Review Questions
12-3 The audit trail represents the accumulation of source documents and
records maintained by the client to serve as support for the transactions
occurring during the accounting period. The integration of IT can change the
audit trail by converting many of the traditionally paper-based source documents
and records into electronic files that cannot be visually observed. Because many
of the transactions are entered directly into the computer as they occur, some of
the documents and records are even eliminated.
12-2
12-5 In most traditional accounting systems, the duties related to authorization
of transactions, recordkeeping of transactions, and custody of assets are
segregated across three or more individuals. As accounting systems make
greater use of IT, many of the traditional manually performed tasks are now
performed by the computer. As a result, some of the traditionally segregated
duties, particularly authorization and recordkeeping, fall under the responsibility
of IT personnel. To compensate for the collapsing of duties under the IT function,
key IT tasks related to programming, operation of hardware and software, and
data control are segregated. Separation of those IT functions restricts an IT
employee’s ability to inappropriately access software and data files in order to
misappropriate assets.
12-6 General controls relate to all aspects of the IT function. They have a global
impact on all software applications. Examples of general controls include controls
related to the administration of the IT function; software acquisition and
maintenance; physical and on-line security over access to hardware, software,
and related backup; back-up planning in the event of unexpected emergencies;
and hardware controls. Application controls apply to the processing of individual
transactions. An example of an application control is a programmed control that
verifies that all time cards submitted are for valid employee id numbers included
in the employee master file.
12-7 The typical duties often segregated within an IT function include systems
development, computer operations, and data control. Systems development
involves the acquisition or programming of application software. Systems
development personnel work with test copies of programs and data files to
develop new or improved application software programs. Computer operations
personnel are responsible for executing live production jobs in accordance with a
job schedule and for monitoring consoles for messages about computer
efficiency and malfunctions. Data control personnel are responsible for data input
and output control. They often independently verify the quality of input and the
reasonableness of output. By separating these functions, no one IT employee
can make changes to application software or underlying master files and then
operate computer equipment to use those changed programs or data files to
process transactions.
12-10 “Auditing around the computer” represents an audit approach whereby the
auditor does not use computer controls to reduce control risk. Instead, the auditor
uses non-IT controls to support a reduced control risk assessment. In these
situations, the use of IT does not significantly impact the audit trail. Typically, the
auditor obtains an understanding of internal control and performs tests of
controls, substantive tests of transactions, and account balance verification
procedures in the same manner as if the accounting system was entirely manual.
The auditor is still responsible for gaining an understanding of general and
application computer controls because such knowledge is useful in identifying
risks that may affect the financial statements.
12-11 The test data approach involves processing the auditor’s test data using
the client’s computer system and the client’s application software program to
determine whether the computer-performed controls correctly process the test
data. Because the auditor designs the test data, the auditor is able to identify
which test items should be accepted or rejected by the computer. When using
this approach the auditor should assess the following:
How effectively does the test data represent all relevant conditions
that the auditor wants to test?
How certain is the auditor that the application programs being
tested by the auditor’s test data are the same programs as those
used by the client throughout the year to process actual
transactions?
How certain is the auditor that test data is effectively eliminated
from the client’s records once testing is completed?
12-4
12-12 Often companies that purchase and install vendor developed software
applications on computer hard drives rely on IT consultants to assist in the
installation and maintenance of that software because those companies do not
have dedicated IT personnel. Also, assignment of responsibility may reside with
user departments. Companies can reduce these risks related to not having IT
personnel by performing sufficient reference and background checks about
software vendor and IT consultant reputations. In addition, companies can load
software programs onto hard drives in a format that does not permit changes by
client personnel, particularly non-IT user department personnel who may have
primary responsibility for the system. Companies should also consider
segregating key duties related to access to master files and responsibilities for
processing transactions.
12-15 An online sales ordering system poses many potential risks for an audit
client. Risks that may exist include:
12-5
These risks can be addressed by the use of firewalls, encryption
techniques, and digital signatures. A firewall is a system of hardware and
software that monitors and controls the flow of e-commerce communications by
channeling all network connections through a control gateway. A firewall protects
data, programs, and other IT resources from external users accessing the
system through networks, such as the Internet. Encryption techniques are based
on computer programs that transform a standard message into a coded
(encrypted) form. One key (the public key) is used for encoding the message and
the other key (the private key) is used to decode the message. Encryption
techniques protect the security of electronic communication during the
transmission process. Finally, the use of digital signatures can enhance internal
controls over the online sales order system by authenticating the validity of
customers and other trading partners who conduct business with the client
company.
