Internal Control and Computer Based Information Systems (CBIS)

MULTIPLE CHOICE:

1. In the weekly computer run to prepare payroll checks, a check was printed for
an employee who had been terminated the previous week. Which of the
following controls, if properly utilized, would have been most
effective in preventing the error or ensuring its prompt detection?
a. A control total for hours worked, prepared from time cards collected
by the timekeeping department. b. Requiring the treasurer's office to account
for the number of the pre-numbered checks issued to the CBIS
department for the processing of the payroll. c. Use of a check digit
for employee numbers. d. Use of a header label for the payroll input sheet.

ANSWER: A

2. An auditor is preparing test data for use in the audit of a computer based
accounts receivable application. Which of the following items would be appropriate to include
as an item in the test data?
a. A transaction record which contains an incorrect master file control
total. b. A master file record which contains an invalid customer
identification number. c. A master file record which
contains an incorrect master file control total. d. A
transaction record which contains an invalid customer identification number.

ANSWER: D

3. Unauthorized alteration of on-line records can be prevented by employing:

a. Key verification. b. Computer sequence checks.
c. Computer matching. d. Data base access
controls.

ANSWER: D

4. In auditing through a computer, the test data method is used by auditors to test the
a. Accuracy of input data. b. Validity of the output.
c. Procedures contained within the program. d. Normalcy of
distribution of test data.

ANSWER: C

5. In the preliminary survey the auditor learns that a department has

several microcomputers. Which of the following is usually true and should
be considered in planning the audit?
a. Microcomputers, though small, are capable of processing financial information,
and physical security is a control concern. b.

120
Chapter 8 Internal Control and CBIS 121

Microcomputers are limited to applications such as worksheet generation

and do not present a significant audit risk. c.
Microcomputers are generally under the control of the data processing
department and use the same control features.
d. Microcomputers are too small to contain any built-in control
features. Therefore, other controls must be relied upon.

ANSWER: A

6. The primary reason for internal auditing's involvement in the development of

new computer-based sysstems is to:
a. Plan post-implementation reviews. b. Promote adequate
controls.
c. Train auditors in CBIS techniques.
d. Reduce overall audit effort.

ANSWER: B

7. Which of the following is an advantage of generalized computer

audit packages?
a. They are all written in one identical computer
language.
b. They can be used for audits of clients that use differing CBIS equipment
and file formats. c. They have reduced the need for the auditor to study
input controls for CBIS related procedures. d. Their use can
be substituted for a relatively large part of the required control testing.

ANSWER: B

8. Processing simulated file data provides the auditor with information about the
reliability of controls from evidence that exists in simulated files. One of the techniques
involved in this approach makes use of
a. Controlled reprocessing. b. Program code
checking. c. Printout reviews. d.
Integrated test facility.

ANSWER: D

9. Which of the following statements most likely represents a disadvantage for an

entity that keeps microcomputer-prepared data files rather than manually prepared files?
a. It is usually more difficult to detect transposition errors.
b. Transactions are usually authorized before they are executed and
recorded. c. It is usually easier for unauthorized persons to
access and alter the files. d. Random error
associated with processing similar transactions in different ways is usually
greater.
122 Chapter 8 Internal Control and CBIS

ANSWER: C

10. The possibility of losing a large amount of information stored in computer files most
likely would be reduced by the use of
a. Back-up files
b. Check digits
c. Completeness tests
d. Conversion verification.

ANSWER: A

11. An integrated test facility (ITF) would be appropriate when the auditor needs to
a. Trace a complex logic path through an application system.
b. Verify processing accuracy concurrently with processing.
c. Monitor transactions in an application system continuously.
d. Verify load module integrity for production programs.

ANSWER: B

12. Where computer processing is used in significant accounting applications, internal

accounting control procedures may be defined by classifying control procedures into two
types: general and
a. Administrative. b. Specific.
c. Application. d. Authorization.

