Internal Auditing and Systems Controls Paper 10

Answer (C) is correct. A check digit, or self-checking number, is an input control to determine if an error might have been made on an identification number. The digit is an extra number on the end of the identification number (creating a new ID number) that is calculated by an algorithm on the original part of the ID number. If the ID is miskeyed, the algorithm will produce a number different from the check digit and an error will be detected and reported.

Answer (C) is correct. Complete, up-to-date documentation of all programs and associated operating procedures is necessary for efficient operation of a computer installation. Maintenance of programs is important to provide for continuity and consistency of data processing services to users. Program documentation (the program run manual) consists of problem statements, systems flowcharts, operating instructions, record lay-outs, program

Answer (D) is correct. Compatibility tests restrict access to the computer system by determining whether access by a given user (or device) is compatible with the nature of the attempted use. A series of passwords or identification numbers may be required to gain access to the system, to examine data files, and to perform processing using particular programs. Thus, a clerk might be authorized only to read the data in a given file while using a specified terminal, but his or her superior might be able to update the file. Compatibility tests require online storage of authorization tables or matrices that specify the access permitted to specified codes and devices. The number of authorized inquiries per user is not included in such a table.

Answer (B) is correct. An integrated test facility involves the use of a fictitious entity, such as a dummy customer in accounts receivable, against which data transactions are processed. The results are then compared with those previously determined. This technique can be used without computer operator knowledge during routine system operation. The ITF is relatively inexpensive and requires no special processing. It is employed in auditing online, real-time systems.

Answer (D) is correct. Segregation of duties is important in any environment in which control is a concern. In particular, programmers and computer operators should be kept separate because programmers have the ability to modify programs, files, and controls. Thus, they should not be allowed to also operate the computer

Answer (A) is correct. Application controls relate to specific tasks performed by the IT department. Their function is to provide reasonable assurance that recording, processing, and reporting of data are performed properly. Application controls are often categorized as input controls, processing controls, and output controls.

Answer (D) is correct. A compatibility test is an access control used to ascertain whether a code number is compatible with the use to be made of the information requested. For example, a user may be authorized to enter only certain kinds of transaction data, to gain access only to certain information, to have access to but not update files, or to use the system only during certain hours.

Answer (B) is correct. In validity tests, values entered into the system are compared against master files of valid data. In this case, a master file of all zip codes recognized in the U.S. is held in memory and each time a clerk enters data in the zip code field, the clerk’s entry is compared to the list of valid values. If the zip code entered does not match any entry in the master file, data entry is halted and the clerk is advised to reenter the data.

Answer (A) is correct. A turnaround document is a computer output prepared in such a way that it can eventually be used as a source document for an input transaction. For example, an optical character recognition (OCR) document might be used as a sales invoice to be mailed to a customer and returned with payment. Thus, no new document would have to be prepared to record the payment. Utility bills are often mailed to customers in the form of turnaround documents.

Answer (A) is correct. Editing (validation) of data should produce a cumulative error listing that includes not only errors found in the current processing run but also uncorrected errors from earlier runs. Each error should be identified and described, and the date and time of detection should be given. Sometimes, the erroneous transactions may need to be recorded in a suspense file. This process is the basis for developing appropriate reports.