Help
Options
Didn't know it?
click below
click below
Knew it?
click below
click below
Don't Know
Remaining cards (0)
Know
retry
shuffle
restart
0:00
Embed Code - If you would like this activity on your web page, copy the script below and paste it into your web page.
Normal Size Small Size show me how
Normal Size Small Size show me how
ais test 3
| Question | Answer |
|---|---|
| auditing | a systematic process of objectively obtaining and evaluation evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to ppl |
| what are the 3 phases of a financial audit? | familiarization with client firm, evaluation and testing of internal controls, assessment of reliability of financial data |
| what is audit risk? | the probability the auditor will issue an unqualified opinion when in fact the financial statements are materially misstated |
| What are the 3 components of audit risk? | inherent risk, control risk, detection risk |
| inherent risk | associated with the unique characteristics of the business or industry of the client |
| control risk | the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts |
| detection risk | the risk that errors not detected or prevented by the control structure will also not be detected by the auditor |
| what are the 2 main types of audit tests? | tests of controls, substantive testing |
| tests of controls | tests to determine if appropriate IC are in place and functioning effectively |
| substantive testing | detailed examination of account balances and transactions |
| Pre-SOX audit of internal controls | did not require IC tests, only required to be familiar with client's IC, audit consisted primarily of substantive tests |
| post SOX audit of internal controls | there was a radically expanded scope of audit, issue new audit opinion on mgmt's IC assessment, required to test IC affecting financial info, collect docs of mgmt's IC tests and interview mgmt on IC changes |
| major requirements under SOX 404 | state responsibility for establishing and maintaining adequate financial reporting IC, assess IC effectiveness of financial reporting, reference the external auditors' attestation report on mgmt's IC assessment |
| major requirements under SOX 404 | provide explicit conclusions on the effectiveness of financial reporting IC, identify the framework mgmt used to conduct their IC assessment |
| major requirements under SOX 302 | certify financial & other info contained in the reports, the IC over financial reporting, state responsibility for IC design, provide reasonable assurance as to the reliability of the financial reporting process, disclose ne recent material changes in IC |
| distributed computing | computer services are distributed to end users and placed under their control |
| centralized computing | all data processing is performed by one or more large computers housed at a central site that serves users throughout the org. |
| what are the five control implications of distributed data processing | incompatibility, redundancy, consolidating incompatible activities, acquiring qualified professionals, lack of standards |
| what are the audit objectives for the computer center? | physical security IC protects the computer center, insurance coverage compensates for damage to the computer center, operator documentation addresses routine operations as well as system failures |
| in centralized computing what are the critical segregation of duties? | systems development from computer operations, DBA from other computer service functions, maintenance from new systems development, data library from operations |
| what is the audit objective for computer center disaster recover planning | verify that DRP is adequate and feasible for dealing with disasters |
| financial statements reflect | a set of mgmt assertions about the financial health of an entity |
| the task of the auditor is to | determine whether the financial statements are fairly presented |
| auditors develop their audit objectives and design audit procedures based on | assertions |
| attestation | practitioner is engaged to issue a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party |
| assurance | professional services that are designed to improve the quality of info, both financial and non-financial, used by decision makers |
| general standards of auditing | the auditor must have adequate technical training and proficiency, must have independence of mental attitude, must exercise due professional care in the performance of the audit and the prep of the report |
| standards of field work | audit work must be adequately planned, the auditor must gain a sufficient understanding of the internal control structure , must obtain sufficient, competent evidence |
| reporting standards of auditing | the auditor must state in the report whether financial statements w/ generally accepted acct princ., report must identify those circumstances in which GAAP were not applied, report must identify any items that dont have adequate info disclosures |
| mgmt assertion of existence or occurrence | objective: inventories listed on the balance sheet exist. procedure: observe the counting of PI |
| mgmt assertion of completeness | objective: accts payable include all obligations to vendors for the period. procedure: compare receiving reports, supplier invoices, PO's, and journal entries for the period and the beginning of the next period |
| mgmt assertion of rights and obligations | objective: plant and equip listed in the bal. sheet are owned by the entity, procedure: review purchase agreements, insurance policies, and related docs |
| mgmt assertion of valuation or allocation | objective: accts rec. are stated at net realizable value. procedure: review entity's aging of accts and evaluate the adequacy of the allowance for uncorrectable accts |