12-6
TRANSACTION-RELATED COMPUTER-BASED
MISSTATEMENT AUDIT OBJECTIVE CONTROLS
12-7
6. A customer order was Recorded transactions Preprocessing
filled and shipped to a exist authorization
former customer that had Preprocessing
already filed bankruptcy. review
Programmed
controls (e.g.,
comparison to
customer file)
7. The sales manager Transactions are stated Preprocessing
approved the price of at the correct amounts review
goods ordered by a
Programmed
customer, but he wrote
controls (e.g.,
down the wrong price.
comparison to the
on-line authorized
price list)
8. Several remittance Existing transactions are Control totals
advices were batched recorded reconciled to
together for inputting. The manual totals of all
Transactions are
cash receipts clerk batches
recorded on the correct
stopped for coffee, set Computer accounts
dates
them on a box, and failed for numerical
to deliver them to the data sequence of
input personnel. batches submitted
12-20
* This solution assumes the data control procedures will serve as a check
on the computer operator and will allocate work across both persons.
d. If all five functions were performed by one person, internal control would
certainly be weakened. However, the company need not be unauditable, for two
reasons: First, there may be controls outside the IT function which accomplish
good control. For example, users may reconcile all input and output data on a
regular basis. Second, the auditor is not required to rely on internal control. He or
she may take a substantive approach to the audit assuming adequate evidence
is available in support of transactions and balances.
12-8
12-21 a. The important controls and related sales transaction-related
audit objectives are:
12-9
b. Among the audit procedures to be applied to a sample of the invoices and
source documents are the following:
6 Test of control
12-10
12-22 (continued)
KIND OF TEST OR TESTS PROCEDURE FOR WHICH
DATA FILE OR FILES THE AUDITOR CAN GAS IS LIKELY TO BE
PROCEDURE NEEDED PERFORM USING GAS INAPPROPRIATE
1. Foot listing and trace to Accounts payable master file Verifying footings Tracing total to general
G/L ledger
3. Review of changes in Accounts payable master file Match items on two files Examination of vendor's
accounts payable listing at beginning and end of year to identify those that statements
changed in excess of
$500
12-11
4. Test of unit costs Purchase transaction file Selecting items for Comparison to price lists
testing and catalogs
5. Cutoff tests Purchases transaction file Selecting items for Verifying receiving dates
testing with respect to dates
recorded
6. Test of authorization and Purchases transaction file; Match payment and Verifying proper
cash discount and cash disbursements file purchase files to test authorization (approval)
whether discount taken
12-11
12-23 a. The major problems the auditor faces in verifying sales and
accounts receivable include:
1. Determining that both cash and credit sales are valid, and
that all were recorded in the proper amount.
2. Determining that accounts receivable balances are proper
and that transactions were recorded in the proper amount
and to the proper customer.
3. Determining whether the internal controls are adequate, so
that he or she may rely on the system to provide correct
information.
1. The test data must comprise all relevant conditions that the
auditor desires to test so as to test every conceivable
deficiency possible in the system.
2. The program tested by the auditor's test data must be the
same program that is used throughout the year by the client
to ensure the validity of results.
3. The test data will probably have to be eliminated from most
of the client's records since the auditor's purchases would
not be part of the company's regular business.
12-12
12-23 (continued)
1. By setting the date in the register for the day, there will be no
need to enter the date.
2. Same as 1 for store code number and sales clerk number.
3. There is no need to enter cash sale or credit sale since
entering the customer account number implies a credit sale.
4. Install optical scanning point of sale equipment.
5. Have the computer pull unit prices based on product number
from price list master file.
12-13
12-24 (continued)
12-14
12-25 a. Strengths of current systems development and program change
processes at Granger Container:
12-15
·12-25(continued)
12-16
program subject to change.
·12-25(continued)
12-26
12-17
6 MC Recorded payroll transactions exist (i.e., are
for time actually worked)
12-26 (continued)
12-28 a. The following deficiencies in the Parts for Wheels, Inc. online sales
system may lead to material misstatements in the financial
statements:
12-19
12-28 (continued)
12-20
12-28 (continued)
12-21
Case
12-29
12-22
Melinda is experienced in Jacobson’s IS function, having been
employed by the company for 12 years. She has served in several
IS roles at Jacobsons. Thus, she offers stability for the IS function.
Melinda performs extensive background checks before offering
candidates employment in IS functions.
Melinda has successfully maintained a fairly stable IS staff.
12-29 (continued)
12-23
also requires an unauthorized change to systems software.
Programmers are responsible for maintaining secondary storage of live
programs and data files. Thus, programmers are able to make
unauthorized changes to live production copies of programs and
data files.
12-24
Data control personnel review exception listings and submit
requests for correction on a timely basis.
