
Accounting Information Systems The Processes and Controls Turner 2nd Edition Solutions Manual


Chapter 7 Solutions Auditing Information Technology-Based Processes

Turner/Accounting Information Systems, 2e


Solutions Manual
Chapter 7

Concept Check
1. b
2. b
3. d
4. c
5. b
6. a
7. c
8. b
9. d
10. a
11. a
12. c
13. c
14. d
15. c
16. a
17. c
18. a
19. a
20. c
21. d

Discussion Questions

22. (SO 1) What are assurance services? What value do assurance services provide?
Assurance services are accounting services that improve the quality of information.
Many services performed by accountants are valued because they lend credibility to
financial information.
23. (SO 2) Differentiate between a compliance audit and an operational audit. A
compliance audit is a form of assurance service that involves accumulating and
analyzing information to determine whether a company has complied with
regulations and policies established by contractual agreements, governmental
agencies, company management, or other high authority. Operational audits assess
operating policies and procedures for efficiency and effectiveness.


24. (SO 2) Which type of audit is most likely to be performed by government auditors?
Which type of audit is most likely to be performed by internal auditors?
Governmental auditors are most likely to perform compliance audits, and internal
auditors are most likely to perform operational audits.
25. (SO 2) Identify the three areas of an auditor’s work that are significantly impacted by
the presence of IT accounting systems. The IT environment plays a key role in how
auditors conduct their work in the following areas:
• consideration of risk
• determination of audit procedures to be used to obtain knowledge of the
accounting and internal control systems
• design and performance of audit tests.
26. (SO 3) Describe the three causes of information risk. Information risk is caused by:
• Remote information; for instance, when the source of information is removed
from the decision maker, it stands a greater chance of being misstated.
• Large volumes of information or complex information.
• Variations in viewpoints or incentives of the preparer.
27. (SO 3) Explain how an audit trail might get “lost” within a computerized system.
Loss of an audit trail occurs when there is a lack of physical evidence to view in
support of a transaction. This may occur when the details of accounting transactions
are entered directly into the computer system, with no supporting paper documents.
If there is a system failure, database destruction, unauthorized access, or
environmental damage, the information processed under such a system may be lost
or altered.
28. (SO 3) Explain how the presence of IT processes can improve the quality of
information that management uses for decision making. IT processes tend to
provide information in a timely and efficient manner. This enhances management’s
ability to make effective decisions, which is the essence of quality of information.
29. (SO 4) Distinguish among the focuses of the GAAS standards of fieldwork and
standards of reporting. The standards of fieldwork provide general guidelines for
performing the audit. They address the importance of planning and supervision,
understanding internal controls, and evidence accumulation. The standards of
reporting address the auditor’s requirements for communicating the audit results in
writing, including the reference to GAAP, consistency, adequate disclosures, and the
expression of an overall opinion on the fairness of financial statements.
30. (SO 4) Which professional standard-setting organization provides guidance on the
conduct of an IT audit? The Information Systems Audit and Control Association
(ISACA) is responsible for issuing Information Systems Auditing Standards (ISASs),
which provide guidelines for conducting an IT audit.
31. (SO 5) If management is responsible for its own financial statements, why are
auditors important? Auditors are important because they are responsible for
analyzing financial statements to decide whether they are fairly stated and presented
in accordance with GAAP. Since the financial statements are prepared by managers
of the company, the role of auditors is to reduce information risk associated with
those financial statements. To accomplish this, auditors design tests to analyze
information supporting the financial statements in order to determine whether
management’s assertions are valid.
32. (SO 6) List the techniques used for gathering evidence. The techniques used for
gathering evidence include the following:
• physically examining or inspecting assets or supporting documentation
• obtaining written confirmation from an independent source
• rechecking or recalculating information
• observing activities
• making inquiries of company personnel
• analyzing financial relationships and making comparisons to determine
reasonableness
33. (SO 6) During which phase of an audit would an auditor consider risk assessment
and materiality? Risk assessment and materiality are considered during the
planning phase of an audit.
34. (SO 7) Distinguish between auditing through the computer and auditing with the
computer. When are auditors required to audit through the computer as opposed to
auditing around the computer? Auditing through the computer involves directly
testing internal controls within the IT system, which requires the auditors to
understand the computer system logic. Auditing through the computer is necessary
when the auditor wants to test computer controls as a basis for evaluating risk and
reducing the amount of audit testing required, and when supporting documents are
available only in electronic form. Auditing with the computer involves auditors using
their own systems, software, and computer-assisted audit techniques to help
conduct an audit.
35. (SO 8) Explain why it is customary to complete the testing of general controls before
testing application controls. Since general controls are the automated controls that
affect all computer applications, the reliability of general controls must be
established before application controls are tested. The effectiveness of general
controls is considered the foundation for the IT control environment. If there are
problems with the effectiveness of general controls, auditors will not devote attention
to the testing of application controls; rather, they will reevaluate the audit approach
with reduced reliance on controls.
36. (SO 8) Identify four important aspects of administrative control in an IT environment.
Four important aspects of administrative control include:
• personal accountability and segregation of incompatible responsibilities
• job descriptions and clear lines of authority
• computer security and virus protection
• IT systems documentation
37. (SO 8) Explain why Benford’s Law is useful to auditors in the detection of fraud.
Benford’s Law recognizes nonuniform patterns in the frequency of numbers
occurring in a list, so it is useful to auditors in the identification of fabricated data
within account balances such as sales, accounts receivable, accounts payable, cash
disbursements, income taxes, etc. If fraudulent data are presented, they would not
likely follow the natural distribution that Benford’s Law sets forth.
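An added example, not part of the solutions manual: a first-digit test of the kind the answer to question 37 describes, run over two constructed lists of amounts. The chi-square cutoff at the 5% level and both sample lists are assumptions of this example.

```python
import math
from collections import Counter

# Benford's Law: probability that the leading digit of a number is d (1..9).
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Chi-square critical value for 8 degrees of freedom at the 5% level
# (nine digit classes minus one). Chosen for this example.
CHI2_CRITICAL_8DF_05 = 15.507

# Constructed sample 1: amounts that grow by compounding and span several
# orders of magnitude, as naturally occurring balances tend to.
ORGANIC = [round(10 * 1.07 ** k, 2) for k in range(200)]

# Constructed sample 2: invented amounts spread evenly between 1,000 and
# 9,955, so every leading digit appears about equally often.
FABRICATED = [1000 + 45 * k for k in range(200)]


def first_digit(amount):
    """Return the leading non-zero digit of a non-zero amount."""
    # Scientific notation always puts the leading digit first.
    return int(f"{abs(amount):.15e}"[0])


def benford_test(amounts):
    """Compare observed first-digit counts with the Benford expectation."""
    digits = [first_digit(a) for a in amounts if a != 0]
    n = len(digits)
    observed = Counter(digits)
    chi2 = 0.0
    rows = []
    for d in range(1, 10):
        expected = BENFORD[d] * n
        chi2 += (observed[d] - expected) ** 2 / expected
        rows.append((d, observed[d], round(expected, 1)))
    # A flag means the list deserves closer sampling; it is not proof of fraud.
    return {"n": n, "rows": rows, "chi2": chi2,
            "flag": chi2 > CHI2_CRITICAL_8DF_05}


if __name__ == "__main__":
    for name, data in (("organic", ORGANIC), ("fabricated", FABRICATED)):
        result = benford_test(data)
        print(name, "chi2=%.2f" % result["chi2"], "flag=%s" % result["flag"])
        for digit, seen, expected in result["rows"]:
            print("  digit %d: observed %3d, expected %5.1f" % (digit, seen, expected))
```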
38. (SO 8) Think about a place you have worked where computers were present. What
are some physical and environmental controls that you have observed in the
workplace? Provide at least two examples of each from your personal experience.
Student responses are likely to vary greatly. Examples of physical controls may
include card keys and configuration tables, as well as other physical security
features such as locked doors, etc. Environmental controls may include temperature
and humidity controls, fire, flood, earthquake controls, or measures to ensure a
consistent power supply.
39. (SO 8) Batch totals and hash totals are common input controls. Considering the fact
that hash totals can be used with batch processing, differentiate between these two
types of controls. Both batch totals and hash totals are mathematical sums of data
that can be used to determine whether there may be missing data. However, batch
totals are meaningful because they provide summations of dollar amounts or item
counts for a journal entry used in the financial accounting system, whereas hash
totals are not relevant to the financial accounting system (i.e., the hash totals are
used only for their control purpose and have no other numerical significance).
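An added example, not part of the solutions manual: the two control totals from question 39 computed over a constructed disbursement batch and re-checked after four kinds of change. Field names and values are assumptions of this example; the last case shows that a hash total is a plain sum, so offsetting changes pass unnoticed.

```python
from decimal import Decimal

# Constructed batch of cash disbursements as keyed at input.
BATCH = [
    {"vendor_no": "10234", "invoice_no": "INV-7001", "amount": "1250.00"},
    {"vendor_no": "10877", "invoice_no": "INV-7002", "amount": "310.45"},
    {"vendor_no": "11502", "invoice_no": "INV-7003", "amount": "9800.00"},
    {"vendor_no": "12019", "invoice_no": "INV-7004", "amount": "64.10"},
]


def control_totals(batch):
    """Compute the totals recorded when the batch is created."""
    return {
        # Item count: meaningful to the accounting system.
        "record_count": len(batch),
        # Batch total: dollar sum, ties to the journal entry.
        "batch_total": sum((Decimal(r["amount"]) for r in batch), Decimal("0")),
        # Hash total: sum of vendor numbers, meaningless except as a control.
        "hash_total": sum(int(r["vendor_no"]) for r in batch),
    }


def reconcile(expected, processed):
    """Return the names of the control totals that no longer agree."""
    actual = control_totals(processed)
    return sorted(name for name in expected if expected[name] != actual[name])


def with_change(batch, index, **fields):
    """Copy the batch with one record's fields replaced."""
    changed = [dict(r) for r in batch]
    changed[index].update(fields)
    return changed


EXPECTED = control_totals(BATCH)

# Payment redirected to another vendor, amount untouched.
REDIRECTED = with_change(BATCH, 2, vendor_no="19999")
# One record lost between input and processing.
DROPPED = BATCH[:3]
# Amount altered, vendor untouched.
INFLATED = with_change(BATCH, 1, amount="3100.45")
# Two vendor numbers swapped: the sum of vendor numbers is unchanged.
SWAPPED = with_change(with_change(BATCH, 0, vendor_no="11502"), 2, vendor_no="10234")

if __name__ == "__main__":
    for name, batch in (("redirected", REDIRECTED), ("dropped", DROPPED),
                        ("inflated", INFLATED), ("swapped", SWAPPED)):
        print(name, "->", reconcile(EXPECTED, batch) or "all totals agree")
```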
40. (SO 8) The test data method and an integrated test facility are similar in that they are
both tests of applications controls and they both rely on the use of test data. Explain
the difference between these two audit techniques. The test data method tests the
processing accuracy of software applications by using the company’s own computer
system to process fictitious information developed by the auditors. The results of the
test must be compared with predicted results. An integrated test facility also tests
processing applications, but can accomplish this without disrupting the company’s
operations. An integrated test facility inputs fictitious data along with the company’s
actual data, and tests it using the client’s own computer system. The testing occurs
simultaneously with the company’s actual transaction processing.
41. (SO 9) Explain the necessity for performing substantive testing even for audit clients
with strong internal controls and sophisticated IT systems. Since substantive testing
determines whether financial information is accurate, it is necessary for all financial
statement audits. Control testing establishes whether the system promotes
accuracy, while substantive testing verifies the monetary amounts of transactions
and account balances. Even if controls are found to be effective, there still needs to
be some testing to make sure that the amounts of transactions and account
balances have actually been recorded fairly.
42. (SO 9) What kinds of audit tools are used to perform routine tests on electronic data
files taken from databases? List the types of tests that can be performed with these
tools. CPA firms use generalized audit software (GAS) or data analysis software
(DAS) to perform audit tests on electronic data files taken from commonly used
database systems. These tools help auditors perform routine testing in an efficient
manner. The types of tests that can be performed using GAS or DAS include:
• mathematical and statistical calculations
• data queries
• identification of missing items in a sequence
• stratification and comparison of data items
• selection of items of interest from the data files
• summarization of testing results into a useful format for decision making
43. (SO 10) Which of the four types of audit reports is the most favorable for an audit
client? Which is the least favorable? An unqualified audit report is the most
favorable because it expresses reasonable assurance that the underlying financial
statements are fairly stated in all material respects. On the other hand, an adverse
opinion is the least favorable report because it indicates the presence of material
misstatements in the underlying financial statements.
44. (SO 10) Why is it so important to obtain a letter of representations from an audit
client? The letter of representations is so important because it is management’s
acknowledgement of its primary responsibility for the fair presentation of the financial
statements. In this letter, management must declare that it has provided complete
and accurate information to its auditors during all phases of the audit. This serves as
a significant piece of audit evidence.
45. (SO 11) How can auditors evaluate internal controls when their clients use IT
outsourcing? When a company uses IT outsourcing, auditors must still evaluate
internal controls. This may be accomplished by relying upon a third-party report from
the independent auditor of the outsourcing center, by auditing around the
computer, or by testing controls at the outsourcing center.
46. (SO 12) An auditor’s characteristic of professional skepticism is most closely
associated with which ethical principle of the AICPA Code of Professional Conduct?
Professional skepticism is most closely associated with the principle of Objectivity
and Independence. Professional skepticism means that auditors should have a
questioning mind and a persistent approach for evaluating financial information for
the possibility of misstatements. This is closely related to the notion of objectivity and
independence in its requirements for being free of conflicts of interest.

Brief Exercises
47. (SO 2) Why is it necessary for a CPA to be prohibited from having financial or
personal connections with a client? Provide an example of how a financial
connection to a company would impair an auditor’s objectivity. Provide an example
of how a personal relationship might impair an auditor’s objectivity. An auditor
should not have any financial or personal connections with a client company
because they could impair his/her objectivity. It would be difficult for an auditor to be
free of bias if he/she were to have a financial or personal relationship with the
company or one of its associates. For example, if an auditor owned stock in a client
company, the auditor would stand to benefit financially if the company’s financial
statements included an unqualified audit report, as this favorable opinion could lead
to favorable results for the company such as paying a dividend, obtaining financing,
etc. Additionally, if an auditor had a family member or other close personal
relationship with someone who works for the company, the auditor’s independence
may be impaired due to the knowledge that the family member or other person may
be financially dependent upon the company or may have played a significant role in
the preparation of the financial statements.
48. (SO 3) From an internal control perspective, discuss the advantages and
disadvantages of using IT-based accounting systems. The advantages of using IT-
based accounting systems are the improvements in internal control due to the
reduction of human error and increase in speed. The disadvantages include the loss
of audit trail visibility, increased likelihood of lost or altered data, lack of segregation
of duties, and fewer opportunities for authorization and review of transactions.
49. (SO 4) Explain why standards of fieldwork for GAAS are not particularly helpful to an
auditor who is trying to determine the types of testing to be used on an audit
engagement. GAAS provides a general framework that is not specific enough to
provide specific guidance in the actual performance of an audit. For detailed
guidance, auditors rely upon standards issued by the PCAOB, the ASB, the IAPC,
and ISACA.
50. (SO 5) Ping and Pong are assigned to perform the audit of Paddle Company. During
the audit, it was discovered that the amount of sales reported on Paddle’s income
statement was understated because one week’s sales transactions were not
recorded due to a computer glitch. Ping claims that this problem represents a
violation of the management assertion regarding existence, because the reported
account balance was not real. Pong argues that the completeness assertion was
violated, because relevant data was omitted from the records. Which auditor is
correct? Explain your answer. The completeness assertion is concerned with
possible omissions from the accounting records and the related understatements of
financial information; in other words, it asserts that all valid transactions have been
recorded. Accordingly, Pong’s argument is correct. Ping’s argument is not correct
because the existence assertion is concerned with the possibility of fictitious
transactions and the related overstatements of financial information.
51. (SO 6) One of the most important tasks of the planning phase is for the auditor to
gain an understanding of internal controls. How does this differ from the tasks
performed during the tests of controls phase? During the planning phase of an audit,
auditors must gain an understanding of internal controls in order to determine
whether the controls can be relied upon as a basis for reducing the extent of
substantive testing to be performed. Understanding of internal controls is the basis
for the fundamental decision regarding the strategy of the audit. It also impacts the
auditor’s risk assessment and establishment of materiality. During the tests of
controls phase, the auditor goes beyond the understanding of the internal controls
and actually evaluates the effectiveness of those controls.
52. (SO 8) How is it possible that a review of computer logs can be used to test for both
internal access controls and external access controls? Other than reviewing the
computer logs, identify and describe two types of audit procedures performed to test
internal access controls, and two types of audit procedures performed to test
external access controls. Internal access controls can be evaluated by reviewing
computer logs for the existence of login failures or unusual activity, and to gauge
access times for reasonableness in light of the types of tasks performed. Auditors
can also test internal access controls by reviewing the company’s policies regarding
segregation of IT duties and other IT controls, and by testing those controls to
determine whether access is being limited in accordance with the company’s
policies. In addition, auditors may perform authenticity testing to evaluate the
authority tables and determine whether only authorized employees are provided
access to IT systems.
Computer logs can also be reviewed to evaluate external access controls, as the
logs may identify unauthorized users and failed access attempts. External access
controls may also be tested through authenticity tests, penetration tests, and
vulnerability assessments. Authenticity tests, as described above, determine
whether access has been limited to those included in the company’s authority tables.
Penetration tests involve the auditor trying to gain unauthorized access to the client’s
system, by attempting to penetrate its firewall. Vulnerability assessments are tests
aimed at identifying weak points in the company’s IT systems where unauthorized
access may occur, such as through a firewall or due to problems in the encryption
techniques.
53. (SO 9) Explain why continuous auditing is growing in popularity. Identify and
describe a computer-assisted audit technique useful for continuous auditing.
Continuous auditing has increased in popularity due to the increase in e-commerce.
Real-time financial reporting has created the need for continuous auditing, whereby
auditors continuously analyze evidence and provide assurance on the related
financial information as soon as it occurs or shortly thereafter. The embedded audit
module is a computer-assisted audit technique that accomplishes continuous
auditing. The embedded audit module approach involves placing special audit
testing programs within a company’s operating system. These test modules search
the data and analyze transactions or account balances that meet specified
conditions of interest to the auditor.
54. (SO 11) Distinguish between the various service organization controls (SOC)
reporting options available to auditors who evaluate cloud computing service
providers. The SOC 1 report addresses internal controls over financial reporting. A
SOC 1 Type I report contains management’s assessment and the auditor’s opinion
on the operating design of internal controls over financial reporting. A SOC 1 Type II
report is an extension of the Type I report in that it also evaluates the operating
effectiveness of those internal controls. A SOC 2 report considers controls over
compliance and operations, including the Trust Services Principles. Similar to SOC 1
reports, SOC 2 reporting options also allow for a Type I or Type II conclusion
depending upon whether the auditor considers suitability of design or operating
effectiveness of those controls, respectively. Finally, a SOC 3 report is an unaudited
report that is available to the general public containing a CPA firm’s conclusion on
the elements of the Trust Services Principles.

Problems
55. (SO 4) Given is a list of standard-setting bodies and a description of their purpose.
Match each standard-setting body with its purpose.
I. c.
II. a.
III. d.
IV. b.

56. (SO 8) Identify whether audit tests are used to evaluate internal access controls (I),
external access controls (E), or both (B).
• Authenticity tests (B)
• Penetration tests (E)
• Vulnerability assessments (E)
• Review of access logs (B)


• Review of policies concerning the issuance of passwords and security tokens (I)

57. (SO 9) Refer to the notes payable audit program excerpt presented in Exhibit 7-3. If
an auditor had a copy of his client’s data file for its notes receivable, how could a
general audit software or data analysis software package be used to assist with
these audit tests? GAS and DAS could assist auditors in testing notes payable by
performing mathematical calculations of interest amounts, stratification of amounts
into current and long-term categories according to maturity dates, and performing
ratio calculations as may be needed to assess compliance with restrictions.

58. (SO 11) In order to preserve auditor independence, the Sarbanes-Oxley Act of 2002
restricts the types of nonaudit services that auditors can perform for their public-
company audit clients. The list includes nine types of services that are prohibited
because they are deemed to impair an auditor’s independence. Included in the list
are the following:
• financial information systems design and implementation
• internal audit outsourcing
Describe how an auditor’s independence could be impaired if she performed IT
design and implementation functions for her audit client. Likewise, how could an
auditor’s involvement with internal audit outsourcing impair her independence with
respect to auditing the same company? Both of these scenarios would place the
auditor in a position of auditing his/her own work. Auditors could not maintain
independence if they are involved in both the IT design and implementation as well
as the financial statement audit. To the extent that the IT system impacts financial
reporting, an auditor could not possibly be unbiased with respect to a system that
he/she had designed and implemented. Likewise, auditors are not likely to be
unbiased when performing a financial statement audit for the same
company for which they performed internal audit work. Any evaluations performed during
the internal audit engagement are likely to have a bearing on the auditor’s
professional attitude while performing the financial statement audit.

59. (SO 2) Visit the AICPA website at www.aicpa.org and select the tab for Career
Paths. Click on “This Way to CPA” to locate information on audit careers. The
AICPA website presents information on various career paths, including public
accounting (audit, taxation, financial planning, etc.), business and industry,
governmental accounting, not-for-profit accounting, education, and
entrepreneurship. Some specialty areas include forensic accounting, environmental
accounting, and showbiz accounting.

60. (SO 4, 9) Visit the ISACA website at www.isaca.org and click on the Knowledge
Center tab, then select ITAF (Information Technology Assurance Framework) and
click on the IT Audit Basics tab to find articles covering topics concerning the audit
process. Locate an article on each of the following topics and answer the related
question:
a. Identify and briefly describe the four categories of CAATs used to support
IT auditing. The four categories include:¹
• data analysis software, including GAS and DAS
• Network security evaluation software/utilities
• OS and DBMS security evaluation software/utilities
• Software and code testing tools
b. List three possible procedures to be performed by auditors who are
evaluating controls pertaining to the backup and recovery of a client’s
data. The three procedures include:²
• Review or observe backup procedures
• Review documentation of a successful restore within the period
• Personally verify restoration when risk is high or when restoration is an
audit objective.
61. (SO 8) Locate the stock tables for the two major stock exchanges in any issue of
the Wall Street Journal. Beginning from any point within the table, prepare a list of
the first digits of the daily volume for 100 stocks. Determine whether the listed
numbers conform to Benford’s Law. Student responses will vary depending upon the
timing of carrying out this requirement and the starting point used. However,
students should determine whether the number 1 is represented as the first digit of
the volume figures for approximately 33% of the items within the list. If so, then the
data conform to Benford’s Law.
62. (SO 12) Perform an Internet search to determine the nature of Xerox Corporation’s
management fraud scheme and to find out what happened to the company after the
problems were discovered. Xerox’s fraud involved earnings management or
manipulation of the financial statements in order to boost earnings. This occurred at
Xerox to the tune of hundreds of millions of dollars and involved various accounting
tricks to hide the company’s true financial performance so that it would meet or beat
Wall Street expectations. The most significant trick was the premature recording of
revenues. Upon discovery of the fraud, the SEC filed a $10 million civil suit against
Xerox, the largest fine in SEC history. In addition, Xerox had to restate its earnings
from 1997 through 2001.

¹ “Using CAATs to Support IS Audit” by S. Anantha Sayana for Information Systems Control Journal, Vol. 1, 2003.
² “What Every IT Auditor Should Know About Backup and Recovery” by Tommie W. Singleton for ISACA Journal, Vol. 6, 2011.

Cases
63. Internal Controls and CAATs for a Wholesale client.
a. What tests of controls would be effective in helping Draker determine whether
Palitt’s vendor database was susceptible to fraud? The following tests of
controls could be used:
• Verify that the database is physically secure and that programs and
data files are password protected to prevent unauthorized access.
Since this situation involves an internal breach of authority, access
logs should be reviewed for activity at unusual times (non-business
hours).
• Make sure that system programmers do not have access to database
operations so that there is no opportunity to alter source code and the
related operational data.
• Ascertain that database inputs are being compared with system-
generated outputs.
• Determine whether run-to-run totals are being generated and reviewed
to evaluate the possibility of lost or altered data.
• Ascertain that computer-generated reports are regularly reviewed by
management.
• Determine whether the client’s field checks, validity checks, and
reasonableness checks are all working effectively.
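An added example, not part of the solutions manual: the access-log review described in question 52 and in case 63(a), run over a constructed log and authority table. The log format, user names, business hours (08:00 to 18:00, Monday to Friday) and the three-failure threshold are all assumptions of this example.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log. Assumed format: ISO timestamp, user, event, resource.
SAMPLE_LOG = """\
2024-03-04T09:12:41 jlee LOGIN_OK vendor_master
2024-03-04T09:15:02 mroy LOGIN_FAIL vendor_master
2024-03-04T09:15:09 mroy LOGIN_FAIL vendor_master
2024-03-04T09:15:20 mroy LOGIN_FAIL vendor_master
2024-03-04T14:30:00 akim LOGIN_OK general_ledger
2024-03-05T02:47:13 jlee LOGIN_OK vendor_master
2024-03-05T10:05:55 akim LOGIN_OK vendor_master
2024-03-09T11:00:00 tmp01 LOGIN_OK vendor_master
corrupted line
"""

# Constructed authority table: which resources each user may access.
AUTHORITY_TABLE = {
    "jlee": {"vendor_master"},
    "mroy": {"vendor_master"},
    "akim": {"general_ledger"},
}


def parse(log_text):
    """Split the log into records; keep lines that do not parse for follow-up."""
    records, unparsed = [], []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            if line.strip():
                unparsed.append(line)
            continue
        stamp, user, event, resource = parts
        try:
            records.append((datetime.fromisoformat(stamp), user, event, resource))
        except ValueError:
            unparsed.append(line)
    return records, unparsed


def in_business_hours(ts, start=8, end=18):
    """Monday to Friday, start <= hour < end (assumed working hours)."""
    return ts.weekday() < 5 and start <= ts.hour < end


def review(log_text, authority, fail_threshold=3):
    """Return the exceptions an auditor would follow up on."""
    records, unparsed = parse(log_text)
    failures = Counter()
    off_hours, unauthorized = [], []
    for ts, user, event, resource in records:
        if event == "LOGIN_FAIL":
            failures[user] += 1
            continue
        # Access time reasonableness: successful access outside working hours.
        if not in_business_hours(ts):
            off_hours.append((user, ts.isoformat()))
        # Authenticity test: user and resource must appear in the authority table.
        if resource not in authority.get(user, set()):
            unauthorized.append((user, resource))
    repeated = {u: n for u, n in failures.items() if n >= fail_threshold}
    return {"repeated_failures": repeated, "off_hours": off_hours,
            "unauthorized": unauthorized, "unparsed": unparsed}


if __name__ == "__main__":
    for finding, items in review(SAMPLE_LOG, AUTHORITY_TABLE).items():
        print(finding, items)
```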
b. What computer-assisted audit technique would be effective in helping Draker
determine whether Palitt’s vendor database had actually been falsified?
Draker could use GAS or DAS to perform audit testing on electronic data files
taken from Lea’s database system. Several types of audit tests commonly
performed by GAS or DAS systems could be used in this case, including data
queries, stratification and comparison of data items, and selection of items of
interest. In addition, the following tests can be performed to test the propriety
of inputs to the system:
• Financial control totals can be used to determine whether total dollar
amounts or item counts are consistent with journal entry amounts.
This can detect whether additions have been made during processing.
• Validation checks can be performed to scan entries for bogus
information. Depending on the type of IT system, a validity check of the
vendor number field may prevent the entry of fictitious vendors.
• Field checks can be performed to identify unrecognized data.
If the bogus transactions are being entered during processing, the auditor
may use program tracing to evaluate program logic for possible points of
entering fraudulent information. Run-to-run totals may also be used to
determine whether data have been altered during processing. In addition,
output controls such as reasonableness tests could be performed to review
the output against authorized inputs, and/or audit trail tests could be
performed to trace transactions through the system to determine if changes
occurred along the way.

64. Issues with the client representation letter.


a. Would it be appropriate for Pannor to reopen the audit testing phases in
order to expand procedures, in light of the lack of representative evidence
from management? Why or why not? No, Pannor should not expand
testing procedures. The purpose of the client’s representations letter is for
management to acknowledge its primary responsibility for the fair
presentation of the financial statements and the accuracy of evidence
provided to the auditors. It is considered the most significant piece of audit
evidence. Obtaining additional evidence would not compensate for a
failure to secure a letter of representations; in fact, it is likely that
additional testing would be meaningless unless management represents
that the evidence it supplies is accurate.
b. Will Pannor’s firm still be able to issue an unqualified audit report if it does
not receive the representations letter? Research the standard wording to
be included in an unqualified audit report, as well as the typical wording
included in a client representations letter. Base your answer on your
findings. No, an unqualified report is no longer possible due to the failure
to obtain written representations from management. This constitutes a
limitation in the scope of the audit. Pannor’s firm may either withdraw from
the engagement or issue a disclaimer. The standard wording for a client
representations letter can be found in AU section 333. The standard
wording for an unqualified audit report can be found in AU section 508.
