Auditing & Ethics Issues Tutorial 27 (AEI-TE-L27- 2003)

Tutorial 27: EDP Audit I

Review the lecture notes and reading materials, ask in the tutorial if you do not understand.

Part I

Multiple Choice and Short Questions

1. Which of the following is not a characteristic of a batch processed computer system?
   a. The collection of like transactions that are sorted and processed sequentially against a master file.
   b. Keypunching of transactions, followed by machine processing.
   c. The production of numerous printouts.
   d. The posting of a transaction, as it occurs, to several files, without intermediate printouts.

2. What type of IT system is characterized by data that are assembled from more than one location and records that are updated immediately?
   a. Microcomputer system.
   b. Minicomputer system.
   c. Batch processing system.
   d. Online real-time system.

3. Which of the following best describes a fundamental control weakness often associated with electronic data processing systems?
   a. Electronic data processing equipment is more subject to systems error than manual processing is subject to human error.
   b. Electronic data processing equipment processes and records similar transactions in a similar manner.
   c. Electronic data processing procedures for detection of invalid and unusual transactions are less effective than manual control procedures.
   d. Functions that would normally be separated in a manual system are combined in the electronic data processing system.

4. Which of the following would lessen internal control in an IT system?
   a. The computer librarian maintains custody of computer program instructions and detailed program listings.
   b. Computer operators have access to operator instructions and detailed program listings.
   c. The control group maintains sole custody of all computer output.
   d. Computer programmers write and debug programs, which perform routines designed by the systems analyst.

5. An IT input control is designed to ensure that
   a. Machine processing is accurate.
   b. Only authorized personnel have access to the computer area.
   c. Data received for processing are properly authorized and converted to machine-readable form.
   d. Electronic data processing has been performed as intended for the particular application.

6. Where computer processing is used in significant accounting applications, internal control procedures may be defined by classifying control procedures into two types: general and
   a. Administrative.
   b. Specific.
   c. Application.
   d. Authorization.

7. Which of the following most likely constitutes a weakness in the internal controls of an IT system?
   a. The control clerk establishes control over data received by the IT department and reconciles control totals after processing.
   b. The application programmer identifies programs required by the system's design and flowcharts the logic of these programs.
   c. The systems analyst reviews output and controls the distribution of output from the IT department.
   d. The accounts payable clerk prepares data from computer processing and enters the data into the computer.

Short Questions

8. What are the problems inherent in on-line and real time systems and how can they be mitigated?

9. What controls should exist over computer operators?

Part II

Long Questions

10. Sun system Manufacturing Limited is proposing to install a new computer system, and the financial controller has asked you to suggest the controls which should be exercised over access to the computer system from remote terminals. List and describe the general controls which can be exercised to prevent unauthorized access to the computer system.

11. You are the auditor of Oilco plc, a major petroleum refiner, and you are about to commence the interim audit. The company utilizes an on-line computerized accounting system operated by a central mainframe computer with terminals located in several departments. The audit senior has asked you to take charge of the interim audit of sales and debtors, and has arranged a meeting between yourself and the accountant responsible for the debtors section. The audit senior further informs you that he wishes you to review the controls in existence not only as regards the accounting for sales and debtors but also the database facility as far as it concerns your audit assignment.

    Required
    (a) List ten questions you would ask the accountant responsible for the debtors section in order to provide an initial evaluation of the effectiveness of the computer controls over sales and debtors.
    (b) Explain the controls which ought to be in existence in order to maintain the integrity of the database.
    (c) Explain the reasons why it is important for the auditors to constantly keep up to date with the developments in computerized systems.

12. “The auditors should consider how a computer information systems (“CIS”) environment affects the audit.” (SAS 310.1)

    A CIS environment exists when a computer of any type or size is involved in the processing of financial information by the entity.
    Such financial information must be of significance to the audit, whether that computer is operated by the entity or by a third party. The overall objective and scope of an audit does not change in a CIS environment. However, the use of a computer changes the processing, storage and communication of financial information and may affect the accounting and internal control systems employed by the entity. Audit test data and parallel simulation are commonly used audit techniques in auditing a CIS environment.

    Required:
    (a) Explain what “auditing around the computer” means. State the circumstances under which auditors may consider adopting this approach.
    (b) Explain what “auditing through the computer” means. State the circumstances under which auditors may consider adopting this approach.
    (c) Explain what “auditing with the computer” means.
    (d) Explain what “audit test data” means. State THREE disadvantages of this approach in testing a CIS environment.
    (e) Explain what “parallel simulation” means. State THREE advantages of this approach in testing a CIS environment.
    (HKAAT Dec 2001)

Part III

Revision Questions

- Case study 2, page 323 of Chapter 32, Alan Millichamp
- Case study 1, page 341 of Chapter 32, Alan Millichamp
- Question 1, page 325 of Chapter 20, Teresa Ho
- Question 1 and question 2, page 342 of Chapter 21, Teresa Ho

Tutorial Exercise – Answer

Tutorial 27

1. D
2. D
3. D
4. B
5. C
6. C
7. C

8. The problems include:
   - Information will be stored on magnetic files and will be continuously changed
   - There will be a minimum of print-outs and minimum of permanently retained data
   - Authority for approval of a transaction will be under programmed control procedures without any human intervention

9. Controls over computer operators:
   - Segregation of duties
   - Rotation of duties
   - The use of manuals to standardize the work
   - Recording of operator intervention in programmes in the mainframe computer

10. a. Ensure computer systems are used for authorized purposes only.
    b. Access to computer operations is restricted to authorized personnel, e.g., controls over files and library.
    c. Reasonable assurance that errors are detected during processing by close supervision of operations, use of the operator manual and review of the operators' log.

11. (a) The questions to be asked in order to review the computer controls in existence over sales and debtors must cover controls over input, processing, access, files and output. The following questions could be asked of the accountant responsible for the debtors section.

    (i) What systematic action is taken to ensure the completeness, accuracy and authorization of input of sales invoices, credit notes, journal entries, cash and so on? For example, batch totalling, sequence checking, programmed matching of input to control files containing details of expected input, and authorization limits and reasonableness checks.
    (ii) Are source documents checked one-for-one to processed output and output control totals matched to predetermined manually prepared control totals in the debtors section?
    (iii) By what methods is it established that all input is fully and accurately processed? Examples are batch reconciliation after records update, summary totals, programmed validity checks.
    (iv) What controls are in place to prevent or detect unauthorized amendments to programs and data files (for example, restrictions of access to programmers and to users of the on-line terminals)?
    (v) What controls exist over the work done by computer operators (for example, division of duties, job scheduling, computer logs, cross-checks to input control, authorization of file issue)?
    (vi) What procedures are in operation to ensure the continuing correctness of master files and the standing data they contain? For example, record counts or hash totals for the files, produced and checked each time they are used, regular checks of all contents, run-to-run control totals.
    (vii) Are there procedures for the review and despatch of output by the computer control section? Examples are: comparison of output with prelist totals of input, checking that all queries have been properly dealt with, a distribution list for all output and close control over exception reports, audit totals and so on.
    (viii) Is the reasonableness of output tested? For example, is output tested against file totals after update, and compared with manually prepared totals and balances on individual debtors accounts?
    (ix) Is there an adequate management (audit) trail of generated data and regular listing of ledger balances and debtor analysis?
    (x) Is there an accounting manual in existence, detailing all procedures and clerical processes relating to the sales and debtors system, and is it up to date?

    (b) A database is a collection of interrelated data, stored together in order to minimize redundant data and to serve multiple applications. The controls which ought to be in existence are as follows.

    (i) Proper authorization of input prior to submission of data to the system. Validation tests on input and on its authorization should be built into the system. As the company uses on-line terminals, it may only be practical to authorize input after submission.
    In this case, the input will need to be prevented from being amended or used to produce output until it is cleared.
    (ii) Access must be restricted to authorized personnel and should be logged. Passwords should be used to identify users and permit different levels of access.
    (iii) Permissible activity should be defined to ensure that operator access to terminals, terminal access to programs and program access to data are restricted and controlled, and that evidence is available to demonstrate this.
    (iv) The database manager should have overall responsibility for the integrity of the database, and should approve all program modifications and new types of input data and reports to be generated. The database manager must control all aspects of the database, but his work should be segregated for control purposes from applications development, systems analysis, programming, operators, librarians and the control section staff.
    (v) Controls should be incorporated to help the auditors to use the database control programme to generate analyses, totals and reports. To compensate for the lack of an audit trail, the auditors may require the building in of resident audit monitoring systems and the use of test data and enquiry programs. The centralization of so much data, with access possible in several departments, increases audit risk and calls for tighter and more sophisticated control than stand-alone applications with their own set of master files.

    (c) Auditors must keep up to date with developments in computer systems, hardware and software in order to carry out their statutory duties efficiently and effectively. They need to appreciate fully the scope and areas of audit risk to be found in modern computerized systems. Specialist training will be necessary to keep their expertise up to the standard required by clients and by the needs of their own audit firm. An up to date understanding of computer systems will also help the auditors in the following ways.
    (i) To advise clients at the development stage on audit aids and controls to be built into, or provided for, in the system.
    (ii) To understand what totals and print outs are needed at different program stages and how to test controls.
    (iii) To highlight key features and help assess audit risk and sensitivity to error.
    (iv) To obtain stratified files to aid testing and random samples, as a basis for statistical testing.
    (v) To obtain computer print outs for direct use on the audit, for example for the circularization of debtors and creditors.
    (vi) To appreciate the need to revise audit software for use on new operational systems.

    In modern computer systems, the auditor may do some of his audit work at the time the data is being processed by the operating system, by tagging audit flags on to user accounts.

12. (a) Auditing around the computer means that the auditor bypasses the computer and treats it as a giant book-keeping machine. This is acceptable in some situations but becomes unacceptable if the relationship between the output and the input cannot be properly understood without examining the intervening computer processing, e.g. when there is no visible audit trail. This technique is used when the audit trail is complete, computer processing operations are straightforward, and system documentation is complete and readily available.

    (b) Auditing through the computer means that the auditor focuses on the computer and its programmes directly in the audit. The auditor’s intent is to perform tests of control and substantive tests on the computer, operating system and application system software. For example, the auditor submits data for processing and analyses the results to determine the processing reliability and accuracy of the computer programme.
    Auditors may consider adopting this approach when:
    (i) the transaction trails exist for a short period of time or only in computer-readable form,
    (ii) the auditors would like to test the EDP controls of the client’s systems.

    (c) Auditing with the computer means that the computer and its programmes are treated as a tool of the auditors, e.g. putting computers to work footing subsidiary ledgers on magnetic tape or disk, calculating amounts such as depreciation, comparing the contents of two files, and computing ratios required for analysis.

    (d) The objective of the audit test data approach is to determine whether the client’s computer programmes can correctly process valid and invalid transactions. To fulfil this objective, the auditor develops both valid and invalid transactions that are processed under the auditor’s own control using the client’s EDP equipment. Since the auditor has complete knowledge of the errors and irregularities that exist in the test data, it is possible for the auditor to check whether the client’s system has properly processed the input.

    Disadvantages of the audit test data approach may include the following:
    (i) There is no assurance that the actual programme used by the client to process actual data has been tested.
    (ii) The client’s programme is tested for reliability of controls that exist only at the time the test transactions are being processed.
    (iii) Since test transactions are used, there is no opportunity to examine transactions actually processed by the system.
    (iv) It can be time-consuming to create a representative range of transactions capable of testing all kinds of valid and invalid conditions and combinations.
    Hence the test data approach is most useful in simple computer systems where the number of conditions for testing is limited.
    (v) The scope of testing is limited to the type of data designed by the auditors.

    (e) A parallel simulation involves the auditor writing a computer programme that replicates all or part of a client’s application system. The auditor compares the client’s application system output with the output of the parallel simulation, which embodies the auditor's understanding of the client’s system. An exception report is generated to record the differences identified.

    Advantages of the parallel simulation approach may include the following:
    (i) As the auditor’s programme is used, the auditor can test essential controls in the client’s system.
    (ii) The auditor’s programme is run concurrently with the client’s programme, so the auditor can be assured that the correct programme is being tested.
    (iii) The auditor can utilize real data to trace the transactions back to source documents and check for approvals.
    (iv) No fictitious data is used, thus reducing the risk of disruption to the client’s files.
    (v) There is no limitation in the scope of testing, as the sample size can be expanded easily without additional cost in developing any other sets of test data.
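The input and file controls named in the answers to questions 8 to 11 (record counts, batch totals, hash totals, sequence checking and run-to-run control totals) and the parallel simulation described in answer 12(e) can be seen working together in one added example. The code below is not part of the tutorial or of the texts it cites; it is an illustration written for this page. The batch of sales invoices, the manually prepared control totals, the opening debtor balances and the client's output file are all constructed sample data, and the names Invoice, input_controls, simulate_update, exception_report and audit_run are the example's own. The auditor's program recomputes the control totals the debtors section would have prepared, re-performs the ledger update independently of the client's program, proves the run-to-run totals, and prints an exception report of every account where the client's output disagrees with the simulation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_no: int   # pre-numbered sales invoice
    account: int      # debtor account number (non-financial field used for the hash total)
    amount: int       # invoice value in cents, so totals are exact integers


# Constructed sample batch of sales invoices (hypothetical data, not from the tutorial).
BATCH = [
    Invoice(1001, 40012, 12_500),
    Invoice(1002, 40017, 3_000),
    Invoice(1003, 40012, 7_250),
    Invoice(1004, 40023, 18_000),
]

# Control totals the debtors section prepares manually before submitting the batch
# (constructed to agree with BATCH).
MANUAL_CONTROLS = {"count": 4, "value": 40_750, "hash": 160_064}

# Opening debtor balances on the master file before the update (constructed).
OPENING = {40012: 5_000, 40017: 0, 40023: 2_250}


def input_controls(batch, expected):
    """Recompute the batch totals and sequence-check the invoices.

    Returns a list of discrepancies; an empty list means every control agreed.
    """
    problems = []
    count = len(batch)
    value = sum(inv.amount for inv in batch)
    # Hash total: a meaningless sum of account numbers that still detects lost or altered records.
    hash_total = sum(inv.account for inv in batch)
    if count != expected["count"]:
        problems.append(f"record count {count} != expected {expected['count']}")
    if value != expected["value"]:
        problems.append(f"batch value {value} != expected {expected['value']}")
    if hash_total != expected["hash"]:
        problems.append(f"hash total {hash_total} != expected {expected['hash']}")
    # Sequence check: pre-numbered invoices must be consecutive with no duplicates.
    numbers = sorted(inv.invoice_no for inv in batch)
    for prev, cur in zip(numbers, numbers[1:]):
        if cur == prev:
            problems.append(f"duplicate invoice number {cur}")
        elif cur != prev + 1:
            problems.append(f"gap in invoice sequence between {prev} and {cur}")
    return problems


def simulate_update(opening, batch):
    """The auditor's own re-implementation of the ledger update (the parallel simulation).

    Returns the closing balances and the run-to-run control totals.
    """
    closing = dict(opening)
    for inv in batch:
        closing[inv.account] = closing.get(inv.account, 0) + inv.amount
    run_to_run = {
        "opening_total": sum(opening.values()),
        "batch_value": sum(inv.amount for inv in batch),
        "closing_total": sum(closing.values()),
    }
    # Run-to-run check: opening file total + batch value must equal the closing file total.
    run_to_run["agreed"] = (
        run_to_run["opening_total"] + run_to_run["batch_value"] == run_to_run["closing_total"]
    )
    return closing, run_to_run


def exception_report(client_closing, simulated_closing):
    """Compare the client's output file with the simulation, account by account."""
    accounts = sorted(set(client_closing) | set(simulated_closing))
    return [
        (acct, client_closing.get(acct), simulated_closing.get(acct))
        for acct in accounts
        if client_closing.get(acct) != simulated_closing.get(acct)
    ]


# Constructed output from the client's own program, with one balance deliberately wrong
# so that the exception report has something to show (hypothetical).
CLIENT_OUTPUT = {40012: 24_750, 40017: 3_000, 40023: 20_000}


def audit_run():
    """Run the input controls and the simulation over the constructed batch; return the findings."""
    findings = {"input_problems": input_controls(BATCH, MANUAL_CONTROLS)}
    simulated, run_to_run = simulate_update(OPENING, BATCH)
    findings["run_to_run"] = run_to_run
    findings["exceptions"] = exception_report(CLIENT_OUTPUT, simulated)
    return findings


if __name__ == "__main__":
    for key, val in audit_run().items():
        print(key, val)
```

Amounts are held in cents as integers so that every control total is exact; a floating-point ledger would make totals disagree by rounding alone and bury genuine exceptions in noise. Dropping one invoice from BATCH makes all three batch totals and the sequence check fail at once, which is the point of running several independent controls over the same batch.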