ANSWER: C

13. The increased presence of the microcomputer in the workplace has resulted in an
increasing number of persons having access to the computer. A control that is
often used to prevent unauthorized access to sensitive programs is:
a. Backup copies of the diskettes. b. Passwords for each of
the users. c. Disaster-recovery procedures. d.
Record counts of the number of input transactions in a batch being
processed.

ANSWER: B

14. Checklists, systems development methodology, and staff hiring are examples of
what type of controls?
a. Detective. b. Preventive.
c. Subjective. d. Corrective.

ANSWER: B
Chapter 8 Internal Control and CBIS 123

15. When an on-line, real-time (OLRT) computer-based processing system is in use,

internal control can be strengthened by
a. Providing for the separation of duties between keypunching
and error listing operations. b. Attaching plastic file protection rings to
reels of magnetic tape before new data can be entered on the file.
c. Making a validity check of an identification number before a user
can obtain access to the computer files. d. Preparing batch totals to provide assurance
that file updates are made for the entire input.

ANSWER: C

16. When auditing "around" the computer, the independent auditor focuses solely upon
the source documents and
a. Test data. b. CBIS processing.
c. Control techniques. d. CBIS output.

ANSWER: D

17. One of the features that distinguishes computer processing from manual
processing is
a. Computer processing virtually eliminates the occurrence of
computational error normally associated with manual processing.
b. Errors or fraud in computer processing will be
detected soon after their occurrences. c. The potential for systematic
error is ordinarily greater in manual processing than in computerized
processing.
d. Most computer systems are designed so that transaction trails useful
for audit purposes do not exist.

ANSWER: A

18. Given the increasing use of microcomputers as a means for accessing data bases, along
with on-line real-time processing, companies face a serious challenge relating to data
security. Which of the following is not an appropriate means for meeting this challenge?
a. Institute a policy of strict identification and password controls housed in the
computer software that permit only specified individuals to access the computer
files and perform a given function.
b. Limit terminals to perform only certain transactions.
c. Program software to produce a log of transactions showing date, time, type of
transaction, and operator.
d. Prohibit the networking of microcomputers and do not permit users to access
centralized data bases.

ANSWER: D
124 Chapter 8 Internal Control and CBIS

19. What type of computer-based system is characterized by data that are assembled from
more than one location and records that are updated immediately?
a. Microcomputer system. b. Minicomputer system.
c. Batch processing system. d. Online real-time
system.

ANSWER: D

20. Company A has recently converted its manual payroll to a computer-based system.
Under the old system, employees who had resigned or been terminated were occasionally
kept on the payroll and their checks were claimed and cashed by other employees, in
collusion with shop foremen. The controller is concerned that this practice not be
allowed to continue under the new system. The best control for preventing this form of
"payroll padding" would be to
a. Conduct exit interviews with all employees leaving the company, regardless of
reason.
b. Require foremen to obtain a signed receipt from each employee claiming a
payroll check.
c. Require the human resources department to authorize all hires and terminations,
and to forward a current computerized list of active employee numbers to payroll
prior to processing. Program the computer to reject inactive employee numbers.
d. Install time clocks for use by all hourly employees.

ANSWER: C

21. Compared to a manual system, a CBIS generally

1. Reduces segregation of duties. 2. Increases segregation of
duties. 3. Decreases manual inspection of processing results.
4. Increases manual inspection of processing results.
a. 1 and 3. b. 1 and 4
c. 2 and 3 d. 2 and 4.

ANSWER: A

22. One of the major problems in a CBIS is that incompatible functions may
be performed by the same individual. One compensating control for this is the
use of
a. Echo checks. b. A self-checking digit system.
c. Computer generated hash totals. d. A computer log.

ANSWER: D

23. Which of the following processing controls would be most effective in assisting a
store manager to ascertain whether the payroll transaction data were processed in their
entirety?
Chapter 8 Internal Control and CBIS 125

a. Payroll file header record. b. Transaction

identification codes. c. Processing control totals. d.
Programmed exception reporting.