| mgmt assertion of presentation and disclosure | obj: contingencies not reported in financial accts are properly disclosed in footnotes. procedures: obtain info from entity lawyers about the status of litigation and estimates of potential loss |
| the auditor's objective is to | minimize qudit risk by performing tests of controls and substantive tests |
| the stronger the internal control structure, | the lower the control risk and less substantive tests an auditor must do |
| evidence gathering can include both: | manual technique, using specialized computer audit techniques |
| external auditors | represent the interests of third party stakeholders |
| an external financial audit | an independent attestation by an external auditor- CPA regarding the faithful representation of the financial statements |
| internal auditors | serve an independent appraisal function w/in the organization, often perform tasks which can reduce external audit fees and help to achieve audit efficiency and reduce audit fees |
| sarbanes oxley act of 2002 established new corporate governance rules | created company acct oversight board, issuer & mgmt disclosure, inc. accountability for co. officers and board of directors, inc. white collar crime penalties, addressed auditor independence |
| SOX audit implications | pre-sox audits did not require IC tests, SOX radically expanded the scope of the audit, |
| SOX impact on assurance services | prior to SOX, acct firms could provide assurance services concurrently to audit functions, greatly restricts the types of nonaudit services that auditors may render audit clients |
| modern financial reporting is driven by | information technology |
| IT initiates, authorizes, records, and reports the | effects of financial transactions |
| what is an IT audit? | focus on the computer based aspects of an organization's info system, assess the proper implementation, operation, and control of computer resources |
| 3 phases of an IT audit | audit planning, tests of controls phase, substantive testing phase |
| internal control especially segregation of duties, is affected by which 2 organizational structures applies: | centralized model, distributed model |
| distributed data processing | reorganizing the computer services function into small info processing units that are distributed to end users and placed under their control |
| centralized data processing | all data processing is performed by one or more large computers housed at a central site that serves users throughout the organization |
| primary areas of centralized data processing | database administration, data processing, systems development, systems maintenance |
| centralized IT structure critical to segregate | systems development from computer operations, DBA from other computer service functions, maintanence from new systems development, data library from operations |
| despite its many advantages, important IC implications are present: | incompatible software among the various work centers, data redundancy may result, consolidation of incompatible tasks, difficulty hiring qualified professionals, lack of standards |
| a corporate IT function alleviates potential problems associated with distributed IT organizations by providing: | central testing of commercial hardware and software, a user services staff, a standard-setting body, reviewing technical credentials of prospective systems professionals |
| computer center IC considerations | man-made threats and natural hazards, underground utility and communications lines, a/c and air filtration systems, access limited operators and computer center works, fire suppression systems installed, fault tolerance |
| Computer Center IC audit objectives | physical security IC protects computer center from physical exposures, insurance coverage compensates the organization for damage to the computer center, operator documentation addresses routine operations as well as system failures |
| audit procedures | review the corporate policy on computer security, review documentation to determine if individuals or groups are performing incompatible functions, review systems documentation and maintenance records |
| audit procedures | observe if segregation policies are followed in practice, review user rights and privileges, review insurance coverage on hardware, software and physical facility, review operator documentation, run manuals for completeness and accuracy |
| disaster recovery plans identify | actions before, during and after the disatster, disaster recovery team, priorities for restoring critical applications |
| audit objective of DRP | verify that it's adequate and feasible for dealing with disasters |
| major IC concerns of DRP | second-site backups, critical applications and databases, back-up and off-site storage procedures, disaster recovery team, testing the DRP regularly |
| empty shell | involves 2 or more organizations that buy or lease a building and remodel it into a computer site, but without computer equipment |
| recovery operations center | a completely equipped site; very costly and typically shared among many companies |
| internally provided backup | companies with multiple data processing centers may create internal excess capacity |
| DRP audit procedures | evaluate adequacy of second-site backup arrangements, review list of critical applications for completeness and currency, verify that procedures are in place for storing off-site copies of applications and data |
| DRP audit procedures | verify that documentation, supplies, etc., are stored off-site, verify that the disaster recovery team knows its responsibilities |
