ben benefi efitt analy analysis sis "as "as condu conducte cted d  b. the detailed design "as "as an appropriate solution solution to the userDs problem problem c. tests tests "ere conducted conducted at at the individu individual al module module and total total system system levels levels prior to implementation d. problems problems detected detected during during the conversio conversion n period period "ere corrected corrected in the maintenan maintenance ce phase ANS:  2+. 2+. 9hich 9hich statem statement ent is not true= true= a. An audit audit ob3ective ob3ective for systems systems maintenan maintenance ce is to detect unauth unauthorize orized d access to applicat application ion databases.  b. An audit ob3ective ob3ective for systems maintenance is is to ensure that applications applications are free from errors. c. An audit audit ob3ective ob3ective for systems systems mainten maintenance ance is to verify verify that that user re4ues re4uests ts for maintenan maintenance ce reconcile to program version numbers. d. An audit audit ob3ective ob3ective for systems systems maintenan maintenance ce is to ensure that that the production production librari libraries es are  protected from unauthorized unauthorized access. ANS: A

2-. 9hen the auditor reconciles reconciles the the program version numbers) numbers) "hich audit ob3ective is is being tested= a. protect protect applicati applications ons from unauthori unauthorized zed changes changes  b. ensure applications are free from error  c. protect protect produc production tion libraries libraries from unauthori unauthorized zed access access d. ensure ensure incompatib incompatible le function functionss have been been identif identified ied and segreg segregated ated ANS: A 2/. 9hen auditors auditors do not not rely on a detailed !no"ledge of of the applicationDs applicationDs internal internal logic) logic) they are  performing a. blac! blac! bo bo test testss o off prog program ram contro controls ls  b. "hite bo tests of program program controls c. subs substa tant ntiv ivee testi testing ng d. intu intuit itiv ivee test testin ing g ANS: A $0. All of the the follo"ing follo"ing concepts are associated "ith the blac! bo approach to auditing computer computer applications ecept a. the applic applicatio ation n need not be removed removed from service service and tested tested directly directly  b. auditors do not rely on on a detailed !no"ledge !no"ledge of the applicationDs applicationDs internal logic c. the auditor auditor reconcile reconciless previously previously produce produced d output output results results "ith producti production on input input transactions d. this approa approach ch is used for for comple comple transactio transactions ns that receive receive input input from many many sources sources ANS: ? $1. 9hich test is not not an eample eample of a "hite "hite bo bo test= test= a. determ determini ining ng the the fair fair valu valuee of inve invento ntory ry  b. ensuring that pass"ords pass"ords are valid c. verifying verifying that that all all pay rates are "ithin "ithin a specifie specified d range range d. recon reconcil ciling ing contro controll totals totals ANS: A $2. 9hen analyzing analyzing the results results of the test data method) the auditor auditor "ould spend the least amount of time revie"ing a. the the test test tran transa sact ctio ions ns  b. error reports c. upda update ted d mas maste terr file filess d. outp utput rep repor orts ts ANS: A $$. All of the follo" follo"ing ing are advantag advantages es of the test test data techni4u techni4uee ecept a. auditors auditors need need minima minimall computer computer epert epertise ise to use this this method method  b. this method causes minimal minimal disruption to to the firmDs operations c. the test test data data is easily easily compil compiled ed d. the auditor auditor obtains obtains eplicit eplicit evidence evidence concern concerning ing applicati application on functions functions ANS:  $%. All of the follo" follo"ing ing are disadva disadvantag ntages es of the test test data techni4u techni4uee ecept a. the test test data techni4 techni4ue ue re4uires re4uires etensiv etensivee computer computer epertis epertisee on the part of the the auditor  auditor   b. the auditor cannot be be sure that the application application being tested is a copy copy of the current application used by computer services personnel

