MODULE H
Information Systems Auditing
LEARNING OBJECTIVES, with the related Review Checkpoints and Exercises, Problems and Simulations:
1 List and describe the general and application controls in a computerized information system. Review Checkpoints: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13. Exercises, Problems and Simulations: 52, 53, 54, 55, 57, 58, 59, 60, 61, 62, 66.
2 Explain the difference between auditing around the computer and auditing through the computer. Review Checkpoints: 14, 15, 16. Exercises, Problems and Simulations: 51, 65.
3 List several techniques auditors can use to perform tests of controls in a computerized information system. Review Checkpoints: 17, 18, 19, 20, 21. Exercises, Problems and Simulations: 64.
4 Describe the characteristics and control issues associated with end-user and other computing environments. Review Checkpoints: 22, 23, 24, 25. Exercises, Problems and Simulations: 63.
5 Define and describe computer fraud and the controls that an entity can use to prevent it. Review Checkpoints: 26, 27, 28, 29, 30. Exercises, Problems and Simulations: 56.
SOLUTIONS FOR REVIEW CHECKPOINTS
H.1 Given its extensive use, auditors must consider clients’ computerized information systems technology. All auditors should have sufficient familiarity with computers, computerized information systems, and computer controls to be able to complete the audit of simple systems and to work with information system auditors. More importantly, auditors must assess the control risk (and the risk of material misstatement) regardless of the technology used for preparing the financial statements. In a computerized processing environment, auditors must study and test information technology general and application controls.
H.2 COBIT (which stands for Control Objectives for Information and Related Technology) represents a set of best practices for information technology management that has achieved general acceptance as the internal control framework for information technology. COBIT’s basic principle is:
To provide the information the enterprise requires to achieve its objectives, the enterprise needs to invest in and manage and control IT resources using a structured set of processes to provide the services that deliver the required enterprise information.
H.3 The four domains of COBIT (along with a brief description of each) are:
1 Plan and Organize: Summarizes how information and technology can be used within an entity to best achieve its goals and objectives.
2 Acquire and Implement: Focuses on identifying the related IT requirements, acquiring the necessary technology, and implementing the technology within the entity’s business processes.
3 Deliver and Support: Focuses on the execution of applications within the IT system.
4 Monitor and Evaluate: Considers whether the IT system continues to meet the entity’s objectives.
H.4 ITGC (information technology general controls) apply to all applications of a computerized information system, while ITAC (information technology application controls) apply to specific business activities within a computerized information system. Thus, ITGC operate at an overall entity level and ITAC operate at a transaction level.
H.5 The five major categories of ITGC are:
1 Hardware controls: Provide reasonable assurance that data are not altered or modified as they are transmitted within the system.
2 Program development: Provide reasonable assurance that (1) acquisition or development of programs and software is properly authorized, conducted in accordance with entity policies, and supports the entity’s financial reporting requirements; (2) appropriate users participate in the software acquisition or program development process; (3) programs and software are tested and validated prior to being placed into operation; and (4) all software and programs have appropriate documentation.
3 Program changes: Provide reasonable assurance that modifications to existing programs (1) are properly authorized, conducted in accordance with entity policies, and support the entity’s financial reporting requirements; (2) involve appropriate users in the program modification process; (3) are tested and validated prior to being placed into operation; and (4) have been appropriately documented.
4 Computer operations: Provide reasonable assurance that the processing of transactions through the computerized information system is in accordance with the entity’s objectives and that actions are taken to facilitate the backup and recovery of important data when the need arises.
5 Access to programs and data: Provide reasonable assurance that access to programs and data is only granted to authorized users.
H.6 Auditors are not expected to be computer technicians with respect to hardware controls, but they should be familiar with the terminology and the way these controls operate. This will allow auditors to identify potential issues related to these controls and converse knowledgeably with the entity’s computer personnel. If hardware controls fail, auditors should be primarily concerned with operator procedures in response to this failure.
H.7 The Systems Development Life Cycle (SDLC) is the process through which the entity plans, develops, and implements new computerized information systems or databases.
The SDLC includes the following controls related to program development and changes:
• Ensuring that software acquisition and program development efforts are consistent with the entity’s needs and objectives
• Following established entity policies and procedures for acquiring or developing software or programs
• Involving users in the design of programs, selection of prepackaged software and programs, and testing of programs
• Testing and validating new programs and developing proper implementation and “back out” plans prior to placing the programs into operation
• Ensuring that data are converted completely and accurately for use in the new systems
• Ensuring that consistent processes are followed and the most recent version of programs is implemented
• Considering application controls that should be incorporated within the system to facilitate the accurate processing of data and transactions
• Periodically reviewing entity policies and procedures for acquiring and developing software or programs for continued appropriateness and modifying these policies and procedures, as necessary
H.8 The primary duties associated with various functions related to computerized information systems are:
• Systems Analyst: Analyzes requirements for information, evaluates the existing system, and designs new or improved computerized information systems.
• Programmer: Flowcharts and codes the logic of the computer programs required by the computerized information system designed by the systems analyst.
• Computer Operator: Operates the computer for each accounting application system according to written operating procedures found in the computer operation instructions.
• Data Conversion Operator: Prepares data for machine processing by converting manual data into machine-readable form or directly entering transactions into the system using remote terminals.
• Librarian: Maintains control over (1) system and program documentation and (2) data files and programs used in processing transactions.
• Control Group: The control group receives input from user departments, logs the input and transfers it to data conversion, reviews documentation sequence numbers, reviews and processes error messages, monitors actual processing, compares control totals to computer output, and distributes output.
Separation of the duties performed by systems analysts, programmers, and computer operators is important. The general idea is that anyone who designs a computerized information system should not perform the technical programming work, and anyone who performs either of these tasks should not be the computer operator when “live” data are processed. Persons performing each function should not have access to each other’s work, and only the computer operators should have access to the equipment.
H.9 ITGC are important in the auditors’ evaluation of internal control and assessment of control risk (and the risk of material misstatement) because they are pervasive and the effectiveness of application controls relies heavily on the effectiveness of ITGC.
H.10 The objective of input controls is to provide reasonable assurance that data received for processing by the computer department have been properly authorized and accurately entered and converted for processing.
H.11 Record counts are tallies of the number of transaction documents submitted for data conversion. These counts allow situations in which transactions may not have been input or may have been input more than once to be identified.
Batch totals are mathematical totals of an important quantity or amount, such as the total of sales dollars in a batch of invoices. Batch totals allow the following types of input errors to be detected: (1) input error for the wrong amount; (2) transactions have not been input; and (3) transactions have been input more than once.
Hash totals are mathematical totals of a quantity or amount that has no arithmetic meaning in itself, such as the total of all invoice numbers. Like batch totals, hash totals allow the following types of input errors to be detected: (1) an input error in the field being totaled (for example, a mis-keyed or transposed invoice number, which a batch total of dollar amounts would not reveal); (2) transactions have not been input; and (3) transactions have been input more than once.
H.12 The objective of processing controls is to provide reasonable assurance that data processing has been performed accurately, without any omission or duplication of transactions. Examples of processing controls include:
• Run-to-run totals: Totals such as record counts, batch totals, and/or hash totals obtained at the end of one processing run are carried forward to the next run and compared to corresponding totals produced at the end of the second run.
• Control total reports: Control totals, such as record counts, batch totals, hash totals, and run-to-run totals, can be calculated during processing and reconciled to input totals or totals from earlier processing runs.
• File and operator controls: External and internal labels ensure that the proper files are used in applications.
• Limit and reasonableness tests: These tests should be programmed to ensure that illogical conditions do not occur (for example, depreciating an asset below zero or calculating a negative inventory quantity).
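The batch-level controls of H.11 and the run-to-run comparison of H.12 can be seen working on a small batch. The following is an added example written for this page, not code from the textbook; the invoice numbers and amounts are constructed, and the five "as entered" variants are made up to show which control catches which keying error.

```python
# Added example (not from the textbook): computing and reconciling the batch
# input controls described in H.11 and H.12 over a constructed batch of sales
# invoices. Invoice numbers and amounts are made up.
from decimal import Decimal


def control_totals(batch):
    """Return (record count, batch total, hash total) for a batch of
    (invoice_number, amount) pairs.

    record count : number of documents in the batch
    batch total  : sum of a meaningful amount (sales dollars)
    hash total   : sum of a field with no arithmetic meaning (invoice numbers)
    """
    record_count = len(batch)
    batch_total = sum((amount for _, amount in batch), Decimal("0"))
    hash_total = sum(int(invoice_no) for invoice_no, _ in batch)
    return record_count, batch_total, hash_total


def reconcile(expected, actual):
    """Compare totals established by the user department before submission
    (expected) with totals recomputed after data conversion (actual).
    Returns the list of control exceptions; an empty list means the batch
    reconciles."""
    names = ("record count", "batch total", "hash total")
    return [f"{name}: expected {exp}, got {act}"
            for name, exp, act in zip(names, expected, actual)
            if exp != act]


def run_to_run(totals_out_of_previous_run, totals_into_next_run):
    """Run-to-run control: the totals carried out of one processing run must
    equal the totals read in at the start of the next run. Same comparison
    as reconcile(), applied between runs instead of at input."""
    return reconcile(totals_out_of_previous_run, totals_into_next_run)


# Constructed batch as logged by the control group before data conversion.
SUBMITTED = [
    ("10041", Decimal("120.00")),
    ("10042", Decimal("75.50")),
    ("10043", Decimal("310.25")),
    ("10044", Decimal("42.00")),
]
EXPECTED_TOTALS = control_totals(SUBMITTED)   # (4, 547.75, 40170)

# Constructed versions of the same batch as it might come back from data entry.
AS_ENTERED = {
    "clean": list(SUBMITTED),
    "dropped record": SUBMITTED[:3],                       # 10044 never keyed
    "duplicate record": SUBMITTED + [SUBMITTED[1]],        # 10042 keyed twice
    "wrong amount": [SUBMITTED[0], ("10042", Decimal("57.50"))] + SUBMITTED[2:],
    "mis-keyed number": [SUBMITTED[0], SUBMITTED[1],
                         ("10034", Decimal("310.25")), SUBMITTED[3]],
}


def input_exceptions(as_entered):
    """Exceptions raised by the input controls for each constructed batch."""
    return {label: reconcile(EXPECTED_TOTALS, control_totals(batch))
            for label, batch in as_entered.items()}


if __name__ == "__main__":
    for label, exceptions in input_exceptions(AS_ENTERED).items():
        print(f"{label:18s} -> {exceptions or 'reconciles'}")
```

Running it shows the division of labour among the three totals: a dropped or duplicated record trips all three; a wrong dollar amount is caught only by the batch total (the count and the invoice-number hash are unchanged); a transposed invoice number is caught only by the hash total (the count and the dollar total are unchanged). A control group that reconciles just one of the totals leaves the other error class undetected.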
H.13 The objective of output controls is to ensure that only authorized persons receive output or have access to files produced by the system. Some common output controls include:
• Control total reports: Compare control totals to input and run-to-run control totals produced during transaction processing.
• Master file changes: Any changes to master file information should be properly authorized by the entity and reported in detail to the user department from which the request for change originated.
• Output distribution: Systems output should only be distributed to persons authorized to receive the output.
H.14 The major steps in the auditors’ assessment of control risk in a computerized processing environment include:
• Identify specific control objectives based on the types of misstatements that can occur in significant accounting applications
• Identify the points in the flow of transactions where specific types of misstatements could occur
• Identify specific control procedures designed to prevent or detect these misstatements
• Evaluate the design of control procedures to determine whether the design suggests a low control risk and whether tests of controls might be cost-effective
• Perform tests of the operating effectiveness of control procedures designed to prevent or detect misstatements (assuming it is cost-effective to do so)
H.15 The following are points in the processing of transactions at which misstatements may be introduced because of the use of computerized processing:
1 Preparation of source data for input
2 Manual summary of data (preparation of batch totals and hash totals)
3 Conversion of source data into computer-readable form
4 Use of incorrect input files in processing
5 Transfer of information from one computer program to another
6 Use of incorrect computer files in processing transactions
7 Inappropriate initiation of transactions by the computer
8 Creation of output files or update of master files
9 Changes to master files outside the normal flow of transactions within each cycle through file maintenance procedures
10 Production of output reports or files
11 Correction of errors identified by control procedures
H.16 Auditing “through the computer” refers to making use of the computer itself to test the operating effectiveness of application controls in the program used to process transactions. When auditing “around the computer”, auditors are only concerned with the correspondence of the input with the output and do not specifically evaluate the effectiveness of the client’s computer controls.
H.17 Audit hooks: Client or auditors can select specific transactions of audit/control interest.
Tagging transactions: Auditors or client select and “tag” transactions to capture a computer trail of the transaction.
SCARF (systems control audit review file): Program that selects transactions according to auditors’ or client’s criteria (e.g., a reasonableness limit).
SARF (sample audit review file): Program that randomly selects transactions for review.
Snapshot: Taking a “picture” of main memory of transactions and database elements before and after computerized processing.
Monitoring systems activity: Computerized information system capture of activity records, such as all passwords used during a period.
Extended records: Expanding the transaction record itself to include computer trail information, such as snapshot information before and after processing.
H.18 The test data technique uses simulated transactions created by auditors that are processed by the client’s actual programs at a different time from the processing of actual client transactions. The integrated test facility technique is an extension of the test data technique, but simulated transactions for a “dummy” department or division are intermingled with the actual client transactions and processed along with actual client transactions.
H.19 It is true that fictitious (fake) transactions are not used by auditors when the information processing system is manual, but in a manual system, documentary evidence is available for visual examination to audit a client’s control activities. New techniques are necessary to gather evidence and evaluate controls with computer programs. The client should be advised of the nature of the test data or integrated test facility and these procedures must be carefully controlled to prevent contamination of actual client files.
H.20 Both test data and parallel simulation are audit procedures that use the computer to test computer controls. The basic difference is that the test data procedure uses the client’s program with auditor-created transactions, while parallel simulation uses an auditor-created program with actual client transactions. In the test data procedure, the results from the client program are compared to auditors’ predetermined results to determine whether the controls operate as intended. In the parallel simulation procedure, the results from the auditors’ program are compared to the results from the client’s program to determine whether the controls operate as intended.
H.21 Controlled reprocessing is another method of obtaining evidence regarding the operating effectiveness of the client’s computer controls through parallel simulation. In controlled reprocessing, auditors create the “simulated system” by performing a thorough technical audit of the controls in the client’s actual program, then maintain a copy of this program. Actual client data can later be processed using this copy of the client’s program.
H.22 In an end-user environment, limited resources may result in a lack of separation of duties in the accounting function (initiate and authorize source documents, enter data, operate the computer, and distribute output) and computer functions (programming and computer operations).
H.23 Major characteristics in end-user computing environments include:
• Terminals are used for transaction data entry, inquiry, and other interactive functions
• Purchased software packages are used extensively
• Portable storage devices (compact disks (CDs) and Universal Serial Bus (USB) drives) are used for file storage
• Available system, program, operation, and user documentation is often limited or does not exist
Control problems in end-user computing environments include:
• Lack of separation of duties, both in accounting functions and computer functions
• Lack of physical security over computer hardware, programs, and data files
• Lack of documentation and testing
• Limited computer knowledge
H.24 Control procedures an entity can use to achieve control over computer operations in an end-user computing environment include:
• Restricting access to input devices
• Standard screens and computer prompting
• On-line editing and sight verification
H.25 Control procedures an entity can use to achieve control over computerized in an end-user computing
H.26 Five things used to facilitate computer fraud are (1) the computer, (2) data files, (3) computer programs, (4) system information (documentation), and (5) time and opportunity to convert the assets to personal use.
H.27 Physical controls that can be used to protect computerized information systems from fraud include:
• Inconspicuous location
• Controlled access
• Computer room guard (after hours)
• Computer room entry log record
• Preprinted limits on documents
• Data backup storage
H.28 Technical controls that can be used to protect computerized information systems from fraud include:
• Data encryption
• Access control software and passwords
• Transaction logging reports
• Control totals (both batch totals and hash totals)
• Program source comparison
• Range checks on permitted transaction amounts
• Reasonableness check on permitted transaction amounts
H.29 Administrative controls that can be used to protect computerized information systems from fraud include:
• Security checks on personnel
• Separation of duties
• Proper review of access and execution log records
• Program testing after modification
• Rotation of computer duties
• Transaction limit amounts
H.30 Methods of limiting damages resulting from computer fraud (through damage-limiting controls) include:
• Rotation of computer duties
• Transaction limit amounts
• Range checks on permitted transaction amounts
• Preprinted limits on documents (e.g., checks)
• Data backup storage
• Reasonableness check on permitted transaction amounts
SOLUTIONS FOR MULTIPLE-CHOICE QUESTIONS
H.31 a. Incorrect. This is a software function.
b. Incorrect. This is a programmer function.
c. Incorrect. This is an input control function.
d. Correct. This is an automated hardware function.
H.32 a. Correct. A payroll processing program is an example of user software.
b. Incorrect. The operating system program is an example of a system program.
c. Incorrect. Data management system software is an example of a system program.
d. Incorrect. Utility programs are examples of system programs.
H.33 a. Incorrect. The computer librarian is the appropriate person to maintain these files, since this individual has no access to the computer.
b. Correct. Computer operators should not have access to instructions and detailed program lists, since they would then have enough knowledge to alter programs and run those programs.
c. Incorrect. The control group is appropriate for distributing output, since they do not have access to programs and the computer.
d. Incorrect. Programmers are the appropriate individuals to write and debug programs, since they have no access to data.
H.34 a. Incorrect. Employee intelligence is not necessarily greater in a computerized environment.
b. Incorrect. Due to the limitations of computer evidence (it may only exist for a very brief time), auditors should audit the computerized information system throughout the year.
c. Incorrect. Large dollar amounts are not unique to a computerized environment.
d. Correct. Due to the accessibility of a large number of computer terminals, employees have greater access to computerized information systems and computer resources in a computerized environment.
H.35 a. Incorrect. Control totals detect input and processing errors.
b. Incorrect. Record counts are used to ensure that all transactions are entered once, and only once.
c. Incorrect. Limit tests identify items larger than expected during input or processing.
d. Correct. External labels reduce the likelihood that operators will use the incorrect file.
H.36 a. Incorrect. Copies of client data files for controlled reprocessing should be obtained from the client, not extracted using CAATs.
b. Correct. CAATs can be used to create a parallel simulation to test the client’s computer controls.
c. Incorrect. CAATs are not designed to perform tests of a client’s hardware controls.
d. Incorrect. Attempting to enter false passwords is the best way to test the operating effectiveness of a client’s password access control, not the use of CAATs.
H.37 a. Correct. It may be appropriate to audit simple systems without testing computer programs; essentially, the client is using this system in a manner similar to a calculator.
b. Incorrect. The impact of computerized processing on master files would require the computer programs to be tested.
c. Incorrect. Auditors cannot audit “around the computer” when limited output is available.
d. Incorrect. See (b) and (c).
H.38 a. Incorrect. Condensing data would not necessarily result in a more efficient audit.
b. Correct. Abnormal conditions inform auditors of potential issues and allow them to focus their efforts on these issues.
c. Incorrect. Reduced tests of controls would depend upon the content of the exception reports (i.e., the number of exceptions), not the existence of these reports.
d. Incorrect. Exception reporting is an example of an output control, not an input control.
H.39 a. Incorrect. The use of test data evaluates computer controls, not input data.
b. Incorrect. Machine capacity can be evaluated by reference to the manufacturer’s specifications.
c. Correct. Test data are used to examine the operating effectiveness of computer control procedures.
d. Incorrect. Test data provide evidence on specific application control procedures, not information technology general controls.
H.40 d. Correct. In a computerized processing environment, a sample of one transaction is sufficient because the computer handles all transactions identically.
H.41 NOTE TO INSTRUCTOR: Since this question asks students to identify the statement that is not true, the response labeled “correct” is not true and those labeled “incorrect” are true.
a. Incorrect. The test data approach does test the client’s computer programs.
b. Incorrect. Test data need to include only the transactions that test control procedures auditors believe to be important.
c. Correct. Test data need to include only the transactions that test control procedures auditors believe to be important.
d. Incorrect. One of each deviation condition is sufficient, because the computer handles each transaction in an identical manner.
H.42 a. Incorrect. Auditors may submit test data at several different times to gain additional assurance on the processing of transactions.
b. Incorrect. Manually comparing detail transactions to the program’s actual error messages is a way of verifying the operation of computer control procedures.
c. Incorrect. Comparing transactions processed through a separate program to those processed through the client’s program is a form of parallel simulation and will test the operation of computer controls.
d. Correct. This is an example of auditing “around the computer” and will not test the operation of computer control procedures.
H.43 a. Incorrect. Writing a computer program that simulates the logic of a good password control system does not test the actual system.
b. Incorrect. A test of proper authorization is not a test of actual access to the system.
c. Correct. Attempting to sign onto the computer system with a false password is similar to a test data approach. Several different types of false passwords might need to be used.
d. Incorrect. Written representations are not a direct or reliable form of evidence on a detailed matter such as password controls.
H.44 a. Incorrect. Inquiries produce a relatively weak form of evidence.
b. Incorrect. Observation is not relevant to the performance of computer controls.
c. Correct. This method will test computer controls since it compares known input with computer output.
d. Incorrect. The run manual provides information to the computer operator and does not allow auditors to test computer controls.
H.45 a. Incorrect. Computers do not make mathematical errors.
b. Correct. When personal computers are used, it is easier for unauthorized persons to access the computer and alter data files.
c. Incorrect. Transaction coding prior to computerized processing is necessary and an advantage to an entity.
d. Incorrect. The rarity of random errors in report printing is an advantage, not a disadvantage.
H.46 a. Incorrect. Batch processing involves delays in processing transactions.
b. Correct. Real-time processing handles transactions as they occur and does not have the delays associated with batch processing.
c. Incorrect. Integrated data processing refers to situations in which multiple users access elements in a database and is not concerned with the timeliness of processing transactions.
d. Incorrect. Random access processing refers to the use of disk files versus tape files and is not concerned with the timeliness of processing transactions.
H.47 NOTE TO INSTRUCTOR: Since this question asks students to identify the statement that is not a characteristic of a batch processing system, the response labeled “correct” is not a characteristic of a batch processing system and those labeled “incorrect” are characteristics of a batch processing system.
a. Incorrect. In a batch processing system, all transactions are processed at a single time.
b. Incorrect. This is a characteristic of batch processing systems.
c. Incorrect. Batch processing systems produce printouts and reports as the transactions are processed through the system.
d. Correct. This characteristic describes a real-time processing system.
H.48 a. Correct. Check digits are algorithms embedded in the input program that detect a mis-keyed character (for example, a transposed account number) before the transaction is accepted.
b. Incorrect. Record counts involve totaling the number of items input. In this case, the correct number of transactions would be input, so a record count would not detect the error.
c. Incorrect. Hash totals involve a number of transactions, not single transactions.
d. Incorrect. A redundant data check is a hardware control to make sure that computers properly communicate with each other.
H.49 a. Incorrect. Sequence checking tests the input data for numerical sequence of documents when sequence is important for processing, as in batch processing. This control does little to address transaction accuracy.
b. Correct. Batch totals sum dollar amounts of items that have numerical significance (such as inventory data). These totals will address the completeness and accuracy of data input.
c. Incorrect. Limit checks are input controls that prevent numbers outside of a specified range from being incorrectly input. These controls might address accuracy, but not completeness.
d. Incorrect. Check digits are algorithms embedded in the input program that detect mis-keyed characters, but provide little assurance that data are completely entered.
H.50 a. Incorrect. Programmers code the logic in the computer program.
b. Incorrect. Data conversion operators prepare data for computerized processing.
c. Correct. The librarian controls access to systems documentation and access to program and data files.
d. Incorrect. Computer operators operate the computer for each application according to written operating procedures found in the computer operation instructions.
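H.48 and H.49 treat the check digit as an input control on a single transaction. The following is an added example written for this page, not code from the textbook. The textbook names no particular algorithm; this uses the Luhn (mod 10) scheme as one common choice, and the account numbers and keying errors are constructed.

```python
# Added example (not from the textbook): a check digit of the kind referred to
# in H.48 and H.49. The textbook names no particular algorithm; this uses the
# Luhn (mod 10) scheme as one common choice, applied to constructed customer
# account numbers.


def luhn_check_digit(body: str) -> str:
    """Compute the Luhn check digit to append to a string of digits.
    Working from the right, every second digit (starting with the rightmost
    body digit) is doubled and 9 is subtracted from any result above 9; the
    check digit is whatever brings the total to a multiple of 10."""
    if not body.isdigit():
        raise ValueError("account number body must be numeric")
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Input control: an identifier passes only if its last digit equals the
    check digit computed over the digits before it."""
    return (len(number) >= 2 and number.isdigit()
            and number[-1] == luhn_check_digit(number[:-1]))


def screen_input(account_numbers):
    """Return the account numbers that fail the check digit test. These should
    be rejected at input and corrected, not passed on to processing."""
    return [n for n in account_numbers if not luhn_valid(n)]


# Constructed account numbers: the first is valid, the rest are typical
# keying errors (single wrong digit, adjacent transposition, dropped digit).
CORRECT = "7992739871" + luhn_check_digit("7992739871")   # 79927398713
KEYED = [
    CORRECT,
    "79927398723",   # one digit mis-keyed (1 -> 2)
    "79927398173",   # adjacent digits transposed (71 -> 17)
    "7992739873",    # a digit dropped
]

if __name__ == "__main__":
    print("rejected at input:", screen_input(KEYED))
```

This is why the answer to H.48 is the check digit rather than the record count: each of the three erroneous items is still one record, so the count is unchanged, but the arithmetic relationship between the body digits and the final digit is broken and the item is rejected before it reaches processing. One caveat on the chosen scheme: Luhn catches every single-digit error and all adjacent transpositions except 09 and 90, so a stronger scheme (or a second control such as a hash total on the batch) is needed where that gap matters.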
SOLUTIONS FOR EXERCISES, PROBLEMS AND SIMULATIONS
H.51 Auditing “around” versus Auditing “through” Computers
a. Auditing “around” the computer generally refers to auditors reconciling inputs to processing results. Little or no attempt is made to audit the computer controls, programs, or procedures employed by the computer to process the data. This audit approach is based on the premise that the method of processing data is irrelevant as long as the results can be traced back to the input of data and the input can be validated. If the sample of transactions has been handled correctly, then the system outputs can be considered to be correct within a satisfactory degree of confidence.
b. Auditors would decide to audit “through” the computer instead of “around” the computer when (1) the computer applications are complex or (2) audit trails become partly obscured and external evidence is not available. Auditing “around” the computer would be inappropriate and inefficient when the major portion of the client’s internal controls are embodied in the computer system and when accounting information is intermixed with operating information in a computer program that is too complex to permit the ready identification of data inputs and outputs. Auditing “around” the computer will also be ineffective if the sample of transactions selected does not include unusual transactions that require special treatment.
c. (1) Test data are a set of data representing a full range of simulated transactions, some of which may be erroneous, to test the effectiveness of the computer controls and to ascertain how transactions would be handled (accepted or rejected) and, if accepted, the effect they would have on the accumulated accounting data.
(2) Auditors may use test data to gain a better understanding of what the computerized information system does, and to check its conformity to desired objectives. Test data may be used to test the processing accuracy by comparing computer results with results predetermined manually. Test data may also be used to determine whether errors can occur without observation and thus test the system’s ability to detect noncompliance with prescribed procedures and methods.
d. To ensure that the auditors are using the client’s actual computer programs, they can either request the program from the librarian on a surprise basis or request access to the program immediately following the client’s use of the program to process transactions.
H.52 Computer Internal Control Questionnaire Evaluation
Does access to online files require specific passwords to be entered to identify and validate the terminal user? If not: unauthorized access may be obtained to programs or data, resulting in the loss of assets or other entity resources through theft or fraud.
Does the user establish control totals prior to submitting data for processing? If not: sales transactions may be lost in data conversion or processing, or errors may be made in data conversion or processing without detection.
Are input totals reconciled to output control totals? If not: control totals are not useful unless they are reconciled to equivalent totals determined following processing. As a result, auditors would fail to detect errors made in the input or processing of data.
H.53 Batch versus Real-Time Processing
a. When using batch processing, a group of similar transactions is processed simultaneously, using the same program. In contrast, real-time processing involves processing transactions as they occur without delay.
Batch processing is more likely to be used in situations where transactions occur at periodic and infrequent intervals (such as payroll transactions). Real-time processing is more likely to be used in situations where transactions occur frequently and more immediate processing is necessary (such as sales made to the entity’s customers).
b. With respect to input controls, both methods of processing allow for controls related to individual transactions to be implemented, such as the use of check digits, valid character tests, valid sign tests, sequence tests, limit and reasonableness tests, and error correction and resubmission. However, because transactions are not collected (or “batched”) in a real-time processing environment, the use of record counts, batch totals, and hash totals is not possible. The collection of transactions in a batch processing system allows these types of controls to be used.
H.54 File Retention and Backup
a. A grandfather-father-son file retention policy involves retaining two predecessor master and transaction files as backup for the current file. This provides a method for reconstructing the files in the event of accidental destruction of a file used during processing.
b. Retaining two generations of backup files generally provides adequate protection. An additional generation might be maintained if the file is crucial or if there is a high rate of file destruction. If all files are stored together, they are vulnerable to loss through a common catastrophe, such as fire, theft or a malicious act. For this reason it is desirable that at least one generation of backup files be maintained in a separate location that is well protected from environmental hazards such as fire or magnetic interference. Access to both storage areas should be limited, and the librarian function should be specifically assigned.
H.55 Separation of Duties and General Control Procedures
a. The primary internal control objectives in separating the programming and operating functions are achieved by: (1) preventing programmer access to the computer or to input or output documents; (2) preventing operator access to operating programs and operating program documentation; and (3) preventing operators from developing or modifying programs.
Programmers should not be allowed in the computer room during processing. They should submit their tests to be scheduled and run by the operators as any other job.
Operators should not be allowed to interfere with the running of any program. If an application fails, the operators should not be allowed to attempt to fix the programs. The failed application should be returned to the programmers for correction.
b. In a small computer installation where there are few employees, separation of the programming and operating functions may not be possible (as in an end-user computing environment).
Important compensating controls for the lack of segregation of duties include: