IT Audit, Chapter 12: "Assessing Control Risk and Reporting on Internal Control" flash cards

Narrative

(12.1) A written description of a client’s internal controls, including the origin, processing, and disposition of documents and records and the relevant control procedures.

Flowchart

(12.1) A diagrammatic representation of the client’s documents and records and the sequence in which they are processed.

Internal Control Questionnaire

(12.1) A series of questions about the controls in each audit area used as a means of indicating to the auditor aspects of internal control that may be inadequate.

Walkthrough

(12.1) The tracing of a selected transaction through the entire accounting process, including information systems, until it is reflected in the financial records using the same documents and IT that entity personnel use to ensure that the controls designed by management have been implemented.

Assessment of Control Risk

(12.2) A measure of the auditor’s expectation that internal controls will neither prevent material misstatements from occurring nor detect and correct them if they have occurred.

Indirect Control

(12.2) A foundational control that supports a direct control but that is not sufficiently precise to prevent or detect and correct misstatements at the detection level.

Direct Control

(12.2) A control that is precise enough to address the risk of material misstatement at the assertion level.

Control Risk Matrix

(12.2) A methodology used to help the auditor assess control risk by matching key internal controls and internal control deficiencies with audit objectives.

Key Control

(12.2) A control that is expected to have the greatest effect on meeting audit objectives (also referred to as identified/relevant controls).

Control Deficiency

(12.2) A deficiency in the design or operation of a control that does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct misstatements on a timely basis.

Significant Deficiency

(12.2) A deficiency or combination of deficiencies in internal control over financial reporting that is less severe than a material weakness but important enough to merit attention by those charged with governance.

Material Weakness

(12.2) A deficiency or combination of deficiencies in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected and corrected on a timely basis.

Compensating Control

(12.2) A control elsewhere in the system that offsets the absence of a key control.

Test of Controls

(12.3) The procedures used to test effectiveness of controls in support of a reduced assessed control risk.

Test Data Approach

(12.7) A method of auditing an IT system that uses the auditor’s test data to determine whether the client’s information system correctly processes valid and invalid transactions.

Parallel Simulation Testing

(12.7) An audit testing approach that involves the auditor’s use of audit software to replicate some part of a client’s application system.

Embedded Audit Module Approach

(12.7) A method of auditing transactions processed by IT whereby the auditor embeds a module in the client’s application software to identify transactions with characteristics that are of interest to the auditor. Then, the auditor analyzes these transactions on a real-time, continuous basis as client transactions are processed.

Generalized Audit Software

(12.7) Computer programs used by auditors that provide data retrieval, data manipulation, and reporting capabilities specifically oriented to the needs of auditors.