Test Bank CIS Part 2

Mindanao State University

College of Business Administration and Accountancy


DEPARTMENT OF ACCOUNTANCY
Marawi City

AUDITING IN A CIS ENVIRONMENT


Accounting 153

MULTIPLE CHOICE. Read carefully the questions below and choose the best statement
among the choices. Write the letter corresponding to your answer on the sheet provided
along with this questionnaire. Erasures are strictly not allowed.
1. Which statement is incorrect when auditing in a CIS environment?
a. A CIS environment exists when a computer of any type or size is involved in the
processing by the entity of financial information of significance to the audit,
whether that computer is operated by the entity or by a third party.
b. The auditor should consider how a CIS environment affects the audit.
c. The use of a computer changes the processing, storage and communication of
financial information and may affect the accounting and internal control
systems employed by the entity.
d. A CIS environment changes the overall objective and scope of an audit.
2. Which of the following concepts distinguishes the retention of computerized audit
documents from the traditional hard copy form?
a. Analyses, conclusions and recommendations are filed on electronic media and
are therefore subject to computer system controls and security procedures.
b. Evidential support for all findings is copied and provided to local management
during the closing conference and to each person receiving the final report.
c. Computerized data files can be used in computer audit procedures.
d. Audit programs can be standardized to eliminate the need for a preliminary
survey at each location.
3. Responsibility for the control of end-user computing exists at the organizational,
departmental and individual user level. A direct responsibility of the individual users is:
a. Acquisition of hardware and software.
b. Taking equipment inventories.
c. Strategic planning of end-user computing.
d. Physical security of computer hardware.
4. Which of the following is least likely a risk characteristic associated with a CIS
environment?
a. Errors embedded in an application’s program logic may be difficult to manually
detect on a timely basis.
b. Many control procedures that would ordinarily be performed by separate
individuals in a manual system may be concentrated in CIS.
c. The potential for unauthorized access to data, or for altering them without visible
evidence, may be greater.
d. Initiation of changes in the master file is exclusively handled by respective
users.
5. Personal computers are susceptible to theft, physical damage, unauthorized access or
misuse of equipment. Which of the following is least likely a physical security to restrict
access to personal computers when not in use?
a. Using door locks or other security protection during non-business hours.
b. Fastening the personal computer to a table using security cables.
c. Locking the personal computer in a protective cabinet or shell.
d. Using anti-virus software programs.
6. Which of the following significance and complexity of the CIS activities should an
auditor least understand?
a. The organizational structure of the client’s CIS activities.
b. Lack of transaction trails.
c. The significance and complexity of computer processing in each significant
accounting application.
d. The use of software packages instead of customized software.
7. Which of the following is not likely a control over removable storage media to prevent
misplacement, alteration without authorization or destruction?
a. Using cryptography, which is the process of transforming programs and
information into an unintelligible form.
b. Placing responsibility for such media under personnel whose responsibilities
include duties of software custodians or librarians.

Prepared by: Mohammad Muariff S. Balang, CPA, Second Semester, AY 2012-2013 Page | 1
c. Using a program and data file check-in and check-out system and locking the
designated storage locations.
d. Keeping current copies of diskettes, compact disks or back-up tapes and hard
disks in a fireproof container, either on-site, off-site or both.
8. To achieve audit efficiency and effectiveness with a personal computer, the two crucial
requirements are:
a. The appropriate audit task for personal computer applications and the
appropriate software to perform the selected audit tasks.
b. The appropriate software to perform the selected audit task and data that can
be accessed by the auditor’s personal computer.
c. Company data that can be accessed by the auditor’s personal computer and the
appropriate audit tasks for personal computer applications.
d. The appropriate sample of company data to test with the auditor’s personal
computer and the appropriate software to perform the selected audit tasks.
9. Which of the following least likely protects critical and sensitive information from
unauthorized access in a personal computer environment?
a. Using secret file names and hiding the files.
b. Keeping of back-up copies offsite.
c. Employing passwords.
d. Segregating data into files organized under separate file directories.
10. Which statement is incorrect regarding the general CIS controls of particular
importance in a database environment?
a. Since data are shared by many users, control may be enhanced when a
standard approach is used for developing each new application program and for
application program modification.
b. Several data owners should be assigned responsibility for defining access and
security rules, such as who can use the data (access) and what functions they
can perform (security).
c. User access to the database can be restricted through the use of passwords.
d. Responsibilities for performing the various activities required to design,
implement and operate a database are divided among technical, design,
administrative and user personnel.
11. The following matters are of particular importance to the auditor in an on-line
computer system, except:
a. Authorization, completeness and accuracy of on-line transactions.
b. Integrity of records and processing, due to on-line access to the system by
many users and programmers.
c. Changes in the performance of audit procedures including the use of CAAT's.
d. Cost-benefit ratio of installing on-line computer system.
12. The auditor may often assume that control risk is high in personal computer systems
since it may not be practicable or cost-effective for management to implement
sufficient controls to reduce the risks of undetected errors to a minimum level. This
least likely entails:
a. More physical examination and confirmation of assets.
b. More analytical procedures than tests of details.
c. Larger sample sizes.
d. Greater use of computer-assisted audit techniques, where appropriate.
13. Audit procedures in a database environment will be affected principally by:
a. The extent to which the data in the database are used by the accounting
system.
b. The type and significance of financial transactions being processed.
c. The nature of the database, the DBMS, the database administration tasks and
the applications.
d. The general CIS controls which are particularly important in a database
environment.
14. Which statement is incorrect regarding the characteristics of a CIS organizational
structure?
a. Certain data processing personnel may be the only ones with a detailed
knowledge of the interrelationship between the source of data, how it is processed
and the distribution and use of the output.
b. Many conventional controls based on adequate segregation of incompatible
functions may not exist, or in the absence of access and other controls, may be
less effective.
c. Transaction and master file data are often concentrated, usually in
machine-readable form, either in one computer installation located centrally or in a
number of installations distributed throughout an entity.
d. Systems employing CIS methods do not include manual operations since the
number of persons involved in the processing of financial information is
significantly reduced.
15. A major exposure associated with the rapidly expanding use of microcomputers is the
absence of:
a. Adequate size of main memory and disk storage.
b. Compatible operating systems.
c. Formalized procedures for purchase justification.
d. Physical, data file, and program security.
