Hall 5e TB Chapter 17

Chapter 17—IT Controls Part III: Systems Development, Program Changes, and Application Controls

TR!"#A$S!

1. Programs in their compiled compiled state state are very very susceptible susceptible to the threat of unauthorized unauthorized modification. modification. ANS: F 2. aintenance access access to systems systems increases the ris! that logic logic "ill be be corrupted either by the accident or intent to defraud. ANS: # $. Source program program library controls should prevent and detect unauthorized unauthorized access access to application  programs. ANS: # %. A chec! chec! digit digit is a method method of detectin detecting g data coding coding errors errors.. ANS: # &. 'nput contro controls ls are intended intended to detect detect errors in transac transaction tion data data after processin processing. g. ANS: F (. A header header label label is an internal) internal) machine*re machine*readabl adablee label. label. ANS: # +. #he user test test and acceptance procedure procedure is the last point at "hich the the user can determine the system,s system,s acceptability prior to it going into service. ANS: # -. A run*to run*to*run *run contro controll is an eample eample of of an output output control control.. ANS: F /. Shredding Shredding compu computer ter printou printouts ts is an eampl eamplee of an output output contro control. l. ANS: # 10. 'n a 'S environm environment) ent) all input input controls controls are are implemented implemented after after data data is input. input. ANS: F 11. Achieving batch batch control ob3ectives re4uires re4uires grouping grouping similar types of input transactions transactions 5such as sales orders6 together in batches and then controlling the batches throughout data processing. ANS: #

12. #he 7"hite bo7 tests of program controls controls are also !no"n as auditing through the computer. ANS: # 1$. #he presence presence of a SP8S SP8S effectively effectively guaran guarantees tees program program integri integrity ty.. ANS: F 1%. 9hen using using the test data data method) method) the presence presence of multiple multiple error messages messages indicate indicatess a fla" in the  preparation of test transactions. transactions. ANS: F 1&. #he ase ase ase System System valuat valuation ion is a variat variation ion of the the test data data method. method. ANS: # 1(. #racing is a method method used to to verify the the logical operations eecuted eecuted by a computer application. ANS: # 1+. ;eneralized audit audit soft"are pac!ages are used to assist the the auditor in performing substantive tests. ANS: # 1-. #he results of a parallel parallel simulation simulation are compared compared to the the results of a production production run in order to to 3udge the 4uality of the application processes and controls. ANS: # 1/. Firms "ith an independent independent internal audit staff staff may conduct conduct tests of the system system development life cycle on an ongoing basis. ANS: # 20. #he programmer, programmer,ss authority authority table table "ill specify specify the librarie librariess a programmer programmer may access. access. ANS: # 21. evie" of the documentation indicates that a. a cost* cost*ben benefi efitt analy analysis sis "as "as condu conducte cted d  b. the detailed design "as "as an appropriate solution solution to the userDs problem problem c. tests tests "ere conducted conducted at at the individu individual al module module and total total system system levels levels prior to implementation d. problems problems detected detected during during the conversio conversion n period period "ere corrected corrected in the maintenan maintenance ce phase ANS:  2+. 2+. 9hich 9hich statem statement ent is not true= true= a. An audit audit ob3ective ob3ective for systems systems maintenan maintenance ce is to detect unauth unauthorize orized d access to applicat application ion databases.  b. An audit ob3ective ob3ective for systems maintenance is is to ensure that applications applications are free from errors. c. An audit audit ob3ective ob3ective for systems systems mainten maintenance ance is to verify verify that that user re4ues re4uests ts for maintenan maintenance ce reconcile to program version numbers. d. An audit audit ob3ective ob3ective for systems systems maintenan maintenance ce is to ensure that that the production production librari libraries es are  protected from unauthorized unauthorized access. ANS: A

