Information Technology Auditing 3rd Edition By James A. Hall (Solution Manual)

  • July 7, 2023
(Information Technology Auditing 3e James A. Hall)

Chapter 1
Auditing and Internal Control

Review Questions

1. What is the purpose of an IT audit?
Response: The purpose of an IT audit is to provide an independent assessment of some
technology- or systems-related object, such as proper IT implementation, or controls over
computer resources. Because most modern accounting information systems use IT, IT plays a
significant role in a financial (external) audit, where the purpose is to determine the fairness and
accuracy of the financial statements.

2. Discuss the concept of independence within the context of a financial audit. How is
independence different for internal auditors?
Response: The auditor cannot be an advocate of the client, but must independently attest to
whether GAAP and other appropriate guidelines have been adequately met. Independence for
internal auditors is different because they are employed by the organization, and cannot be as
independent as the external auditor. Thus internal auditors must use professional judgment and
independent minds in performing IA activities.

3. What are the conceptual phases of an audit? How do they differ between general
auditing and IT auditing?
Response: The three conceptual phases of auditing are:
i. Audit planning,
ii. Tests of internal controls, and
iii. Substantive tests.
Conceptually, no difference exists between IT auditing and general auditing. IT auditing is
typically a subset of the overall audit; the portion that involves computer technology is the subset.

4. Distinguish between the internal and external auditors.
Response: External auditors represent the interests of third-party stakeholders in the
organization, such as stockholders, creditors, and government agencies. External auditing is
conducted by certified public accountants who are independent of the organization’s
management. Internal auditors represent the interests of management. Internal auditing tasks
include conducting financial audits, examining an operation’s compliance with legal obligations,
evaluating operational efficiency, detecting and pursuing fraud within the firm, and conducting IT
audits. External auditors also conduct IT audits as a subset of financial audits.

5. What are the four primary elements described in the definition of auditing?
Response:
a. auditing standards
b. systematic process
c. management assertions and audit objectives
d. obtaining evidence

6. Explain the concept of materiality.
Response: Materiality refers to the size of the effect of a transaction. From a cost-benefit
point of view, a threshold is set above which the auditor is concerned with the correct recording
and effects of transactions. Rather than using standard formulas, auditors use their professional
judgment to determine materiality.

7. How does the Sarbanes-Oxley Act of 2002 affect management’s responsibility for
internal controls?
Response: The Sarbanes-Oxley Act (S-OX) specifically holds management responsible for
internal controls. S-OX requires an annual report on internal controls that is the responsibility of
management; external auditors must attest to the integrity of the report. Management must assess
the effectiveness of the internal control structure and procedures for financial reporting as of the
end of the most recent fiscal year and identify any control weaknesses. An attestation by external
auditors reports on management’s assessment statement.

8. What are the four broad objectives of internal control?
Response:
a. to safeguard the assets of the firm
b. to ensure the accuracy and reliability of accounting records and information
c. to promote efficiency in the firm’s operations
d. to measure compliance with management’s prescribed policies and procedures

9. What are the four modifying assumptions that guide designers and auditors of
internal control systems?
Response: Management responsibility, reasonable assurance, methods of data processing,
and limitations.

10. Give an example of a preventive control.
Response: Locked doors, passwords, and data-entry controls for each field (e.g., range
checks).

11. Give an example of a detective control.
Response: A log of users, a comparison with computer totals and batch totals.

12. Give an example of a corrective control.
Response: Manual procedures to correct a batch that is not accepted because of an incorrect
social security number. A clerical worker would need to investigate and determine either the
correct hash total or the correct social security number that should be entered. A responsible party
is then needed to read exception reports and follow up on anomalies.

13. What are the five internal control components described in the COSO framework?
Response:
a. Control Environment
b. Risk Assessment
c. Information and Communication
d. Monitoring
e. Control Activities

14. What are the six broad classes of control activities defined by COSO?
Response: The six broad classes of control activities defined by COSO are:
a. transaction authorization,
b. segregation of duties,
c. supervision,
d. accounting records,
e. access control, and
f. independent verification.

