CHAPTER 15
AUDITING IT CONTROLS PART I:
SARBANES-OXLEY AND IT GOVERNANCE
1. REVIEW QUESTIONS
2.
Chapter 1 Page 2
2. Audit risk is the probability that the auditor will render an unqualified (clean)
3. Errors are unintentional mistakes whereas irregularities are intentional mis-
representations to perpetrate a fraud or mislead the users of financial
statements. Errors are a concern if they are numerous or sizable enough to
cause the financial statements to be materially misstated. All processes that
involve human actions are highly susceptible to some amount of human error.
4. Inherent risk is associated with the unique characteristics of the business or
industry of the client. Firms in declining industries are considered to have more
inherent risk than firms in stable or thriving industries. Control risk is the
likelihood that the control structure is flawed because internal controls are
Chapter 1 Page 3
5. The tests of controls involves determining whether internal controls are in place
and whether they function properly. The substantive testing involves a detailed
6. General controls apply to all systems. They are not application specific.
General controls include controls over IT governance, the IT infrastructure,
7. Computer fraud refers to using hardware and software to divert or acquire the
assets of the firm. Its activities include:
8. The data-collection or data-entry stage is the simplest way to commit computer
Chapter 1 Page 4
9. In a manual authorization system, management and auditors can verify
compliance with established authorization rules by observing the employees
10. In a CBIS environment, it would be inefficient and contrary to the objectives of
automation to separate such tasks and processing and recoding a transaction
Chapter 1 Page 5
13. General controls apply to a wide range of exposures that systematically
threaten the integrity of all applications processed within the CBIS
environment. Some examples of general controls are controls against viruses
14. The operations activities should be separated from systems development and
maintenance activities, and any relationships between these two groups should
be through formal and controlled channels. The systems development and
15. One problem that may occur is inadequate documentation. Documenting is not
considered as interesting a task as designing, testing, and implementing a new
system, thus a systems professional may move on to a new project rather than
spend time documenting an almost complete project. Job security may be
Chapter 1 Page 6
16. Many firms that do not use CASE tools with automatic documentation features
face this problem because the systems professionals do not find this task as
17. The role of a corporate computer services department differs in that it is not a
completely centralized model. Instead, the group plays the role of provider of
technical advice and expertise to distributed computer services. Thus, it
provides much more support than would be received in a completely distributed
18. Incompatibility, redundancy, consolidating incompatible activities, acquiring
20. Fault tolerance is the ability of the system to continue operation when part of
21. RAID is the use of parallel disks that contain redundant elements of data and
Chapter 1 Page 7
22. The purpose of an audit is to provide an independent attestation as to the
23. The auditor cannot be an advocate of the client, but must attest to whether
24. The attest service is an engagement in which a practitioner is engaged to issue
25. Assurance services are professional services that are designed to improve the
quality of information, both financial and nonfinancial, used by decision makers.
The domain of assurance services is intentionally unbounded so that it does
Chapter 1 Page 8
26. The three conceptual phases of auditing are: 1) familiarization with the
organization’s business, 2) evaluating internal controls, and 3) analyzing
27. External auditors represent the interests of third-party stakeholders in the
organization, such as stockholders, creditors, and government agencies.
External auditing is conducted by certified public accountants who are
29. Materiality refers to the size of the effect of a transaction. From a cost-benefit
30. The auditors perform an analysis and assessment of audit risk that includes an
investigation of the organization’s general controls and application controls.
Chapter 1 Page 9
31. The tests of controls phase involves determining whether adequate internal
controls are in place and whether they function properly. The substantive
32. Audit risk is the probability that the auditor will render an unqualified (clean)
33. Errors are unintentional mistakes while irregularities are intentional
misrepresentations to perpetrate a fraud or mislead the users of financial
statements. Errors are a concern if they are numerous or sizable enough to
cause the financial statements to be materially misstated. Processes that
34. Inherent risk is associated with the unique characteristics of the business or
industry of the client. Firms in declining industries are considered to have more
inherent risk than firms in stable or thriving industries. Inherent risk will not be
reduced by internal control. Control risk is the likelihood that the control
structure is flawed because internal controls are either absent or inadequate to
Chapter 1 Page 10
35. The relationship between tests of controls and substantive testing is directly
36. The following are examples of general control areas:
37. The auditor should review the current organization chart, mission statements,
job descriptions of key functions, systems maintenance records, and
39. Often-cited benefits of IT outsourcing include improved core business
40. Commodity IT assets are not unique to a particular organization and are thus
Chapter 1 Page 11
41. Specific IT assets, in contrast, are unique to the organization and support its
42. Five risks associated with IT outsourcing are: Failure to Perform, Vendor