16. System characteristics that may result from the nature of CIS processing include,
except:
a. Absence of input documents.
b. Lack of visible transaction trail.
c. Lack of visible output.
d. Difficulty of access to data and computer programs.
17. The development of CIS will generally result in design and procedural characteristics
that are different from those found in manual systems. These different design and
procedural aspects of CIS include, except:
a. Consistency of performance.
b. Programmed control procedures.
c. Vulnerability of data and program storage media.
d. Multiple transaction update of multiple computer files or databases.
18. Which statement is incorrect regarding internal controls in a CIS environment?
a. Manual and computer control procedures comprise the overall controls affecting
the CIS environment (general CIS controls) and the specific controls over the
accounting applications (CIS application controls).
b. The purpose of general CIS controls is to establish a framework of overall
control over the CIS activities and to provide a reasonable level of assurance that
the overall objectives of internal control are achieved.
c. The purpose of CIS application controls is to establish specific control
procedures over the application systems in order to provide reasonable assurance
that all transactions are authorized and recorded, and are processed
completely, accurately and on a timely basis.
d. The internal controls over computer processing, which help to achieve the
overall objectives of internal control, include only the procedures designed into
computer programs.
19. General CIS controls may include, except:
a. Organization and management controls.
b. Delivery and support controls.
c. Development and maintenance controls.
d. Controls over computer data files.
20. CIS application controls include, except:
a. Controls over input.
b. Controls over processing and computer data files.
c. Controls over output.
d. Monitoring controls.
21. Which statement is incorrect regarding the review of general CIS controls and CIS
application controls?
a. The auditor should consider how these general CIS controls affect the CIS
applications significant to the audit.
b. General CIS controls that relate to some or all applications are typically
interdependent controls in that their operation is often essential to the effectiveness of
CIS application controls.
c. Control over input, processing, data files and output may be carried out by CIS
personnel, by users of the system, by a separate control group, or may be
programmed into application software.
d. It may be more efficient to review the design of the application controls before
reviewing the general controls.
22. Which statement is incorrect regarding the evaluation of general CIS controls and CIS
application controls?
a. The general CIS controls may have a pervasive effect on the processing of
transactions in application systems.
b. If general CIS controls are not effective, there may be a risk that misstatements
might occur and go undetected in the application systems.
c. Manual procedures exercised by users may provide effective control at the
application level.
d. Weaknesses in general CIS controls cannot preclude testing certain CIS
application controls.
23. An internal auditor noted the following points when conducting a preliminary survey in
connection with the audit of an EDP department. Which of the following would be
considered a safeguard in the control system on which the auditor might rely?
a. Programmers and computer operators correct daily processing problems as they
arise.
b. The control group works with user organizations to correct rejected input.
c. New systems are documented as soon as possible after they begin processing
live data.
d. The average tenure of employees working in the EDP department is ten months.
24. An on-line access control that checks whether the user’s code number is authorized to
initiate a specific type of transaction or inquiry is referred to as:
a. Password.
b. Compatibility test.
c. Limit check.
d. Reasonableness test.
25. A control procedure that could be used in an on-line system to provide an immediate
check on whether an account number has been entered on a terminal accurately is a:
a. Compatibility test.
b. Record count.
c. Hash total.
d. Self-checking digit.
26. A control designed to catch errors at the point of data entry is:
a. Batch total.
b. Self-checking digit.
c. Record count.
d. Checkpoints.
27. Program documentation is a control designed primarily to ensure that:
a. Programmers have access to the tape library or information on disk files.
b. Programs do not make mathematical errors.
c. Programs are kept up to date and perform as intended.
d. Data have been entered and processed.
28. Some of the more important controls that relate to automated accounting information
systems are validity checks, limit checks, field checks, and sign tests. These are
classified as:
a. Control total validation routines.
b. Output controls.
c. Hash totaling.
d. Input validation routines.
29. Most of today’s computer systems have hardware controls that are built in by the
computer manufacturer. Common hardware controls are:
a. Duplicate circuitry, echo check, and internal header labels
b. Tape file protection, cryptographic protection, and limit checks
c. Duplicate circuitry, echo check, and dual reading
d. Duplicate circuitry, echo check, tape file protection, and internal header labels
30. Which one of the following represents a lack of internal control in a computer-based
information system?
a. The design and implementation is performed in accordance with management’s
specific authorization.
b. Any and all changes in application programs have the authorization and
approval of management.
c. Provisions exist to protect data files from unauthorized access, modification, or
destruction.
d. Both computer operators and programmers have unlimited access to the
programs and data files.
31. In an automated payroll processing environment, a department manager substituted
the time card for a terminated employee with a time card for a fictitious employee. The
fictitious employee had the same pay rate and hours worked as the terminated
employee. The best control technique to detect this action using employee identification
numbers would be a:
a. Batch total.
b. Hash total.
c. Record count.
d. Subsequent check.
32. The reporting of accounting information plays a central role in the regulation of
business operations. Preventive controls are an integral part of virtually all accounting
processing systems, and much of the information generated by the accounting system is
used for preventive control purposes. Which one of the following is not an essential
element of a sound preventive control system?
a. Separation of responsibilities for the recording, custodial, and authorization
functions.
b. Sound personnel policies.
c. Documentation of policies and procedures.
d. Implementation of state-of-the-art software and hardware.
33. An employee in the receiving department keyed in a shipment from a remote terminal
and inadvertently omitted the purchase order number. The best systems control to
detect this error would be:
a. Batch total.
b. Sequence check.
c. Completeness test.
d. Reasonableness test.
34. The most critical aspect regarding separation of duties within information systems is
between:
a. Project leaders and programmers.
b. Programmers and systems analysts.
c. Programmers and computer operators.
d. Data control and file librarians.
35. Compatibility tests are sometimes employed to determine whether an acceptable user
is allowed to proceed. In order to perform compatibility tests, the system must
maintain an access control matrix. The one item that is not part of an access control matrix
is a:
a. List of all authorized user code numbers and passwords.
b. List of all files maintained on the system.
c. Record of the type of access to which each user is entitled.
d. Limit on the number of transaction inquiries that can be made by each user in a
specified time period.
36. Which one of the following input validation routines is not likely to be appropriate in a
real time operation?
a. Field check.
b. Sequence check.
c. Sign check.
d. Redundant data check.