ANSWER: C

24. An organizational control over CBIS operations is

a. Run-to-run balancing of control totals. b. Check digit
verification of unique identifiers. c. Separation of operating and programming
functions. d. Maintenance of output distribution logs.

ANSWER: C

25. Which of the following methods of testing application controls

utilizes a generalized audit software package prepared by the auditors?
a. Parallel simulation. b. Integrated testing facility
approach. c. Test data approach. d.
Exception report tests.

ANSWER: A

26. An unauthorized employee took computer printouts from output bins accessible
to all employees. A control which would have prevented this occurrence is
a. A storage/retention control. b. A spooler file control.
c. An output review control. d. A report distribution
control.

ANSWER: D

27. Which of the following is a disadvantage of the integrated test facility approach?

a. In establishing fictitious entities, the auditor may be compromising audit

independence.
b. Removing the fictitious transactions from the system is somewhat difficult and, if
not done carefully, may contaminate the client's files.
c. ITF is simply an automated version of auditing "around" the computer.
d. The auditor may not always have a current copy of the authorized version of the
client's program.

ANSWER: B

28. Totals of amounts in computer-record data fields which are not usually
added for other purposes but are used only for data processing control purposes are
called
a. Record totals. b. Hash totals.
c. Processing data totals. d. Field totals.
126 Chapter 8 Internal Control and CBIS

ANSWER: B

29. A hash total of employee numbers is part of the input to a payroll master file
update program. The program compares the hash total to the total computed for
transactions applied to the master file. The purpose of this procedure
is to:
a. Verify that employee numbers are valid. b. Verify that only
authorized employees are paid. c. Detect errors in payroll calculations.
d. Detect the omission of transaction processing.

ANSWER: D

30. Matthews Corp. has changed from a system of recording time worked on clock cards
to a computerized payroll system in which employees record time in and out with
magnetic cards. The CBIS automatically updates all payroll records. Because of this
change
a. A generalized computer audit program must be used. b. Part of the
audit trail is altered. c. The potential for payroll related fraud is
diminished. d. Transactions must be processed in batches.

ANSWER: B

31. Generalized audit software is of primary interest to the auditor in terms of its
capability to
a. Access information stored on computer files. b. Select a
sample of items for testing. c. Evaluate sample test results.
d. Test the accuracy of the client's calculations.

ANSWER: A

32. An accounts payable program posted a payable to a vendor not included in the on-
line vendor master file. A control which would prevent this error is a
a. Validity check. b. Range check.
c. Reasonableness test. d. Parity check.

ANSWER: A

33. In a computerized sales processing system, which of the following controls is most
effective in preventing sales invoice pricing errors?
a. Sales invoices are reviewed by the product managers before being mailed to
customers.
b. Current sales prices are stored in the computer, and, as stock numbers are entered
from sales orders, the computer automatically prices the orders.
c. Sales prices, as well as product numbers, are entered as sales orders are entered at
remote terminal locations.
Chapter 8 Internal Control and CBIS 127

d. Sales prices are reviewed and updated on a quarterly basis.

ANSWER: B

34. Which of the following is likely to be of least importance to an auditor in

reviewing the internal control in a company with a CBIS?
a. The segregation of duties within the data processing center.
b. The control over source documents. c. The documentation
maintained for accounting applications.
d. The cost/benefit ratio of data processing operations.

ANSWER: D

35. For the accounting system of Acme Company, the amounts of cash
disbursements entered into an CBIS terminal are transmitted to the
computer that immediately transmits the amounts back to the terminal for display on
the terminal screen. This display enables the operator to
a. Establish the validity of the account number. b. Verify the
amount was entered accurately. c. Verify the authorization of the
disbursement. d. Prevent the overpayment of the account.

ANSWER: B

36. Which of the following audit techniques most likely would provide an auditor
with the most assurance about the effectiveness of the operation of an internal control
procedure?
a. Inquiry of client personnel. b. Recomputation of account
balance amounts. c. Observation of client personnel. d.
Confirmation with outside parties.

