Internal Auditing and Systems Controls Paper 11

Answer (D) is correct. Validity checks, limit checks, field checks, and sign tests are all examples of input controls (input validation routines).

Answer (B) is correct. One person should not be responsible for all phases of a transaction, i.e., for authorization of transactions, recording of transactions, and custodianship of the related assets. These duties should be performed by separate individuals to reduce the opportunities to allow any person to be in a position both to perpetrate and conceal errors or fraud in the normal course of his or her duties (AU 314).

Answer (C) is correct. Viruses are computer programs that propagate themselves from one computer to another without the user’s knowledge. Trojan horses are voluntarily installed on a computer by the user because they are masquerading as programs the user wants. The Trojan horse contains codes that allow a hacker to later take over the computer or retrieve sensitive data from the computer.

Answer (B) is correct. Single sign-on can be the solution in well-managed systems environments. A single ID and password combination is required to allow a user access to all IT resources (s)he needs. A high level of maintenance and security consciousness is required to make single sign-on successful.

Answer (C) is correct. Computer operations is that section of the information systems function concerned with the day-to-day processing of data and distribution of results to the appropriate parties.

Answer (C) is correct. When a supervisor can both approve a vendor as well as initiate a transaction, segregation of duties is not properly enforced. The two functions must either be separated or monitored.

Answer (D) is correct. The payroll distribution log containing a schedule of when checks and reports are prepared with the names of individuals who are to receive the report is an output control. Receiving checks and reports are outputs, so the schedule of the receipts of the reports is an output control.

Answer (A) is correct. Physical controls limit physical access and environmental damage to computer equipment and important documents. In order to protect access to hardware, the director should consider limitation of physical access, since hardware is a tangible object.

Answer (C) is correct. Input controls provide reasonable assurance that data submitted for processing are (1) authorized, (2) complete, and (3) accurate. If the company had an input control that looked for unreasonable amounts, it would have flagged the 400 as an unreasonable number before the data were processed into the system. The input control would not have allowed this amount.

Answer (B) is correct. Mapping programs are used to search application source programs for code that is not used in the version of the program that is in use by the production system.