37. Which of the following characteristics distinguishes computer processing from manual
processing?
a. Computer processing virtually eliminates the occurrence of computational error
normally associated with manual processing.
b. Errors or irregularities in computer processing will be detected soon after their
occurrences.
c. The potential for systematic error is ordinarily greater in manual processing
than in computerized processing.
d. Most computer systems are designed so that transaction trails useful for audit
do not exist.
38. Which of the following controls is a processing control designed to ensure the reliability
and accuracy of data processing?
A. Limit test. B. Validity check test.
a. Yes, yes.
b. No, no.
c. No, yes.
d. Yes, no.

39. Which of the following most likely represents a significant deficiency in the internal
control structure?
a. The systems analyst reviews applications of data processing and maintains
systems documentation.
b. The systems programmer designs systems for computerized applications and
maintains output controls.
c. The control clerk establishes control over data received by the EDP department
and reconciles control totals after processing.
d. The accounts payable clerk prepares data for computer processing and enters
the data into the computer.
40. Which of the following activities would most likely be performed in the EDP
department?
a. Initiation of changes to master records.
b. Conversion of information to machine-readable form.
c. Correction of transactional errors.
d. Initiation of changes to existing applications.
41. For control purposes, which of the following should be organizationally segregated from
the computer operations function?
a. Data conversion.
b. Systems development.
c. Surveillance of CRT messages.
d. Minor maintenance according to a schedule.
42. Which of the following is not a major reason for maintaining an audit trail for a
computer system?
a. Deterrent to irregularities.
b. Analytical procedures.
c. Monitoring purposes.
d. Query answering.
43. In an automated payroll system, all employees in the finishing department were paid
the rate of P75 per hour when the authorized rate was P70 per hour. Which of the
following controls would have been most effective in preventing such an error?
a. Access controls which would restrict the personnel department’s access to the
payroll master file data.
b. A review of all authorized pay rate changes by the personnel department.
c. The use of batch control totals by department.
d. A limit test that compares the pay rates per department with the maximum rate
for all employees.
44. Which of the following errors would be detected by batch controls?
a. A fictitious employee was added to the processing of the weekly time cards by
the computer operator.
b. An employee who worked only 5 hours in the week was paid for 50 hours.
c. The time card for one employee was not processed because it was lost in transit
between the payroll department and the data entry function.
d. All of the above.
45. For the accounting system of Acme Company, the amounts of cash disbursements
entered into an EDP terminal are transmitted to the computer that immediately transmits
the amounts back to the terminal for display on the terminal screen. This display
enables the operator to:
a. Establish the validity of the account number.
b. Verify the amount was entered accurately.
c. Verify the authorization of the disbursements.
d. Prevent the overpayment of the account.
46. The use of a header label in conjunction with magnetic tape is most likely to prevent
errors by the:
a. Computer operator.
b. Computer programmer.
c. Keypunch operator.
d. Maintenance technician.
47. When EDP programs or files can be accessed from terminals, users should be required
to enter a (an):
a. Parity check.
b. Self-diagnostic test.
c. Personal identification code.
d. Echo check.
48. The possibility of erasing a large amount of information stored on magnetic tape most
likely would be reduced by the use of:
a. File protection ring.
b. Completeness tests.
c. Check digits.
d. Conversion verification.
49. Which of the following controls most likely would assure that an entity can reconstruct
its financial records?
a. Hardware controls are built into the computer by the computer manufacturer.
b. Backup diskettes or tapes of files are stored away from originals.
c. Personnel who are independent of data input perform parallel simulations.
d. System flowcharts provide accurate descriptions of input and output operations.
50. Mill Co. uses a batch processing method to process its sales transactions. Data on Mill’s
sales transaction tape are electronically sorted by customer number and are subject to
programmed edit checks in preparing its invoices, sales journals, and updated
customer account balances. One of the direct outputs of the creation of this tape most
likely would be a:
a. Report showing exceptions and control totals.
b. Printout of the updated inventory records.
c. Report showing overdue accounts receivable.
d. Printout of the sales price master file.
51. Which statement is incorrect regarding internal control in personal computer
environment?
a. Generally, the CIS environment in which personal computers are used is less
structured than a centrally-controlled CIS environment.
b. Controls over the system development process and operations may not be
viewed by the developer, the user or management as being as important or
cost-effective.
c. In almost all commercially available operating systems, the built-in security
provided has gradually increased over the years.
d. In a typical personal computer environment, the distinction between general CIS
controls and CIS application controls is easily ascertained.
52. Using microcomputers in auditing may affect the methods used to review the work of
staff assistants because:
a. The audit field work standards for supervision may differ.
b. Documenting the supervisory review may require assistance of consulting
services personnel.
c. Supervisory personnel may not have an understanding of the capabilities and
limitations of microcomputers.
d. Working paper documentation may not contain readily observable details of
calculations.
53. An auditor anticipates assessing control risk at a low level in a computerized
environment. Under these circumstances, on which of the following procedures would the
auditor initially focus?
a. Programmed control procedures.
b. Output control procedures.
c. Application control procedures.
d. General control procedures.
54. After the preliminary phase of the review of a client’s EDP controls, an auditor may
decide not to perform tests of controls (compliance tests) related to the control
procedures within the EDP portion of the client’s internal control structure. Which of the
following would not be a valid reason for choosing to omit such tests?
a. The controls duplicate operative controls existing elsewhere in the structure.
b. There appear to be major weaknesses that would preclude reliance on the
stated procedure.
c. The time and costs of testing exceed the time and costs in substantive testing if
the tests of controls show the controls to be operative.
d. The controls appear adequate.
55. Computer systems are typically supported by a variety of utility software packages that
are important to an auditor because they
a. May enable unauthorized changes to data files if not properly controlled.
b. Are very versatile programs that can be used on hardware of many
manufacturers.
c. May be significant components of a client’s application programs.
d. Are written specifically to enable auditors to extract and sort data.
56. To obtain evidence that online access controls are properly functioning, an auditor most
likely would:
a. Create checkpoints at periodic intervals after live data processing to test for
unauthorized use of the system.
b. Examine the transaction log to discover whether any transactions were lost or
entered twice due to a system malfunction.
c. Enter invalid identification numbers or passwords to ascertain whether the
system rejects them.
d. Vouch a random sample of processed transactions to assure proper
authorization.
57. Which of the following statements most likely represents a disadvantage for an entity
that keeps microcomputer-prepared data files rather than manually prepared files?
a. Attention is focused on the accuracy of the programming process rather than
errors in individual transactions.
b. It is usually easier for unauthorized persons to access and alter the files.
c. Random error associated with processing similar transactions in different ways
is usually greater.
d. It is usually more difficult to compare recorded accountability with physical
count of assets.