| role of the OS | computer's control program, allows users and their apps to share and access common computer resources, handles the details of the operation of the hardware thus relieving application programs from having to manage these details |
| control objectives for OS | protect itself from tampering from users, prevent users from tampering with the programs of other users, safeguard users' apps from accidental corruption its own programs from accidental corruption, protect itself from power failures and other disasters |
| what role does the access control list serve in OS security | assigned to each computer resource and contain info that defines the access privileges for all valid users of the resource |
| audit procedures for malicious and destructive threats to the OS | review or verify: training of operations personnel on destructive programs, testing of new software prior to being implemented, currency of antiviral software and frequency of upgrades |
| event monitoring | an audit log that summarizes key activities, typically record the IDs of all users accessing the system, time & duration of a user's session, programs used, & files, databases, printers, and other resources used |
| 2 crucial database control issues | database access controls, database backup controls |
| audit procedures for database access controls | verify DBA sole responsibility for creating authority tables and designing user views, verify access privileges stored in the authority table are consistent with user's organizational functions, evaluate costs and benefits of use of biometric controls |
| 4 features of backup and recovery procedures of large scale database mgmt systems | database backup, transaction log, checkpoint features, recovery module |
| database backup | automatic periodic copy of entire database |
| transaction log | list of transactions and resulting changes to database which provides an audit trail |
| checkpoint features | suspends data during system reconciliation- occurs several times an hour |
| recovery module | restarts the system after a failure |
| purpose of database lockout | software control that prevents multiple simultaneous accesses to data, used to help ensure database currency which is the presence of complete and accurate data at all IPU sites |
| deadlock phenomenon | occurs in partitioned databases when multiple sites lock each other out of data that they are currently using, one site needs data locked by another site, special software needed to analyze and resolve conflicts |
| 2 general forms of risks associated with network communications technology | risks from subversive threats, risks from equipment failure |
| risks from subversive threats | unauthorized interception of a message, gaining unauthorized access to an organization's network, denial of service attack from a remote location |
| risks from equipment failure | noice on the communications line causes data loss |
| how does public key encryption work? | uses a public and private key, public key used for encoding and is distributed to all users, private key used for decoding and should only be distributed to the user for whom the messages are intended |
| digital signature | electronic authentication that cannot be forged, ensures that the message or document transmitted originated with the authorized sender and that it was not tampered w/ after the signature |
| message authentication | unauthorized access control |
| parity check | equipment failure control |
| call-back device | unauthorized access control |
| echo check | equipment failure control |
| line error | equipment failure control |
| data encryption | unauthorized access control |
| request response technique | unauthorized access control |
| OS performs 3 main tasks: | translates high level languages in the machine level language that the computer can execute, allocates computer resources to user apps, manages the tasks of job scheduling and multiprogramming |
| jobs are submitted to the system in 3 ways | directly by the system operator, from various batch-job queues, through telecommunications links from remote workstations |
| log-on procedures | first line of defense-user IDs and passwords- limited attempts |
| access token | created once log on is successful- contains key info about the user including privileges |
| access control list is assigned to each resource | defines access privileges of all valid users, system compares user privileges contained in access token w/ those in access control list for a match |
| discretionary access privileges | allows some users privileges to grant access to others, may be Read-Only or Read-Write |
| accidental threats to OS | hardware failures that cause OS to crash, errors in user application programs may cause OS failures |
| intentional threats to OS | attempts by internal and external users to illegally access data, exploit security flaws and insert destructive programs into the OS |
| threats to OS can be reduced through combination of technology controls and admin procedures | controls over software purchases and use of public domain software, policy, procedures, and training on use of unauthorized software, making changes to production programs,raising user awareness of threats, examine upgrades for viruses, backup |
| audit objectives of malicious and destructive programs | verify effectiveness of procedures to protect against programs such as viruses, worms, backdoors, logic bombs, and trojan horses |
| audit procedures of malicious and destructive programs | review or verify: training of operating personnel concerning destructive programs, testing of new software prior to being implemented, currency of antiviral software and frequency of upgrades |
