Part I Multiple Choice and Short questions


Auditing & Ethics Issues
Tutorial 27
AEI-TE-L27-2003

Tutorial 27: EDP Audit I

Review the lecture notes and reading materials, and ask in the tutorial if you do not understand.

Part I Multiple Choice and Short questions


1. Which of the following is not a characteristic of a batch processed computer system?

a. The collection of like transactions that are sorted and processed sequentially against a master file.
b. Keypunching of transactions, followed by machine processing.
c. The production of numerous printouts.
d. The posting of a transaction, as it occurs, to several files, without intermediate printouts.

2. What type of IT system is characterized by data that are assembled from more than one location and records that are updated immediately?

a. Microcomputer system.
b. Minicomputer system.
c. Batch processing system.
d. Online real-time system.

3. Which of the following best describes a fundamental control weakness often associated with electronic data processing systems?

a. Electronic data processing equipment is more subject to systems error than manual processing is subject to human error.
b. Electronic data processing equipment processes and records similar transactions in a similar manner.
c. Electronic data processing procedures for detection of invalid and unusual transactions are less effective than manual control procedures.
d. Functions that would normally be separated in a manual system are combined in the electronic data processing system.



4. Which of the following would lessen internal control in an IT system?

a. The computer librarian maintains custody of computer program instructions and detailed program listings.
b. Computer operators have access to operator instructions and detailed program listings.
c. The control group maintains sole custody of all computer output.
d. Computer programmers write and debug programs, which perform routines designed by the systems analyst.

5. An IT input control is designed to ensure that

a. Machine processing is accurate.
b. Only authorized personnel have access to the computer area.
c. Data received for processing are properly authorized and converted to machine-readable form.
d. Electronic data processing has been performed as intended for the particular application.

6. Where computer processing is used in significant accounting applications, internal control procedures may be defined by classifying control procedures into two types: general and

a. Administrative.
b. Specific.
c. Application.
d. Authorization.


7. Which of the following most likely constitutes a weakness in the internal controls of an IT system?

a. The control clerk establishes control over data received by the IT department and reconciles control totals after processing.
b. The application programmer identifies programs required by the system's design and flowcharts the logic of these programs.
c. The systems analyst reviews output and controls the distribution of output from the IT department.
d. The accounts payable clerk prepares data from computer processing and enters the data into the computer.


Short Questions

8. What are the problems inherent in on-line and real time systems and how can they be mitigated?

9. What controls should exist over computer operators?

Part II Long Questions

10. Sun system Manufacturing Limited is proposing to install a new computer system, and the financial controller has asked you to suggest the controls that should be exercised over access to the computer system from remote terminals. List and describe the general controls that can be exercised to prevent unauthorized access to the computer system.

11. You are the auditor of Oilco plc, a major petroleum refiner, and you are about to commence the interim audit. The company utilizes an on-line computerized accounting system operated by a central mainframe computer with terminals located in several departments. The audit senior has asked you to take charge of the interim audit of sales and debtors, and has arranged a meeting between yourself and the accountant responsible for the debtors section.

The audit senior further informs you that he wishes you to review the controls in existence not only as regards the accounting for sales and debtors but also the database facility as far as it concerns your audit assignment.

Required

(a) List ten questions you would ask the accountant responsible for the debtors section in order to provide an initial evaluation of the effectiveness of the computer controls over sales and debtors.

(b) Explain the controls which ought to be in existence in order to maintain the integrity of the database.





(c) Explain the reasons why it is important for the auditors to constantly keep up to date with the developments in computerized systems.

12. “The auditors should consider how a computer information systems (“CIS”) environment affects the audit.” (SAS 310.1)

A CIS environment exists when a computer of any type or size is involved in the processing of financial information by the entity. Such financial information must be of significance to the audit, whether that computer is operated by the entity or by a third party.

The overall objective and scope of an audit does not change in a CIS environment. However, the use of a computer changes the processing, storage and communication of financial information and may affect the accounting and internal control systems employed by the entity.

Audit test data and parallel simulation are commonly used audit techniques in auditing a CIS environment.

Required:

(a) Explain what “auditing around the computer” means. State the circumstances under which auditors may consider adopting this approach.

(b) Explain what “auditing through the computer” means. State the circumstances under which auditors may consider adopting this approach.

(c) Explain what “auditing with the computer” means.

(d) Explain what “audit test data” means. State THREE disadvantages of this approach in testing a CIS environment.

(e) Explain what “parallel simulation” means. State THREE advantages of this approach in testing a CIS environment.

(HKAAT Dec 2001)



Part III Revision Questions

Case study 2, page 323 Chapter 32, Alan Millichamp

Case study 1, page 341 of Chapter 32, Alan Millichamp

Question 1, page 325 of Chapter 20, Teresa Ho

Question 1 and question 2, page 342 of Chapter 21, Teresa Ho

Tutorial Exercise Answer
Tutorial 27

1. D
2. D
3. D
4. B
5. C
6. C
7. C


8. The problems include:

- Information will be stored on magnetic files and will be continuously changed
- There will be a minimum of print-outs and minimum of permanently retained data
- Authority for approval of a transaction will be under programmed control procedures without any human intervention

9. Controls over computer operators:

- Segregation of duties
- Rotation of duties
- The use of a manual to standardize the work
- Recording of operator intervention in programmes in the mainframe computer

10.

a. Ensure computer systems are for authorized purposes only
b. Access to computer operations is restricted to authorized personnel, e.g., controls over files and library
c. Reasonable assurance that errors are detected during processing by close supervision of operations, use of operator manual and review of operators' log

11.

(a) The questions to be asked in order to review the computer controls in existence over sales and debtors must cover controls over input, processing, access, files and output. The following questions could be asked of the accountant responsible for the debtors section.




(i) What systematic action is taken to ensure the completeness, accuracy and authorization of input of sales invoices, credit notes, journal entries, cash and so on? For example, batch totaling, sequence checking, programmed matching of input to control files containing details of expected input, and authorization limits and reasonableness checks.

(ii) Are source documents checked one-for-one to processed output and output control totals matched to predetermined manually prepared control totals in the debtors section?

(iii) By what methods is it established that all input is fully and accurately processed? Examples are batch reconciliation after records update, summary totals, programmed validity checks.

(iv) What controls are in place to prevent or detect unauthorized amendments to programs and data files (for example, restrictions of access to programmers and to users of the on-line terminals)?

(v) What controls exist over the work done by computer operators (for example, division of duties, job scheduling, computer logs, cross-checks to input control, authorization of file issue)?

(vi) What procedures are in operation to ensure the continuing correctness of master files and the standing data they contain? For example, record counts or hash totals for the files, produced and checked each time they are used, regular checks of all contents, run-to-run control totals.

(vii) Are there procedures for the review and despatch of output by the computer control section? Examples are: comparison of output with prelist totals of input, checking all queries have been properly dealt with, distribution list for all output and close control over exception reports, audit totals and so on.

(viii) Is the reasonableness of output tested? For example, is output tested against file totals after update, and compared with manually prepared totals and balances on individual debtors accounts?

(ix) Is there an adequate management (audit) trail of generated data and regular listing of ledger balances and debtor analysis?

(x) Is there an accounting manual in existence, detailing all procedures and clerical processes relating to the sales and debtors system, and is it up to date?
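The batch totals, hash totals, record counts and sequence checks named in questions (i), (iii) and (vi) can be reconciled mechanically. The following is an added illustration in Python, not part of the original tutorial; the invoice fields, account numbers and amounts are constructed sample data.

```python
from dataclasses import dataclass, replace
from decimal import Decimal


@dataclass(frozen=True)
class Invoice:
    seq: int           # pre-printed document number
    customer_no: int   # debtor account the invoice is posted to
    amount: Decimal


def control_totals(invoices):
    """Totals of the kind prepared from source documents before input."""
    return {
        "record_count": len(invoices),
        "control_total": sum((i.amount for i in invoices), Decimal("0")),
        # A hash total sums a field with no financial meaning; its only use
        # is to reveal a record that changed between input and output.
        "hash_total": sum(i.customer_no for i in invoices),
        # Sequence check: a missing or duplicated document number shows here.
        "sequence": sorted(i.seq for i in invoices),
    }


def reconcile(prelist, processed):
    """Return {control: (expected, actual)} for each control that disagrees.

    An empty dict means the processed batch reconciles to the prelist.
    """
    actual = control_totals(processed)
    return {k: (v, actual[k]) for k, v in prelist.items() if actual[k] != v}


# Constructed sample batch of four sales invoices (not real data).
SOURCE = [
    Invoice(1001, 40012, Decimal("250.00")),
    Invoice(1002, 40107, Decimal("125.50")),
    Invoice(1003, 40255, Decimal("980.00")),
    Invoice(1004, 40012, Decimal("44.50")),
]
PRELIST = control_totals(SOURCE)

# Case 1: invoice 1002 keyed to account 40170 instead of 40107. Amounts and
# counts still agree, so only the hash total exposes the wrong posting.
MISKEYED = [replace(i, customer_no=40170) if i.seq == 1002 else i for i in SOURCE]

# Case 2: invoice 1003 lost between the debtors section and processing.
DROPPED = [i for i in SOURCE if i.seq != 1003]

if __name__ == "__main__":
    for name, batch in (("clean", SOURCE), ("miskeyed", MISKEYED), ("dropped", DROPPED)):
        print(name, reconcile(PRELIST, batch) or "reconciles")
```

The miskeyed case is the reason a hash total is kept alongside the financial control total: the amounts reconcile even though one invoice has been posted to the wrong debtor.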


(b) A database is a collection of interrelated data, stored together in order to minimize redundant data and to serve multiple applications. The controls which ought to be in existence are as follows.

(i) Proper authorization of input prior to submission of data to the system. Validation tests on input and on its authorization should be built into the system. As the company uses on-line terminals, it may only be practical to authorize input after submission. In this case, the input will need to be prevented from being amended or used to produce output until it is cleared.

(ii) Access must be restricted to authorized personnel and should be logged. Passwords should be used to identify and permit different levels of access.

(iii) Permissible activity should be defined to ensure that operator access to terminals, terminal access to programs and program access to data are restricted and controlled and that evidence is available to demonstrate this.

(iv) The database manager should have overall responsibility for the integrity of the database, and should approve all program modifications and new types of input data and reports to be generated. The database manager must control all aspects of the database, but his work should be segregated for control purposes from applications development, systems analysis, programming, operators, librarians and the control section staff.

(v) Controls should be incorporated to help the auditors to use the database control programme to generate analysis, totals and reports. To compensate for the lack of audit trail, the auditors may require the building in of resident audit monitoring systems and the use of test data and enquiry programs. The centralization of so much data with access possible in several departments increases audit risk and calls for tighter and more sophisticated control than stand-alone applications with their own set of master files.


(c) Auditors must keep up to date with developments in computer systems, hardware and software in order to carry out their statutory duties efficiently and effectively. They need to appreciate fully the scope and areas of audit risk to be found in modern computerized systems. Specialist training will be necessary to keep their expertise up to the standard required by clients and by the needs of their own audit firm. An up to date understanding of computer systems will also help the auditors in the following ways.

(i) To advise clients at the development stage on audit aids and controls to be built into, or provided for, in the system.

(ii) To understand what totals and print outs are needed at different program stages and how to test controls.

(iii) To highlight key features and help assess audit risk and sensitivity to error.

(iv) To obtain stratified files to aid testing and random samples, as a basis for statistical testing.

(v) To obtain computer print outs for direct use on the audit, for example for the circularization of debtors and creditors.

(vi) To appreciate the need to revise audit software to use on new operational systems. In modern computer systems, the auditor may do some of his audit work at the time the data is being processed by the operating system, by tagging audit flags on to user accounts.


12.

(a) Auditing around the computer means that the auditor bypasses the computer and treats it as a giant book-keeping machine. This is acceptable in some situations but becomes unacceptable if the relationship between the output and the input cannot be properly understood without examining the intervening computer processing, e.g. when there is no visible audit trail.

This technique is used when the audit trail is complete, computer processing operations are straightforward and system documentation is complete and readily available.

(b) Auditing through the computer means that the auditor focuses on the computer and its programmes directly in the audit. The auditor’s intent is to perform tests of control and substantive tests on the computer, operating system and application system software. For example, the auditor submits data for processing and analyses results to determine the processing reliability and accuracy of the computer programme.

Auditors may consider adopting this approach when:

(i) the transaction trails exist for a short period of time or only in computer-readable form,

(ii) the auditors would like to test the EDP controls of the client’s systems.

(c) Auditing with the computer means that the computer and its programmes are treated as a tool of the auditors, e.g. putting computers to work footing subsidiary ledgers on magnetic tape or disk, calculating amounts such as depreciation, comparing the contents of two files, and computing ratios required for analysis.





(d) The objective of the audit test data approach is to determine whether the client’s computer programmes can correctly process valid and invalid transactions. To fulfil this objective, the auditor develops both valid and invalid transactions that are processed under the auditor’s own control using the client’s EDP equipment. Since the auditor has complete knowledge of the errors and irregularities that exist in the test data, it is possible for the auditor to check whether the client’s system has properly processed the input.

Disadvantages of audit test data approach may include the following:

(i) There is no assurance that the actual programme used by the client to process actual data has been tested.

(ii) The client’s programme is tested for reliability of controls that exist only at the time the test transactions are being processed.

(iii) Since test transactions are used, there is no opportunity to examine transactions actually processed by the system.

(iv) It can be time-consuming to create a representative range of transactions capable of testing all kinds of valid and invalid conditions and combinations. Hence the test data approach is most useful in simple computer systems where the number of conditions for testing is limited.

(v) The scope of testing is limited to the type of data designed by the auditors.

(e) A parallel simulation involves the auditor writing a computer programme that replicates all or part of a client’s application system. The auditor makes comparisons between the client’s application system output and the auditor’s understanding of the client’s systems via the parallel simulation. An exception report is generated to record the differences identified.

Advantages of the parallel simulation approach may include the following:

(i) As the auditor’s programme is used, the auditor can test essential controls in the client’s system.

(ii) The auditor’s programme is run concurrently with the client’s programme, so the auditor can be assured that the correct programme is being tested.

(iii) The auditor can utilize real data to trace the transactions back to source documents and check for approvals.




(iv) No fictitious data is used, thus reducing the risk of disruption to the client’s files.

(v) There is no limitation in the scope of testing as the sample size can be expanded easily without additional cost in developing any other sets of test data.
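
Parallel simulation as described in (e), as an added example that is not part of the original tutorial: the auditor's own program recomputes invoice totals from the client's processed records and writes an exception report of the differences. The file layout, the 5% discount rule at 1000.00 and all figures are assumptions constructed for the illustration.

```python
import csv
import io
from decimal import Decimal, ROUND_HALF_UP

# Constructed extract of the client's processed invoice file (not real data).
CLIENT_OUTPUT = """invoice_no,qty,unit_price,client_total
INV-2001,10,25.00,250.00
INV-2002,40,30.00,1140.00
INV-2003,20,50.00,1000.00
INV-2004,3,19.99,59.97
INV-2005,50,30.00,1425.00
"""

# Assumed pricing rule, standing in for the auditor's documented
# understanding of the client's system: 5% off when gross >= 1000.00.
DISCOUNT_THRESHOLD = Decimal("1000.00")
DISCOUNT_RATE = Decimal("0.05")


def simulate_total(qty, unit_price):
    """Auditor's independent re-implementation of the invoice calculation."""
    gross = qty * unit_price
    if gross >= DISCOUNT_THRESHOLD:
        gross -= gross * DISCOUNT_RATE
    return gross.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def parallel_simulation(client_csv):
    """Recompute every record and return the exception report as a list."""
    exceptions = []
    for row in csv.DictReader(io.StringIO(client_csv)):
        simulated = simulate_total(Decimal(row["qty"]), Decimal(row["unit_price"]))
        reported = Decimal(row["client_total"])
        if simulated != reported:
            exceptions.append({
                "invoice_no": row["invoice_no"],
                "client_total": reported,
                "simulated_total": simulated,
                "difference": reported - simulated,
            })
    return exceptions


if __name__ == "__main__":
    for exc in parallel_simulation(CLIENT_OUTPUT):
        print(exc)
```

An entry in the report shows only that the two programs disagree; the auditor still has to establish whether the client's programme or the auditor's understanding of the rule is wrong, here at the boundary value of exactly 1000.00.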