58. Smith Corporation has numerous customers. A customer file is kept on disk storage.
Each customer file contains name, address, credit limit, and account balance. The
auditor wishes to test this file to determine whether the credit limits are being exceeded.
The best procedure for the auditor to follow would be to:
a. Develop test data that would cause some account balances to exceed the credit
limit and determine if the system properly detects such situations.
b. Develop a program to compare credit limits with account balances and print out
the details of any account with a balance exceeding its credit limit.
c. Request a printout of all account balances so they can be manually checked
against the credit limits.
d. Request a printout of a sample of account balances so they can be individually
checked against the credit limits.
59. An auditor would most likely be concerned with which of the following controls in a
distributed data processing system?
a. Hardware controls.
b. Systems documentation controls.
c. Access controls.
d. Disaster recovery controls.
60. If a control total were computed on each of the following data items, which would best
be identified as a hash total for a payroll EDP application?
a. Total debits and total credits.
b. Net pay.
c. Department numbers.
d. Hours worked.
61. Which of the following is a computer test made to ascertain whether a given
characteristic belongs to the group?
a. Parity check.
b. Validity check.
c. Echo check.
d. Limit check.
62. A control feature in an electronic data processing system requires the central
processing unit (CPU) to send signals to the printer to activate the print mechanism for each
character. The print mechanism, just prior to printing, sends a signal back to the CPU
verifying that the proper print position has been activated. This type of hardware
control is referred to as:
a. Echo check.
b. Signal control.
c. Validity control.
d. Check digit control.
63. Which of the following is an example of a check digit?
a. An agreement of the total number of employees to the total number of checks
printed by the computer.
b. An algebraically determined number produced by the other digits of the
employee number.
c. A logic test that ensures all employee numbers are nine digits.
d. A limit check that an employee’s hours do not exceed 50 hours per work week.
64. A customer erroneously ordered Item No. 86321 rather than item No. 83621. When this
order is processed, the vendor’s EDP department would identify the error with what
type of control?
a. Key verifying.
b. Batch total.
c. Self-checking digit.
d. Item inspection.
65. Internal control is ineffective when computer department personnel:
a. Participate in computer software acquisition decisions.
b. Design documentation for computerized systems.
c. Originate changes in master file.
d. Provide physical security for program files.
66. Which of the following best describes a fundamental control weakness often associated
with electronic data processing systems?
a. EDP equipment is more subject to system error than manual processing is
subject to human error.
b. Monitoring is not an adequate substitute for the use of test data.
c. EDP equipment processes and records similar transactions in a similar manner.
d. Functions that would normally be separated in a manual system are combined
in the EDP system like the function of programmers and operators.
67. From an audit viewpoint, which of the following represents a potential disadvantage
associated with the widespread use of microcomputers?
a. Their portability.
b. Their ease of access by novice users.
c. Their easily developed programs using spreadsheets which do not have to be
documented.
d. All of the above.
68. Which of the following functions would have the least effect on an audit if it was not
properly segregated?
a. The systems analyst and the programmer functions.
b. The computer operator and programmer functions.
c. The computer operator and the user functions.
d. The applications programmer and the systems programmer.
69. To obtain evidence that user identification and password control procedures are
functioning as designed, an auditor would most likely:
a. Attempt to sign on to the system using invalid user identifications and
passwords.
b. Write a computer program that simulates the logic of the client’s access control
software.
c. Extract a random sample of processed transactions and ensure that the
transactions were appropriately authorized.
d. Examine statements signed by employees stating that they have not divulged
their user identifications and passwords to any other person.

70. Which of the following procedures would an entity most likely include in its disaster
recovery plan?
a. Convert all data from external formats to an internal company format.
b. Maintain a program to prevent illegal activity.
c. Develop an auxiliary power supply to provide uninterrupted electricity.
d. Store duplicate copies of files in a location away from the computer center.
71. On-line real-time systems and electronic data interchange systems have the
advantages of providing more timely information and reducing the quantity of documents
associated with less automated systems. The advantages, however, may create some
problems for the auditor. Which of the following characteristics of these systems does
not create an audit problem?
a. The lack of traditional documentation of transactions creates a need for greater
attention to programmed controls at the point of transaction input.
b. Hard copy may not be retained by the client for long periods of time, thereby
necessitating more frequent visits by the auditor.
c. Control testing may be more difficult given the increased vulnerability of the
client's files to destruction during the testing process.
d. Consistent on-line processing of recurring data increases the incidence of errors.
72. Compared to a manual system, a CIS generally
A. Reduces segregation of duties.
B. Increases segregation of duties.
C. Decreases manual inspection of processing results.
D. Increases manual inspection of processing results.

a. A and C.
b. A and D.
c. B and C.
d. B and D.
73. Which of the following statements most likely represents a disadvantage for an entity
that keeps microcomputer-prepared data files rather than manually prepared files?
a. It is usually more difficult to detect transposition errors.
b. Transactions are usually authorized before they are executed and recorded.
c. It is usually easier for unauthorized persons to access and alter the files.
d. Random error associated with processing similar transactions in different ways
is usually greater.
74. Risk of fraud or error in on-line computer systems may be increased for the following
reasons, except:
a. If workstations are located throughout the entity, the opportunity for unauthorized
use of a workstation and the entry of unauthorized transactions may increase.
b. Workstations may provide the opportunity for unauthorized uses such as modification
of previously entered transactions or balances.
c. If on-line processing is interrupted for any reason, for example, due to faulty
telecommunications, there may be a greater chance that transactions or files
may be lost and that the recovery may not be accurate and complete.
d. If transactions are processed immediately on-line, there is less risk that they will
be processed in the wrong accounting period.
75. A service auditor's report on a service center should include a(n):
a. Detailed description of the service center's internal control.
b. Statement that the user of the report may assess control risk at the minimum
level.
c. Indication that no assurance is provided.
d. Opinion on the operating effectiveness of the service center's internal control.
76. Which of the following is a password security problem?
a. Users are assigned passwords when accounts are created, but do not change
them.
b. Users have accounts on several systems with different passwords.
c. Users copy their passwords on note paper, which is kept in their wallets.
d. Users select passwords that are not listed in any online dictionary.
