IT Controls Part III: Systems Development, Program Changes, and Application Controls
TRUE/FALSE
ANS: F
2. Maintenance access to systems increases the risk that logic will be corrupted either by accident or by intent to defraud.
ANS: T
3. Source program library controls should prevent and detect unauthorized access to application programs.
ANS: T
4. A check digit is a method of detecting data coding errors.
ANS: T
ANS: F
6. A header label is an internal, machine-readable label.
ANS: T
ANS: T
8. A run-to-run control is an example of an output control.
ANS: F
9. Shredding computer printouts is an example of an output control.
ANS: T
ANS: F
ANS: T
12. The "white box" tests of program controls are also known as auditing through the computer.
ANS: T
ANS: F
ANS: F
ANS: T
ANS: T
ANS: T
ANS: T
ANS: T
ANS: T
ANS: F
MULTIPLE CHOICE
1. Which statement is not correct? The audit trail in a computerized environment
a. consists of records that are stored sequentially in an audit file
b. traces transactions from their source to their final disposition
c. is a function of the quality and integrity of the application programs
d. may take the form of pointers, indexes, and embedded keys
ANS: A
2. Which control is not associated with new systems development activities?
a. reconciling program version numbers
b. program testing
c. user involvement
d. internal audit participation
ANS: A
3. Routine maintenance activities require all of the following controls except
a. documentation updates
b. testing
c. formal authorization
d. internal audit approval
ANS: D
4. Which statement is correct?
a. compiled programs are very susceptible to unauthorized modification
b. the source program library stores application programs in source code form
c. modifications are made to programs in machine code language
d. the source program library management system increases operating efficiency
ANS:
6. Which control ensures that production files cannot be accessed without specific permission?
a. Database Management System
b. Recovery Operations Function
c. Source Program Library Management System
d. Computer Services Function
ANS:
7. Program testing
a. involves individual modules only, not the full system
b. requires creation of meaningful test data
c. need not be repeated once the system is implemented
d. is primarily concerned with usability
ANS:
9. Which of the following is correct?
a. check digits should be used for all data codes
b. check digits are always placed at the end of a data code
c. check digits do not affect processing efficiency
d. check digits are designed to detect transcription and transposition errors
ANS: D
ANS:
11. An example of a hash total is
a. total payroll checks $12,315
b. total number of employees 10
c. sum of the social security numbers 12,555,437,251
d. none of the above
ANS:
ANS:
ANS: D
ANS:
17. An inventory record indicates that 12 items of a specific product are on hand. A customer purchased two of the items, but when recording the order, the data entry clerk mistakenly entered 20 items sold. Which check could detect this error?
a. numeric/alphabetic data checks
b. limit check
c. range check
d. reasonableness check
ANS:
18. Which check is not an input control?
a. reasonableness check
b. validity check
c. spooling check
d. missing data check
ANS:
19. A computer operator was in a hurry and accidentally used the wrong master file to process a transaction file. As a result, the accounts receivable master file was erased. Which control would prevent this from happening?
a. header label check
b. expiration date check
c. version check
d. validity check
ANS: A
20. Run-to-run control totals can be used for all of the following except
a. to ensure that all data input is validated
b. to ensure that only transactions of a similar type are being processed
c. to ensure the records are in sequence and are not missing
d. to ensure that no transaction is omitted
ANS: A
21. Methods used to maintain an audit trail in a computerized environment include all of the following except
a. transaction logs
b. transaction listings
c. data encryption
d. log of automatic transactions
ANS:
22. Risk exposures associated with creating an output file as an intermediate step in the printing process (spooling) include all of the following actions by a computer criminal except
a. gaining access to the output file and changing critical data values
b. using a remote printer and incurring operating inefficiencies
c. making a copy of the output file and using the copy to produce illegal output reports
d. printing an extra hardcopy of the output file
ANS:
23. Which statement is not correct?
a. only successful transactions are recorded on a transaction log
b. unsuccessful transactions are recorded in an error file
c. a transaction log is a temporary file
d. a hardcopy transaction listing is provided to users
ANS:
c. spooling check
d. missing data check
ANS:
ANS: D
ANS:
27. Which statement is not true?
a. An audit objective for systems maintenance is to detect unauthorized access to application databases.
b. An audit objective for systems maintenance is to ensure that applications are free from errors.
c. An audit objective for systems maintenance is to verify that user requests for maintenance reconcile to program version numbers.
d. An audit objective for systems maintenance is to ensure that the production libraries are protected from unauthorized access.
ANS: A
28. When the auditor reconciles the program version numbers, which audit objective is being tested?
a. protect applications from unauthorized changes
b. ensure applications are free from error
c. protect production libraries from unauthorized access
d. ensure incompatible functions have been identified and segregated
ANS: A
ANS: A
ANS: D
ANS: A
ANS:
ANS: A
ANS: D
37. Generalized audit software packages perform all of the following tasks except
a. recalculate data fields
b. compare files and identify differences
c. stratify statistical samples
d. analyze results and form opinions
ANS: D
SHORT ANSWER
1. Contrast the source program library (SPL) management system to the database management system (DBMS).
ANS:
The SPL software manages program files and the DBMS manages data files.
2. Describe two methods used to control the source program library.
ANS:
passwords, separation of development programs from maintenance programs, program management reports, program version numbers, controlling maintenance commands
3. New system development activity controls must focus on the authorization, development, and implementation of new systems and their maintenance. Discuss at least five control activities that are found in an effective system development life cycle.
ANS:
System authorization activities assure that all systems are properly authorized to ensure their economic justification and feasibility.
User specification activities should not be stifled by technical issues. Users can provide written descriptions of the logical needs that must be satisfied by the system.
Technical design activities must lead to specifications that meet user needs. Documentation is both a control and evidence of control.
4. What are the three broad categories of application controls?
ANS:
input, processing, and output controls
ANS:
If the privacy of certain types of output (e.g., sensitive information about clients or customers) is violated, a firm could be legally exposed.
ANS:
batch controls, run-to-run controls, and audit trail controls.
7. What control issue is related to reentering corrected error records into a batch processing system? What are the two methods for doing this?
ANS:
Errors detected during processing require careful handling, since these records may already be partially processed. Simply resubmitting the corrected records at the data input stage may result in processing portions of these transactions twice.
Two methods are: (1) reverse the effects of the partially processed transactions and resubmit the corrected records to the data input stage. The second method is to reinsert corrected records into the processing stage at which the error was detected.
8. Output controls ensure that output is not lost, misdirected, or corrupted and that privacy is not violated. What are some output exposures or situations where output is at risk?
ANS:
output spooling, delayed printing, waste, report distribution
9. Input controls are programmed procedures (routines) that perform tests on transaction data to ensure they are free from errors. Name four input controls and describe what they test.
ANS:
1. numeric-alphabetic checks look for the correct type of character content in a field, numbers or letters
2. limit checks verify that values are within preset limits
3. range checks verify the values fall within an acceptable range
4. reasonableness check determines if a value in one field, which has already passed a limit check and a range check, is reasonable when considered along with data in other fields of the record.
10. A __________ fraud affects a large number of victims but the harm to each appears to be very small.
ANS:
salami
ANS:
reconcile program version numbers, confirm maintenance authorizations
ANS:
black box or auditing around the computer
13. Describe parallel simulation.
ANS:
The auditor writes a program that simulates the application under review. The simulation is used to reprocess production transactions that were previously processed by the production application. The results of the simulation are compared to the results of the original production run.
ANS:
Auditing around the computer involves black box testing in which the auditors do not rely on a detailed knowledge of the application's internal logic. Input is reconciled with corresponding output. Auditing through the computer involves obtaining an in-depth understanding of the internal logic of the computer application. As transactions become increasingly automated, the inputs and outputs may become decreasingly visible. Thus, the importance of understanding the programming components of the system is crucial.
15. What is an embedded audit module?
ANS:
A technique that uses one or more specially programmed modules embedded in a host application to select and record predetermined types of transactions for subsequent analysis. This method allows material transactions to be captured throughout the audit period. The auditor's substantive testing task is thus made easier since they do not have to identify significant transactions for substantive testing.
ANS:
The auditor's objectives are to ensure that (1) systems development activities are applied consistently and in accordance with management's policies to all systems development projects, (2) the system as originally implemented was free from material errors and fraud, (3) the system was judged necessary and justified at various checkpoints throughout the SDLC, and (4) system documentation is sufficiently accurate and complete to facilitate audit and maintenance activities.
ESSAY
1. Outline the six controllable activities that relate to new systems development.
ANS:
Systems Authorization Activities: All systems should be properly authorized to ensure their economic justification and feasibility. This requires a formal environment in which users submit requests to systems professionals in written form.
Technical Design Activities: The technical design activities translate user specifications into a set of detailed technical specifications for a system that meets the user's needs. The scope of these activities includes systems analysis, feasibility analysis, and detailed systems design.
Program Testing: All program modules must be thoroughly tested before they are implemented. This involves creating hypothetical master files and transaction files that are processed by the modules being tested. The results of the tests are then compared against predetermined results to identify programming and logic errors.
User Test and Acceptance Procedures: Prior to system implementation, the individual modules of the system need to be formally and rigorously tested as a whole. The test team should comprise user personnel, systems professionals, and internal auditors. The details of the tests performed and their results need to be formally documented and analyzed. Once the test team is satisfied that the system meets its stated requirements, the system can be transferred to the user.
2. Explain the three methods used to correct errors in data entry.
ANS:
Immediate Correction. In the direct data validation approach, error detection and correction take place during data entry. When an error or illogical relationship is entered, the system should halt the data entry procedure until the error is corrected.
Creation of an Error File. In the delayed data validation approach, errors are flagged and placed in an error file. Records with errors will not be processed until the error is investigated and corrected.
Rejection of the Entire Batch. Some errors are associated with the entire batch and are not attributable to individual records. An example of this is a control total that does not balance. The entire batch is placed in the error file and will be reprocessed when the error is corrected.
ANS:
Transaction logs list all transactions successfully processed by the system and serve as journals, permanent records. Transactions that were not processed successfully should be recorded in an error file.
After processing transactions, a paper transaction listing should be produced and used by appropriate users to reconcile input.
Logs and listings of automatic transactions should be produced for transactions received or initiated internally by the system.
Error listings should document all errors and be sent to appropriate users to support error correction.
4. Define each of the following input controls and give an example of how they may be used:
a. Missing data check
b. Numeric/alphabetic data check
c. Limit check
d. Range check
e. Reasonableness check
f. Validity check
ANS:
Missing data check. Some programming languages are restrictive as to the justification (right or left) of data within the field. If data are not properly justified or if a character is missing (has been replaced with a blank), the value in the field will be improperly processed. For example, the presence of blanks in a numeric data field may cause a system failure. When the control routine detects a blank where it expects to see a data value, the error is flagged.
Numeric/alphabetic check. This control identifies when data in a particular field are in the wrong form. For example, a customer's account balance should not contain alphabetic data and the presence of it will cause a data processing error. Therefore, if alphabetic data are detected, the error record flag is set.
Limit check. Limit checks are used to identify field values that exceed an authorized limit. For example, assume the firm's policy is that no employee works more than 44 hours per week. The payroll system input control program can test the hours-worked field in the weekly payroll records for values greater than 44.
Range check. Many times data have upper and lower limits to their acceptable values. For example, if the range of pay rates for hourly employees in a firm is between 8 and 20 dollars, this control can examine the pay rate field of all payroll records to ensure that they fall within this range.
Reasonableness check. The test determines if a value in one field, which has already passed a limit check and a range check, is reasonable when considered along with data in other fields of the record. For example, assume that an employee's pay rate of 18 dollars per hour falls within an acceptable range. This rate is excessive, however, when compared to the employee's job skill code of 693; employees in this skill class should not earn more than 12 dollars per hour.
Validity check. A validity check compares actual field values against known acceptable values. For example, this control may be used to verify such things as valid vendor codes, state abbreviations, or employee job skill codes. If the value in the field does not match one of the acceptable values, the record is flagged as an error.
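The six input controls above, applied to constructed weekly payroll records. This is an added illustration, not code from the test bank; the policy values are the answer's (44-hour limit, $8 to $20 pay-rate range, skill code 693 capped at $12), while the skill-code table, field names and sample records are assumptions.

```python
# Input controls for weekly payroll records, one routine per check defined in
# the answer above. Added illustration, not the test bank's own code. Policy
# values are the answer's (44-hour limit, $8-$20 pay-rate range, skill code
# 693 capped at $12/hour); the skill table, field names and records are constructed.

HOURS_LIMIT = 44.0
PAY_RATE_RANGE = (8.0, 20.0)
# Constructed skill-code table: code -> maximum hourly rate. Its keys double as
# the set of acceptable values for the validity check.
MAX_RATE_BY_SKILL = {"693": 12.0, "710": 20.0, "742": 16.0}
REQUIRED_FIELDS = ("emp_id", "hours", "pay_rate", "skill_code")
NUMERIC_FIELDS = ("hours", "pay_rate")

def missing_data_check(record):
    """Flag required fields that are absent, blank, or only spaces."""
    return [f"missing:{f}" for f in REQUIRED_FIELDS if not record.get(f, "").strip()]

def numeric_alphabetic_check(record):
    """Flag numeric fields that contain anything other than a number."""
    errors = []
    for f in NUMERIC_FIELDS:
        try:
            float(record[f])
        except (KeyError, ValueError):
            errors.append(f"nonnumeric:{f}")
    return errors

def limit_check(record):
    """Hours worked must not exceed the 44-hour weekly limit."""
    return ["limit:hours"] if float(record["hours"]) > HOURS_LIMIT else []

def range_check(record):
    """Pay rate must fall within the $8-$20 range for hourly employees."""
    lo, hi = PAY_RATE_RANGE
    return [] if lo <= float(record["pay_rate"]) <= hi else ["range:pay_rate"]

def validity_check(record):
    """Skill code must match one of the known acceptable codes."""
    return [] if record["skill_code"] in MAX_RATE_BY_SKILL else ["validity:skill_code"]

def reasonableness_check(record):
    """A pay rate that passed the limit and range checks must still be
    reasonable for the skill code (code 693 may not exceed $12/hour)."""
    cap = MAX_RATE_BY_SKILL[record["skill_code"]]
    return ["reasonableness:pay_rate"] if float(record["pay_rate"]) > cap else []

def validate_record(record):
    """Run the checks in dependency order and return the sorted flags. Later
    checks are skipped once an earlier one fails, because they would operate
    on unusable data (the limit check cannot run on a blank hours field)."""
    errors = missing_data_check(record) + numeric_alphabetic_check(record)
    if errors:
        return sorted(errors)
    errors = limit_check(record) + range_check(record) + validity_check(record)
    if errors:
        return sorted(errors)
    return reasonableness_check(record)

def flag_batch(records):
    """Map emp_id -> flags for every record failing at least one check; under
    delayed validation these records would be written to the error file."""
    flagged = {r.get("emp_id", "?"): validate_record(r) for r in records}
    return {emp: flags for emp, flags in flagged.items() if flags}

# Constructed sample batch: one clean record, then one record per defect.
SAMPLE_RECORDS = [
    {"emp_id": "1001", "hours": "40", "pay_rate": "11.50", "skill_code": "693"},
    {"emp_id": "1002", "hours": "  ", "pay_rate": "15.00", "skill_code": "710"},  # blank hours
    {"emp_id": "1003", "hours": "4O", "pay_rate": "15.00", "skill_code": "710"},  # letter O
    {"emp_id": "1004", "hours": "52", "pay_rate": "15.00", "skill_code": "710"},  # over 44 h
    {"emp_id": "1005", "hours": "40", "pay_rate": "25.00", "skill_code": "710"},  # outside $8-$20
    {"emp_id": "1006", "hours": "40", "pay_rate": "15.00", "skill_code": "999"},  # unknown code
    {"emp_id": "1007", "hours": "40", "pay_rate": "18.00", "skill_code": "693"},  # 693 capped at $12
]
```

Note that a blank field fails both the missing-data and the numeric check, which is why the two run together before anything else.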
ANS:
Processing controls take three forms: batch controls, run-to-run controls, and audit trail controls.
Batch controls are used to manage the flow of high volumes of transactions through batch processing systems. The objective of batch control is to reconcile output produced by the system with the input originally entered into the system. This provides assurance that:
• All records in the batch are processed.
• No records are processed more than once.
• An audit trail of transactions is created from input through processing to the output stage of the system.
Run-to-run controls use batch figures and new balances to monitor the batch as it goes through the system, i.e., from run to run. These are to assure that no transactions are lost and that all are processed completely.
Audit trail controls are designed to document the movement of transactions through the system. The most common techniques include the use of transaction logs and transaction listings, unique transaction identifiers, logs and listings of automatic transactions, and error listings.
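Batch control figures carried from run to run, as an added example that is not part of the test bank. The batch, the run names and the emp_no/amount fields are constructed; the hash total sums the employee number in the same way that question 11's hash total sums social security numbers.

```python
# Batch controls carried from run to run. Added illustration, not the test
# bank's code; the batch, run names and field names are constructed. The
# three control figures are those the answer names: a record count, a
# financial control total (sum of amount) and a hash total (sum of emp_no,
# the way question 11's hash total sums social security numbers).
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlTotals:
    record_count: int
    amount_total: float  # financial total, meaningful in itself
    hash_total: int      # sum of a non-financial field, useful only to reconcile


def compute_totals(records):
    return ControlTotals(
        record_count=len(records),
        amount_total=round(sum(r["amount"] for r in records), 2),
        hash_total=sum(r["emp_no"] for r in records),
    )


def reconcile(expected, actual):
    """List the control figures that no longer agree with the batch
    transmittal; an empty list means the run balances."""
    problems = []
    if actual.record_count != expected.record_count:
        problems.append(f"record count {actual.record_count} != {expected.record_count}")
    if actual.amount_total != expected.amount_total:
        problems.append(f"amount total {actual.amount_total} != {expected.amount_total}")
    if actual.hash_total != expected.hash_total:
        problems.append(f"hash total {actual.hash_total} != {expected.hash_total}")
    return problems


def run_to_run(batch, runs):
    """Carry the transmittal totals through a job stream. Each run maps a
    batch to a batch; its output is reconciled before the next run starts, so
    a lost, duplicated or altered record is caught at the run that caused it
    and the whole batch is rejected there rather than at the end of the job."""
    totals = compute_totals(batch)
    log = []
    for name, run in runs:
        batch = run(batch)
        problems = reconcile(totals, compute_totals(batch))
        log.append((name, problems))
        if problems:
            break
    return log


# Constructed batch of four payroll records.
BATCH = [
    {"emp_no": 1001, "amount": 460.00},
    {"emp_no": 1002, "amount": 600.00},
    {"emp_no": 1003, "amount": 780.00},
    {"emp_no": 1004, "amount": 600.00},
]


def pass_through(batch):
    return list(batch)


def transposing_update(batch):
    """Simulates a run that corrupts one key (1003 -> 1030). The count and the
    amount total still balance; only the hash total exposes the error."""
    return [dict(r, emp_no=1030) if r["emp_no"] == 1003 else r for r in batch]


def duplicating_post(batch):
    """Simulates a run that processes the first record twice."""
    return batch + [batch[0]]


CLEAN_JOB = [("edit", pass_through), ("update", pass_through), ("post", pass_through)]
TRANSPOSED_JOB = [("edit", pass_through), ("update", transposing_update), ("post", pass_through)]
DUPLICATE_JOB = [("edit", pass_through), ("update", pass_through), ("post", duplicating_post)]
```

The transposed-key case is the reason a hash total is kept alongside the financial total: the record count and amount still balance, so only the hash total shows that the batch changed between the edit run and the update run.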
6. If input and processing controls are adequate, why are output controls needed?
ANS:
Output controls are designed to ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated. Great risk exists if checks are misdirected, lost, or stolen. Certain types of data must be kept private: trade secrets, patents pending, customer records, etc.
7. Describe and contrast the test data method with the integrated test facility.
ANS:
In the test data method, a specially prepared set of input data is processed; the results of the test are compared to predetermined expectations. To use the test data method, a copy of the current version of the application must be obtained. The auditor will review printed reports, transaction listings, error reports, and master files to evaluate application logic and control effectiveness. The test data approach results in minimal disruption to the organization's operations and requires little computer expertise on the part of auditors.
The integrated test facility (ITF) is an automated approach that permits auditors to test an application's logic and controls during its normal operation. ITF databases contain test records integrated with legitimate records. During normal operations, test transactions are entered into the stream of regular production transactions and are processed against the test records. The ITF transactions are not included with the production reports but are reported separately to the auditor for evaluation. The auditor compares ITF results against expected results.
In contrast to the test data approach, the ITF technique promotes ongoing application auditing and does not interfere with the normal work of computer services employees. In the test data approach, there is a risk that the auditor might perform the tests on a version of the application other than the production version; this cannot happen in the ITF approach. Both versions are relatively costly to implement. The major risk with the ITF approach is that ITF data could become combined with live data and the reports would be misstated; this cannot happen in the test data approach.
8. Contrast Embedded Audit Modules with Generalized Audit Software.
ANS:
Both techniques permit auditors to access, organize, and select data in support of the substantive phase of the audit. The Embedded Audit Module (EAM) technique embeds special audit modules into applications. The EAM captures specific transactions for auditor review. EAMs reduce operational efficiency and are not appropriate for environments with a high level of program maintenance. Generalized Audit Software (GAS) permits auditors to electronically access audit files and to perform a variety of audit procedures. For example, the GAS can recalculate, stratify, compare, format, and print the contents of files.
The EAM is an internal program that is designed and programmed into the application. The GAS is an external package that does not affect operational efficiency of the program. GASs are easy to use, require little IT background on the part of the user, are hardware independent, can be used without the assistance of computer service employees, and are not application-specific. On the other hand, EAMs are programmed into a specific application by computer service professionals.
9. What is the purpose of the auditor's review of SDLC documentation?
ANS:
In reviewing the SDLC documentation, the auditor seeks to determine that completed projects now in use reflect compliance with SDLC policies including:
• proper authorization of the project by users and computer service management,
• a preliminary feasibility study showed that the project had merit,
• that a detailed analysis of user needs was conducted,
• that a cost-benefit analysis was performed,
• that the project can be demonstrated to solve the users' problem, and
• that the system was thoroughly tested.
ANS:
The auditor must investigate several things: 1) that adequate supervision and operating procedures exist to compensate for the lack of segregation of duties that occurs when users are functioning also as programmers and operators; 2) that access to hardware, data and software is limited to authorized personnel; 3) that backup procedures are in place and implemented to prevent data and program loss; and 4) that procedures for systems selection and acquisition assure high quality, error-free applications. This is far from an ideal situation.
ANS:
The black box approach is not concerned with the application's internal workings. The auditor examines documentation of the system, interviews personnel, and bases the evaluation on the logical consistency between input and output. This method is often referred to as "auditing-around-the-computer" because there is no examination of data as it is processed.