Deck 11: Information Technology Auditing

A)Is a component of IT auditing
B)Has one objective - to ensure that IT is used strategically to fulfill an organization's mission
C)Is intended to ensure both the strategic use of IT and control over IT resources
D)Is primarily intended to deter IT fraud

A)efficiency and effectiveness of operations
B)compliance with laws and regulations
C)reliability of internal and external reporting
D)managing day to day operations of business units

A)The file information is not human readable
B)The volume of transaction records and master file records is usually much larger in computerized systems than in manual systems
C)An audit trail does not exist in a computerized AIS
D)Computerized systems often use remote real-time data processing, thus complicating the tracing of transaction records to their sources

A)CISAs must comply with the Code of Professional Ethics
B)Maintaining the CISA designation requires substantial continuing professional education
C)The CISA exam covers a variety of job practice areas relevant to IT auditing
D)The CISA exam is administered by the Institute of Internal Auditors

A)A degree in information systems or technology
B)A degree which combines the study of accounting with the study of information systems
C)No college degree, but work experience in information systems
D)An accounting degree

A)Are never used in compliance testing
B)May be used for substantive and compliance testing
C)Are used primarily when auditing around the computer
D)Are good tools for auditors who are lacking in technical computer skills

A)Use test data
B)Verify that the output from the computerized processing was correct for the input data used to generate it
C)Never use a surprise audit because of the amount of time and work involved
D)Prepare a profile of a computer file and check the processed data with the profile thus obtained

A)The emphasis which is placed on testing data processing exceptions
B)Use of live data
C)The minimal disturbance of a company's records
D)both b and c

A)Requirements to use an IT auditor to evaluate controls
B)Regulations governing executive reporting and conduct
C)Rules about financial statement reporting
D)Audit committee/corporate governance requirements

A)Confirmation sampling
B)Test data
C)Tests of program authorization
D)Embedded audit modules

A)Documentation of all program changes on proper change-request forms
B)Proper costing of all program change requests
C)A review of each program change request by an internal auditor
D)Matches between program documentation and the production version of a computer program

A)It requires the construction of a high volume of test data
B)It introduces artificial transactions into the transaction stream
C)It produces overkill in the audit function
D)It is not broad enough to cover the entire spectrum of activities involved in the AIS

A)Allows auditors to evaluate transactions in an operational setting
B)Can test every exception transaction as opposed to test data which includes only a limited set of such transactions
C)Works best at evaluating input controls
D)Has no disadvantages

A)Section 404
B)Section 201
C)Section 103
D)Section 302

A)People skills are more important than technical skills
B)An example of people skills would be the ability to work on a team
C)In the case of protecting against computer viruses, technical skills matter more than people skills
D)Many internal controls evaluated by auditors concern human behavior

A)Test data
B)Integrated test facility
C)Evaluation of program change control
D)Parallel simulation

A)Uses the computer to process transaction data under normal processing conditions
B)Uses the computer as a tool to assist in various other auditing tasks
C)Relies heavily upon test data to evaluate the presence or absence of specific computer controls
D)Must also use an integrated test facility

A)They provide for continuous auditing of application processing
B)The auditor does not have to be involved in the development of these programs
C)Once implemented, the system can capture information that is useful to the auditor on an ongoing basis
D)With this approach, the application program incorporates subroutines for audit purposes

A)Exception reporting technique
B)Transaction tagging technique
C)Snapshot technique
D)Parallel simulation technique

A)Sequential access program systems
B)Positive confirmation audit systems
C)Embedded audit modules
D)Generalized auditing packages

A)Provide guidance on the planning and execution of IT assurance activities
B)Provide guidance on the attributes of the IT auditing profession
C)Provide guidance on the nature of communications issued by the IT auditor
D)Provide guidance on the distribution of IT audit reports

A)Does not include checking to see that all program changes are properly documented
B)Does not include a check of librarian functions
C)Does not include checking to see that program change requests are properly costed
D)Includes a cross-check of program changes against in-use programs

A)Auditing through-the-computer
B)Auditing around-the-computer
C)Auditing of manual accounting systems
D)Non-auditing procedures performed by a firm's accounting subsystem employees

A)Test only the computer programs of an AIS
B)Test only the manual operations of an AIS
C)Test both the programs and the manual operations of an AIS in an operational setting
D)Test the computer programs, the manual operations, and the auditing procedures of a company using a computerized AIS

A)A minimum password length of six digits
B)Restriction of passwords to numeric characters only
C)Required use of words that can be found in a dictionary
D)A requirement for a minimum interval (such as one day)before a password may be changed

A)A decentralized approach to IT acquisition
B)Using IT strategically to carry out the objectives of an organization
C)Ensuring effective management of an organization's IT resources
D)Control over IT-related risks

A)Test data, integrated test facilities, and parallel simulation
B)Test data, edit checks, and integrated test facilities
C)Test data, program change control, and parallel simulation
D)Program change control, edit checks, and parallel simulation

A)An example of an integrated test facility
B)A generalized audit software program
C)A tool used for continuous auditing
D)A query language used by auditors to retrieve and manipulate data

A)Use of embedded audit modules
B)Testing of outputs to verify processing
C)Computer program testing
D)Validation of computer programs

A)Internal auditing outsourcing services
B)Expert services related to the audit
C)Actuarial services
D)Implementation of a financial information system

A)In governmental agencies
B)To audit accounting systems
C)To achieve organizational objectives
D)To hire the board of directors

A)Weak access controls prevent unauthorized use of systems
B)Access controls allow auditors to employ continuous auditing techniques
C)Access controls make test data more effective
D)Weak access controls can allow users to bypass many other controls

A)To increase recruiting of IT specialists
B)To abandon the CISA certification
C)To stop using cloud computing
D)To increase their focus on debits and credits

A)Failure to remove fake transactions from the client's system
B)High costs of building the facility
C)Discovery of many control weaknesses
D)none of the above

A)Focusing most of the audit effort near the year-end
B)Alerting auditors to potential problems when the problems occur
C)Protecting the privacy of the auditors
D)Facilitating parallel simulation

A)Enron's CEO, Jeffrey Skilling, claimed he did not know about the company's financial shenanigans because he was not involved in their accounting
B)Public perception was that auditors were having conflicts of interest with respect to the auditing and consulting services they provided
C)The FASB has long been thought to be ineffective
D)Congress wanted to restore investor confidence in the wake of a rash of corporate scandals

A)Provide guidance on the planning and execution of IT assurance activities
B)Provide guidance on the attributes of the IT auditing profession
C)Provide guidance on the nature of communications issued by the IT auditor
D)Provide guidance on the distribution of IT audit reports