77. Which of the following is least likely to be a general control over computer activities?
a. Procedures for developing new programs and systems.
b. Requirements for system documentation.
c. A change request log.
d. A control total.
78. Which of the following computer related employees should not be allowed access to
program listings of application programs?
a. The systems analyst.
b. The programmer.
c. The operator.
d. The librarian.
79. Which of the following standards or group of standards is mostly affected by a
computerized information system environment?
a. General standards.
b. Reporting standards.
c. Second standard of field work.
d. Standards of fieldwork.
80. Which of the following is least considered if the auditor has to determine whether
specialized CIS skills are needed in an audit?
a. The auditor needs to obtain a sufficient understanding of the accounting and
internal control system affected by the CIS environment.
b. The auditor needs to determine the effect of the CIS environment on the
assessment of overall risk and of risk at the account balance and class of
transactions level.
c. Design and perform appropriate tests of controls and substantive procedures.
d. The need of the auditor to make analytical procedures during the completion
stage of audit.
81. It relates to materiality of the financial statement assertions affected by the computer
processing.
a. Threshold.
b. Relevance.
c. Complexity.
d. Significance.
82. Which of the following is an example of general computer control?
a. Input validation checks.
b. Control total.
c. Operations manual.
d. Generalized audit software.
83. Which of the following would the auditors consider to be a weakness in an IT system?
a. Operators have access to terminals.
b. Programmers are allowed access to the file library.
c. Reprocessing of exceptions detected by the computer is handled by a data
control group.
d. More than one employee is present when the computer facility is in use.
84. A problem for a CPA associated with advanced IT systems is that:
a. The audit trail normally does not exist.
b. The audit trail is sometimes generated only in machine readable form.
c. The client's internal auditors may have been involved at the design stage.
d. Tests of controls are not possible.
85. General controls over IT systems are typically tested using:
a. Generalized audit software.
b. Observation, inspection and inquiry.
c. Program analysis techniques.
d. Test data.
86. Which of the following personnel is responsible for determining the computer processing
needs of the various users?
a. The application programmer.
b. The computer operator.
c. The systems analyst.
d. The systems programmer.
87. The best method of achieving internal control over advanced IT systems is through the
use of:
a. Batch controls.
b. Controls written into the computer system.
c. Equipment controls.
d. Documentation controls.
88. Which of the following personnel is responsible for the proper functioning of the
security features built into the operating system?
a. The systems programmer.
b. The application programmer.
c. The computer operator.
d. The telecommunications specialist.
89. When designing the physical layout of a data processing center, which of the following
would be least likely to be a necessary control that is considered?
a. Design of controls to restrict access.
b. Adequate physical layout space for the operating system.
c. Inclusion of an adequate power supply system with surge protection.
d. Consideration of risks related to other uses of electricity in the area.
90. Which of the following is not a data transmission control?
a. Data encryption.
b. Parity check.
c. Message acknowledgment techniques.
d. Distributed data processing.
91. If a control total were to be computed on each of the following data items, which would
best be identified as a hash total for a payroll computer application?
a. Net pay.
b. Department numbers.
c. Hours worked.
d. Total debits and total credits.
92. In their consideration of a client's IT controls, the auditors will encounter general
controls and application controls. Which of the following is an application control?
a. The operations manual.
b. Hash total.
c. Systems documentation.
d. Control over program changes.
93. When erroneous data are detected by computer program controls, such data may be
excluded from processing and printed on an exception report. The exception report
should most probably be reviewed and followed up on by the:
a. Supervisor of computer operations.
b. Systems analyst.
c. Data control group.
d. Computer programmer.
94. An auditor may decide not to perform tests of controls related to the control activities
within the computer portion of the client's internal control. Which of the following
would not be a valid reason for choosing to omit such test?
a. The controls duplicate operative controls existing elsewhere.
b. There appear to be major weaknesses that would preclude reliance on the
stated procedure.
c. The time and dollar costs of testing exceed the time and dollar savings in substantive
testing if the tests show the controls to be operative.
d. The controls appear adequate.
95. A control feature in a computer system requires the central processing unit (CPU) to
send signals to the printer to activate the print mechanism for each character. The
print mechanism, just prior to printing, sends a signal back to the CPU verifying that
the proper print position has been activated. This type of data transmission is referred
to as:
a. Echo control.
b. Validity control.
c. Signal control.
d. Check digit control.
96. Which of the following constitutes a weakness in the internal control of a computer system?
a. One generation of backup files is stored in an off-premises location.
b. Machine operators distribute error messages to the control group.
c. Machine operators do not have access to the complete systems manual.
d. Machine operators are supervised by the programmer.
97. The completeness of computer-generated sales figures can be tested by comparing the
number of items listed on the daily sales report with the number of items billed on the
actual invoices. This process uses:
a. Self-checking numbers.
b. Control totals.
c. Validity tests.
d. Process tracing data.
98. In the weekly computer run to prepare payroll checks, a check was printed for an employee
who had been terminated the previous week. Which of the following controls, if
properly utilized, would have been most effective in preventing the error or ensuring its
prompt detection?
a. A control total for hours worked, prepared from time cards collected by the
timekeeping department.
b. Requiring the treasurer's office to account for the numbers of the prenumbered
checks issued to the computer department for the processing of the payroll.
c. Use of a check digit for employee numbers.
d. Use of a header label for the payroll input sheet.
99. The primary reason for internal auditing's involvement in the development of new
computer-based systems is to:
a. Plan post-implementation reviews.
b. Promote adequate controls.
c. Train auditors in CIS techniques.
d. Reduce overall audit effort.
100. The increased presence of the microcomputer in the workplace has resulted in an increasing
number of persons having access to the computer. A control that is often
used to prevent unauthorized access to sensitive programs is:
a. Backup copies of the diskettes.
b. Passwords for each of the users.
c. Disaster-recovery procedures.
d. Record counts of the number of input transactions in a batch being processed.
101. Checklists, systems development methodology, and staff hiring are examples of what
type of controls?
a. Detective.
b. Preventive.
c. Subjective.
d. Corrective.
102. When an on-line, real-time computer-based processing system is in use, internal control
can be strengthened by:
a. Providing for the separation of duties between keypunching and error listing operations.
b. Attaching plastic file protection rings to reels of magnetic tape before new data
can be entered on the file.
c. Making a validity check of an identification number before a user can obtain access
to the computer files.
d. Preparing batch totals to provide assurance that file updates are made for the
entire input.

