Flashcards on Auditing in a CIS (IT) Environment, Risk Assessments, and Internal Control.
Characteristics of a CIS organizational structure
Concentration of functions and knowledge, and concentration of programs and data.
Absence of input documents in CIS processing
Data may be entered directly into the computer system without supporting documents.
Lack of visible audit trail in CIS processing
The transaction trail may be partly in machine-readable form and may exist only for a limited period.
Lack of visible output in CIS processing
Certain transactions or results of processing may not be printed, or only summary data may be printed.
Ease of access to data and computer programs in CIS
Data and computer programs may be accessed and altered at the computer or through computer equipment at remote locations.
General CIS Controls
Establish a framework of overall control over CIS activities to provide reasonable assurance that internal control objectives are achieved.
Organization and management controls in CIS
Designed to define strategic direction and establish an organizational framework over CIS activities.
Development and maintenance controls in CIS
Designed to provide reasonable assurance that systems are developed, acquired, implemented, and maintained in an authorized and efficient manner.
Delivery and support controls in CIS
Designed to control the delivery of CIS services.
Monitoring controls in CIS
Designed to ensure that CIS controls are working effectively as planned.
CIS Application Controls
Establish specific control procedures over application systems to provide reasonable assurance that all transactions are authorized, recorded, and processed completely, accurately, and on a timely basis.
Controls over Input in CIS
Ensure transactions are authorized, accurately converted, and not lost, added, or duplicated.
Controls over processing and computer data files in CIS
Ensure transactions are properly processed and that processing errors are identified and corrected.
Controls over output in CIS
Ensure results of processing are accurate, access is restricted, and output is provided to authorized personnel.
Various configurations of a personal computer (PC)
Stand-alone workstation, workstation part of a LAN, workstation connected to a server.
On-line computer systems
Enable users to access data and programs directly through terminal devices.
Functions users can directly initiate in on-line systems
Entering transactions, making inquiries, requesting reports, updating master files, electronic commerce activities.
On-line/real time processing
Individual transactions are entered at terminal devices, validated, and used to update related computer files immediately.
On-line/batch processing
Individual transactions are entered at a terminal device, subjected to validation checks, and added to a transaction file. Later, the transaction file updates the master file.
Network environment
Communication system that enables computer users to share computer equipment, application software, data, and voice and video transmissions.
File server
Computer with an operating system that allows multiple users in a network to access software applications and data files.
Basic types of networks
Local area network (LAN), Wide area network (WAN), Metropolitan area network (MAN).
Database
Collection of data that is shared and used by many different users for different purposes.
Database management system (DBMS)
Software that creates, maintains, and operates the database.
Characteristics of database systems
Data sharing and Data independence.
Software
Computer programs which instruct the computer hardware to perform the desired processing.
Operating System
Controls the functioning of the CPU and its peripheral equipment.
Multiprogramming
Processes a program until an input/output operation is required.
Multiprocessing
Multiple CPUs process data while sharing peripheral devices, allowing two or more programs to be processed simultaneously.
Virtual Storage
The operating system separates user programs into segment pages automatically.
Database Management System (DBMS)
Software package for the purpose of creating, accessing, and maintaining a database.
Electronic Data Interchange (EDI)
Electronic exchange of transactions, from one entity’s computer to another entity’s computer through an electronic communications network.
Authentication in EDI
Controls must exist over the origin, proper submission, and proper delivery of EDI communications to ensure that the EDI messages are accurately sent and received to and from authorized customers and suppliers.
Encryption in EDI
Involves conversion of plain text data to cipher text data to make EDI messages unreadable to unauthorized persons.
Auditing around the computer
The auditor ignores or bypasses the computer processing function of an entity’s EDP system.
Auditing with the computer
The computer is used as an audit tool.
Auditing through the computer
The auditor enters the client’s system and examines directly the computer and its system and application software.
Program analysis
Techniques that allow the auditor to gain an understanding of the client’s program.
Code review
Involves actual analysis of the logic of the program’s processing routines.
Comparison programs
Programs that allow the auditor to compare computerized files.
Flowcharting software
Used to produce a flowchart of a program’s logic and may be used both in mainframe and microcomputer environments.
Program tracing
Technique in which each instruction executed is listed along with control information affecting that instruction.
Program mapping
Identifies sections of code which may be a potential source of abuse.
Snapshot
Technique that “takes a picture” of the status of program execution, intermediate results, or transaction data at specified processing points in the program processing.
Program testing
Involves the use of auditor-controlled actual or simulated data.
Historical audit techniques
Test the audit computer controls at a point in time.
Test data
Set of dummy transactions specifically designed to test the control activities that management claims to have incorporated into the processing programs.
Integrated test facility (ITF)
Variation of test data whereby simulated data and actual data are run simultaneously with the client’s program and computer results are compared with auditor’s predetermined results.
Parallel simulation
Involves processing the client’s live (actual) data utilizing an auditor’s generalized audit software.