Data control clerks monitor the distribution of output.
a. There are three transactions with missing dates. There are several
negative balance transactions with no indication that they are
purchase returns.
c. There are twelve gaps and many duplicates (Gaps and Duplicates
commands). For gaps, the auditor is concerned that there may be
unrecorded purchases. For duplicates, the auditor is concerned that
purchases may be recorded more than once. In this case, no
duplicate has the same amount as the transaction with the same
document number.
12-25
12-30 (continued)
010102710 65.89 2
010102840 11859.40 3
010134420 7107.44 11
010155150 3183.60 2
010155170 5858.55 2
010207220 3223.22 2
010226620 5594.40 2
010310890 735.28 2
010311990 2157.52 1
010551340 974.96 1
010631190 1483.70 5
010803760 -2481.33 6
023946372 270.06 2
023973042 5323.64 6
024104312 435.60 2
024121332 39.20 1
024128712 3609.69 26
024128812 1271.00 2
024128932 177.99 2
024130572 31.80 1
024133112 18497.00 9
024139372 148.50 1
030030323 1210.00 3
030303343 35.32 1
030305603 310.69 3
030321663 291.27 4
030321683 946.68 3
030324883 874.20 1
030364163 644.80 1
030412553 1625.73 6
030412903 12.40 2
030934423 4407.30 2
034255003 6627.20 8
040224984 44.00 2
040225014 208.80 2
040226054 43.50 1
040240284 10293.40 4
040240664 3552.00 1
040240884 3967.50 1
040241754 6029.24 4
040247034 7650.80 3
040270354 1242.56 5
040276054 4124.50 2
12-26
12-30 (continued) Requirement d, cont.
052204515 1997.94 1
052208805 10618.25 3
052210545 0.00 1
052484425 726.24 1
052484435 864.00 5
052504005 200.94 3
052530155 122.88 32
052720305 164.00 1
052720615 15826.00 2
052770015 90.52 2
060100306 190.40 2
060100356 318.00 2
060102066 39.80 1
060102106 5014.80 2
060112296 10964.80 2
060217066 2359.80 3
070104177 -6155.52 4
070104347 144.27 1
070104397 4046.43 1
070104657 185.49 2
080101018 8.14 1
080102618 3595.20 4
080102628 413.00 2
080123438 700.29 1
080123938 2798.64 1
080126008 7919.26 31
080126308 381.12 10
080935428 20438.93 5
080938748 5.98 1
090010011 330.67 2
090069591 3647.52 4
090081001 6282.00 2
090501051 1688.80 3
090501551 2774.28 11
090504761 376.37 4
090506331 -27.20 1
090507811 7425.52 7
090508191 101.06 2
090509561 664.02 4
090585322 58702.80 3
090599912 2803.40 7
090669611 7317.00 4
093788411 907.20 8
300682.04 339
12-27
12-30 (continued)
Printout for requirement e:
Page ... 1 04/05/2007 18:08:49
Produced with ACL by: ACL Educational Edition - Not For Commercial Use
PRODNO COUNT Percent Percent AMOUNT
of Count of Field
12-28
12-30 (continued) requirement e, cont.
060217066 3 0.88 0.78 2359.80
070104177 4 1.18 -2.05 -6155.52
070104347 1 0.29 0.05 144.27
070104397 1 0.29 1.35 4046.43
070104657 2 0.59 0.06 185.49
080101018 1 0.29 0.00 8.14
080102618 4 1.18 1.20 3595.20
080102628 2 0.59 0.14 413.00
080123438 1 0.29 0.23 700.29
080123938 1 0.29 0.93 2798.64
080126008 31 9.14 2.63 7919.26
080126308 10 2.95 0.13 381.12
080935428 5 1.47 6.80 20438.93
080938748 1 0.29 0.00 5.98
090010011 2 0.59 0.11 330.67
090069591 4 1.18 1.21 3647.52
090081001 2 0.59 2.09 6282.00
090501051 3 0.88 0.56 1688.80
090501551 11 3.24 0.92 2774.28
090504761 4 1.18 0.13 376.37
090506331 1 0.29 -0.01 -27.20
090507811 7 2.06 2.47 7425.52
090508191 2 0.59 0.03 101.06
090509561 4 1.18 0.22 664.02
090585322 3 0.88 19.52 58702.80
090599912 7 2.06 0.93 2803.40
090669611 4 1.18 2.43 7317.00
093788411 8 2.36 0.30 907.20
339 99.79 99.90 300682.04
12-29
Internet Problem Solution: Assessing IT Governance
[http://www.itgi.org/ContentManagement/ContentDisplay.cfm?ContentID=19976]
12-30