ANSWER: C

37. Adequate technical training and proficiency as an auditor encompasses an

ability to understand a CBIS sufficiently to identify and evaluate
a. The processing and imparting of information. b. Essential
accounting control features. c. All accounting control features.
d. The degree to which programming conforms with
application of generally accepted accounting principles.

ANSWER: B

38. Which of the following is not a major reason why an accounting

audit trail should be maintained for a computer system?
a. Query answering. b. Deterrent to fraud.
c. Monitoring purposes. d. Analytical review.
128 Chapter 8 Internal Control and CBIS

ANSWER: D

39. Adequate control over access to data processing is required to

a. Prevent improper use or manipulation of data files and programs.
b. Ensure that only console operators have access to program
documentation. c. Minimize the need for backup data files.
d. Ensure that hardware controls are operating effectively and as
designed by the computer manufacturer.

ANSWER: A

40. When testing a computerized accounting system, which of the following is not true
of the test data approach?
a. The test data need consist of only those valid and invalid
conditions in which the auditor is interested. b. Only one transaction of each type
need be tested. c. Test data are processed by the client's computer
programs under the auditor's control. d. The test data must consist of
all possible valid and invalid conditions.

ANSWER: D

41. In studying a client's internal controls, an auditor must be able to distinguish between
prevention controls and detection controls. Of the following data
processing controls, which is the best detection control?
a. Use of data encryption techniques. b. Review of machine
utilization logs. c. Policy requiring password security. d.
Backup and recovery procedure.

ANSWER: B

42. Which of the following procedures is an example of auditing "around" the computer?
a. The auditor traces adding machine tapes of sales order
batch totals to a computer printout of the sales
journal.
b. The auditor develops a set of hypothetical sales
transactions and, using the client's computer program,
enters the transactions into the system and observes
the processing flow.
c. The auditor enters hypothetical transactions into the
client's processing system during client processing of
live" data.
d. The auditor observes client personnel as they process the
biweekly payroll. The auditor is primarily concerned with computer
rejection of data that fails to meet reasonableness limits.

ANSWER: A
Chapter 8 Internal Control and CBIS 129

43. Auditing by testing the input and output of a computer-based system instead of the
computer program itself will
a. Not detect program errors which do not show up in the output
sampled. b. Detect all program errors, regardless of the nature
of the output. c. Provide the auditor with the
same type of evidence. d. Not provide the auditor with confidence in the results
of the auditing procedures.

ANSWER: A

44. Which of the following is an acknowledged risk of using test data when auditing
CBIS records?
a. The test data may not include all possible types of transactions.
b. The computer may not process a simulated transaction in the same way
it would an identical actual transaction. c. The method cannot be used with simulated
master records.
d. Test data may be useful in verifying the correctness of account balances, but
not in determining the presence of processing controls.

ANSWER: A

45. When the auditor encounters sophisticated computer-based systems, he or she may need
to modify the audit approach. Of the following conditions, which one is not a valid
reason for modifying the audit approach?
a. More advanced computer systems produce less
documentation, thus reducing the visibility of the
audit trail.
b. In complex comuter-based systems, computer verification of data at the point of
input replaces the manual verification found in less sophisticated data processing
systems.
c. Integrated data processing has replaced the more traditional separation of duties
that existed in manual and batch processing systems.
d. Real-time processing of transactions has enabled the auditor to concentrate less on
the completeness assertion.

ANSWER: D

46. If a control total were to be computed on each of the following data

items, which would best be identified as a hash total for a payroll CBIS application?
a. Net pay. b. Department numbers.
c. Hours worked. d. Total debits and total credits.

ANSWER: B
130 Chapter 8 Internal Control and CBIS

47. In a distributed data base (DDB) environment, control tests for access control
administration can be designed which focus on
a. Reconciliation of batch control totals. b. Examination of logged
activity. c. Prohibition of random access. d.
Analysis of system generated core dumps.

ANSWER: B

48. A control to verify that the dollar amounts for all debits and credits for
incoming transactions are posted to a receivables master file is the:
a. Generation number check. b. Master reference
check. c. Hash total. d.
Control total.