| audit objectives of controlling access privileges | verify that access privileges are consistent w/ separation of incompatible functions and organization policies |
| audit procedures of controlling access privileges | review or verify: policies for separating incompatible functions, a sample of user privileges, especially access to data and programs- based on need to know, security clearance checks of privileged employees |
| audit objectives of password control | ensure adequacy and effectiveness of password policies for controlling access to the operating system |
| audit procedures of password control | review or verify: passwords required for all users, instructions for new users, changed regularly, password file for weak passwords, encryption, standards, acct lockout policies |
| audit trails | logs that record activity at the system, application, and user level |
| audit trail controls can be used to support security objectives in 3 ways: | detect unauthorized access, facilitate event reconstruction, promote accountability |
| 2 types of audit trail logs: | detailed logs of individual keystrokes, even monitoring log |
| audit objectives of audit trail controls | ensure the established audit trail is adequate for preventing and detecting abuses, reconstructing key events that precede system failures and planning resource allocation |
| audit procedures of audit trail controls | review or verify: how long audit trails have been in place, archived log files for key indicators, monitoring and reporting of security violations |
| PC based accounting systems | used by small firms and some large decentralized firms, allow 1 or few individuals perform entire accounting function |
| PC control issues with segregation of duties | tend to be inadequate and should be compensated for with increased supervision, detailed mgmt reports, and frequent independent verification |
| PC control issues with access control | controls to the data stored on the computer tend to be weak, methods such as encryption and disk locking devices should be used |
| PC control issues with accounting records | computer disk failures cause data losses, external backup methods need to be implemented to allow data recovery |
| database access controls | designed to prevent unauthorized individuals from viewing, retrieving, corrupting, or destroying the entity's data |
| audit objectives of database access controls | verify those authorized to use databases are limited to data needed to perform their duties and unauthorized individuals are denied access to data |
| PC control issues with segregation of duties | tend to be inadequate and should be compensated for with increased supervision, detailed mgmt reports, and frequent independent verification |
| PC control issues with access control | controls to the data stored on the computer tend to be weak, methods such as encryption and disk locking devices should be used |
| PC control issues with accounting records | computer disk failures cause data losses, external backup methods need to be implemented to allow data recovery |
| database access controls | designed to prevent unauthorized individuals from viewing, retrieving, corrupting, or destroying the entity's data |
| audit objectives of database access controls | verify those authorized to use databases are limited to data needed to perform their duties and unauthorized individuals are denied access to data |
| database backup controls | ensures that in the event of data loss from any adverse incident, the organization can recover its files and databases |
| audit objectives of database backup controls | verify backup controls can adequately recover lost, destroyed, or corrupted data |
| user views | based on sub-schemas |
| database authorization table | allows greater authority to be specified |
| user-defined procedures | allows the user to create a personal security program or routine |
| data encryption | encoding algorithms that are used to protect highly sensitive data- both stored and being transmitted across networks |
| biometric devices | user authentication using fingerprints, retina prints, or signature characteristics |
| the user view or subschema is a | subset of the database that defines the user's data domain and restricts access accordingly |
| audit concern of user view | access privileges match user's needs |
| user views retrict access but do not | define task privileges such as read or write |
| database access controls audit procedures | verify DBA sole responsibility for creating authority tables and designing user views, verify access privileges stored int he authority table are consistent with user's organizational functions, evaluate costs and benefits of use of biometric controls |
| database backup controls audit procedures | verify: that production databases are copied at regular intervals, backup copies of the database are stored off site to support disaster recovery |
| these database options impact the organization's ability to maintain database integrity, to preserve audit trails, and to have accurate acct records | centralized or distributed data, if distributed, replicated or partitioned, if replicated, totally or partially, if partitioned, what allocation of the data segments among the sites |
| distributed data processing | the data retained in a central location, remote IPUs send request for data, central site services the needs of the remote IPUs, the actual processing of the data is performed at the remote IPU site |
| advantages of DDP | cost reductions in hardware and data entry tasks, improved cost control responsibility, improved user satisfaction since control is closer to the user level, backup of data can be improved through the use of multiple data storage sites |