c. the auditor auditor cannot cannot be sure sure that the the applicatio application n being being tested is is the same applic application ation used used throughout the entire year  d. preparatio preparation n of the test data is time*c time*consum onsuming ing ANS: A $&. All of the follo"in follo"ing g statements statements are true true about the integra integrated ted test facility facility 5'#F6 5'#F6 ecept ecept a. production production reports reports are are affect affected ed by '#F transa transactio ctions ns  b. '#F databases contain 7dummy7 7dummy7 records integrated "ith "ith legitimate records c. '#F permi permits ts ongoi ongoing ng appli applicat cation ion aud auditi iting ng d. '#F does not disrupt disrupt operati operations ons or re4uire re4uire the interven intervention tion of computer computer service servicess personnel personnel ANS: A $(. 9hich statement statement is is not true= true= mbedde mbedded d audit audit modules modules a. can be turne turned d on and and off off by the the audito auditor. r.  b. reduce operating efficiency. efficiency. c. may lose their their viabil viability ity in an environm environment ent "here "here programs programs are modified modified fre4ue fre4uently ntly.. d. identify identify transa transactio ctions ns to be analyzed analyzed using using "hite "hite bo tests. tests. ANS: ? $+. ;eneralize ;eneralized d audit soft"ar soft"aree pac!ages pac!ages perform all all of the follo"ing follo"ing tas!s tas!s ecept a. reca recalc lcul ulat atee data data fiel fields ds  b. compare files and identify identify differences c. strati stratify fy statis statistic tical al sample sampless d. analyz analyzee resul results ts and and form form opinio opinions ns ANS: ? S&'RT A(S)!R 

1. ontrast ontrast the source source program program library library 5SP86 managemen managementt system to the databas databasee management management system system 5?S6. ANS: #he SP8 soft"are manages program files and the ?S manages data files. 2. ?escribe ?escribe t"o methods methods used used to control control the the source source program libra library ry.. ANS:  pass"ords) separation separation of development programs programs from maintenance programs) program program management reports) program version numbers) controlling maintenance commands $. Ne" system system development development activity activity controls must focus on the authorization) development) and implementation of ne" systems and its maintenance. ?iscuss at least five control activities that are found in an effective system development life cycle. ANS: System authorization activities assure that all systems s ystems are properly authorized to ensure their economic  3ustification and and feasibility. feasibility.
#echnical #echnical design activities must lead to specifications that meet user needs. ?ocumentation is both a control and evidence of control. 'nternal audit involvement should occur throughout throughout the process to assure that the system "ill serve user needs. Program testing is to verify that data is processed as intended. %. 9hat are are the three three broad broad categorie categoriess of applicat application ion controls controls== ANS: input) processing) and output controls &. Eo" does privacy privacy relate relate to output output control= control= ANS: 'f the privacy of certain types of output) e.g.) sensitive information about clients or customers) a firm could be legally eposed. (. 9hat are the the three three categor categories ies of of processi processing ng contro control= l= ANS: atch controls) run*to*run controls) and audit trail controls. +. 9hat control control issue issue is related to reentering corrected error error records into a batch processing processing system= system= 9hat are the t"o methods for doing this= ANS: rrors detected during processing re4uire careful handling) since these records may already be  partially processed. processed. Simply resubmitting the the corrected records at the data input stage may result in  processing portions portions of these transactions transactions t"ice. #"o #"o methods are: 516 reverse the effects of the partially processed transactions and resubmit the corrected records to the data input stage. #he second method is to reinsert corrected records into the  processing stage at "hich "hich the error "as detected. detected. -. @utput controls controls ensure that output output is not not lost) misdirected) or corrupted and that privacy privacy is not violated. 9hat are some output eposures or situations "here output is at ris!= ANS: output spooling) delayed printing) "aste) report distribution /. 'nput contro controls ls are programmed programmed procedur procedures es 5routines 5routines66 that perform perform tests on transac transaction tion data to ensure they are free from errors. Name four input controls and describe "hat they test ANS: 1. numeric*alphabetic numeric*alphabetic chec!s loo! for the correct type of character content in a field) numbers or letters 2. limit chec!s verify that values are "ithin preset limits limits $. range chec!s verify the values fall "ith in an acceptable range %. reasonableness chec! determines determines if a value in one field) "hich has already passed a limit chec! and a range chec!) is reasonable "hen considered along "ith data in other fields of the record.