ANSWER: D

49. The program flowcharting symbol representing a decision is a

a. Triangle. b. Circle.
c. Rectangle. d. Diamond.

ANSWER: D

50. An update program for bank account balances calculates check digits for account
numbers. This is an example of
a. An input control. b. A file management control.
c. Access control. d. An output control.

ANSWER: A

51. CBIS controls are frequently classified as to general controls and application controls.
Which of the following is an example of an application control?
a. Programmers may access the computer only for testing and "debugging"
programs.
b. All program changes must be fully documented and approved by the information
systems manager and the user department authorizing the change.
c. A separate data control group is responsible for distributing output, and also
compares input and output on a test basis.
d. In processing sales orders, the computer compares customer and product numbers
with internally stored lists.

ANSWER: D

52. After a preliminary phase of the review of a client's CBIS controls, an auditor
may decide not to perform further tests related to the control procedures within the
CBIS portion of the client's internal control system. Which of the
following would not be a valid reason for choosing to omit further testing?
Chapter 8 Internal Control and CBIS 131

a. The auditor wishes to further reduce assessed risk. b. The controls

duplicate operative controls existing elsewhere in the system.
c. There appear to be major weaknesses that would preclude reliance on the
stated procedures. d. The time and dollar costs of testing exceed the time
and dollar savings in substantive testing if the
controls are tested for compliance.

ANSWER: A

53. For good internal control over computer program changes, a policy should
be established requiring that
a. The programmer designing the change adequately test the revised program.
b. All program changes be supervised by the CBIS control group.
c. Superseded portions of programs be deleted from the program run manual
to avoid confusion. d. All proposed changes be approved in writing by a
responsible individual.
ANSWER: D

54. Which of the following is not a technique for testing data processing controls?
a. The auditor develops a set of payroll test data that contain numerous errors. The
auditor plans to enter these transactions into the client's system and observe
whether the computer detects and properly responds to the error conditions.
b. The auditor utilizes the computer to randomly select customer accounts for
confirmation.
c. The auditor creates a set of fictitious customer
accounts and introduces hypothetical sales
transactions, as well as sales returns and allowances, simultaneously with the
client's live data processing.
d. At the auditor's request, the client has modified its payroll processing program so
as to separately record any weekly payroll entry consisting of 60 hours or more.
These separately recorded ("marked") entries are locked into the system and are
available only to the auditor.

ANSWER: B

55. Which of the following would lessen internal control in a CBIS?

a. The computer librarian maintains custody of computer program
instructions and detailed listings. b. Computer operators have access to operator
instructions and detailed program listings. c. The control
group is solely responsible for the distribution of all computer output.
d. Computer programmers write and debug programs which
perform routines designed by the systems analyst.

ANSWER: B

56. Access control in an on-line CBIS can best be provided in most circumstances by
132 Chapter 8 Internal Control and CBIS

a. An adequate librarianship function controlling access to

files. b. A label affixed to the outside of a file
medium holder that identifies the contents. c. Batch
processing of all input through a centralized, well-guarded facility.
d. User and terminal identification controls, such as passwords.

ANSWER: D

57. While entering data into a cash receipts transaction file, an employee
transposed two numbers in a customer code. Which of the following controls
could prevent input of this type of error?
a. Sequence check. b. Record check.
c. Self-checking digit. d. Field-size check.

ANSWER: C

58. What is the computer process called when data processing is performed
concurrently with a particular activity and the results are available soon enough to
influence the particular course of action being taken or the decision being made?
a. Batch processing. b. Real time processing.
c. Integrated data processing. d. Random access
processing.

ANSWER: B

59. Reconciling processing control totals is an example of

a. An input control. b. An output control.
c. A processing control. d. A file management control.

ANSWER: B

60. A disadvantage of auditing around the computer is that it

a. Permits no assessment of actual processing. b. Requires
highly skilled auditors. c. Demands intensive use of machine
resources. d. Interacts actively with auditee applications.

