Midterm On Information Technology Auditing.docx

  • Uploaded by: Junno Mars
  • 0
  • 0
  • November 2019
Mindanao State University - Iligan Institute of Technology
Midterm on CIS

1. Distinguish between ethical issues and legal issues.
Some acts may not be against the law, but they may be considered unethical. For example, it may not be illegal to simultaneously accept two job offers verbally while trying to decide between the two companies; however, ethically, this type of behavior is considered undesirable.

2. Some argue against corporate involvement in socially responsible behavior because the costs incurred by such behavior place the organization at a disadvantage in a competitive market. Discuss the merits and flaws of this argument.
The costs of socially responsible behavior include those associated with environmental protection, improving worker safety, and affirmative action. In the short run, when one firm incurs these costs and its competitor does not, the latter has a competitive advantage over the former. However, the socially responsive firm can maximize its profitability in the long run by accruing goodwill in society and avoiding the negative effects of government regulation.

3. Although top management's attitude toward ethics sets the tone for business practice, sometimes it is the role of lower-level management to uphold a firm's ethical standards. John, an operations-level manager, discovers the company is illegally dumping toxic materials and is in violation of environmental regulations. John's immediate supervisor is involved in the dumping. What action should John take?
Normally, the resolution of an ethical problem on the job would involve consultation between the subordinate and the immediate supervisor. When the supervisor is part of the problem, the matter should be taken to the next higher-level person in the organization structure.

4. When a company has a strong internal control structure, stockholders can expect elimination of fraud. Comment on the soundness of this statement.
A strong internal control structure provides a very good shield against fraud. However, these shields are not 100 percent bulletproof, especially when employees collude and/or top management is involved. A strong internal control structure coupled with good employee morals and ethics is the best deterrent against fraud.

5. Distinguish between employee fraud and management fraud.
Employee fraud is committed by non-management employees, and it is generally designed to directly convert cash and other assets for the employee's personal benefit. In cases of employee fraud, weak internal controls are usually present. Management fraud, however, is usually committed at a level above the one to which internal controls generally relate. These frauds are typically shrouded in a nexus of transactions and are difficult to disentangle.

6. The estimates of losses annually resulting from computer fraud vary widely. Why do you think obtaining a good estimate of this figure is difficult?
The top management team of publicly traded organizations is often reluctant to publicly admit that they have been the victim of computer crime because of fear of public opinion regarding their internal control structure. Also, many organizations may not be fully aware of the extent of their damages due to computer fraud.

7. How has SOX had a significant impact on corporate governance?
The Sarbanes-Oxley Act requires all audit committee members to be independent and requires the audit committee to hire and oversee the external auditors. This provision is consistent with the view of many investors, who consider board composition to be a critical investment factor. For example, a Thomson Financial survey revealed that most institutional investors want corporate boards to be composed of at least 75 percent independent directors.

8. Discuss the non-accounting services that external auditors can no longer provide to audit clients.
The act addresses auditor independence by creating more separation between a firm's attestation and non-auditing activities. It specifies categories of services that a public accounting firm cannot perform for its audit client. These include the following functions: bookkeeping or other services related to the accounting records or financial statements; financial information systems design and implementation; appraisal or valuation services, fairness opinions, or contribution-in-kind reports; actuarial services; internal audit outsourcing services; management functions or human resources; broker or dealer, investment advisor, or investment banking services; legal services and expert services unrelated to the audit; and any other service that the PCAOB determines is impermissible. While the Sarbanes-Oxley Act prohibits auditors from providing the above services to their audit clients, they are not prohibited from performing such services for non-audit clients or privately held companies.

9. Discuss whether a firm with fewer employees than there are incompatible tasks should rely more heavily on general authority than specific authority.
Small firms with fewer employees than there are incompatible tasks should rely more heavily on specific authorizations. More approvals of decisions by management and increased supervision should be imposed in order to somewhat compensate for the lack of separation of duties.

An organization's internal audit department is usually considered an effective control mechanism. The Birch Company's internal auditing function reports directly to the controller. Comment on the effectiveness of this organization structure.
Having the internal auditing function report to the controller is unacceptable. If the controller is aware of or involved in a fraud or defalcation, then he/she may give false or inaccurate information to the auditors. The possibility also exists that the auditors may lose their jobs if they do not keep certain matters quiet. Further, the fraud may be occurring at a level higher than the controller, and the controller may fear losing his/her job if the matter is pursued. The best route is to have the internal auditing function report directly to the board of directors.

Discuss the key features of section 302 of SOX.
Section 302 requires that corporate management (including the CEO) certify quarterly and annually their organization's internal controls over financial reporting. The certifying officers are required to:
a. have designed internal controls.
b. disclose any material changes in the company's internal controls that have occurred during the most recent fiscal quarter.

10. Discuss the key features of section 404 of SOX.
Section 404 requires the management of public companies to assess the effectiveness of their organization's internal controls over financial reporting and provide an annual report addressing the following points:
1) A statement of management's responsibility for establishing and maintaining adequate internal control.
2) An assessment of the effectiveness of the company's internal controls over financial reporting.
3) A statement that the organization's external auditors have issued an attestation report on management's assessment of the company's internal controls.
4) An explicit written conclusion as to the effectiveness of internal control over financial reporting.
5) A statement identifying the framework used by management to conduct their assessment of internal controls.

11. Prior to SOX, external auditors were required to be familiar with the client organization's internal controls, but not to test them. Explain why.
Auditors had the option of not relying on internal controls in the conduct of an audit and therefore did not need to test them. Instead, auditors could focus primarily on substantive tests. Under SOX, management is required to make specific assertions regarding the effectiveness of internal controls. To attest to the validity of these assertions, auditors are required to test the controls.

Does a qualified opinion on internal controls over the financial reporting system necessitate a qualified opinion on the financial statements? Explain why or why not.
No. Auditors are permitted to simultaneously render a qualified opinion on management's assessment of internal controls and render an unqualified opinion on the financial statements. In other words, it is technically possible for auditors to find internal controls over financial reporting to be weak, but conclude through substantive tests that the weakness did not cause the financial statements to be materially misrepresented.

12. PCAOB Standard 5 specifically requires auditors to understand transaction flows in designing their tests of controls. What steps does this entail?
This involves:
a. Selecting the financial accounts that have material implications for financial reporting.
b. Identifying the application controls related to those accounts.
c. Identifying the general controls that support the application controls.
The sum of these controls, both application and general, constitutes the relevant internal controls over financial reporting that need to be reviewed.

13. What fraud detection responsibilities (if any) does SOX impose on auditors?
Auditing Standard No. 2 places new responsibility on auditors to detect fraudulent activity. The standard emphasizes the importance of controls designed to prevent or detect fraud that could lead to material misstatement of the financial statements. Management is responsible for implementing such controls, and auditors are expressly required to test them.

14. Discuss the difference between the attest function and assurance services.
The attest service is defined as an engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party. The following requirements apply to attestation services: attestation services require written assertions and a practitioner's written report; attestation services require the formal establishment of measurement criteria or their description in the presentation; and the levels of service in attestation engagements are limited to examination, review, and application of agreed-upon procedures.
Assurance services constitute a broader concept that encompasses, but is not limited to, attestation. Assurance services are professional services designed to improve the quality of information, both financial and nonfinancial, used by decision makers. They are intended to help people make better decisions by improving information. This information may come as a by-product of the attest function, or it may ensue from an independently motivated review.

15. Discuss how the process of obtaining audit evidence in an IT environment is inherently different from obtaining it in a manual system.
In the IT environment, the data needed to perform audit tests are contained in computer files that must be extracted using specialized audit software.

Some internal controls can be tested objectively. Discuss some internal controls that you think are relatively more subjective to assess in terms of adequacy than others.
Assessing systems development controls requires more judgment than some of the other areas.

16. Explain the role of the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) report in the review of external controls.
SSAE 16 is an internationally recognized third-party attestation report designed for service organizations such as IT outsourcing vendors. SSAE 16 was promulgated by the Auditing Standards Board (ASB) of the AICPA and replaced Statement on Auditing Standards No. 70 (SAS 70). The SSAE 16 report, which is prepared by the service provider's auditor, attests to the functionality of the vendor's system and the adequacy of its internal controls. This is the means by which an outsourcing vendor can obtain a single attest report that may be used by its clients' auditors, and thus preclude the need for each client firm's auditor to conduct its own audit of the vendor organization's facilities and internal controls.

Why is human behavior considered one of the biggest potential threats to operating system integrity?
Unfortunately, some computer hackers enjoy the challenge of creating devices, such as viruses and logic bombs, to damage systems. They gain nothing of monetary or financial value; they just enjoy knowing they accomplished their goal of penetrating and affecting an operating system.

17. Why would a systems programmer create a back door if he or she has access to the program in his or her day-to-day tasks?
A back door is created so that the programmer may gain future access to the program without needing a user password (in other words, after the programmer no longer has a valid password). The back door may be used legitimately to gain easy access to perform maintenance, or it may be used by a programmer who has no legitimate reason to be accessing the system in that manner or at all.

Explain the three ways that audit trails can be used to support security objectives.
Audit trails can be used to support security objectives in three ways: 1. detecting unauthorized access to the system, 2. facilitating the reconstruction of events, and 3. promoting personal accountability.
DETECTING UNAUTHORIZED ACCESS. Detecting unauthorized access can occur in real time or after the fact. The primary objective of real-time detection is to protect the system from outsiders who are attempting to breach system controls. After-the-fact detection logs can be stored electronically and reviewed periodically or as needed. When properly designed, they can be used to determine if unauthorized access was accomplished, or attempted and failed.
RECONSTRUCTING EVENTS. Audit analysis can be used to reconstruct the steps that led to events such as system failures, security violations by individuals, or application processing errors. Knowledge of the conditions that existed at the time of a system failure can be used to assign responsibility and to avoid similar situations in the future.
PERSONAL ACCOUNTABILITY. Audit trails can be used to monitor user activity at the lowest level of detail. This capability is a preventive control that can be used to influence behavior. Individuals are less likely to violate an organization's security policy if they know that their actions are recorded in an audit log. An audit log can also serve as a detective control to assign personal accountability for actions taken. Serious errors and the abuse of authority are of particular concern.

18. Many authorities believe that employers do not prosecute 90% of all computer fraud acts. What do you think accounts for the lack of prosecution? Discuss the importance of establishing a formal policy for taking disciplinary or legal action against security violations.
A common belief by management of publicly traded firms is that the public will perceive fraudulent acts which have taken place as a sign of control weaknesses. The management teams may prefer to handle the computer fraud by dismissal of the employee rather than have the stockholders and analysts lose faith in the internal control procedures of the firm. Unfortunately, this type of behavior by employers sends the wrong message to potential perpetrators. The message from top management needs to be clear regarding fraudulent acts: they are not tolerated, and any such acts will be prosecuted. The message means absolutely nothing if the firm does not back up this policy with action when such crimes are committed.

19. How can passwords actually circumvent security? What actions can be taken to minimize this?
Users may share their passwords, write down their passwords, or use easily guessed passwords. Protections against these include software that allows only "smart" passwords, and one-time passwords used in conjunction with smart cards.

What are the objectives of auditors in auditing data management?
The specific objectives for auditing data management are to determine:
a. that backup of the data files is adequate to facilitate the recovery of lost, destroyed, or corrupted data,
b. that individuals who are authorized to use the database are limited to accessing data needed to perform their duties, and
c. that individuals who are unauthorized are denied access to the database.

20. Does every organization that has a LAN need a firewall?
Firewalls can provide protection against unauthorized access by both internal and external intruders, depending on the type of firewall. An organization with a LAN with NO connections to ANY external networks may be safe without a firewall, but some sort of network security is necessary for multiple users.

21. What problem is common to all private key encryption techniques?
The more individuals who need to know the private key, the greater the probability of it falling into the wrong hands. If a perpetrator discovers the key, he or she can intercept and decipher coded messages.

Discuss how the widespread use of laptop and notebook computers is making data encryption standards more easily penetrable.
Business travelers with laptop and notebook computers are just beginning to realize how carefully they should safeguard their computers while traveling on subways, planes, and cars, and while staying in hotels. Theft of these computers is becoming a serious problem. These computers are being stolen just as often for the information contained on the hard drives as for their resale value. Unfortunately, these stolen computers often have the DES keys contained on thumb drives which are stored in the carrying cases. The carrying cases are usually also stolen, or the encryption keys may be on the hard drive. Thus, the thief gains access to the key and can decode messages.

22. Discuss the unique control problems EDI creates.
One problem is ensuring that transactions are authorized and valid. Both the customer and supplier must establish that the transaction being processed is with a valid trading partner and is an authorized transaction. Another problem is that, in most situations, the trading partners must agree to give their trading partner access to files which previously were entirely internal documents, such as inventory files. Prior to EDI, firms did not exchange inventory file data. Thus, the accuracy of these files AT ALL TIMES is crucial. Further, these files should not be allowed to be altered, in any fashion, by the trading partner's computer. Only the organization's application programs should be allowed to process inventory records.

23. What types of output would be considered extremely sensitive in a university setting? Give three examples and explain why the information would be considered sensitive. Discuss who should and shouldn't have access to each type of information.
One example would be students' grades. This information is considered confidential and private. The student, his/her advisor, and his/her professors should have access to this data. Other students should NOT have access to any student's grade other than their own. Prospective employers or other universities should not have access to the grades without the permission of the student. Health information kept at the university health center should be considered private. Only the student and the health professionals should have access to these individual records unless consent is given by the student. University officials may receive summary health data regarding all students, but not individual students. Also, student transcripts that contain information regarding disciplinary probation should only be accessed by the student unless permission is granted by the student to release the transcript.

What are rounding error routines, and why are they used?
Financial systems that calculate interest payments on bank accounts or charges on mortgages and other loans employ special rounding error applications. Rounding errors occur when the level of precision used in an interest calculation is greater than that used for reporting. For example, interest calculations on bank account balances may have a precision of five decimal places, whereas only two decimal places are reported on balances. If the remaining three decimal places are simply truncated, the total interest reported for the total number of accounts will not equal the sum of the individual calculations. Rounding error routines use an accumulator to keep track of the rounding differences (plus or minus a fraction of a cent) between calculated and reported balances. When the accumulator balance reaches plus or minus one cent, the balance is added to (or subtracted from) a randomly selected account.

24. How does the salami fraud get its name, and how does it work?
The salami fraud affects large numbers of victims, but each in a minimal way. The fraud scheme takes its name from the analogy of slicing a large salami (the total fraud) into many thin pieces. Each victim gets one of these small pieces and is unaware of being defrauded. For example, a programmer, or someone with access to the rounding program, can modify the rounding logic to perpetrate a salami fraud as follows: at the point in the process where the algorithm should increase the current customer's account (that is, the accumulator value is > +.01), the program instead adds one cent to the perpetrator's account. Although the absolute amount of each fraud transaction is small, given the hundreds of thousands of accounts processed, the total amount of the fraud becomes significant over time.

25. Discuss the black box approach, and explain how it is different from through-the-computer approaches to testing application controls.
The black box approach (also called auditing around the computer) does not require the auditor to create test files or to obtain a detailed knowledge of the application's internal logic. Instead, auditors analyze flowcharts and interview knowledgeable personnel in the client's organization to understand the functional characteristics of the application. With an understanding of what the application is supposed to do, the auditor tests the application by reconciling actual production transactions processed with output results. The output results are analyzed to verify the application's compliance with its functional requirements. Black box testing is feasible for applications that are relatively simple, with inputs and outputs that are easily reconciled. More complex applications, however, often draw input data from multiple sources, perform a variety of complex operations, and produce multiple outputs. These applications demand more intensive through-the-computer testing to provide the auditor with evidence of application integrity. Through-the-computer testing employs computer-assisted audit tools and techniques (CAATTs) and requires an in-depth understanding of the internal logic of the application under review.

26. What factors do you think might cause an auditing team to spend more time than average on tests to identify application errors? For unauthorized program changes:
a. Detecting that inadequate segregation of functions exists between programmers and operators.
b. Finding different program versions running than expected based on documentation.
c. Finding undocumented program maintenance.
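The rounding error routine and the salami fraud (question 24) described above, as an added Python illustration that is not part of the original document: the routine carries the accumulator the text describes, and two audit checks show why a totals-only reconciliation cannot catch the diversion while the distribution of accumulator credits can. Account numbers, balances and the interest rate are constructed for the example.

```python
from collections import Counter
from decimal import Decimal, ROUND_HALF_UP
import random

CENT = Decimal("0.01")
PRECISE = Decimal("0.00001")            # interest is calculated to five decimal places
MONTHLY_RATE = Decimal("0.0425") / 12   # constructed rate, not from the document


def sample_balances(n=2000, seed=1):
    """Constructed account balances in whole cents (illustration only)."""
    rng = random.Random(seed)
    return {f"ACC-{i:04d}": Decimal(rng.randint(10000, 5000000)) / 100 for i in range(n)}


def post_interest(balances, rate, seed=0):
    """Rounding error routine. Returns (run log, leftover accumulator).

    Each account gets one entry holding its precise (5 dp) and posted (2 dp)
    interest. The fraction of a cent between them goes into the accumulator;
    whenever the accumulator reaches plus or minus one cent, that cent is
    posted to a randomly selected account as a separate 'adjustment' entry.
    """
    rng = random.Random(seed)               # seeded only for reproducibility
    accounts = list(balances)
    accumulator = Decimal("0")
    run = []
    for acct in accounts:
        precise = (balances[acct] * rate).quantize(PRECISE, rounding=ROUND_HALF_UP)
        posted = precise.quantize(CENT, rounding=ROUND_HALF_UP)
        run.append({"account": acct, "precise": precise, "posted": posted,
                    "adjustment": False})
        accumulator += precise - posted
        if abs(accumulator) >= CENT:
            cent = CENT if accumulator > 0 else -CENT
            accumulator -= cent
            run.append({"account": rng.choice(accounts), "precise": Decimal("0"),
                        "posted": cent, "adjustment": True})
    return run, accumulator


def totals_reconcile(run, accumulator):
    """Audit check 1: precise interest minus posted interest must equal the
    leftover accumulator exactly. A salami modification passes this check,
    because it redirects cents rather than creating them."""
    precise = sum(e["precise"] for e in run)
    posted = sum(e["posted"] for e in run)
    return precise - posted == accumulator


def adjustment_concentration(run):
    """Audit check 2: who received the accumulator credits (the +1 cent
    adjustments), and the largest share any single account got. Random
    selection spreads credits thinly; one account collecting most of them
    is the salami signature."""
    credits = Counter(e["account"] for e in run
                      if e["adjustment"] and e["posted"] > 0)
    total = sum(credits.values())
    if total == 0:
        return None, Decimal("0")
    acct, count = credits.most_common(1)[0]
    return acct, Decimal(count) / Decimal(total)


def flag_salami(run, min_credits=10, max_share=Decimal("0.5")):
    """True when enough credits exist to judge and one account took most of them."""
    acct, share = adjustment_concentration(run)
    total_credits = sum(1 for e in run if e["adjustment"] and e["posted"] > 0)
    return total_credits >= min_credits and share > max_share
```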

Explain how an embedded audit module works.
Embedded audit module (EAM) techniques use one or more specially programmed modules embedded in a host application to select and record predetermined types of transactions for subsequent analysis. As a selected transaction is being processed by the host application, a copy of the transaction is stored in an audit file for subsequent review. The EAM approach allows material transactions to be captured throughout the audit period. Captured transactions are made available to the auditor at period end or at any time during the period, significantly reducing the amount of work the auditor must do to identify significant transactions for substantive testing.
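An embedded audit module in a small host posting application, as an added Python example that is not part of the original document: the hook runs in-line on every transaction, copies those meeting predetermined criteria (material amount, after-hours posting, no independent approval) to an audit file, and a reader function shows what the auditor pulls at period end. The ledger, criteria and sample transactions are constructed for the example.

```python
import io
import json
from datetime import datetime
from decimal import Decimal


class EmbeddedAuditModule:
    """EAM: examines every transaction as the host processes it and writes a
    copy of those meeting predetermined criteria to an audit file (any
    writable text stream) for the auditor's later review."""

    def __init__(self, sink, materiality, cutoff_hour=18):
        self.sink = sink                      # e.g. open("eam_audit.jsonl", "a")
        self.materiality = Decimal(materiality)
        self.cutoff_hour = cutoff_hour        # postings at/after this hour are captured

    def criteria(self, txn):
        """Return the reasons a transaction is selected (empty list = not captured)."""
        reasons = []
        if abs(Decimal(txn["amount"])) >= self.materiality:
            reasons.append("material amount")
        if datetime.fromisoformat(txn["posted_at"]).hour >= self.cutoff_hour:
            reasons.append("after-hours posting")
        if txn["entered_by"] == txn["approved_by"]:
            reasons.append("no independent approval")
        return reasons

    def inspect(self, txn):
        reasons = self.criteria(txn)
        if reasons:   # one JSON record per line so the file is easy to load later
            self.sink.write(json.dumps({"txn": txn, "reasons": reasons}) + "\n")
        return reasons


class Ledger:
    """Host application. The EAM hook runs before an entry is accepted, so no
    processed transaction can bypass the capture."""

    def __init__(self, eam):
        self.eam = eam
        self.entries = []

    def post(self, txn):
        self.eam.inspect(txn)
        self.entries.append(txn)


def read_audit_file(stream):
    """Auditor side: load the captured records from the audit file."""
    stream.seek(0)
    return [json.loads(line) for line in stream if line.strip()]


# Constructed sample transactions (not from the document).
SAMPLE_TXNS = [
    {"id": "T1", "amount": "1200.00", "posted_at": "2019-11-04T10:15:00",
     "entered_by": "alice", "approved_by": "bob"},
    {"id": "T2", "amount": "250000.00", "posted_at": "2019-11-04T11:00:00",
     "entered_by": "alice", "approved_by": "bob"},
    {"id": "T3", "amount": "480.00", "posted_at": "2019-11-04T22:40:00",
     "entered_by": "carol", "approved_by": "dave"},
    {"id": "T4", "amount": "9000.00", "posted_at": "2019-11-05T14:05:00",
     "entered_by": "erin", "approved_by": "erin"},
    {"id": "T5", "amount": "-150000.00", "posted_at": "2019-11-05T19:30:00",
     "entered_by": "frank", "approved_by": "frank"},
]


def run_demo(txns=SAMPLE_TXNS, materiality="100000"):
    """Post the sample transactions through a ledger with the EAM embedded;
    return (audit records the auditor would pull, number of entries posted)."""
    audit_file = io.StringIO()            # stands in for the on-disk audit file
    ledger = Ledger(EmbeddedAuditModule(audit_file, materiality))
    for txn in txns:
        ledger.post(txn)
    return read_audit_file(audit_file), len(ledger.entries)
```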
