
Chapter 17—IT Controls Part III: Systems Development, Program Changes, and Application Controls

TRUE/FALSE

1. Programs in their compiled state are very susceptible to the threat of unauthorized modification.

ANS: F

2. Maintenance access to systems increases the risk that logic will be corrupted either by accident or intent to defraud.

ANS: T

3. Source program library controls should prevent and detect unauthorized access to application programs.

ANS: T

4. A check digit is a method of detecting data coding errors.

ANS: T

5. Input controls are intended to detect errors in transaction data after processing.

ANS: F

6. A header label is an internal, machine-readable label.

ANS: T

7. The user test and acceptance procedure is the last point at which the user can determine the system's acceptability prior to it going into service.

ANS: T

8. A run-to-run control is an example of an output control.

ANS: F

9. Shredding computer printouts is an example of an output control.

ANS: T

10. In a CBIS environment, all input controls are implemented after data is input.

ANS: F

11. Achieving batch control objectives requires grouping similar types of input transactions (such as sales orders) together in batches and then controlling the batches throughout data processing.

ANS: T

12. The "white box" tests of program controls are also known as auditing through the computer.

ANS: T

13. The presence of a SPLMS effectively guarantees program integrity.

ANS: F

14. When using the test data method, the presence of multiple error messages indicates a flaw in the preparation of test transactions.

ANS: F

15. The Base Case System Evaluation is a variation of the test data method.

ANS: T

16. Tracing is a method used to verify the logical operations executed by a computer application.

ANS: T

17. Generalized audit software packages are used to assist the auditor in performing substantive tests.

ANS: T

18. The results of a parallel simulation are compared to the results of a production run in order to judge the quality of the application processes and controls.

ANS: T

19. Firms with an independent internal audit staff may conduct tests of the system development life cycle on an ongoing basis.

ANS: T

20. The programmer's authority table will specify the libraries a programmer may access.

ANS: T

21. Use of the integrated test facility poses no threat to organizational data files.

ANS: F

MULTIPLE CHOICE

1. Which statement is not correct? The audit trail in a computerized environment
a. consists of records that are stored sequentially in an audit file
b. traces transactions from their source to their final disposition
c. is a function of the quality and integrity of the application programs
d. may take the form of pointers, indexes, and embedded keys

ANS: A

2. Which control is not associated with new systems development activities?
a. reconciling program version numbers
b. program testing
c. user involvement
d. internal audit participation

ANS: A

3. Routine maintenance activities require all of the following controls except
a. documentation updates
b. testing
c. formal authorization
d. internal audit approval

ANS: D

4. Which statement is correct?
a. compiled programs are very susceptible to unauthorized modification
b. the source program library stores application programs in source code form
c. modifications are made to programs in machine code language
d. the source program library management system increases operating efficiency

ANS:

5. Which control is not a part of the source program library management system?
a. using passwords to limit access to application programs
b. assigning a test name to all programs undergoing maintenance
c. combining access to the development and maintenance test libraries
d. assigning version numbers to programs to record program modifications

ANS:

6. Which control ensures that production files cannot be accessed without specific permission?
a. Database Management System
b. Recovery Operations Function
c. Source Program Library Management System
d. Computer Services Function

ANS:

7. Program testing
a. involves individual modules only, not the full system
b. requires creation of meaningful test data
c. need not be repeated once the system is implemented
d. is primarily concerned with usability

ANS:

8. The correct purchase order number, 123456, was incorrectly recorded as shown in the solutions. All of the following are transcription errors except
a. 1234567
b. 12345
c. 124356
d. 123454

ANS:

9. Which of the following is correct?
a. check digits should be used for all data codes
b. check digits are always placed at the end of a data code
c. check digits do not affect processing efficiency
d. check digits are designed to detect transcription and transposition errors

ANS: D

10. Which statement is not correct? The goal of batch controls is to ensure that during processing
a. transactions are not omitted
b. transactions are not added
c. transactions are free from clerical errors
d. an audit trail is created

ANS:

11. An example of a hash total is
a. total payroll checks - $12,315
b. total number of employees - 10
c. sum of the social security numbers - 12,555,437,251
d. none of the above

ANS:

12. Which statement is not true? A batch control record
a. contains a transaction code
b. records the record count
c. contains a hash total
d. control figures in the record may be adjusted during processing
e. All the above are true

ANS:

13. Which of the following is not an example of a processing control?
a. hash total.
b. record count.
c. batch total.
d. check digit

ANS: D

14. Which of the following is an example of input control test?
a. sequence check
b. zero value check
c. spooling check
d. range check

ANS: D

15. Which input control check would detect a payment made to a nonexistent vendor?
a. missing data check
b. numeric/alphabetic check
c. range check
d. validity check

ANS: D

16. The employee entered "40" in the "hours worked per day" field. Which check would detect this unintentional error?
a. numeric/alphabetic data check
b. sign check
c. limit check
d. missing data check

ANS:

17. An inventory record indicates that 12 items of a specific product are on hand. A customer purchased two of the items, but when recording the order, the data entry clerk mistakenly entered 20 items sold. Which check could detect this error?
a. numeric/alphabetic data checks
b. limit check
c. range check
d. reasonableness check

ANS:

18. Which check is not an input control?
a. reasonableness check
b. validity check.
c. spooling check
d. missing data check

ANS:

19. A computer operator was in a hurry and accidentally used the wrong master file to process a transaction file. As a result, the accounts receivable master file was erased. Which control would prevent this from happening?
a. header label check
b. expiration date check
c. version check
d. validity check

ANS: A

20. Run-to-run control totals can be used for all of the following except
a. to ensure that all data input is validated
b. to ensure that only transactions of a similar type are being processed
c. to ensure the records are in sequence and are not missing
d. to ensure that no transaction is omitted

ANS: A

21. Methods used to maintain an audit trail in a computerized environment include all of the following except
a. transaction logs
b. Transaction Listings.
c. data encryption
d. log of automatic transactions

ANS:

22. Risk exposures associated with creating an output file as an intermediate step in the printing process (spooling) include all of the following actions by a computer criminal except
a. gaining access to the output file and changing critical data values
b. using a remote printer and incurring operating inefficiencies
c. making a copy of the output file and using the copy to produce illegal output reports
d. printing an extra hardcopy of the output file

ANS:

23. Which statement is not correct?
a. only successful transactions are recorded on a transaction log
b. unsuccessful transactions are recorded in an error file
c. a transaction log is a temporary file
d. a hardcopy transaction listing is provided to users

ANS:

24. Input controls include all of the following except
a. check digits
b. Limit check.
c. spooling check
d. missing data check

ANS:

25. Which of the following is an example of an input error correction technique?
a. immediate correction
b. rejection of batch
c. creation of error file
d. all are examples of input error correction techniques

ANS: D

26. Which test of controls will provide evidence that the system as originally implemented was free from material errors and free from fraud? Review of the documentation indicates that
a. a cost-benefit analysis was conducted
b. the detailed design was an appropriate solution to the user's problem
c. tests were conducted at the individual module and total system levels prior to implementation
d. problems detected during the conversion period were corrected in the maintenance phase

ANS:

27. Which statement is not true?
a. An audit objective for systems maintenance is to detect unauthorized access to application databases.
b. An audit objective for systems maintenance is to ensure that applications are free from errors.
c. An audit objective for systems maintenance is to verify that user requests for maintenance reconcile to program version numbers.
d. An audit objective for systems maintenance is to ensure that the production libraries are protected from unauthorized access.

ANS: A

28. When the auditor reconciles the program version numbers, which audit objective is being tested?
a. protect applications from unauthorized changes
b. ensure applications are free from error
c. protect production libraries from unauthorized access
d. ensure incompatible functions have been identified and segregated

ANS: A

29. When auditors do not rely on a detailed knowledge of the application's internal logic, they are performing
a. black box tests of program controls
b. white box tests of program controls
c. substantive testing
d. intuitive testing

ANS: A

30. All of the following concepts are associated with the black box approach to auditing computer applications except
a. the application need not be removed from service and tested directly
b. auditors do not rely on a detailed knowledge of the application's internal logic
c. the auditor reconciles previously produced output results with production input transactions
d. this approach is used for complex transactions that receive input from many sources

ANS: D

31. Which test is not an example of a white box test?
a. determining the fair value of inventory
b. ensuring that passwords are valid
c. verifying that all pay rates are within a specified range
d. reconciling control totals

ANS: A

32. When analyzing the results of the test data method, the auditor would spend the least amount of time reviewing
a. the test transactions
b. error reports
c. updated master files
d. output reports

ANS: A

33. All of the following are advantages of the test data technique except
a. auditors need minimal computer expertise to use this method
b. this method causes minimal disruption to the firm's operations
c. the test data is easily compiled
d. the auditor obtains explicit evidence concerning application functions

ANS:

34. All of the following are disadvantages of the test data technique except
a. the test data technique requires extensive computer expertise on the part of the auditor
b. the auditor cannot be sure that the application being tested is a copy of the current application used by computer services personnel
c. the auditor cannot be sure that the application being tested is the same application used throughout the entire year
d. preparation of the test data is time-consuming

ANS: A

35. All of the following statements are true about the integrated test facility (ITF) except
a. production reports are affected by ITF transactions
b. ITF databases contain "dummy" records integrated with legitimate records
c. ITF permits ongoing application auditing
d. ITF does not disrupt operations or require the intervention of computer services personnel

ANS: A

36. Which statement is not true? Embedded audit modules
a. can be turned on and off by the auditor.
b. reduce operating efficiency.
c. may lose their viability in an environment where programs are modified frequently.
d. identify transactions to be analyzed using white box tests.

ANS: D

37. Generalized audit software packages perform all of the following tasks except
a. recalculate data fields
b. compare files and identify differences
c. stratify statistical samples
d. analyze results and form opinions

ANS: D

SHORT ANSWER

1. Contrast the source program library (SPL) management system to the database management system (DBMS).

ANS:
The SPL software manages program files and the DBMS manages data files.

2. Describe two methods used to control the source program library.

ANS:
passwords, separation of development programs from maintenance programs, program management reports, program version numbers, controlling maintenance commands

3. New system development activity controls must focus on the authorization, development, and implementation of new systems and its maintenance. Discuss at least five control activities that are found in an effective system development life cycle.

ANS:
System authorization activities assure that all systems are properly authorized to ensure their economic justification and feasibility.

User specification activities should not be stifled by technical issues. Users can provide written description of the logical needs that must be satisfied by the system.

Technical design activities must lead to specifications that meet user needs. Documentation is both a control and evidence of control.

Internal audit involvement should occur throughout the process to assure that the system will serve user needs.

Program testing is to verify that data is processed as intended.

4. What are the three broad categories of application controls?

ANS:
input, processing, and output controls

5. How does privacy relate to output control?

ANS:
If the privacy of certain types of output, e.g., sensitive information about clients or customers, a firm could be legally exposed.

6. What are the three categories of processing control?

ANS:
Batch controls, run-to-run controls, and audit trail controls.

7. What control issue is related to reentering corrected error records into a batch processing system? What are the two methods for doing this?

ANS:
Errors detected during processing require careful handling, since these records may already be partially processed. Simply resubmitting the corrected records at the data input stage may result in processing portions of these transactions twice.

Two methods are: (1) reverse the effects of the partially processed transactions and resubmit the corrected records to the data input stage. The second method is to reinsert corrected records into the processing stage at which the error was detected.

8. Output controls ensure that output is not lost, misdirected, or corrupted and that privacy is not violated. What are some output exposures or situations where output is at risk?

ANS:
output spooling, delayed printing, waste, report distribution

9. Input controls are programmed procedures (routines) that perform tests on transaction data to ensure they are free from errors. Name four input controls and describe what they test

ANS:
1. numeric-alphabetic checks look for the correct type of character content in a field, numbers or letters
2. limit checks verify that values are within preset limits
3. range checks verify the values fall within an acceptable range
4. reasonableness check determines if a value in one field, which has already passed a limit check and a range check, is reasonable when considered along with data in other fields of the record.

10. A __________________________ fraud affects a large number of victims but the harm to each appears to be very small.

ANS:
salami

11. Describe a test of controls that would provide evidence that only authorized program maintenance is occurring.

ANS:
reconcile program version numbers, confirm maintenance authorizations

12. Auditors do not rely on detailed knowledge of the application's internal logic when they use the __________________________ approach to auditing computer applications.

ANS:
black box or auditing around the computer

13. Describe parallel simulation.

ANS:
The auditor writes a program that simulates the application under review. The simulation is used to reprocess production transactions that were previously processed by the production application. The results of the simulation are compared to the results of the original production run.

14. What is meant by auditing around the computer versus auditing through the computer? Why is this so important?

ANS:
Auditing around the computer involves black box testing in which the auditors do not rely on a detailed knowledge of the application's internal logic. Input is reconciled with corresponding output. Auditing through the computer involves obtaining an in-depth understanding of the internal logic of the computer application. As transactions become increasingly automated, the inputs and outputs may become decreasingly visible. Thus, the importance of understanding the programming components of the system is crucial.

15. What is an embedded audit module?

ANS:
EAM techniques use one or more specially programmed modules embedded in a host application to select and record predetermined types of transactions for subsequent analysis. This method allows material transactions to be captured throughout the audit period. The auditor's substantive testing task is thus made easier since they do not have to identify significant transactions for substantive testing.

16. What are the audit's objectives relating to systems development?

ANS:
The auditor's objectives are to ensure that (1) systems development activities are applied consistently and in accordance with management's policies to all systems development projects (2) the system as originally implemented was free from material errors and fraud (3) the system was judged necessary and justified at various checkpoints throughout the SDLC and (4) system documentation is sufficiently accurate and complete to facilitate audit and maintenance activities.

ESSAY

1. Outline the six controllable activities that relate to new systems development

ANS:
Systems Authorization Activities: All systems should be properly authorized to ensure their economic justification and feasibility. This requires a formal environment in which users submit requests to systems professionals in written form.

User Specification Activities: Users need to be actively involved in the systems development process. Users should create a detailed written description of their needs. It should describe the user's view of the problem, not that of the systems professionals.

Technical Design Activities: The technical design activities translate user specifications into a set of detailed technical specifications for a system that meets the user's needs. The scope of these activities includes systems analysis, feasibility analysis, and detailed systems design.

Internal Audit Participation: To meet the governance-related expectations of management under SOX, an organization's internal audit department needs to be independent, objective, and technically qualified. As such, the internal auditor can play an important role in the control of systems development activities.

Program Testing: All program modules must be thoroughly tested before they are implemented. This involves creating hypothetical master files and transactions files that are processed by the modules being tested. The results of the tests are then compared against predetermined results to identify programming and logic errors.

User Test and Acceptance Procedures: Prior to system implementation, the individual modules of the system need to be formally and rigorously tested as a whole. The test team should comprise user personnel, systems professionals, and internal auditors. The details of the tests performed and their results need to be formally documented and analyzed. Once the test team is satisfied that the system meets its stated requirements, the system can be transferred to the user.

2. Explain the three methods used to correct errors in data entry.

ANS:
Immediate Correction. In the direct data validation approach, error detection and correction take place during data entry. When an error or illogical relationship is entered, the system should halt the data entry procedure until the error is corrected.

Creation of an Error File. In the delayed data validation approach, errors are flagged and placed in an error file. Records with errors will not be processed until the error is investigated and corrected.

Rejection of the Entire Batch. Some errors are associated with the entire batch and are not attributable to individual records. An example of this is a control total that does not balance. The entire batch is placed in the error file and will be reprocessed when the error is corrected.

3. The presence of an audit trail is critical to the integrity of the accounting information system. Discuss three of the techniques used to preserve the audit trail.

ANS:
Transaction logs list all transactions successfully processed by the system and serve as journals, permanent records. Transactions that were not processed successfully should be recorded in an error file.

After processing transactions, a paper transaction listing should be produced and used by appropriate users to reconcile input.

Logs and listings of automatic transactions should be produced for transactions received or initiated internally by the system.

Error listing should document all errors and be sent to appropriate users to support error correction.

%. ?efine
?efine each of the follo"
follo"ing
ing input
input controls
controls and
and give an eample
eample of ho" they
they may be used:
used:
a. issing data chec! 
 b. NumericCalphabetic
NumericCalphabetic data chec! 
c. 8imit chec! 
d. >ange chec! 
e. >easonableness chec! 
f. Ialidity
Ialidity chec! 

ANS:
Missing data check. Some programming languages are restrictive as to the justification (right or left)
of data within the field. If data are not properly justified or if a character is missing (has been replaced
with a blank), the value in the field will be improperly processed. For example, the presence of blanks
in a numeric data field may cause a system failure. When the control routine detects a blank where it
expects to see a data value, the error is flagged.

Numeric/alphabetic check. This control identifies when data in a particular field are in the wrong
form. For example, a customer's account balance should not contain alphabetic data and the presence
of it will cause a data processing error. Therefore, if alphabetic data are detected, the error record flag
is set.

Limit check. Limit checks are used to identify field values that exceed an authorized limit. For
example, assume the firm's policy is that no employee works more than 44 hours per week. The
payroll system input control program can test the hours-worked field in the weekly payroll records for
values greater than 44.

Range check. Many times data have upper and lower limits to their acceptable values. For example, if
the range of pay rates for hourly employees in a firm is between 8 and 20 dollars, this control can
examine the pay rate field of all payroll records to ensure that they fall within this range.

Reasonableness check. The test determines if a value in one field, which has already passed a limit
check and a range check, is reasonable when considered along with data in other fields of the record.
For example, assume that an employee's pay rate of 18 dollars per hour falls within an acceptable
range. This rate is excessive, however, when compared to the employee's job skill code of 693;
employees in this skill class should not earn more than 12 dollars per hour.

Validity check. A validity check compares actual field values against known acceptable values. For
example, this control may be used to verify such things as valid vendor codes, state abbreviations, or
employee job skill codes. If the value in the field does not match one of the acceptable values, the
record is flagged as an error.
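The six input controls above, applied in order to raw payroll records. This is an added example, not part of the original test bank; the field names, the sample records, skill code 710 and the strict numeric pattern are assumptions, while the 44-hour limit, the 8 to 20 dollar range and the 693 / 12 dollar cap come from the answer.

```python
import re

MAX_HOURS = 44                    # limit check: weekly hours policy from the text
PAY_RANGE = (8.0, 20.0)           # range check: hourly pay rates from the text
# Validity table of known skill codes with a pay cap per code. The 693 -> 12
# pair is from the text; code 710 and its cap are constructed.
SKILL_PAY_CAP = {"693": 12.0, "710": 20.0}
# Plain decimals only, so a sign, "nan", "inf" or "1e3" cannot slip past float().
NUMERIC = re.compile(r"\d+(\.\d{1,2})?")
FIELDS = ("emp_id", "hours", "pay_rate", "skill_code")

def validate(record):
    """Return the control failures for one raw, string-valued payroll record."""
    rec = {k: record.get(k, "").strip() for k in FIELDS}
    # Missing data check: a blank where a value is expected is flagged.
    errors = [f"missing:{k}" for k, v in rec.items() if not v]
    # Numeric/alphabetic check: numeric fields must hold digits only.
    errors += [f"non_numeric:{k}" for k in ("hours", "pay_rate")
               if rec[k] and not NUMERIC.fullmatch(rec[k])]
    if errors:
        return errors             # later checks need well-formed values
    hours, rate = float(rec["hours"]), float(rec["pay_rate"])
    if hours > MAX_HOURS:         # limit check
        errors.append("limit:hours")
    in_range = PAY_RANGE[0] <= rate <= PAY_RANGE[1]
    if not in_range:              # range check
        errors.append("range:pay_rate")
    cap = SKILL_PAY_CAP.get(rec["skill_code"])
    if cap is None:               # validity check against known codes
        errors.append("validity:skill_code")
    elif in_range and rate > cap: # reasonableness check across two fields
        errors.append("reasonableness:pay_rate_vs_skill_code")
    return errors

# Constructed sample batch (not real data).
BATCH = [
    {"emp_id": "E100", "hours": "40", "pay_rate": "11.50", "skill_code": "693"},
    {"emp_id": "E101", "hours": "",   "pay_rate": "11.50", "skill_code": "693"},
    {"emp_id": "E102", "hours": "4O", "pay_rate": "11.50", "skill_code": "693"},
    {"emp_id": "E103", "hours": "52", "pay_rate": "25",    "skill_code": "710"},
    {"emp_id": "E104", "hours": "38", "pay_rate": "18",    "skill_code": "693"},
    {"emp_id": "E105", "hours": "38", "pay_rate": "18",    "skill_code": "999"},
]

def error_listing(batch):
    """Map emp_id -> failures for every record that fails a control."""
    return {r.get("emp_id", "?"): e for r in batch if (e := validate(r))}

if __name__ == "__main__":
    for emp, errs in error_listing(BATCH).items():
        print(emp, errs)
```

Record E104 is the case from the answer: 18 dollars passes the range check yet fails the reasonableness check against skill code 693.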

5. After data is entered into the system, it is processed. Processing control exists to make sure that the
correct things happen during processing. Discuss processing controls.

ANS:
Processing controls take three forms: batch controls, run-to-run controls, and audit trail controls.
Batch controls are used to manage the flow of high volumes of transactions through batch processing
systems. The objective of batch control is to reconcile output produced by the system with the input
originally entered into the system. This provides assurance that:
• All records in the batch are processed.
• No records are processed more than once.
• An audit trail of transactions is created from input through processing to the output stage of the
system.

Run-to-run controls use batch figures and new balances to monitor the batch as it goes through the
system, i.e. from run-to-run. These are to assure that no transactions are lost and that all are processed
completely.

Audit trail controls are designed to document the movement of transactions through the system. The
most common techniques include the use of transaction logs and transaction listings, unique
transaction identifiers, logs and listings of automatic transactions, and error listings.
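A run-to-run reconciliation of a batch against its control figures, as described in the answer above. This is an added example, not part of the original test bank; the record layout, the sample transactions and the choice of record count, amount total and hash total as the "batch figures" are assumptions.

```python
from collections import Counter

def batch_figures(records):
    """Batch control record: record count, amount total (cents), hash total of ids."""
    return {"count": len(records),
            "amount": sum(r["amount"] for r in records),
            "hash_total": sum(r["txn_id"] for r in records)}

def run_to_run_check(control, processed, rejected=()):
    """Compare the figures after one run with the batch control record.

    Records written to the error file are passed as `rejected`, so they are
    accounted for rather than reported as lost.
    """
    findings = []
    # Unique transaction identifiers reveal records processed more than once.
    seen = Counter(r["txn_id"] for r in processed)
    dupes = sorted(t for t, n in seen.items() if n > 1)
    if dupes:
        findings.append(("processed_more_than_once", dupes))
    after = batch_figures(list(processed) + list(rejected))
    for name, expected in control.items():
        if after[name] != expected:
            findings.append((name, expected, after[name]))
    return findings

# Constructed batch of sales orders (amounts in cents).
INPUT = [
    {"txn_id": 1001, "amount": 12500},
    {"txn_id": 1002, "amount": 8900},
    {"txn_id": 1003, "amount": 43000},
    {"txn_id": 1004, "amount": 1550},
]
CONTROL = batch_figures(INPUT)

# A record replaced by another of equal amount: count and amount still agree.
SWAPPED = INPUT[:3] + [{"txn_id": 1999, "amount": 1550}]

if __name__ == "__main__":
    print("edit run  :", run_to_run_check(CONTROL, INPUT[:3], [INPUT[3]]))
    print("lost      :", run_to_run_check(CONTROL, INPUT[:2] + INPUT[3:]))
    print("duplicate :", run_to_run_check(CONTROL, INPUT + [INPUT[1]]))
    print("swapped   :", run_to_run_check(CONTROL, SWAPPED))
```

The swapped case passes the count and amount comparison and is caught only by the hash total, which is why more than one batch figure is carried from run to run.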

6. If input and processing controls are adequate, why are output controls needed?

ANS:
Output controls are designed to ensure that system output is not lost, misdirected, or corrupted and that
privacy is not violated. Great risk exists if checks are misdirected, lost, or stolen. Certain types of data
must be kept private: trade secrets, patents pending, customer records, etc.

7. Describe and contrast the test data method with the integrated test facility.

ANS:
In the test data method, a specially prepared set of input data is processed; the results of the test are
compared to predetermined expectations. To use the test data method, a copy of the current version of
the application must be obtained. The auditor will review printed reports, transaction listings, error
reports, and master files to evaluate application logic and control effectiveness. The test data approach
results in minimal disruption to the organization's operations and requires little computer expertise on
the part of auditors.

The integrated test facility (ITF) is an automated approach that permits auditors to test an application's
logic and controls during its normal operation. ITF databases contain test records integrated with
legitimate records. During normal operations, test transactions are entered into the stream of regular
production transactions and are processed against the test records. The ITF transactions are not
included with the production reports but are reported separately to the auditor for evaluation. The
auditor compares ITF results against expected results.

In contrast to the test data approach, the ITF technique promotes ongoing application auditing and
does not interfere with the normal work of computer services employees. In the test data approach,
there is a risk that the auditor might perform the tests on a version of the application other than the
production version; this cannot happen in the ITF approach. Both versions are relatively costly to
implement. The major risk with the ITF approach is that ITF data could become combined with live
data and the reports would be misstated; this cannot happen in the test data approach.

8. Contrast Embedded Audit Modules with Generalized Audit Software.

ANS:
Both techniques permit auditors to access, organize, and select data in support of the substantive phase
of the audit. The Embedded Audit Module (EAM) technique embeds special audit modules into
applications. The EAM captures specific transactions for auditor review. EAMs reduce operational
efficiency and are not appropriate for environments with a high level of program maintenance.

Generalized Audit Software (GAS) permits auditors to electronically access audit files and to perform
a variety of audit procedures. For example, the GAS can recalculate, stratify, compare, format, and
print the contents of files.

The EAM is an internal program that is designed and programmed into the application. The GAS is an
external package that does not affect operational efficiency of the program. GASs are easy to use,
require little IT background on the part of the user, are hardware independent, can be used without the
assistance of computer service employees, and are not application-specific. On the other hand, EAMs
are programmed into a specific application by computer service professionals.

9. What is the purpose of the auditor's review of SDLC documentation?

ANS:
In reviewing the SDLC documentation, the auditor seeks to determine that completed projects now in
use reflect compliance with SDLC policies including:
• proper authorization of the project by users and computer service management,
• a preliminary feasibility study showed that the project had merit,
• that a detailed analysis of user needs was conducted,
• that a cost-benefit analysis was performed,
• that the project can be demonstrated to solve the users' problem, and
• that the system was thoroughly tested.

10. Microcomputers have traditionally been difficult to control, leaving auditors with special problems in
verifying physical controls. Discuss what an auditor's objectives might be in testing microcomputer
controls.

ANS:
The auditor must investigate several things: 1) that adequate supervision and operating procedures
exist to compensate for the lack of segregation of duties that occur when users are functioning also as
programmers and operators; 2) that access to hardware, data and software is limited to authorized
personnel; 3) that backup procedures are in place and implemented to prevent data and program loss;
and 4) that procedures for systems selection and acquisition assure high quality, error free,
applications. This is far from an ideal situation.

11. ontrast the 7blac! bo7 approach to '# auditing


auditing and the
the 7"hite bo7 approach.
approach. 9hich is preferred=

ANS:
The black box approach is not concerned with the application's internal workings. The auditor
examines documentation of the system, interviews personnel, and bases the evaluation on the logical
consistency between input and output. This method is often referred to as "auditing-around-the-
computer" because there is no examination of data as it is processed.

The white box approach, also called "auditing-through-the-computer," relies on knowledge of the
internal workings of the systems and actually tests the application in action with test data having
known results. Several white box techniques are available. These include the test data method, base
case evaluation, tracing, the integrated test facility, and parallel simulation. This method makes the
computer a tool of the audit as well as its target.
