Unlock document.
This document is partially blurred.
Unlock all pages and 1 million more documents.
Get Access
Chapter 17 page
1. MULTIPLE CHOICE
1. A
2. A
3. D
2. PROBLEMS
Chapter 17 page
1. DESIGN TESTS OF APPLICATION CONTROLS
The auditor will create the following test data and perform the following
a. Test data should consist of a complete set of valid and invalid inventory
receiving transactions. Test transactions should be designed to test all
possible input errors, logical processes, and irregularities pertinent to the
audit objective. Results from testing will be in the form of routine output
b. TESTING ACCURACY OF POSTINGS TO INVENTORY ACCOUNTS.
The auditor would create a master file of inventory records (AR). The
transactions would consist of a wide range of transactions to see if the
control is functioning properly. This test data is used to see if approved
Chapter 17 page
c. TESTING THE THREE-WAY MATCH. This test involves creating two test
master files: a purchase order file and a receiving report file. The
transaction in this case is the supplier’s invoice. The test data should be
designed to contain discrepancies that fall both within and outside of
d. TESTING MULTILEVEL SECURITY AND ACCESS PRIVILEGES IN THE
PURCHASES/AP SYSTEM. This test involves creating several master
files: purchase order file; inventory file; receiving report file; and general
2. COMPUTER FRAUD AND CONTROLS
Type of Fraud
Explanation
Identification and Description of
Protection Methods
to pay overtime or an extra salary.
Chapter 17 page
3. AUDIT PLAN FOR TRUE, BLUE, AND SMITH
System Access and Security
AUDIT OBJECTIVES RELATED TO SUVERSIVE THREATS
The audit objective is to verify that network controls (1) can prevent and detect
illegal access both internally and from the Internet, (2) will render useless any
Chapter 17 page
AUDIT PROCEDURES
1. Review the adequacy of firewall controls in terms of the following criteria:
•Proxy services. Adequate proxy applications should be in place to
•Filtering. Strong filtering techniques should be designed to deny all
services that are not explicitly permitted. In other words, the firewall should
•Audit tools. The firewall should provide a thorough set of audit and
•Probe for weaknesses. To validate security, the auditor (or a
professional security analyst) should periodically probe the firewall for
2. Verify that an Intrusion Prevention Systems (IPS) with deep packet
AUDIT OBJECTIVES RELATED TO USER ACCESS PRIVILEGES
Chapter 1 Page 2
The audit objective is to verify that access privileges are granted in a manner
AUDIT PROCEDURES
Review the organization’s policies for separating incompatible functions
descriptions and positions.
Review personnel records to determine whether privileged employees
undergo an adequately intensive security clearance check in
compliance with company policy.
Review the users permitted logon times. Permission should be
AUDIT OBJECTIVES RELATING TO PASSWORD POLICY
The audit objective here is to ensure that the organization has an adequate
AUDIT PROCEDURES
Verify that all users are required to have passwords.
Determine that procedures are in place to identify weak passwords.
Assess the adequacy of password standards such as length and
expiration interval.
Chapter 1 Page 3
AUDIT OBJECTIVE RELATING TO SECURITY THREATS FROM VIRUSES
AND MALWARE
The audit objective is to verify that effective policies and procedures are in
AUDIT PROCEDURES
Through interviews with system users, determine that they have been
educated about computer viruses and are aware of the risky computing
Verify that the current version of antiviral software is installed on the server
and that upgrades are regularly downloaded to workstations.
AUDIT OBJECTIVES RELATED TO AUTOMATED AUDIT TRAILS
The audit objective is to ensure that the auditing of users and events is
AUDIT PROCEDURES
The auditor can use general-purpose data extraction tools such as ACL for
accessing archived log files to search for defined conditions such as:
Unauthorized or terminated user.
Chapter 1 Page 4
Access to specific files or applications.
The auditor should select a sample of security violation cases and
AUDIT OBJECTIVES RELATED TO SYSTEMS DEVELOPMENT
The audit objectives are to ensure that (1) systems development activities are
applied consistently and in accordance with management’s policies to all
systems development projects, (2) the system as originally implemented was
AUDIT PROCEDURES
The auditor should select a sample of completed projects and review the
Chapter 1 Page 5
AUDIT OBJECTIVES RELATED TO PROGRAM CHANGES.
The audit objective is to detect unauthorized program changes (which may
have resulted in significant processing errors or fraud) and to determine that 1.
AUDIT PROCEDURES
To establish that program changes were authorized, the auditor should
examine the audit trail of program changes and confirm that authorization
procedures were followed by performing the following tests of controls.
Organizational Structure Controls
Chapter 1 Page 6
AUDIT OBJECTIVES RELATED TO ORGANIZATIONAL STRUCTURE
The audit objective is to verify that individuals in incompatible areas are
AUDIT PROCEDURES
The following tests of controls would enable the auditor to achieve the control
objectives.
Review relevant documentation, including the current organizational chart,
mission statement, and job descriptions for key functions, to determine
Through observation, determine that segregation policy is being followed
in practice. Review operations room access logs to determine whether