10. A GGGGGGGGGGGGGGGGGGGGGGGGGG GGGGGGGGGGGGGGGGGGGGGGGGGG fraud affects affects a large large number of of victims but the harm to each appears to be very small. ANS: salami 11. ?escribe a test of controls controls that that "ould provide evidence evidence that only authorized authorized program maintenance is occurring. ANS: reconcile program version numbers) confirm maintenance authorizations 12. Auditors do not rely on detailed !no"ledge of of the applicationDs applicationDs internal internal logic logic "hen they they use the the  GGGGGGGGGGGGGGGGGGGGGGGGG  GGGGGGGGGGGGGGGGGGGGGGGGGG G approach to auditing auditing computer applications. applications. ANS:  blac! bo or auditing auditing around the computer  1$. 1$. ?escri ?escribe be paral parallel lel simu simulat lation ion.. ANS: #he auditor "rites a program that simulates the application under revie". #he #he simulation is used to reprocess production transactions that "ere previously processed by the production application. #he results of the simulation are compared to the results of the original production run. 1%. 9hat is meant by auditing around around the computer versus auditing through through the computer= 9hy 9hy is this this so important= ANS: Auditing around the computer involves blac! bo testing in "hich the auditors do not rely on a detailed !no"ledge of the applicationDs internal logic. 'nput is reconciled "ith corresponding output. Auditing through the computer involves obtaining an in*depth understanding of the internal logic of the computer application. As transactions become increasingly automated) the inputs and outputs ma y  become decreasingly visible. visible. #hus) the importance importance of understanding understanding the programming components components of the system is crucial. 1&. 1&. 9hat 9hat is an an embed embedded ded aud audit it modu module= le= ANS: A techni4ues use one or more specially programmed modules embedded in a host application to select and record predetermined types of transactions for subse4uent analysis. #his method allo"s material transactions to be captured throughout the audit period. #he auditorDs substantive testing tas! is thus made easier since they do not have to identify significant transactions for substantive testing. 1(. 9hat are are the audit,s audit,s ob3ective ob3ectivess relating relating to systems systems develo developmen pment= t= ANS: #he auditor,s ob3ectives are to ensure that 516 systems s ystems development activities are applied consistently and in accordance "ith management,s policies policies to all systems development pro3ects 526 the system as originally implemented "as free from material errors and fraud 5$6 the system "as 3udged necessary and 3ustified at various chec!points throughout the S?8 and 5%6 system documentation is sufficiently accurate and complete to facilitate audit and maintenance activities.

!SSA*

1. @utline @utline the si control controllabl lablee activities activities that that relate to ne" systems systems develop development ment ANS: Systems Authorization Authorization Activities: Activities: All systems should be properly authorized to ensure their economic  3ustification and and feasibility. feasibility. #his re4uires re4uires a formal environment in in "hich users submit submit re4uests to systems professionals in "ritten form. ecords "ith errors "ill not be processed until the error is investigated and corrected. >e3ection of the ntire atch. Some errors are associated "ith the entire batch and are not attributable to individual records. An eample of this is a control total that does not balance. #he entire batch is  placed in the error file and "ill "ill be reprocessed "hen the error is corrected. $. #he presence of an audit audit trail is critical to the integrity of of the accounting accounting information information system. system. ?iscuss three of the techni4ues used to preserve the audit trail. ANS: #ransaction #ransaction logs list all transactions successfully processed by the system and serve as 3ournals)  permanent records. #ransactions #ransactions that that "ere not processed successfully successfully should be be recorded in an error file.

