Vocabulary-style flashcards covering the foundations of RAIT, the auditor's role, IT department functions, application controls, and various CAATs as detailed in the lecture notes.
Risks Arising from the use of IT (RAIT)
Risks to the integrity of information or control effectiveness caused by ineffective design or operation of an entity's IT processes.
Information-Processing Controls
Low-level, specific controls embedded within individual applications, such as an automated three-way match in a payables system.
General IT Controls (GITCs)
High-level, broad controls supporting the IT environment foundation, including password policies, backup procedures, and change management.
SAS No. 145 Mandate
An auditing standard requiring auditors to understand information flow and identify specific RAITs that could lead to material misstatements.
Interfaced Systems
Systems that communicate with each other via data transfers, increasing the risk assessment for RAIT.
Unauthorized Access (Cybersecurity)
A risk where external or internal parties gain entry to a system, potentially leading to data destruction or recording fictitious transactions.
Privileged Access Issues
A risk where users or IT staff have excessive access, such as an administrator able to both create users and approve transactions, breaking segregation of duties.
Master File Changes
Unauthorized edits to permanent data, such as supplier bank account details or customer credit limits, resulting in fraudulent payments.
Application Changes
Unauthorized or poorly tested software updates that may introduce errors or bypass controls, such as disabling a validation check.
Inappropriate Intervention
Manual overrides that bypass automated controls, such as forcing an invoice through without required approvals.
Data Loss
The inability to access data due to hardware failures or lack of backups, causing incomplete records for audit procedures.
Systems Analysis
The IT function responsible for designing information systems and determining how they meet operational needs.
Application Programming
The IT function that develops and codes computer programs based on system designs.
Database Administration
The IT function that designs, manages, and controls the organization's database to ensure organization and security.
Program and File Library
The IT function that protects system programs, master files, and important records from loss or unauthorized use.
Data Control
The IT function that reviews input procedures, monitors processing, manages exception reports, and distributes system outputs.
Systems Programming
The IT function that maintains and upgrades operating systems and ensures compatibility with application programs.
Quality Assurance (QA)
The IT function that tests systems to ensure they meet user requirements and documentation standards.
Continuous Monitoring
Regular IT assessment using performance measures, defect identification, and security monitoring for threats like cyberattacks.
Grandfather-Father-Son Principle
A backup retention principle using multiple generations of backups (daily, weekly, monthly) to allow restoration to different points in time.
Reciprocal Agreement
A disaster recovery option where two entities agree to share backup facilities (also known as a Mutual Aid Pact).
Hot Site
A fully equipped backup facility with real-time data replication, offering minimal downtime at a high cost.
Warm Site
A partially equipped backup facility requiring setup and data restoration before use.
Cold Site
A basic backup facility with power and cooling but no equipment; the slowest and cheapest recovery option.
IT Application Controls
Controls embedded within software or transaction cycles to ensure authorization, completeness, accuracy, and validity of data.
Limit Test
An input control that checks upper or lower reasonableness limits, such as a transaction amount ≤₱1,000,000.
Validity Test
An input control that compares input against a master file or table to check if a code, such as a customer code, exists.
Self-Checking Digit
A redundant check digit embedded in an account number used to validate the number's accuracy.
Completeness Check
A control that verifies all required fields are supplied, triggering an error message if data is missing.
Control Total
The use of batch totals, such as financial totals or record counts, to verify that input amounts match the batch total.
Field Check
A control that checks for proper character types, such as ensuring an age field contains only numeric characters.
Field Size Check
A control ensuring data length is within specific limits, such as a phone number being exactly 11 digits.
Logic Tests
Processing controls that reject illogical encoded data, such as an invoice date occurring after the payment date.
Auditing Around the Computer
A Black Box approach where the auditor ignores internal system logic and only examines inputs and outputs.
Auditing Through the Computer
A White Box approach where the auditor tests the internal logic and procedures of the IT system directly.
Computer-Assisted Auditing Techniques (CAATs)
Software tools used for detailed analysis of system configurations, vulnerabilities, and logs during an audit.
Code Review
A CAAT for program analysis that examines source code to detect errors, inefficiencies, or control weaknesses.
Parallel Simulation
A program testing CAAT where the auditor reprocesses client data using an independent program to compare results with the client's output.
Integrated Test Facility (ITF)
A CAAT that creates a dummy entity (Minicompany) within the live system to process test transactions alongside real data.
System Control Audit Review File (SCARF)
A log created by an embedded audit module used to collect specific transaction information for subsequent review.
Audit Hooks
Exit points in an application program used to activate audit modules for transaction tagging.
Generalized Audit Software (GAS)
Software that performs various audit tasks including sampling, calculations, and organizing digital audit files.
Automated Working Software
Microcomputer-based software used to generate trial balances, lead sheet schedules, and other digital workpapers.
Text Retrieval Software
Software used to access standard-setting bodies and accounting information databases for research.