| disadvantages of DDP | loss of control, mismgmt of resources, hardware and software incompatibility, redundant tasks and data, consolidating incompatible tasks, difficulty attracting qualified personnel, lack of standards |
| partitioned DDP | central database is split into segments that are distributed to their primary users |
| advantages of partitioned DDP | users control is increased by having data stored at local sites, transaction processing response time is improved, volume of transmitted data b/w IPUs is reduced, reduces the potential data loss from a disaster |
| replicated DDP | entire database is duplicated for multiple IPUs, effective for situations w/ a high degree of data sharing, but no primary user, data traffic b/w sites is reduced considerably, maintaining current data at all locations is difficult |
| the deadlock phenomenon | a problem with partitioned databases, occurs when multiple sites lock each other out of data that they are currently using, one site needs data locked by another site, special software need to analyze and resolve conflicts |
| network topologies consists of various configurations of | communications lines, hardware components, software |
| internal controls for subversive threats | firewalls provide network security by channeling all network connections through a control gateway, only authorized traffic allowed to pass through |
| network level firewalls | low cost and low security access control, do not explicitly authenticate outside users, filter junk or improperly routed messages, experienced hackers can easily penetrate the system |
| application level firewalls | customizable network security, but expensive, sophisticated functions such as logging or user authentication |
| dual homed firewall | high level of firewall security, 2 firewall interfaces: screens requests from the internet, provides access to the intranet |
| denial of service attacks | security software searches for connections which have been half open for a period of time |
| 3 common forms of DOS attacks | smurf attacks, SYN flood attacks, DDos attacks |
| smurf attacks controlling | organizations can program firewalls to ignore an attacking site, once identified |
| controlling SYN flood attacks | get internet hosts to use firewalls that block invalid IP addresses, use security software that scan for half open connections |
| controlling DDos attacks | IPS works with a firewall filter that removes malicious packets from the flow before they can affect servers and networks, DPI searches for protocol non compliance and employs predefined criteria to decide if a packet can proceed to its destination |
| advance encryption standard | a 128 bit encryption technique that has become a US government standard for private key encryption, uses a single key known to both sender and receiver |
| triple data encryption standard | considerable improvement over single encryption techniques, use of multiple keys greatly reduces chances of breaking the cipher, thought to be very secure but very slow |
| all private key techniques have a common problem | the more individuals who need to know the key, the greater the probability of it falling into the wrong hands, the solution to this problem is public key encryption |
| public key encryption | each recipient has a private key that is kept secret and a public key that is published |
| digital signature | authentication technique using public key encryption to ensure that transmitted message originated w/ the authorized sender, message was not tampered w/ after the signature was applied |
| digital certificate | like an electronic id card used with a public key encryption system, verifies the authenticity of the message sender |
| message sequence numbering | sequence number used to detect missing messages |
| message transaction log | listing of all incoming and outgoing messages to detect the efforts of hackers |
| request response technique | random control messages are sent from the sender to ensure messages are received |
| call back devices | receiver calls the sender back at a pre authorized phone number before transmission is completed |
| audit objectives for subversive threats | verify security and integrity of financial transactions by determining that the network controls can prevent and detect illegal internal and internet network access, render useless any data captured by a perpetrator |
| audit procedures for subversive threats | review firewall effectiveness in terms of flexibility, proxy services, filtering segregation of systems, audit tools, and probing for weaknesses, review data encryption security procedures, verify encryption by testing, review msg trans logs |
| audit objectives for equipment failures | verify the integrity of the electronic commerce trans by determining that controls are in place to detect and correct msg loss due to an equipment failue |
| audit procedures for equipment failure | using a sample of a sample of messages from the trans log: examine them for garbled contents caused by line noise, verify that all corrupted msgs are successfully retransmitted |
| What is the SDLC | the system development life cycle is a multiphase process used to develop, maintain, and assess an information system |
| steps in an SDLC | determine user needs, develop a plan, write program instructions, test the program, document the program, train program users, install and use the system, maintain system, audit system |
| auditing objectives for system maintenance program changes | to detect unauthorized program maintenance and determine that maintenance procedures protect apps from unauthorized changes, apps are free from material errors, program libraries are protected from unauthorized access |