After processing transactions) a paper transaction listing should be produced and used by appropriate users to reconcile input. 8ogs and listings of automatic transactions should be produced for transactions received or initiated internally by the system. rror listing should document all errors and be sent to appropriate users to support error correction. %. ?efine ?efine each of the follo" follo"ing ing input input controls controls and and give an eample eample of ho" they they may be used: used: a. issing data chec!   b. NumericCalphabetic NumericCalphabetic data chec!  c. 8imit chec!  d. >ange chec!  e. >easonableness chec!  f. Ialidity Ialidity chec!  ANS: %issing data chec+ Some programming languages are restrictive as to the 3ustification 5right or left6 of data "ithin the field. 'f data are not properly 3ustified or if a character is missing 5has been replaced "ith a blan!6) the value in the field "ill be improperly processed. For eample) the presence of blan!s in a numeric data field may cause a system s ystem failure. 9hen the control routine detects a blan! "here it epects to see a data value) the error is flagged. (-meric.alpha/etic chec+ #his control identifies "hen data in a particular field are in the "rong form. For eample) a customer,s account balance should not contain alphabetic data and the presence of it "ill cause a data processing error. #herefore) #herefore) if alphabetic data are detected) the error record flag is set. $imit chec+ 8imit chec!s are used to identify field values that eceed an authorized limit. For eample) assume the firm,s policy is that no employee "or!s more than %% hours per "ee!. #he  payroll system input input control program can test the hours*"or!ed field in the "ee!ly payroll payroll records for values greater than %%. Range chec+ any times data have upper and lo"er limits to their acceptable values. For eample) if the range of pay rates for hourly employees in a firm is bet"een - and 20 dollars) this control can eamine the pay rate field of all payroll records to ensure that they fall "ithin this range. Reasona/leness chec+ #he test determines if a value in one field) "hich has already passed a limit chec! and a range chec!) is reasonable "hen considered along "ith data in other fields of the record. For eample) assume that an employee,s e mployee,s pay pay rate of 1- dollars per hour falls "ithin an acceptable range. #his rate is ecessive) ho"ever) "hen compared to the employee,s 3ob s!ill code of (/$ employees in this s!ill class should not earn more than 12 dollars per hour. 0alidity chec+ A validity chec! compares actual field values against !no"n acceptable values. For eample) this control may be used to verify such things as valid vendor codes) state abbreviations) or employee 3ob s!ill codes. 'f the value in the field does not match one of the acceptable values) the record is flagged as an error.

&. After data is entered into the system) it is processed. processed. Processing control eists eists to ma!e sure that that the correct things happen during processing. ?iscuss processing controls. ANS: Processing controls ta!e three formsbatch controls) run*to*run controls) and audit trail controls.

atch controls are used to manage the flo" of high volumes of transactions through batch processing systems. #he ob3ective of batch control is to reconcile output produced by the system "ith the input originally entered into the system. #his provides assurance that:  G All All records in the batch are processed. processed.  G No records are processed more more than once.  G An audit audit trail of transactions transactions is created from input through processing to the output stage stage of the system. >un*to*run controls use batch figures and ne" balances to monitor the batch as it goes through the systemi.e. from run*to*run. #hese are to assure that no transactions are lost and that all are processed completely. Audit trail controls are designed to document the movement of transactions through the system. #he most common techni4ues include the use of transaction logs and transaction listings) uni4ue transaction identifiers) logs and listings of automatic transactions) and error listings. (. 'f input input and processin processing g controls controls are ade4uat ade4uate) e) "hy are output output control controlss needed= needed= ANS: @utput controls are designed to ensure that system output is not lost) misdirected) or corrupted and that  privacy is not violated. violated. ;reat ris! eists if if chec!s are misdirected) lost) lost) or stolen. ertain types of data data must be !ept privatetrade secrets) patents pending) customer records) etc. +. ?escribe ?escribe and contrast contrast the test test data method method "ith the integra integrated ted test facility facility.. ANS: 'n the test data method) a specially prepared set of input data is processed the results of the test are compared to predetermined epectations. #o #o use the test data method) a copy cop y of the current version of the application must be obtained. #he auditor "ill revie" printed reports) transaction listings) error reports) and master files to evaluate application logic and control effectiveness. #he test data approach results in minimal disruption to the organizationDs organizationDs operations and re4uires little computer co mputer epertise on the part of auditors. #he integrated test facility 5'#F6 is an automated approach that permits auditors to test an applicationDs logic and controls during its normal operation. '#F databases contain test records integrated "ith legitimate records. ?uring normal operations) test transactions are entered into the stream of regular  production transactions transactions and are processed against against the test records. records. #he '#F transactions transactions are not included "ith the production reports but are reported separately to the auditor for evaluation. #he auditor compares '#F results against epected results. 'n contrast to the test data approach) the '#F techni4ue promotes ongoing application auditing and does not interfere "ith the normal "or! of computer services employees. 'n the test data approach) there is a ris! that the auditor might perform the tests on a version of the application other than the  production version version this cannot happen happen in the '#F approach. oth versions versions are relatively costly costly to implement. #he ma3or ris! "ith the '#F approach is that '#F data could become combined "ith live data and the reports "ould be misstated this cannot happen in the test data approach. -. ontrast ontrast mbedded mbedded Audit Audit odules odules "ith "ith ;eneralized ;eneralized Audit Audit Soft"are. Soft"are. ANS:

oth techni4ues permit auditors to access) organize) and select data in support of the substantive phase of the audit. #he mbedded Audit Audit odule 5A6 techni4ue embeds special audit modules into applications. #he A captures specific transactions for auditor r evie". As reduce operational efficiency and are not appropriate for environments "ith a high level of program maintenance. ;eneralized Audit Audit Soft"are 5;AS6 permits auditors to electronically access audit files and to perform a variety of audit procedures. For eample the ;AS can recalculate) stratify) compare) format) and  print the contents of of files. #he A is an internal program that is designed and programmed into the application. #he ;AS is an eternal pac!age that does not affect operational efficiency of the program. ;ASs are easy to use) re4uire little '# bac!ground on the part of the user) are hard"are independent) can be used "ithout the assistance of computer service employees) and are not application*specific. @n the other hand) As are programmed into a specific application by computer service professionals. /. 9hat is is the purpos purposee of the audito auditorDs rDs revie" revie" of S?8 S?8 document documentatio ation= n= ANS: 'n revie"ing the S?8 documentation) the auditor see!s to determine that completed pro3ects no" in use reflect compliance "ith S?8 policies including:  proper authorization authorization of the pro3ect by users and computer service management) management) a preliminary feasibility study sho"ed that the pro3ect had merit) that a detailed analysis of user needs "as conducted) that a cost*benefit analysis "as performed) that the pro3ect can be demonstrated to solve the usersD problem) and that the system "as thoroughly tested.

• • • • • •

10. icrocomputers have have traditionally traditionally been difficult to control) control) leaving auditors "ith "ith special problems in verifying physical controls. ?iscuss "hat an auditorDs ob3ectives might be in testing microcomputer controls. ANS: #he auditor must investigate several things: 16 that ade4uate supervision and operating procedures eist to compensate for the lac! of segregation of duties that occur "hen users are functioning also as  programmers and operators operators 26 that access to hard"are) hard"are) data and soft"are is limited limited to authorized  personnel $6 that bac!up bac!up procedures are in place place and implemented to prevent prevent data and program loss loss and %6 that procedures for systems selection and ac4uisition assure high 4uality) error free) applications. #his is far from an ideal situation. 11. ontrast the 7blac! bo7 approach to '# auditing auditing and the the 7"hite bo7 approach. approach. 9hich is preferred= ANS: #he blac! bo approach is not concerned "ith the applicationDs internal "or!ings. #he auditor eamines documentation of the system) intervie"s personnel) and bases the evaluation on the logical consistency bet"een input and output. #his method is often referred to as 7auditing*around*the* computer7 because there is no eamination of data as it is processed. #he "hite bo approach) also called 7auditing*through*the*computer)7 7auditing*through*the*computer)7 relies on !no"ledge of the internal "or!ings of the systems and actually tests the application in action "ith test data having !no"n results. Several "hite bo techni4ues are available. #hese include the test data method) base case evaluation) tracing) the integrated test facility) and parallel simulation. #his method ma!es the computer a tool of the audit as "ell as its target.