Deck 14: Auditing It Controls Part I: Sarbanes-Oxley and It Governance

A)Auditors must determine whether changes in internal control have materially affected (or are likely to affect) internal control over financial reporting.
B)Auditors must interview management regarding significant changes in the design or operation of internal control that occurred since the last audit.
C)The board of directors must certify quarterly and annually their organization's internal controls over financial reporting.
D)Management must disclose any material changes in the company's internal controls that have occurred during the most recent fiscal quarter.

A)rapid turnover of systems professionals complicates management's task of assessing the competence and honesty of prospective employees
B)many systems professionals have direct and unrestricted access to the organization's programs and data
C)rapid changes in technology make staffing the systems environment challenging
D)systems professionals and their supervisors work at the same physical location

A)systems development from data processing
B)data operations from data librarian
C)data preparation from data control
D)data control from data librarian

A)weakens database access security
B)allows programmers access to make unauthorized changes to applications during execution
C)results in inadequate documentation
D)results in master files being inadvertently erased

A)backups of systems software
B)backups of application software
C)documentation and blank forms
D)results of the latest test of the disaster recovery program

A)an internally provided backup
B)a recovery operations center
C)an empty shell
D)a mutual aid pact

A)off-site storage of backups
B)computer services function
C)second site backup
D)critical applications identified

A)A statement of management's responsibility for establishing and maintaining adequate internal control user satisfaction.
B)A statement that the organization's internal auditors has issued an attestation report on management's assessment of the company's internal controls.
C)A statement identifying the framework used by management to conduct their assessment of internal controls.
D)An explicit written conclusion as to the effectiveness of internal control over financial reporting.

A)month-end adjustments
B)accounts receivable
C)accounts payable
D)order entry/billing

A)natural disasters such as fires
B)unauthorized access
C)data corruption caused by program errors
D)system crashes

A)program coding from program operations
B)program operations from program maintenance
C)program maintenance from program coding
D)All of the above duties should be separated.

A)lack of separation of duties
B)system incompatibilities
C)system interdependency
D)lack of documentation standards

A)the host site may be unwilling to disrupt its processing needs to process the critical applications of the disaster stricken company
B)intense competition for shell resources during a widespread disaster
C)maintenance of excess hardware capacity
D)the control of the shell site is an administrative drain on the company

A)separate systems development from systems maintenance
B)separate systems analysis from application programming
C)separate systems development from data processing
D)separate database administrator from data processing

A)it is an inexpensive solution
B)the initial recovery period is very quick
C)the company has sole control over the administration of the center
D)none of the above are advantages of the recovery operations center

A)substantive testing
B)tests of controls
C)post-audit testing
D)audit planning

A)Auditors must maintain independence.
B)IT auditors attest to the integrity of the computer system.
C)IT auditing is independent of the general financial audit.
D)IT auditing can be performed by both external and internal auditors.

A)internal auditors represent the interests of the organization and external auditors represent outsiders
B)internal auditors perform IT audits and external auditors perform financial statement audits
C)internal auditors focus on financial statement audits and external auditors focus on operational audits and financial statement audits
D)external auditors assist internal auditors but internal auditors cannot assist external auditors

A)that all of the assets and equities on the balance sheet exist
B)that all employees are properly trained to carry out their assigned duties
C)that all transactions on the income statement actually occurred
D)that all allocated amounts such as depreciation are calculated on a systematic and rational basis

A)completing questionnaires
B)interviewing management
C)observing activities
D)confirming accounts receivable

A)exists because all control structures are flawed in some ways.
B)is the likelihood that material misstatements exist in the financial statements of the firm.
C)is associated with the unique characteristics of the business or industry of the client.
D)is the likelihood that the auditor will not find material misstatements.

A)In the CBIS environment, auditors gather evidence relating only to the contents of databases, not the reliability of the computer system.
B)Conducting an audit is a systematic and logical process that applies to all forms of information systems.
C)Substantive tests establish whether internal controls are functioning properly.
D)IT auditors prepare the audit report if the system is computerized.