ANSWER: A

61. The completeness of computer-generated sales figures can be tested by comparing

the number of items listed on the daily sales report with the number of items
billed on the actual invoices. This process uses
a. Check digits. b. Control totals.
c. Validity tests. d. Process tracing data.

ANSWER: B
Chapter 8 Internal Control and CBIS 133

62. Which of the following controls would be most efficient in reducing common data
input errors?
a. Keystroke verification. b. A set of well-
designed edit checks. c. Balancing and reconciliation.
d. Batch totals.

ANSWER: B

63. On-line real-time systems and electronic data interchange systems have the advantages of
providing more timely information and reducing the quantity of documents associated
with less automated systems. The advantages, however, may create some problems for
the auditor. Which of the following characteristics of these systems does not create an
audit problem?
a. The lack of traditional documentation of transactions creates a need for greater
attention to programmed controls at the point of transaction input.
b. Hard copy may not be retained by the client for long periods of time, thereby
necessitating more frequent visits by the auditor.
c. Control testing may be more difficult given the increased vulnerability of the
client's files to destruction during the testing process.
d. Consistent on-line processing of recurring data increases the incidence of errors.

ANSWER: D

64. Creating simulated transactions that are processed through a system to generate
results that are compared with predetermined results, is an auditing
procedure referred to as
a. Desk checking. b. Use of test data.
c. Completing outstanding jobs. d. Parallel simulation.

ANSWER: B

65. To obtain evidential matter about control risk, an auditor ordinarily selects tests
from a variety of techniques, including
a. Analysis. b. Confirmations.
c. Reprocessing. d. Comparison.

ANSWER: C

66. A major exposure associated with the rapidly expanding use of

microcomputers is the absence of:
a. Adequate size of main memory and disk storage. b. Compatible
operating systems. c. Formalized procedures for purchase justification.
d. Physical, data file, and program security.

ANSWER: D
134 Chapter 8 Internal Control and CBIS

67. To ensure that goods received are the same as those shown on the purchase invoice,
a computerized system should:
a. Match selected fields of the purchase invoice to goods received.
b. Maintain control totals of inventory value. c. Calculate batch totals
for each input. d. Use check digits in account numbers.

ANSWER: A

68. Errors in data processed in a batch computer system may not be detected immediately
because
a. Transaction trails in a batch system are available
only for a limited period of time. b. There are time delays in
processing transactions in a batch system.
c. Errors in some transactions cause rejection of other transactions in the
batch.
d. Random errors are more likely in a batch system than in an on-line system.

ANSWER: B

69. Which of the following is a computer test made to ascertain whether a given
characteristic belongs to the group?
a. Parity check. b. Validity check.
c. Echo check. d. Limit check.

ANSWER: B

COMPLETION:

70. Although computerized data processing does not affect audit objectives, the auditor may
need to modify the audit
, given complex CBIS applications.

ANSWER: APPROACH

71. In a batch processing system transactions are processed in groups, whereas in a real-time
system transactions are entered as they and are processed as they are
.

ANSWER: OCCUR, ENTERED

72. Although powerful in terms of , real- time systems are more than
batch processing systems.
Chapter 8 Internal Control and CBIS 135

ANSWER: INFORMATION CAPABILITY, COMPLEX

73. A distinguishing feature of integrated data base systems is that many files are updated
as transactions are processed.

ANSWER: SIMULTANEOUSLY

74. systems, by eliminating the need to reenter data into the accounting
system, reduce the incidence of processing errors; but, by reducing transaction
documentation, these systems also require greater attention to proper controls over the
of transactions.

ANSWER: ELECTRONIC DATA INTERCHANGE, INPUT

75. Input controls, processing controls, and output controls are categories of
controls.

ANSWER: APPLICATION

76. Some entities require completing a prior to transaction input, in order to

ensure consistency and completeness of recurring inputs.

ANSWER: TRANSACTION LOG

77. are manual control procedures applied by organizational units whose data
are processed by data processing.

