27 Cards in this Set
- Front
- Back
|
When conducting an audit, why do auditors collect evidence?
|
To support the auditor's opinion.
|
|
Describe professional skepticism.
|
Professional skepticism is the attitude an auditor should have when evaluating a business. This attitude means that an auditor should not immediately accept management assertions at face value. The auditor should use enough measures to assure himself that the assertions are credible. This includes gathering and analyzing evidence needed to evaluate those assertions. Professional skepticism is important to auditing, because it allows an auditor to perform an effective audit. It helps the auditor to determine where problems could arise and the types of testing that should be used.
|
|
T/F: When it comes to working with the implementation team, auditors generally should be involved in an advisory capacity as well as executing the controls to be implemented.
|
False
|
|
Describe the 6 basic steps that you can take to build a partnership relation between IT auditors and IT organizations.
|
i) Be intentional about regular updates and meetings with IT management.
ii) Establish formal audit liaisons with different IT organizations.
iii) Get yourself invited to key meetings.
iv) Cultivate an attitude of collaboration and cooperation.
v) Implement job swaps with the IT organization.
vi) Involve the IT organization in IT audit hiring decisions. |
|
Explain:
a. What is an Embedded Audit Module (EAM)?
b. List a key benefit of an EAM. |
a. An EAM is software that is attached to the accounting system that allows the auditor to set up parameters that allow it to group or extract sets of information or transactions for the auditor to review. These parameters are typically set up to identify unusual transactions or inputs into the database so that the auditor can review them.
b. One key benefit of EAMs is that they are extremely useful in helping to detect errors, abuse, and fraud. |
|
Why should accountants and auditors understand data normalization?
|
Accountants and auditors should understand normalization because data anomalies can have serious effects on the quality of information. Update anomalies may create conflicting and obsolete database values. Insertion anomalies may lead to unrecorded transactions and incomplete audit trails. Deletion anomalies can lead to the loss of records and audit trails. Also, normalization has internal control implications and is important to data extraction.
|
|
Consider the design of relational databases.
a. Name the six phases in designing relational databases.
b. For each phase, provide a brief explanation. |
i. Identify Entities
- In the first phase, one must identify the primary entities of the organization and construct a data model of their relationships.
ii. Construct a data model showing entity associations
- One must determine the associations between entities and model the associations into an ER diagram.
iii. Add primary keys and attributes
- One must assign primary keys to all entities in the model to uniquely identify records.
- Each attribute should appear in one or more user views.
iv. Normalize and add foreign keys
- One must remove repeating groups and partial and transitive dependencies, and assign foreign keys to be able to link tables.
v. Construct the physical database
- One must create physical tables and populate the tables with data.
vi. Prepare the user views
- The normalized tables should support all required views of system users.
- User views should restrict users from having access to unauthorized data.
Correctly naming the 6 phases will merit half of the credit, with the explanations of each phase earning the remaining credit. Understanding the process of designing the database is as important as how it works. |
|
Why is Generalized Audit Software (GAS) so popular for IT auditors? What should an IT auditor be aware of when he/she uses GAS?
|
GAS is popular because:
- It is easy to use and requires little computer background.
- Many products are platform independent and work on mainframes and PCs.
- Auditors can perform tests independently of IT staff.
- GAS can be used to audit the data currently being stored in most file structures and formats.
- GAS can be applied in simple structures and complex structures.
IT auditors should be aware of the following when using GAS:
- Auditors must sometimes rely on IT personnel to produce files/data.
- There is a risk that data integrity is compromised by extraction procedures.