103. Company A has recently converted its manual payroll to a computer-based system.
Under the old system, employees who had resigned or been terminated were occasionally
kept on the payroll and their checks were claimed and cashed by other employees,
in collusion with shop foremen. The controller is concerned that this practice not be
allowed to continue under the new system. The best control for preventing this form of
"payroll padding" would be to:
a. Conduct exit interviews with all employees leaving the company, regardless of
reason.
b. Require foremen to obtain a signed receipt from each employee claiming a payroll check.
c. Require the human resources department to authorize all hires and terminations,
and to forward a current computerized list of active employee numbers to payroll
prior to processing. Program the computer to reject inactive employee numbers.
d. Install time clocks for use by all hourly employees.
104. One of the major problems in a CIS is that incompatible functions may be performed
by the same individual. One compensating control for this is the use of:
a. Echo checks.
b. A self-checking digit system.
c. Computer generated hash totals.
d. A computer log.
105. These require a database administrator to assign security attributes to data that cannot
be changed by database users.
a. Discretionary access controls.
b. Name-dependent restrictions.
c. Mandatory access controls.
d. Content-dependent restrictions.
106. A discretionary access control wherein users are permitted or denied access to data
resources depending on the time series of accesses to and actions they have undertaken
on data resources.
a. Name-dependent restrictions.
b. Context-dependent restrictions.
c. Content-dependent restrictions.
d. History-dependent restrictions.
107. The effect of a database system on the accounting system and the associated risks
will least likely depend on:
a. The extent to which databases are being used by accounting applications.
b. The type and significance of financial transactions being processed.
c. The nature of the database, the DBMS, the database administration tasks and
the applications.
d. The CIS application controls.
108. Which of the following processing controls would be most effective in assisting a
store manager to ascertain whether the payroll transaction data were processed in
their entirety?
a. Payroll file header record.
b. Transaction identification codes.
c. Processing control totals.
d. Programmed exception reporting.
109. An organizational control over CIS operations is:
a. Run-to-run balancing of control totals.
b. Check digit verification of unique identifiers.
c. Separation of operating and programming functions.
d. Maintenance of output distribution logs.
110. An unauthorized employee took computer printouts from output bins accessible to all
employees. A control which would have prevented this occurrence is:
a. A storage/retention control.
b. A spooler file control.
c. An output review control.
d. A report distribution control.
111. Which of the following audit techniques most likely would provide an auditor with the
most assurance about the effectiveness of the operation of an internal control procedure?
a. Inquiry of client personnel.
b. Recomputation of account balance amounts.
c. Observation of client personnel.
d. Confirmation with outside parties.
112. Adequate technical training and proficiency as an auditor encompasses an ability to
understand a CIS sufficiently to identify and evaluate:
a. The processing and imparting of information.
b. Essential accounting control features.
c. All accounting control features.
d. The degree to which programming conforms with application of generally accepted
accounting principles.
113. Adequate control over access to data processing is required to:
a. Prevent improper use or manipulation of data files and programs.
b. Ensure that only console operators have access to program documentation.
c. Minimize the need for backup data files.
d. Ensure that hardware controls are operating effectively and as designed by the
computer manufacturer.
114. In studying a client's internal controls, an auditor must be able to distinguish between
prevention controls and detection controls. Of the following data processing controls,
which is the best detection control?
a. Use of data encryption techniques.
b. Review of machine utilization logs.
c. Policy requiring password security.
d. Backup and recovery procedure.
115. A control to verify that the dollar amounts for all debits and credits for incoming
transactions are posted to a receivables master file is the:
a. Generation number check.
b. Master reference check.
c. Hash total.
d. Control total.
116. The program flowcharting symbol representing a decision is a:
a. Triangle.
b. Circle.
c. Rectangle.
d. Diamond.
117. CIS controls are frequently classified as to general controls and application controls.
Which of the following is an example of an application control?
a. Programmers may access the computer only for testing and "debugging" programs.
b. All program changes must be fully documented and approved by the information
systems manager and the user department authorizing the change.
c. A separate data control group is responsible for distributing output, and also
compares input and output on a test basis.
d. In processing sales orders, the computer compares customer and product numbers
with internally stored lists.
118. After a preliminary phase of the review of a client's CIS controls, an auditor may decide
not to perform further tests related to the control procedures within the CIS portion
of the client's internal control system. Which of the following would not be a valid
reason for choosing to omit further testing?
a. The auditor wishes to further reduce assessed risk.
b. The controls duplicate operative controls existing elsewhere in the system.
c. There appear to be major weaknesses that would preclude reliance on the
stated procedures.
d. The time and dollar costs of testing exceed the time and dollar savings in substantive
testing if the controls are tested for compliance.
119. For good internal control over computer program changes, a policy should be established
requiring that:
a. The programmer designing the change adequately tests the revised program.
b. All program changes be supervised by the CIS control group.
c. Superseded portions of programs be deleted from the program run manual to
avoid confusion.
d. All proposed changes be approved in writing by a responsible individual.

120. Which of the following is not a technique for testing data processing controls?
a. The auditor develops a set of payroll test data that contain numerous errors.
The auditor plans to enter these transactions into the client's system and observe
whether the computer detects and properly responds to the error conditions.
b. The auditor utilizes the computer to randomly select customer accounts for confirmation.
c. The auditor creates a set of fictitious customer accounts and introduces hypothetical
sales transactions, as well as sales returns and allowances, simultaneously
with the client's live data processing.
d. At the auditor's request, the client has modified its payroll processing program
so as to separately record any weekly payroll entry consisting of 60 hours or
more. These separately recorded ("marked") entries are locked into the system
and are available only to the auditor.
121. Which of the following would lessen internal control in a CIS?
a. The computer librarian maintains custody of computer program instructions and
detailed listings.
b. Computer operators have access to operator instructions and detailed program
listings.
c. The control group is solely responsible for the distribution of all computer output.
d. Computer programmers write and debug programs which perform routines designed
by the systems analyst.
122. Access control in an on-line CIS can best be provided in most circumstances by:
a. An adequate librarianship function controlling access to files.
b. A label affixed to the outside of a file medium holder that identifies the contents.
c. Batch processing of all input through a centralized, well-guarded facility.
d. User and terminal identification controls, such as passwords.
123. Reconciling processing control totals is an example of:
a. An input control.
b. An output control.
c. A processing control.
d. A file management control.