A)review of fire marshal records
B)review of the test of the backup power supply
C)verification of the second site backup location
D)observation of procedures surrounding visitor access to the computer center

A)inspection of the second site backup
B)analysis of the fire detection system at the primary site
C)review of the critical applications list
D)composition of the disaster recovery team

A)clearly marked exits
B)an elaborate water sprinkler system
C)manual fire extinguishers in strategic locations
D)automatic and manual alarms in strategic locations

A)Cloud resources are used to protect an organization from the consequences of disasters and service disruptions.
B)DRaaS is the most secure disaster recovery option available to most businesses.
C)Cloud resources are used as backups in place of all traditional forms of data backup.
D)DRaaS is different than other outsourcing of the IT function because it exposes a client's data more fully than other cloud services.

A)examining the safety deposit box for stock certificates
B)reviewing systems documentation
C)completing questionnaires
D)observation

A)The auditor must have adequate technical training and proficiency.
B)The auditor must obtain sufficient, competent evidence.
C)The auditor must have independence of mental attitude.
D)All of the above are generally accepted auditing standard general standards.

A)control risk
B)legal risk
C)detection risk
D)inherent risk

A)confirming accounts receivable
B)counting inventory
C)completing questionnaires
D)counting cash

A)systems documentation is inadequate because of pressures to begin coding a new program before documenting the current program
B)illegal lines of code are hidden among legitimate code and a fraud is covered up for a long period of time
C)a new systems analyst has difficulty in understanding the logic of the program
D)inadequate systems documentation is prepared because this provides a sense of job security to the programmer

A)the probability that the auditor will render an unqualified opinion on financial statements that are materially misstated
B)associated with the unique characteristics of the business or industry of the client
C)the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts
D)the risk that errors not detected or prevented by the control structure will also not be detected by the auditor

A)Auditors gather evidence using tests of controls and substantive tests.
B)The most important element in determining the level of materiality is the mathematical formula.
C)Auditors express an opinion in their audit report.
D)Auditors compare evidence to established criteria.

A)reduce audit fees
B)ensure independence
C)represent the interests of management
D)None of the above. Internal auditors are not permitted to assist external auditors with financial audits.

A)evaluating internal controls
B)preparing financial statements
C)expressing an opinion
D)analyzing financial data

A)ability to backup computing facilities
B)improved user satisfaction
C)efficient use of resources
D)All of the above are advantages of distributed data processing.

A)When management outsources their organization's IT functions, they also outsource responsibility for internal control.
B)Once a client firm has outsourced specific IT assets, its performance becomes linked to the vendor's performance.
C)IT outsourcing may effect incongruence between a firm's IT strategic planning and its business planning functions.
D)The financial justification for IT outsourcing depends upon the vendor achieving economies of scale.

A)network management
B)systems operations
C)systems development
D)server maintenance

A)application maintenance
B)data warehousing
C)highly skilled employees
D)server maintenance

A)separating the programmer from the computer operator
B)preventing management override
C)separating the inventory process from the billing process
D)performing independent verifications by the computer operator

A)Core competency theory argues that an organization should outsource specific core assets.
B)Core competency theory argues that an organization should focus exclusively on its core business competencies.
C)Core competency theory argues that an organization should not outsource specific commodity assets.
D)Core competency theory argues that an organization should retain certain specific noncore assets in-house.

A)theft or illegal use of computer-readable information
B)theft, misuse, or misappropriation of computer equipment
C)theft, misuse, or misappropriation of assets by altering computer-readable records and files
D)theft, misuse, or misappropriation of printer supplies

A)Large-scale IT outsourcing involves transferring specific assets to a vendor.
B)Specific assets, while valuable to the client, are of little value to the vendor.
C)Once an organization outsources its specific assets, it may not be able to return to its pre-outsource state.
D)Specific assets are of value to vendors because, once acquired, vendors can achieve economies of scale by employing them with other clients.

A)altering program logic to cause the application to process data incorrectly
B)misusing the firm's computer resources
C)destroying or corrupting a program's logic using a computer virus
D)creating illegal programs that can access data files to alter, delete, or insert values