| what is a source program library | library of applications and software, place where programs are developed and modified, once compiled into machine language, no longer vulnerable |
| purpose of the SPL mgmt system | to protect the SPL by controlling the following functions: storing programs on the SPL, retrieving programs for maintenance purposes, deleting obsolete programs from the library, documenting program changes to provide an audit trail of the changes |
| COSO identifies 2 types of IT controls | general controls and application controls |
| general controls | apply to all systems and address IT governance and infrastructure, security of operating systems and databases, and application and program acquisition |
| application controls | apply to specific apps and programs to ensure data validity, completeness, and accuracy |
| what is the goal of application input and output controls | input controls-to ensure valid, accurate, and complete input data output controls-to ensure that system output is not lost, misdirected, or corrupted, and that privacy is not violated |
| what are 3 application processing controls | batch controls, run-to-run controls, audit trail controls |
| batch controls | reconcile system output w/ the input originally entered into the system |
| run to run controls | use batch figures to monitor the batch as it moves from one programmed procedure to another |
| audit trail controls | numerous logs used so that every trans can be traced through each stage of processing from its economic source to its presentation in financial statements |
| what are the 2 classes of techniques for auditing apps | testing of application internal controls, substantive testing through examination of transaction details and acct balances |
| what are 2 general approaches for testing application internal controls | black box-around the computer, auditor focuses on input procedures and output results white box- through the computer, auditor focuses on understanding the internal logic of processes b/w input and output |
| when auditing through the computer what 3 techniques are used | test data method, integrated test facility, parallel simulation |
| test data method | testing for logic or control problems |
| integrated test facility | an on going technique that enables the auditor to test an application's logic and controls during normal operation |
| parallel simulation | auditor writes simulation programs and runs actual transactions of the client through the system |
| name 2 technologies commonly used to substantive testing to selct, access, and organize data | embedded audit module, generalized audit software |
| check digits | input control |
| batch controls | processing control |
| missing data checks | input control |
| run to run checks | processing control |
| numeric alphabetic checks | input control |
| limit checks | input control |
| audit trail checks | processing control |
| range checks | input control |
| reasonableness checks | input control |
| validity checks | input control |
| 2 major paths a company takes in developing info systems | moderate and large firms with unique info needs may develop their info systems in house, a greater number of companies purchase info systems from software vendors |
| SDLC | 1. systems strategy 2. project initiation 3. in-house development 4. commercial packages 5. maintenance and support |
| audit objectives for SDLC | activities are applied consistently and in accordance with mgmt's policies, system as originally implemented was free from material errors and fraud, the systems judged to be necessary and justified at various checkpoints, system doc is sufficient |
| audit procedures for SDLC | new systems must be formally authorized, feasibility studies were conducted, user needs were analyzed and addressed, cost-benefit analysis was done, proper documentation was completed, all program modules must be thoroughly tested before they started |
| maintenance phase of SDLC | last, longest and most costly phase, may constitute up to 80 to 90% of entire cost of system |
| auditing objectives for system maintenance program change | maintenance procedures protect apps from unauthorized changes, apps are free from material errors, program libraries are protected from unauthorized access |
| auditing procedures for system maintenance program change | ID and correction of unauthorized program changes, ID and correction of app errors, control of access to systems libraries |
| SPL mgmt systems | protect the SPL by controlling the following functions: storing programs on the SPL, retrieving programs for maintenance purposes, deleting obsolete programs from the library, documenting program changes to provide an audit trail of the changes |
| SPL control features | password control, separation of test libraries, audit trails, reports that enhance mgmt control and the audit function, assigns program version numbers automatically, controlled access to maintenance commands |
| goal of input controls | valid, accurate, and complete input data |
| 2 common causes of input errors | transcription errors-wrong character or value, transposition errors- right character or value in wrong place |
| goal of output controls | to ensure that system output is not lost, misdirected, or corrupted, and that privacy is not violated |
| output spooling | creates a file during the printing process that may be inappropriately accessed |
| printing creates 2 risks: | production of unauthorized copies of output, employee browsing of sensitive data |
Created by:
1401120066