(Information Technology Auditing, 4e James A. Hall)
(Solution Manual all Chapters)
CHAPTER 1
AUDITING AND INTERNAL CONTROL
REVIEW QUESTIONS
1. What is the purpose of an IT audit?
Response: The purpose of an IT audit is to provide an independent assessment of some
technology- or systems-related object, such as proper IT implementation, or controls over
computer resources. Because most modern accounting information systems use IT, IT
plays a significant role in a financial (external) audit, where the purpose is to determine the
fairness and accuracy of the financial statements.
2. Discuss the concept of independence within the context of a financial audit. How is
independence different for internal auditors?
Response: The auditor cannot be an advocate of the client, but must independently attest to
whether GAAP and other appropriate guidelines have been adequately met. Independence
for internal auditors is different because they are employed by the organization, and cannot
be as independent as the external auditor. Thus internal auditors must use professional
judgment and independent minds in performing IA activities.
3. What are the conceptual phases of an audit? How do they differ between general
auditing and IT auditing?
Response: The three conceptual phases of auditing are:
i. Audit planning,
ii. Tests of internal controls, and
iii. Substantive tests.
Conceptually, no difference exists between IT auditing and general auditing. IT auditing is
typically a subset of the overall audit; the portion that involves computer technology is the
subset.
4. Distinguish between the internal and external auditors.
Response: External auditors represent the interests of third-party stakeholders in the
organization, such as stockholders, creditors, and government agencies. External auditing is
conducted by certified public accountants who are independent of the organization’s
management. Internal auditors represent the interests of management. Internal auditing
tasks include conducting financial audits, examining an operation’s compliance with legal
obligations, evaluating operational efficiency, detecting and pursuing fraud within the firm,
and conducting IT audits. External auditors also conduct IT audits as a subset of financial
audits.
5. What are the four primary elements described in the definition of auditing?
Response:
a. auditing standards
b. systematic process
c. management assertions and audit objectives
d. obtaining evidence
6. Explain the concept of materiality.
Response: Materiality refers to the size of the effect of a transaction. From a cost-benefit
point of view, a threshold is set above which the auditor is concerned with the correct
recording and effects of transactions. Rather than using standard formulas, auditors use
their professional judgment to determine materiality.
7. How does the Sarbanes-Oxley Act of 2002 affect management’s responsibility for
internal controls?
Response: The Sarbanes-Oxley Act (S-OX) specifically holds management responsible for
internal controls. S-OX requires an annual report on internal controls that is the
responsibility of management; external auditors must attest to the integrity of the report.
Management must assess the effectiveness of the internal control structure and procedures
for financial reporting as of the end of the most recent fiscal year and identify any control
weaknesses. An attestation by external auditors reports on management’s assessment
statement.
8. What are the four broad objectives of internal control?
Response:
a. to safeguard the assets of the firm
b. to ensure the accuracy and reliability of accounting records and information
c. to promote efficiency in the firm’s operations
d. to measure compliance with management’s prescribed policies and procedures
9. What are the four modifying assumptions that guide designers and auditors of
internal control systems?
Response: Management responsibility, reasonable assurance, methods of data processing,
and limitations.
10. Give an example of a preventive control.
Response: Locked doors, passwords, and data-entry controls for each field (e.g., range
checks).
11. Give an example of a detective control.
Response: A log of users, a comparison with computer totals and batch totals.
12. Give an example of a corrective control.
Response: Manual procedures to correct a batch that is not accepted because of an
incorrect social security number. A clerical worker would need to investigate and
determine either the correct hash total or the correct social security number that should be
entered. A responsible party is then needed to read exception reports and follow up on
anomalies.
13. What are the five internal control components described in the COSO framework?
Response:
a. Control Environment
b. Risk Assessment
c. Information and Communication
d. Monitoring
e. Control Activities
14. What are the six broad classes of control activities defined by COSO?
Response: The six broad classes of control activities defined by COSO are:
a. transaction authorization,
b. segregation of duties,
c. supervision,
d. accounting records,
e. access control, and
f. independent verification.
15. Give an example of independent verification.
Response:
a. the reconciliation of batch totals at periodic points during transaction processing
b. the comparison of physical assets with accounting records
c. the reconciliation of subsidiary accounts with control accounts
d. reviews by management of reports that summarize business activity
e. periodic audits by independent external auditors
f. periodic audits by internal auditors
16. Differentiate between general and application controls. Give two examples of each.
Response: General controls apply to a wide range of exposures that systematically threaten
the integrity of all applications processed within the IT environment. Some examples of
general controls would be controls against viruses and controls to protect the hardware
from vandalism. Application controls are narrowly focused on risks within specific
systems. Some examples of application controls would be a control to make sure that each
employee receives only one paycheck per pay period and a control to ensure that each
invoice gets paid only once.
17. Distinguish between tests of controls and substantive testing.
Response: The tests of controls phase involves determining whether internal controls are
in place and whether they function properly. The substantive testing phase involves a
detailed investigation of specific account balances and transactions.
18. Define audit risk.
Response: Audit risk is the probability that the auditor will render an unqualified (clean)
opinion on financial statements that are, in fact, materially misstated.
19. Distinguish between errors and irregularities. Which do you think concern auditors
the most?
Response: Errors are unintentional mistakes whereas irregularities are intentional
misrepresentations to perpetrate a fraud or mislead the users of financial statements. Errors are
a concern if they are numerous or sizable enough to cause the financial statements to be
materially misstated. All processes that involve human actions are highly susceptible to
some amount of human error. Computer processes should contain errors only if the
programs are erroneous, if systems operating procedures are not being closely and
competently followed, or if some unusual system malfunction has corrupted data. Errors
are typically much easier to uncover than misrepresentations. Thus auditors typically are
more concerned about whether they have uncovered any and all irregularities. Also, due to
SAS No. 99 and Sarbanes-Oxley, auditors are much more concerned with fraud
(irregularities) than before.
20. Distinguish between inherent risk and control risk. How do internal controls affect
inherent risk and control risk, if at all? What is the role of detection risk?
Response: Inherent risk is associated with the unique characteristics of the business or
industry of the client. Firms in declining industries are considered to have more inherent
risk than firms in stable or thriving industries. Auditors cannot reduce inherent risk, which
is not affected by internal controls. Even in a system protected by excellent controls,
financial data can be misstated.
Control risk is the likelihood that the control structure is flawed because internal controls
are either absent or inadequate to prevent or detect errors in the accounts. Auditors assess
the level of control risk by performing tests of internal controls. Internal control does,
however, directly impact control risk. The more effective the internal controls that are in
place, the lower the level of assessed control risk.
Detection risk is the risk that auditors are willing to take that errors not detected or
prevented by the control structure will also not be detected by the auditors. Typically,
detection risk will be lower for firms with higher inherent risk and control risk.
21. What is the relationship between tests of controls and substantive tests?
Response: The relationship between tests of controls and substantive tests is directly related
to the auditor’s risk assessment. The stronger the internal controls, the less substantive
testing the auditor must do.
22. SOX contains many sections. Which sections does this chapter focus on?
Response: This chapter concentrates on internal control and audit responsibilities pursuant
to SOX Sections 302 and 404.
23. What control framework does the PCAOB recommend?
Response: The PCAOB recommends the use of COSO as the framework for control
assessment.
24. COSO identifies two broad groupings of information system controls. What are they?
Response: The two broad groupings of information system controls identified by COSO
are application controls and general controls.
25. What are the objectives of application controls?
Response: The objectives of application controls are to ensure the validity, completeness,
and accuracy of financial transactions.
26. Give three examples of application controls?
Response: Examples include:
a. A cash disbursements batch-balancing routine that verifies that the total payments to vendors
reconciles with the total postings to the accounts payable subsidiary ledger.
b. An accounts receivable check digit procedure that validates customer account numbers on
sales transactions.
c. A payroll system limit check that identifies employee time card records with reported
hours worked in excess of the predetermined normal limit.
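The three application controls of question 26, together with the batch/hash total comparison and exception report of questions 11 and 12, as an added example that is not part of the solution manual; the mod-10 (Luhn) check-digit scheme, the 60-hour limit and the sample records are assumptions.

```python
"""Constructed example of three application controls: a check-digit validation of
account numbers (preventive), a batch control total comparison (detective), and a
payroll limit check that produces an exception report for follow-up (corrective)."""


def mod10_check_digit_valid(account: str) -> bool:
    """Validate a customer account number whose last digit is a mod-10 (Luhn) check
    digit. Luhn is an assumption; the text does not name the scheme the system uses."""
    if not account.isdigit() or len(account) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(account)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def batch_balances(payments, ap_postings) -> bool:
    """Detective control: do total payments to vendors reconcile with the total
    postings to the AP subsidiary ledger? A hash total of vendor numbers is compared
    as well, so a payment posted to the wrong vendor is caught even when the dollar
    amounts agree."""
    amount_ok = (round(sum(p["amount"] for p in payments), 2)
                 == round(sum(x["amount"] for x in ap_postings), 2))
    hash_ok = (sum(p["vendor"] for p in payments)
               == sum(x["vendor"] for x in ap_postings))
    return amount_ok and hash_ok


def payroll_exceptions(timecards, limit=60):
    """Limit check: time cards reporting more hours than the normal limit. The
    returned list is the exception report a responsible party must follow up on."""
    return [tc for tc in timecards if tc["hours"] > limit]


# Constructed sample data (not from the textbook).
PAYMENTS = [{"vendor": 1001, "amount": 250.00}, {"vendor": 1002, "amount": 75.50}]
AP_POSTINGS = [{"vendor": 1001, "amount": 250.00}, {"vendor": 1003, "amount": 75.50}]
TIMECARDS = [{"employee": "E1", "hours": 40}, {"employee": "E2", "hours": 72}]

if __name__ == "__main__":
    print(mod10_check_digit_valid("79927398713"))  # True
    print(batch_balances(PAYMENTS, AP_POSTINGS))   # False: amounts agree, hash total differs
    print(payroll_exceptions(TIMECARDS))           # [{'employee': 'E2', 'hours': 72}]
```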
27. Define general controls.
Response: General controls apply to all systems. They are not application specific.
General controls include controls over IT governance, the IT infrastructure, security and
access to operating systems and databases, application acquisition and development, and
program changes.
28. What is the meaning of the term attest services?
Response: The attest service is an engagement in which a practitioner is engaged to issue a
written communication that expresses a conclusion about the reliability of a written
assertion that is the responsibility of another party (SSAE No. 1, AT Sec. 100.01).