15. Give an example of independent verification.
Response:
a. the reconciliation of batch totals at periodic points during transaction processing
b. the comparison of physical assets with accounting records
c. the reconciliation of subsidiary accounts with control accounts
d. reviews by management of reports that summarize business activity
e. periodic audits by independent external auditors
f. periodic audits by internal auditors

16. Differentiate between general and application controls. Give two examples of each.
Response: General controls apply to a wide range of exposures that systematically threaten
the integrity of all applications processed within the IT environment. Some examples of general
controls would be controls against viruses and controls to protect the hardware from vandalism.
Application controls are narrowly focused on risks within specific systems. Some examples of
application controls would be a control to make sure that each employee receives only one
paycheck per pay period and a control to ensure that each invoice gets paid only once.

17. Distinguish between tests of controls and substantive testing.
Response: The tests of controls phase involves determining whether internal controls are in
place and whether they function properly. The substantive testing phase involves a detailed
investigation of specific account balances and transactions.

18. Define audit risk.
Response: Audit risk is the probability that the auditor will render an unqualified (clean)
opinion on financial statements that are, in fact, materially misstated.

19. Distinguish between errors and irregularities. Which do you think concern auditors
the most?
Response: Errors are unintentional mistakes whereas irregularities are intentional
misrepresentations to perpetrate a fraud or mislead the users of financial statements. Errors are a
concern if they are numerous or sizable enough to cause the financial statements to be materially
misstated. All processes that involve human actions are highly susceptible to some amount of
human error. Computer processes should contain errors only if the programs are erroneous, if
systems operating procedures are not being closely and competently followed, or if some unusual
system malfunction has corrupted data. Errors are typically much easier to uncover than
misrepresentations. Thus auditors typically are more concerned about whether they have
uncovered any and all irregularities. Also, due to SAS No. 99 and Sarbanes-Oxley, auditors are
much more concerned with fraud (irregularities) than before.

20. Distinguish between inherent risk and control risk. How do internal controls affect
inherent risk and control risk, if at all? What is the role of detection risk?
Response: Inherent risk is associated with the unique characteristics of the business or
industry of the client. Firms in declining industries are considered to have more inherent risk than
firms in stable or thriving industries. Auditors cannot reduce inherent risk, which is not affected
by internal controls. Even in a system protected by excellent controls, financial data can be
misstated.
Control risk is the likelihood that the control structure is flawed because internal controls
are either absent or inadequate to prevent or detect errors in the accounts. Auditors assess the
level of control risk by performing tests of internal controls. Internal control does, however,
directly impact control risk. The more effective the internal controls that are in place, the lower
the level of assessed control risk.

Detection risk is the risk that auditors are willing to take that errors not detected or
prevented by the control structure will also not be detected by the auditors. Typically, detection
risk will be lower for firms with higher inherent risk and control risk.

21. What is the relationship between tests of controls and substantive tests?
Response: The relationship between tests of controls and substantive tests is directly related
to the auditor’s risk assessment. The stronger the internal controls, the less substantive testing
the auditor must do.

22. SOX contains many sections. Which sections does this chapter focus on?
Response: This chapter concentrates on internal control and audit responsibilities pursuant
to SOX Sections 302 and 404.

23. What control framework does the PCAOB recommend?
Response: The PCAOB recommends the use of COSO as the framework for control
assessment.

24. COSO identifies two broad groupings of information system controls. What are
they?
Response: The two broad groupings of information system controls identified by COSO
are application controls and general controls.

25. What are the objectives of application controls?
Response: The objectives of application controls are to ensure the validity, completeness,
and accuracy of financial transactions.

26. Give three examples of application controls.
Response: Examples include:
a. A cash disbursements batch-balancing routine that verifies the total payments to vendors
reconciles with the total postings to the accounts payable subsidiary ledger.
b. An accounts receivable check digit procedure that validates customer account numbers
on sales transactions.
c. A payroll system limit check that identifies employee time card records with reported
hours worked in excess of the predetermined normal limit.

27. Define general controls.
Response: General controls apply to all systems. They are not application specific.
General controls include controls over IT governance, the IT infrastructure, security and access to
operating systems and databases, application acquisition and development, and program changes.

28. What is the meaning of the term attest services?
Response: The attest service is an engagement in which a practitioner is engaged to issue a
written communication that expresses a conclusion about the reliability of a written assertion that
is the responsibility of another party (SSAE No. 1, AT Sec. 100.01).

29. List four general control areas.
Response: The following are examples of general control areas:
a. IT governance controls,
b. Security (data management controls),
c. Security (operating system and network controls),
d. systems development and program change controls,
