Other IT Considerations

I. Hardware versus Software

A. Hardware -- The central processing unit (CPU) and all the other related equipment.

B. Software -- The system programs and all the application programs:

1. Operating system -- The set of instructions that runs the CPU and the related peripheral equipment.

2. Compiler -- Translates the source program into an object program:

a. Source program -- Written in a specific programming language (for example, FORTRAN, COBOL).

b. Object program -- The instructions in machine-readable form.

II. Modes of Operation

Related to when the transactions are processed:

A. Batch processing -- When transactions are collected for periodic processing (for example, daily updates for an ATM machine).

B. Online, real-time processing --

1. "Online" -- Means that the user is in direct communication with the computer's central processing unit (CPU).

2. "Real-time" -- Means that the data files are immediately updated.

III. Service Organizations

Independent computer centers may be engaged to process a client's transactional data; using such a service organization is a form of "outsourcing" and represents an alternative to having a company's own IT department.

IV. Distributed Systems

Involves a single database, which is literally distributed across multiple computers connected by a communication link. In other words, a network of remote computers connected to the main system (i.e., a "host" server) whereby each location can then have input/output, processing, and printing capabilities.

V. Database Systems

A set of interconnected files that eliminates the redundancy associated with maintaining separate files for different subsets of the organization; a key concern is limiting the users' access to the appropriate parts of the database as authorized.

VI. "Hierarchical" vs. "Relational" Database Structures

A. Hierarchical -- Data elements at one level encompass the data elements immediately below (constructed like a company's "organizational chart"). These structures are largely outdated.


B. Relational -- An integrated database having the structure of a spreadsheet (where each row consists of fields related to a particular customer or item and each column consists of a specific information field that is applicable to each customer or item).

VII. Networks

Basic definitions

A. Local area network (LAN) -- A network of hardware and software interconnected throughout a building or campus (usually limited to a few miles in scope).

B. Wide area network (WAN) -- A larger version of a LAN that might span a whole city or country.

C. Value added network (VAN) -- A network that facilitates "EDI" transactions (see the section on e-commerce below) between the buying and selling companies in such transactions, but the VAN is maintained by an independent company.

D. Internet -- A worldwide network of privately controlled computers.

E. Intranet -- A local area network that uses internet technology to facilitate communications throughout a particular organization (perhaps using a "firewall" to insulate the organization's system from unauthorized, outside entry).

F. Extranet -- Same as "intranet," except that important external constituents (e.g. major customers or suppliers) are also connected.

VIII. Electronic Commerce

A. Electronic funds transfer (EFT) -- Involves the transfer of monies between financial accounts (usually associated with financial institutions).

B. Electronic data interchange (EDI) -- Involves an electronic transaction between companies (one is selling, the other is buying).

1. The usual hardcopy documents (e.g. purchase orders, sales invoices) don't exist!

2. The goal is greater efficiency and less paperwork -- should result in lower receivable/payable balances.

3. Point-to-point (point of sale) transactions -- Involve direct computer-to-computer communication between the parties.

4. Value Added Network -- As indicated above, an independent company may develop the electronic infrastructure to facilitate these electronic business activities (along with support services).

IX. Using the Internet

Security and information reliability remain major concerns, although no direct investment is specifically required to engage in e-commerce transactions. Note that the AICPA developed "WebTrust" as an assurance service to address such concerns for a consumer/buyer.


Flashcards

Flashcard #1 (FC0349)

Define "Distributed Systems."

A network of remote computers connected to the main system, allowing simple processing functions to be delegated to the employees at the remote sites.

Flashcard #2 (FC0348)

Define "Service Organization."

Independent organizations to whom an entity may outsource the processing of its transactional data.

Flashcard #3 (FC0347)

Define "database system."

A set of interconnected files that eliminates the redundancy associated with maintaining separate files for different subsets of the organization.

Flashcard #4 (FC0346)

Define "Real Time Processing."

The processing of data whereby the data files are immediately updated.

Flashcard #5 (FC0345)

Define "On-line Processing."

The processing of data whereby the user is in direct communication with the computer's central processing unit.

Flashcard #6 (FC6856)

Define "local area network (LAN)."

A network of hardware and software interconnected throughout a building or campus.

Flashcard #7 (FC6857)

Define "Value Added Network (VAN)."

A network maintained by an independent company that facilitates Electronic Data Interchange (EDI) transactions between the buying and selling companies.

Flashcard #8 (FC6858)

Define "Electronic Data Interchange (EDI)."

Direct computer-to-computer communication between a buyer and seller designed to achieve greater efficiency and less paperwork (a paper audit trail may not even exist).


Proficiency Questions

Question #1 (PQ0735)

A "source program" is written in machine readable form.

True

False

Question #2 (PQ0736)

Access controls are particularly important to a distributed system in which remote computers are linked to the main system.

True

False

Question #3 (PQ0737)

A database can be described as a set of interconnected files which efficiently avoids the redundancy associated with maintaining separate files for different subsets of the organization.

True

False

Question #4 (PQ0738)

In a database system, any user within the organization is able to access the entire database without restrictions.

True

False

Question #5 (PQ0739)

A compiler is a program that converts instructions written in a particular computer language (the source program) into machine-readable instructions (the object program).

True

False


Past Exam Questions

Question #1 (AICPA.990514AUD-AU)

Which of the following are essential elements of the audit trail in an electronic data interchange (EDI) system?

A. Network and sender/recipient acknowledgments.

B. Message directories and header segments.

C. Contingency and disaster recovery plans.

D. Trading partner security and mailbox codes.

Question #2 (AICPA.990511AUD-AU)

Which of the following statements is correct concerning internal control in an electronic data interchange (EDI) system?

A. Preventive controls are generally more important than detective controls in EDI systems.

B. Control objectives for EDI systems are generally different from the objectives for other information systems.

C. Internal controls in EDI systems rarely permit control risk to be assessed at below the maximum.

D. Internal controls related to the segregation of duties are generally the most important controls in EDI systems.

Question #3 (AICPA.990509AUD-AU)

Which of the following is usually a benefit of transmitting transactions in an electronic data interchange (EDI) environment?

A. A compressed business cycle with lower year-end receivables balances.

B. A reduced need to test computer controls related to sales and collections transactions.

C. An increased opportunity to apply statistical sampling techniques to account balances.

D. No need to rely on third-party service providers to ensure security.

Question #4 (AICPA.990508AUD-AU)

Which of the following is usually a benefit of using electronic funds transfer for international cash transactions?

A. Improvement of the audit trail for cash receipts and disbursements.

B. Creation of self-monitoring access controls.

C. Reduction of the frequency of data entry errors.

D. Off-site storage of source documents for cash transactions.

Question #5 (AICPA.990423AUD-AU)

Which of the following strategies would a CPA most likely consider in auditing an entity that processes most of its financial data only in electronic form, such as a paperless system?

A. Continuous monitoring and analysis of transaction processing with an embedded audit module.


B. Increased reliance on internal control activities that emphasize the segregation of duties.

C. Verification of encrypted digital certificates used to monitor the authorization of transactions.

D. Extensive testing of firewall boundaries that restrict the recording of outside network traffic.

Question #6 (AICPA.990422AUD-AU)

Which of the following is an engagement attribute for an audit of an entity that processes most of its financial data in electronic form, without any paper documentation?

A. Discrete phases of planning, interim, and year-end field work.

B. Increased effort to search for evidence of management fraud.

C. Performance of audit tests on a continuous basis.

D. Increased emphasis on the completeness assertion.

Question #7 (AICPA.990413AUD-AU)

Which of the following is an essential element of the audit trail in an electronic data interchange (EDI) system?

A. Disaster recovery plans that ensure proper backup of files.

B. Encrypted hash totals that authenticate messages.

C. Activity logs that indicate failed transactions.

D. Hardware security modules that store sensitive data.

Question #8 (AICPA.990412AUD-AU)

Which of the following statements is correct concerning the security of messages in an electronic data interchange (EDI) system?

A. When the confidentiality of data is the primary risk, message authentication is the preferred control, rather than encryption.

B. Encryption performed by physically secure hardware devices is more secure than encryption performed by software.

C. Message authentication in EDI systems performs the same function as segregation of duties in other information systems.

D. Security at the transaction phase in EDI systems is not necessary because problems at that level will usually be identified by the service provider.

Question #9 (AICPA.911133AUD-AU)

Which of the following statements most likely represents a disadvantage for an entity that keeps microcomputer-prepared data files rather than manually prepared files?

A. Random error associated with processing similar transactions in different ways is usually greater.

B. It is usually more difficult to compare recorded accountability with physical count of assets.

C. Attention is focused on the accuracy of the programming process, rather than on errors in individual transactions.

D. It is usually easier for unauthorized persons to access and alter the files.

Question #10 (AICPA.010518AUD-AU)


In building an electronic data interchange (EDI) system, what process is used to determine which elements in the entity's computer system correspond to the standard data elements?

A. Mapping.

B. Translation.

C. Encryption.

D. Decoding.

Question #11 (AICPA.010505AUD-AU)

Which of the following is a computer program that appears to be legitimate, but performs some illicit activity when it is run?

A. Hoax virus.

B. Web crawler.

C. Trojan horse.

D. Killer application.

Question #12 (AICPA.010417AUD-AU)

Which of the following computer-assisted auditing techniques processes client input data on a controlled program under the auditor's control to test controls in the computer system?

A. Test data.

B. Review of program logic.

C. Integrated test facility.

D. Parallel simulation.

Question #13 (AICPA.010407AUD-AU)

Which of the following characteristics distinguishes electronic data interchange (EDI) from other forms of electronic commerce?

A. EDI transactions are formatted using standards that are uniform worldwide.

B. EDI transactions need not comply with generally accepted accounting principles.

C. EDI transactions are ordinarily processed without the Internet.

D. EDI transactions are usually recorded without security or privacy concerns.


Proficiency Question Answers

Question #1 : False

Question #2 : True

Question #3 : True

Question #4 : False

Question #5 : True


Past Exam Question Answers

Question #1 (AICPA.990514AUD-AU)

A. (Correct!) Network and sender/recipient acknowledgments document the trail of accounting data (and transactions) through the system. In doing so, they serve as essential elements of the audit trail in an EDI system.

B. Message directories and header segments identify file contents. They do not necessarily serve as essential elements of the audit trail.

C. Contingency and disaster recovery plans address a company's ability to maintain an operating information system in the event of a disaster. They do not provide documentation of accounting transactions and are not essential elements of the audit trail.

D. Trading partner security and mailbox codes help to ensure that messages and data are viewed only by authorized parties. They do not aid in documenting the trail of an accounting transaction through the system.

Question #2 (AICPA.990511AUD-AU)

A. (Correct!) Preventive controls are controls that attempt to deter problems before they occur. Detective controls are controls that discover problems after they occur. In an EDI system, the emphasis would be on preventive controls rather than on detective controls, due to the volume and speed of processing. Waiting to discover problems could result in an unacceptable loss of millions of dollars.

B. The control objectives for EDI systems are the same as the objectives for other information systems. For example, ensuring that system processing is complete, accurate, timely, and authorized would be goals for any information system.

C. The verification of effective operation of relevant internal controls in EDI systems would enable control risk to be assessed below maximum. It may be more difficult both to understand and to test internal controls in an EDI system due to the additional complexity of the EDI system. The use of an information technology specialist may be needed. Regardless of the effort required, however, if EDI controls can be tested and are found to be operating effectively, the control risk assessment can be lowered.

D. Adequate segregation of duties is just one category of the general controls considered essential to an EDI system. Additional general controls include physical and online security, backup and contingency planning, and systems development. Adequate segregation of duties, for example, would not compensate for lack of physical security.

Question #3 (AICPA.990509AUD-AU)

A. (Correct!) An electronic data interchange environment enables the business cycle to be reduced (or compressed). For example, sales may be invoiced immediately, with the resultant speed-up of cash collections and reduction of receivable balances.

B. An electronic data interchange environment will increase the need to test computer controls related to sales and collections transactions. The reduction in paper documents and the transfer of manual functions to the computer will result in decreased segregation of duties. As a result, it will become extremely important to ensure that computer controls over these areas are functioning properly.

C. An increased opportunity to utilize statistical sampling is not a benefit in an EDI environment. Statistical sampling is a methodology that uses the laws of probability to select and quantitatively evaluate the results of a sample. In large populations, computer usage might be required to select the sample. An EDI environment does not necessarily provide an increased opportunity to utilize statistical sampling, nor would such usage necessarily be a benefit.

D. Third-party service providers may become more important in ensuring security in an EDI environment, particularly as the entity will not be able to directly control security in its EDI partners.

Question #4 (AICPA.990508AUD-AU)

A. In an electronic environment, the audit trail is often reduced, rather than improved. The audit trail is the path followed by a transaction through the accounting records. Fewer paper documents and temporary electronic data transaction files can greatly reduce an audit trail.

B. The creation of self-monitoring access controls with regard to international cash transfers would not be a benefit. Instead, if such controls were actually used, they would represent a limitation of an electronic system.

C. (Correct!) Using electronic funds transfer for international cash transactions reduces the manual handling and data entry related to such transfers. As a result, the frequency of data entry errors is reduced. As a general rule, whenever the data must be "touched" by human hands, the opportunity for error is introduced. The less the data are touched, the fewer the opportunities for error.

D. In an electronic environment, source documents are eliminated. Thus, off-site storage of source documents for cash transactions would not occur.

Question #5 (AICPA.990423AUD-AU)

A. (Correct!) An audit of an entity with primarily electronic data systems would be more likely to include continuous monitoring and analysis via an embedded audit module because, in such environments, transactions or accounting records may be available on a temporary basis and in machine-readable form only. As a result, testing would need to be performed continuously, rather than at a single time. An embedded audit module is a computer program inserted by the auditor into the client's application system. The audit module selects transactions, e.g., large or unusual transactions, for further review and testing by the auditor.

B. In electronic data systems, all of the general controls, not just segregation of duties, would require evaluation. For example, the auditor would also be concerned with physical and online security.

C. The verification of encrypted digital certificates addresses just a portion of one of the general controls that would be of concern to the auditor. In addition, such testing would occur at a single point in time and the auditor's greater concern would be continuous monitoring of the client's system.

D. Extensive testing of firewalls addresses just a portion of one of the general controls that would be of concern to the auditor. The auditor would be more concerned with the continuous monitoring of the client's system.

Question #6 (AICPA.990422AUD-AU)

A. Discrete phases of planning, interim, and year-end field work would imply the testing of controls at a single time. The transitory nature of transactions and/or accounting records would require continuous auditing, rather than one-time testing.

B. The risk of management fraud is not necessarily increased by electronic data processing. Instead, the risk of management fraud would be increased by factors such as inadequate monitoring by management of significant controls over electronic data processing or the continued employment of ineffective information technology staff.

C. (Correct!) An audit of an entity with primarily electronic data systems would be more likely to include continuous audit testing because in such environments transactions or accounting records may be available on a temporary basis and in machine-readable form only. As a result, testing would need to be performed continuously, rather than at one time.

D. Electronic data processing does not necessarily result in a loss of transactions (thus requiring increased emphasis on the completeness assertion). A failure to maintain adequate input, processing, and storage controls over electronic data resulting in loss of data would result in increased emphasis on completeness.

Question #7 (AICPA.990413AUD-AU)

A. Proper backup will only ensure that the data at a point in time are not lost. It does not necessarily enable an accounting transaction to be traced through the system. For example, certain files, such as transaction files, may be maintained on a temporary basis only and may not even appear in the backup copies.

B. Message authentication provides assurance that the message has not been altered and identifies the sender of the message. It does not necessarily enable an accounting transaction to be traced through the system.

C. (Correct!) The audit trail is the means by which an accounting transaction can be traced through an accounting information system. In an EDI system, the audit trail would include activity logs that indicate failed transactions, as they identify the disposition of those transactions.


D. Storage of sensitive data does not necessarily provide information about the processing of an accounting transaction. As a result, it may not enable an accounting transaction to be traced through the system.

Question #8 (AICPA.990412AUD-AU)

A. If confidentiality of data is the primary risk, the relevant control would ensure protection of the data and verification of the user. Encryption ensures that the data cannot be read without the encryption key, thus preventing viewing by an unauthorized user. Message authentication ensures message integrity and verification of the sender. It would not ensure that the recipient was the intended user.

B. (Correct!) General controls are critical to any EDI system. If the general controls are not functioning properly, the application controls will not be secure. Thus, encryption performed by software could be broken if a hacker or other outside party were able to get around or into the software via access to the hardware. Thus, encryption performed by physically secure hardware devices would be more secure than encryption performed by software.

C. Message authentication and segregation of duties provide very different assurances. Message authentication ensures message integrity and verification of the sender. Segregation of duties ensures that potentially conflicting functions, such as operations, programming, and data control, are separated.

D. A service provider will be primarily concerned with security at the system level. Security at the transaction phase addresses problems arising from inappropriate access to transactional data. This type of security is usually addressed by establishing authorization privileges for identified users and would typically be controlled by the service recipient.
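The message-authentication control contrasted with encryption in answer A above, together with the activity log that answer C to Question #7 names as an audit-trail element, as an added Python example that is not part of the original study material: the receiving trading partner verifies an HMAC tag under the sending partner's shared key and records the disposition of every message, so an altered message and a message from an unknown partner both fail and the failures are logged. The partner ids, keys and purchase-order body are constructed for the example; the body itself travels readable, which is why confidentiality would need encryption as a separate control.

```python
import hashlib
import hmac
import json

# Constructed per-trading-partner keys, one shared secret per partner (assumption:
# keys are exchanged out of band; a real EDI gateway would use a key-management service).
PARTNER_KEYS = {
    "BUYER01": b"constructed-secret-for-buyer01",
    "SUPPLY7": b"constructed-secret-for-supply7",
}

# The activity log is the audit-trail element: one entry per received message,
# including the failed ones, recording how each message was disposed of.
ACTIVITY_LOG = []


def make_tag(key, body):
    """Authentication tag the sender attaches: an HMAC-SHA256 over the message body."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def send(partner_id, document):
    """Sender side: serialise the document and attach the sender id and its tag.

    The body is sent readable. Message authentication gives integrity and sender
    verification only; hiding the content would need encryption, a separate control.
    """
    body = json.dumps(document, sort_keys=True)
    return {"sender": partner_id, "body": body,
            "tag": make_tag(PARTNER_KEYS[partner_id], body.encode())}


def receive(envelope):
    """Receiver side: verify the tag, then log the disposition whether it passed or failed."""
    sender = envelope.get("sender")
    body = envelope.get("body", "").encode()
    key = PARTNER_KEYS.get(sender)
    if key is None:
        disposition, reason = "FAILED", "unknown trading partner"
    elif not hmac.compare_digest(make_tag(key, body), envelope.get("tag", "")):
        # Mismatch: the body changed after tagging, or the sender does not hold the partner key.
        disposition, reason = "FAILED", "authentication tag mismatch"
    else:
        disposition, reason = "ACCEPTED", "tag verified"
    entry = {
        "seq": len(ACTIVITY_LOG) + 1,
        "sender": sender,
        "body_sha256": hashlib.sha256(body).hexdigest()[:16],
        "disposition": disposition,
        "reason": reason,
    }
    ACTIVITY_LOG.append(entry)
    return entry


def failed_transactions():
    """What an auditor would pull from the activity log: the failed messages and why."""
    return [e for e in ACTIVITY_LOG if e["disposition"] == "FAILED"]


def run_demo():
    """Process a genuine, an altered and an unknown-partner message; return the dispositions."""
    ACTIVITY_LOG.clear()
    order = {"doc": "850", "po": "PO-1001", "item": "WIDGET", "qty": 100}
    genuine = send("BUYER01", order)

    # Constructed alteration: the quantity is changed after the tag was computed.
    altered = dict(genuine, body=genuine["body"].replace('"qty": 100', '"qty": 1000'))

    # Constructed message claiming a partner id for which no key is held.
    unknown = dict(genuine, sender="NOBODY9")

    return [receive(m)["disposition"] for m in (genuine, altered, unknown)]


if __name__ == "__main__":
    run_demo()
    for entry in ACTIVITY_LOG:
        print(entry)
```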

Question #9 (AICPA.911133AUD-AU)

A. An advantage of microcomputer-prepared data files is that random error associated with processing similar transactions in different ways is usually less common.

B. An advantage of microcomputer-prepared data files is that it can be easier to compare recorded accountability with the physical count of assets, as it is easier to maintain perpetual inventory records.

C. An advantage of microcomputer-prepared data files is that attention is focused on the accuracy of the programming process, rather than on errors in individual transactions.

D. (Correct!) A disadvantage of microcomputer-prepared data files is that it is usually easier for unauthorized persons to access and alter the files.

Question #10 (AICPA.010518AUD-AU)

A. (Correct!) In an EDI system, a standard format is adopted. Mapping is the process by which the elements in the client's computer system are related to the standard data elements.

B. Translation is the process by which messages are changed from one form to another form.

C. Encryption is the process used to encode a message from plain text to a secret code.

D. Decoding is the process used to translate an encrypted message back into plain text.

Question #11 (AICPA.010505AUD-AU)

A. A hoax virus is a message warning of a virus that doesn't really exist. Unfortunately, known hoaxes have been used as a means of distributing real and very destructive viruses. The McAfee website notes that, "AOL4FREE began as a hoax virus warning. Then somebody distributed a destructive Trojan attached to the original hoax virus warning!"

B. A web crawler is a software program that automatically searches the web. It is also known as a spider, robot, or wanderer. A web crawler is used by a search engine to identify web contents related to a particular topic.

C. (Correct!) A Trojan horse involves the inclusion of unauthorized programming in an otherwise legitimate program. They are frequently included in "free" software downloadable from Internet sites. For example, free software made available to AOL subscribers included special instructions that secretly forwarded the subscriber's account name and password to another party.


D. A killer application is a highly successful software program. It is a "killer" because it is something everyone needs and uses.

Question #12 (AICPA.010417AUD-AU)

A. Test data are a series of hypothetical transactions that include both valid and invalid data. The test data are used to test the client's program. They would be used in lieu of client input data.

B. A review of program logic does not involve client data and an auditor-controlled program. In a program logic review, the auditor would examine the client program to verify the logic, completeness, and accuracy of processing steps in the program. This verification requires a high level of programming language proficiency.

C. An integrated test facility uses auditor data and the client's program. It involves the processing of fictitious records into a fictitious division, branch, supplier, etc. in the client's master files. Testing can be performed without the knowledge of company employees, as dummy and actual records are processed concurrently.

D. (Correct!) Parallel simulation is a computer-assisted auditing technique in which an auditor-written or auditor-controlled program is used to process client data. The results are then compared to those obtained using the client's program and differences are investigated. This technique enables the auditor to test controls in and processing performed by a client program.

Question #13 (AICPA.010407AUD-AU)

A. (Correct!) Electronic data interchange (EDI) utilizes standardized formats for electronically transferring information. By adopting EDI, a company can electronically transfer information from one system into another. The elimination of manual re-entry of data and paperwork reduces costs and increases accuracy.

B. EDI refers to the electronic transfer of data, not the reporting of accounting information. Generally accepted accounting principles (GAAP) govern the reporting of accounting information.

C. EDI transactions are more likely to use the Internet, although Internet use is not required. The use of EDI enables the transfer of information from one company to another; a logical route would be via the Internet.

D. Security and privacy concerns would be paramount in an EDI system. For example, transferring data via the Internet would not be feasible unless security and privacy were assured.