2-. 9hen the auditor reconciles reconciles the the program version numbers) numbers) "hich audit ob3ective is is being tested= a. protect protect applicati applications ons from unauthori unauthorized zed changes changes  b. ensure applications are free from error  c. protect protect produc production tion libraries libraries from unauthori unauthorized zed access access d. ensure ensure incompatib incompatible le function functionss have been been identif identified ied and segreg segregated ated ANS: A 2/. 9hen auditors auditors do not not rely on a detailed !no"ledge of of the applicationDs applicationDs internal internal logic) logic) they are  performing a. blac! blac! bo bo test testss o off prog program ram contro controls ls  b. "hite bo tests of program program controls c. subs substa tant ntiv ivee testi testing ng d. intu intuit itiv ivee test testin ing g ANS: A $0. All of the the follo"ing follo"ing concepts are associated "ith the blac! bo approach to auditing computer computer applications ecept a. the applic applicatio ation n need not be removed removed from service service and tested tested directly directly  b. auditors do not rely on on a detailed !no"ledge !no"ledge of the applicationDs applicationDs internal logic c. the auditor auditor reconcile reconciless previously previously produce produced d output output results results "ith producti production on input input transactions d. this approa approach ch is used for for comple comple transactio transactions ns that receive receive input input from many many sources sources ANS: ? $1. 9hich test is not not an eample eample of a "hite "hite bo bo test= test= a. determ determini ining ng the the fair fair valu valuee of inve invento ntory ry  b. ensuring that pass"ords pass"ords are valid c. verifying verifying that that all all pay rates are "ithin "ithin a specifie specified d range range d. recon reconcil ciling ing contro controll totals totals ANS: A $2. 9hen analyzing analyzing the results results of the test data method) the auditor auditor "ould spend the least amount of time revie"ing a. the the test test tran transa sact ctio ions ns  b. error reports c. upda update ted d mas maste terr file filess d. outp utput rep repor orts ts ANS: A $$. All of the follo" follo"ing ing are advantag advantages es of the test test data techni4u techni4uee ecept a. auditors auditors need need minima minimall computer computer epert epertise ise to use this this method method  b. this method causes minimal minimal disruption to to the firmDs operations c. the test test data data is easily easily compil compiled ed d. the auditor auditor obtains obtains eplicit eplicit evidence evidence concern concerning ing applicati application on functions functions ANS:  $%. All of the follo" follo"ing ing are disadva disadvantag ntages es of the test test data techni4u techni4uee ecept a. the test test data techni4 techni4ue ue re4uires re4uires etensiv etensivee computer computer epertis epertisee on the part of the the auditor  auditor   b. the auditor cannot be be sure that the application application being tested is a copy copy of the current application used by computer services personnel

c. the auditor auditor cannot cannot be sure sure that the the applicatio application n being being tested is is the same applic application ation used used throughout the entire year  d. preparatio preparation n of the test data is time*c time*consum onsuming ing ANS: A $&. All of the follo"in follo"ing g statements statements are true true about the integra integrated ted test facility facility 5'#F6 5'#F6 ecept ecept a. production production reports reports are are affect affected ed by '#F transa transactio ctions ns  b. '#F databases contain 7dummy7 7dummy7 records integrated "ith "ith legitimate records c. '#F permi permits ts ongoi ongoing ng appli applicat cation ion aud auditi iting ng d. '#F does not disrupt disrupt operati operations ons or re4uire re4uire the interven intervention tion of computer computer service servicess personnel personnel ANS: A $(. 9hich statement statement is is not true= true= mbedde mbedded d audit audit modules modules a. can be turne turned d on and and off off by the the audito auditor. r.  b. reduce operating efficiency. efficiency. c. may lose their their viabil viability ity in an environm environment ent "here "here programs programs are modified modified fre4ue fre4uently ntly.. d. identify identify transa transactio ctions ns to be analyzed analyzed using using "hite "hite bo tests. tests. ANS: ? $+. ;eneralize ;eneralized d audit soft"ar soft"aree pac!ages pac!ages perform all all of the follo"ing follo"ing tas!s tas!s ecept a. reca recalc lcul ulat atee data data fiel fields ds  b. compare files and identify identify differences c. strati stratify fy statis statistic tical al sample sampless d. analyz analyzee resul results ts and and form form opinio opinions ns ANS: ? S&'RT A(S)!R 

1. ontrast ontrast the source source program program library library 5SP86 managemen managementt system to the databas databasee management management system system 5?S6. ANS: #he SP8 soft"are manages program files and the ?S manages data files. 2. ?escribe ?escribe t"o methods methods used used to control control the the source source program libra library ry.. ANS:  pass"ords) separation separation of development programs programs from maintenance programs) program program management reports) program version numbers) controlling maintenance commands $. Ne" system system development development activity activity controls must focus on the authorization) development) and implementation of ne" systems and its maintenance. ?iscuss at least five control activities that are found in an effective system development life cycle. ANS: System authorization activities assure that all systems s ystems are properly authorized to ensure their economic  3ustification and and feasibility. feasibility.