124. The completeness of computer-generated sales figures can be tested by comparing
the number of items listed on the daily sales report with the number of items billed on
the actual invoices. This process uses:
a. Check digits.
b. Control totals.
c. Validity tests.
d. Process tracing data.
125. Which of the following controls would be most efficient in reducing common data input
errors?
a. Keystroke verification.
b. A set of well-designed edit checks.
c. Balancing and reconciliation.
d. Batch totals.
126. Which of the following is a computer test made to ascertain whether a given characteristic
belongs to the group?
a. Parity check.
b. Validity check.
c. Echo check.
d. Limit check.
127. An auditor's consideration of a company's computer control activities has disclosed
the following four circumstances. Indicate which circumstance constitutes a significant
deficiency in internal control.
a. Computer operators do not have access to the complete software support documentation.
b. Computer operators are closely supervised by programmers.
c. Programmers are not authorized to operate computers.
d. Only one generation of backup files is stored in an off-premises location.
128. Accounting functions that are normally considered incompatible in a manual system
are often combined by computer software. This necessitates an application control that
prevents unapproved:
a. Access to the computer library.
b. Revisions to existing software.
c. Usage of software.
d. Testing of modified software.
129. In a computer system, hardware controls are designed to:
a. Arrange data in a logical sequence for processing.
b. Correct errors in software.
c. Monitor and detect errors in source documents.
d. Detect and control errors arising from use of equipment.
130. The normal sequence of documents and operations on a well-prepared systems flowchart
is:
a. Top to bottom, left to right.
b. Bottom to top, left to right.
c. Top to bottom, and right to left.
d. Bottom to top and right to left.
131. To obtain evidential matter about control risk, an auditor ordinarily selects tests from
a variety of techniques including
a. Analysis.
b. Confirmations.
c. Reprocessing.
d. Comparison.
132. A procedural control used in the management of a computer center to minimize the
possibility of data or program file destruction through operator error includes:
a. Control figures.
b. Crossfooting tests.
c. Limit checks.
d. External labels.
133. In updating a computerized accounts receivable file, which one of the following would
be used as a batch control to verify the accuracy of the posting of cash receipts remittances?
a. The sum of the cash deposits plus the discounts less the sales returns.
b. The sum of the cash deposits plus the discounts taken by customers.
c. The sum of the cash deposits.
d. The sum of the cash deposits less the discounts taken by customers.
134. The client’s computerized exception reporting system helps an auditor to conduct a
more efficient audit because it:
a. Condenses data significantly.
b. Highlights abnormal conditions.
c. Decreases the tests of computer control requirements.
d. Is efficient computer input control.
135. Which of the following computer documentation would an auditor most likely utilize in
obtaining an understanding of the internal control system?
a. Systems flowchart.
b. Record counts.
c. Program listings.
d. Record layouts.
136. An EDP input control is designed to ensure that:
a. Machine processing is accurate.
b. Only authorized personnel have access to the computer area.
c. Data received for processing are properly authorized and converted to
machine-readable form.
d. Electronic data processing has been performed as intended for the particular
application.
137. Which of the following most likely represents a weakness in the financial controls of
an EDP system?
a. The systems analyst reviews output and controls the distribution of output from
the EDP department.
b. The accounts payable clerk prepares data for computer processing and enters
the data into the computer.
c. The systems programmer designs the operating and control functions of programs
and participates in testing operating systems.
d. The control clerk establishes control over data received by the EDP department
and reconciles control totals after processing.
138. When an accounting application is processed by computer, an auditor cannot verify
the reliable operation of programmed control procedures by:
a. Manually comparing detail transaction files used by an edit program to the program’s
generated error listings in order to determine that errors were properly
identified by the edit program.
b. Constructing a processing system for accounting applications and processing
actual data from throughout the period through both the client’s program and
the auditor’s program.
c. Manually reperforming, as at a given point in time, the processing of input data
and comparing the simulated results to the actual results.
d. Periodically submitting auditor-prepared test data to the same computer
process and evaluating the results.
139. Which of the following is a general control that most likely would assist an entity
whose systems analyst left the entity in the middle of a major project?
a. Grandfather-father-son record retention.
b. Input and output validation routines.
c. Systems documentation.
d. Check digit verification.
140. Control procedures within the computer system may leave no visible evidence indicating
that the procedures were performed. In such instances, the auditor should test
these computer controls by:
a. Making corroborative inquiries.
b. Observing the separation of duties of personnel.
c. Reviewing transactions submitted for processing and comparing them to related
output.
d. Reviewing the run manual.
141. To gain access to a bank’s on-line customer systems, users must validate themselves
by means of a user identification code and password. The purpose of this procedure is
to provide:
a. Data security.
b. Physical security.
c. Context-dependent security.
d. Write-protection security.
142. A hash total of employee numbers is part of the input to a payroll master file update
program. The program compares the hash total to the total computed for transactions
applied to the master file. The purpose of this procedure is to:
a. Verify that employee numbers are valid.
b. Verify that only authorized employees are paid.
c. Detect errors in payroll calculations.
d. Detect the omission of transaction processing.
143. An accounts payable program posted a payable to a vendor not included in the on-line
vendor master file. A control which would prevent this error is a:
a. Validity check.
b. Range check.
c. Reasonableness test.
d. Parity check.
144. In a computerized sales processing system, which of the following controls is most
effective in preventing sales invoice pricing errors?
a. Sales invoices are reviewed by the product managers before being mailed to customers.
b. Current sales prices are stored in the computer, and, as stock numbers are entered
from sales orders, the computer automatically prices the orders.
c. Sales prices, as well as product numbers, are entered as sales orders are entered
at remote terminal locations.
d. Sales prices are reviewed and updated on a quarterly basis.
145. Which of the following is likely to be of least importance to an auditor in reviewing
the internal control in a company with a CIS?
a. The segregation of duties within the data processing center.
b. The control over source documents.
c. The documentation maintained for accounting applications.
d. The cost/benefit ratio of data processing operations.
146. In a distributed data base environment, control tests for access control administration
can be designed which focus on:
a. Prohibition of random access.
b. Analysis of system generated core dumps.
c. Reconciliation of batch control totals.
d. Examination of logged activity.
147. To ensure that goods received are the same as those shown on the purchase invoice,
a computerized system should:
a. Match selected fields of the purchase invoice to goods received.
b. Maintain control totals of inventory value.
c. Calculate batch totals for each input.
d. Use check digits in account numbers.