ANSWER: USER CONTROLS

78. In on-line real-time systems the most effective means for assuring limited access to data
bases is by the use of properly controlled .

ANSWER: PASSWORDS

79. Programmed controls for testing the validity of customer numbers, product numbers,
employee numbers, and vendor numbers, as well as tests for reasonableness, are
collectively referred to as controls.

ANSWER: INPUT EDITING

80. In a ____________ __________ system, users own their own

data, whereas in _________ ______ systems, users share a single operating system
housed in a central location.

ANSWER: FLAT FILE, MULTI-USER

136 Chapter 8 Internal Control and CBIS

MATCHING:

81. Indicate by letter whether each of the listed auditing procedures is a general control test,
an application control test, or a substantive audit test.

G = General control test

A = Application control test
S = Substantive audit test

____1. The auditor utilizes the services of the firm’s computer

audit specialist assist in testing controls over the electronic processing of customer
remittances.

____2. In testing the sales processing set of controls, the

auditor has designed a set of transactions that include
unauthorized sales prices, invalid customer numbers, and
lack of credit authorization.

____3. The auditor interviews the client’s information systems

manager to clear exceptions detected when the auditor
reviewed data processing job descriptions for
incompatible functions.

____4. The auditor confirmed a sample of customer accounts

receivable to evaluate the correctness of year-end balances in
customer accounts.

____5. Using generalized audit software, the auditor reprocessed

a sample of the client’s weekly payroll and compared
the resulting output with the client’s payroll summary for the same period.

____6. The auditor attempted to access the client’s computerized

data files using the passwords of terminated employees.

____7. By examining vendors’ invoices supporting debits to the

account “Machinery and Equipment,” the auditor was able
to gain satisfaction as to the account balance at year end.

____8. The auditor examined authorizations and studied

documentation relating to CBIS modifications made
by the client during the year under audit.

____9. The auditor examined and tested the client’s anti virus
software for effectiveness.

____10. The auditor examined printouts from network monitoring

Chapter 8 Internal Control and CBIS 137

software and observed data input for proper functioning

of protocol controls and data encryption.

SOLUTION:

1. A
2. A
3. G
4. S
5. A
6. G
7. S
8. G
9. G
10. G

PROBLEM/ESSAY:

82. For each of the following independent situations, identify the control weakness
that permitted the error or fraud, and
indicate how the weakness should be corrected.

A. In a computerized sales processing system, numerous

pricing errors appeared on customer invoices.

B. Joshua Ness, a computer programmer for a bank, set up

a demand deposit account in his name. He then wrote a
program subroutine that automatically transferred funds from
accounts that had shown no activity for at least three months to the newly-
established account.

C. In a computerized payroll system, foremen, in collusion

with employees, were able to inflate pay rates. In
addition, terminated employees were retained on the
payroll and the fraudulent checks were endorsed by
a foreman or employee and deposited in his or her
personal account.

D. After implementing a newly-designed EDI system with

its vendors, Hilo Enterprises discovered numerous
errors in type, pricing, and quantity of goods received versus goods
ordered.
138 Chapter 8 Internal Control and CBIS

SOLUTION:

A. Computer did not verify selling prices. A master list

of current sales prices should be housed in the
computer and updated as prices change. The computer
should then be programmed to price the invoices.

B. Ness was able to access data files for the purpose of

establishing an unauthorized account. Programmers should not
have access to data files except for testing
and debugging programs. Moreover, formal authorization
of new accounts should be a part of the internal
control system.

C. The foremen were able to alter pay rates and retain

terminated employees on the payroll. To correct this
weakness, all new hires and terminations, as well as pay rate
changes, should require authorization of the human resources department.
A current master list of employee numbers and pay rates should then be
housed in the computer, and the computer programmed to perform
validity tests of rates and numbers as payrolls are
processed.

D. Controls were not designed to prevent vendor errors.

Protocol controls should be installed to detect and log
errors; and the EDI hardware should include an echo
check that returns messages from the vendor’s computer to Hilo’s
computer to verify correctness of orders received by the vendor.