- Auditors skilled in programming are better prepared to avoid these pitfalls. |
|
What is the Pareto concept?
|
The Pareto Concept is the notion that it is not always practical for 100% of a risk to be mitigated when developing control solutions. The cost may be too high to completely eliminate risk. On the other hand, a certain level of risk could be mitigated for a reasonable cost.
|
|
T/F: Access controls are the “heart” of accounting information integrity.
|
True
|
|
T/F: According to the Learning Videos, Cash Receipts are not a good candidate for the batch approach.
|
False
|
|
Which of the following procedures are commonly associated with legacy systems?
a. keypunch batch of shipping notices
b. edit the program and correct any errors
c. sort run on batches by the AR account number
d. AR update and run billing
e. all of the above. |
All of the above
|
|
Describe five advantages of using a real-time process.
|
i. Greatly shortens the cash cycle of the firm.
ii. Can give a firm a competitive advantage (e.g. managing inventory better).
iii. Real-time editing permits the identification of many kinds of errors as they occur, greatly reducing the efficiency and effectiveness of business processes.
iv. Reduces the number of paper documents.
v. Electronic audit trails are possible in real-time computer-based systems. |
|
List four input controls associated with the revenue cycle.
|
- Data Validation Controls (error logs)
- Missing data checks
- Limit checks
- Numeric-Alphabetic checks
- Range checks
- Validity checks
- Check digit |
|
Give three techniques of Process Controls and briefly describe each of the techniques given.
|
a. File update controls – run-to-run batch control data to monitor data processing steps.
b. Transaction code controls – process different transactions using different programming logic.
c. Sequence check controls – for sequential files, proper sorting of transaction files is required.
d. Testing file update controls
i. testing data that contains errors (incorrect transaction codes, out of sequence)
ii. can be performed in ITF or test data
iii. CAATTs require careful planning
iv. A single audit procedure can be devised that performs all tests in one operation |
|
T/F: COSO was formed by the five major professional associations in the U.S., so it’s partially dependent on those organizations.
|
False
|
|
Which of the professional associations below is NOT one of the bodies that form the Committee of Sponsoring Organizations (COSO)?
a. American Accounting Association (AAA)
b. Institute of Management Accountants (IMA)
c. Financial Executives Institute (FEI)
d. American Institute of Certified Public Accountants (AICPA)
e. All above associations are |
All of the above
|
|
Which of these is NOT a quality of information that COBIT highlights?
a. Compliance
b. Reliability
c. Integrity
d. Relevance |
Relevance
|
|
What are the 11 major areas addressed by ISO 27001?
|
- Security policy
- Organization of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development, and maintenance
- Information security incident management
- Business continuity management
- Compliance |
|
List and briefly describe the six maturity levels in the IT Governance Maturity Model.
|
- 0 (nonexistent): Management processes are not applied at all
- 1 (initial/ad hoc): Processes are ad hoc and disorganized
- 2 (repeatable but intuitive): Processes follow a regular pattern
- 3 (defined process): Processes are documented and communicated
- 4 (managed and measurable): Processes are monitored and measured
- 5 (optimized): Good practices are followed and highly automated |
|
T/F: Under transaction authorization as an internal control activity, from the cash disbursement standpoint, you want to make sure the purchasing department authorizes the payment.
|
False - The accounts payable department authorizes payment
|
|
Which of the following is not an input control of the Expenditure Cycle?
a. Batch controls
b. Purchase authorization controls
c. Accounts Payable change report
d. Data validation controls |
A/P change report (it's an output control)
|
|
The “payroll run” where companies pay their employees is well-suited for which type of processing?
a. Batch processing
b. Random-access processing
c. Ad-hoc processing
d. Food processing |
Batch processing
|
|
What are the 6 categories of internal controls for expenditures?
|
a. transaction authorization,
b. separation of duties,
c. supervision,
d. accounting records,
e. access, and
f. independent verification. |
|
T/F: The EU Commission has implemented corporate governance changes that are similar to the requirements outlined in SOX. The EU Commission changes include smaller but comparable criminal sanctions and fines.
|
False - The EU does not recommend fines or criminal sanctions
|
|
Which of the following is focused on technical controls such as network perimeter protection, encryption, and workstation security?
a. HIPAA Privacy Rule
b. HITECH Act
c. HIPAA Security Rule
d. Gramm-Leach-Bliley Act |
HIPAA Security Rule
|
|
What are the three high-level control objectives mandated by the Financial Services Modernization Act (the Gramm-Leach-Bliley Act)?
|
a. Ensuring the confidentiality of customers’ financial information.
b. Protecting against anticipated threats to customer records.
c. Protecting against unauthorized access to customer information that could result in substantial impact to the customer. |