148. Which of the following is correct concerning batch processing of transactions?
a. Transactions are processed in the order they occur, regardless of type.
b. It has largely been replaced by on-line real-time processing in all but legacy
systems.
c. It is more likely to result in an easy-to-follow audit trail than is on-line
transaction processing.
d. It is used only in non-database applications.
149. Which of the following strategies would a CPA most likely consider in auditing an
entity that processes most of its financial data only in electronic form, such as a
paperless system?
a. Continuous monitoring and analysis of transaction processing with an
embedded audit module.
b. Increased reliance on internal control activities that emphasize the segregation
of duties.
c. Verification of encrypted digital certificates used to monitor the authorization of
transactions.
d. Extensive testing of firewall boundaries that restrict the recording of outside
network traffic.
150. Computer systems are typically supported by a variety of utility software packages
that are important to an auditor because they:
a. May enable unauthorized changes to data files if not properly controlled.
b. Are very versatile programs that can be used on hardware of many
manufacturers.
c. May be significant components of a client’s application programs.
d. Are written specifically to enable auditors to extract and sort data.
151. Which of the following types of evidence would an auditor most likely examine to
determine whether internal control is operating as designed?
a. Gross margin information regarding the client’s industry.
b. Confirmations of receivables verifying account balances.
c. Client records documenting the use of computer programs.
d. Anticipated results documented in budgets or forecasts.
152. Which of the following is not considered an exposure involved with electronic data
interchange (EDI) systems as compared to other systems?
a. Increased reliance upon computer systems.
b. Delayed transaction processing time.
c. Possible loss of confidentiality of information.
d. Increased reliance upon third parties.
153. Which of the following is usually a benefit of transmitting transactions in an electronic
data interchange (EDI) environment?
a. A compressed business cycle with lower year-end receivables balances.
b. A reduced need to test computer controls related to sales and collections
transactions.
c. An increased opportunity to apply statistical sampling techniques to account
balances.
d. No need to rely on third-party service providers to ensure security.
154. An entity has the following invoices in a batch:
Invoice No.    Product    Quantity    Unit price
201            F10        150         P 5.00
202            G15        200         10.00
203            H20        250         25.00
204            K35        300         30.00
Which of the following numbers represents a hash total?
a. FGJK80.
b. 4.
c. 810.
d. 900.
155. A company's management has expressed concern over the varied system
architectures that the organization uses. Potential security and control concerns would
include all of the following except:
a. Users may have different user ID codes and passwords to remember for the
several systems that they use.
b. There are difficulties in developing uniform security standards for the various
platforms.
c. Backup file storage administration is often decentralized.
d. Having data distributed across many computers throughout the organization
increases the risk that a single disaster would destroy large portions of the
organization's data.
156. Client/server architecture may potentially involve a variety of hardware, systems
software, and application software from many vendors. The best way to protect a
client/server system from unauthorized access is through:
a. A combination of application and general access control techniques.
b. Use of a commercially available authentication system.
c. Encryption of all network traffic.
d. Thorough testing and evaluation of remote procedure calls.
157. Able Co. uses an on-line sales order processing system to process its sales
transactions. Able’s sales data are electronically sorted and subjected to edit checks. A
direct output of the edit checks most likely would be a:
a. Report of all missing sales invoices.
b. File of all rejected sales transactions.

Prepared by: Mohammad Muariff S. Balang, CPA, Second Semester, AY 2012-2013 Page | 19
c. Printout of all user code numbers and passwords.
d. List of all voided shipping documents.
158. First Federal S & L has an on-line real-time system, with terminals installed in all of its
branches. This system will not accept a customer’s cash withdrawal instructions in
excess of P1,000 without the use of a “terminal audit key.” After the transaction is
authorized by a supervisor, the bank teller then processes the transaction with the
audit key. This control can be strengthened by
a. On-line recording of the transaction on an audit override sheet.
b. Increasing the peso amount to P1,500.
c. Requiring manual, rather than on-line, recording of all such transactions.
d. Using parallel simulation.
159. Mill Co. uses a batch processing method to process its sales transactions. Data on
Mill’s sales transaction tape are electronically sorted by customer number and are
subjected to programmed edit checks in preparing its invoices, sales journals, and
updated customer account balances. One of the direct outputs of the creation of this
tape most likely would be a:
a. Report showing exceptions and control totals.
b. Printout of the updated inventory records.
c. Report showing overdue accounts receivable.
d. Printout of the sales price master file.
160. Laptop computers provide automation outside of the normal office location. Which of
the following would provide the least security for sensitive data stored on a laptop
computer?
a. Encryption of data files on the laptop computer.
b. Setting up a password for the screensaver program on the laptop computer.
c. Using a laptop computer with a removable hard disk drive.
d. Using a locking device that can secure the laptop computer to an immovable
object.
161. When developing a new computer system that will handle customer orders and
process customer payments, a high-level systems design phase would include
determination of which of the following?
a. How the new system will affect current inventory and general ledger systems.
b. How the file layouts will be structured for the customer order records.
c. Whether to purchase a turn-key system or modify an existing system.
d. Whether formal approval by top management is needed for the new system.
162. A company using EDI made it a practice to track the functional acknowledgments
from trading partners and to issue warning messages if acknowledgments did not
occur within a reasonable length of time. What risk was the company attempting to
address by this practice?
a. Transactions that have not originated from a legitimate trading partner may be
inserted into the EDI network.
b. Transmission of EDI transactions to trading partners may sometimes fail.
c. There may be disagreement between the parties as to whether the EDI
transactions form a legal contract.
d. EDI data may not be accurately and completely processed by the EDI software.
163. Management is concerned that data uploaded from a microcomputer to the
company’s mainframe system in batch processing may be erroneous. Which of the
following controls would best address this issue?
a. The mainframe computer should be backed up on a regular basis.
b. Two persons should be present at the microcomputer when it is uploading data.
c. The mainframe computer should subject the data to the same edits and
validation routines that on-line data entry would require.
d. The users should be required to review a random sample of processed data.
164. Which of the following is a risk that is higher when an electronic funds transfer (EFT)
system is used?
a. Improper change control procedures.
b. Unauthorized access and activity.
c. Insufficient on-line edit checks.
d. Inadequate backups and disaster recovery procedures.
165. The use of message encryption software:
a. Guarantees the secrecy of data.
b. Requires manual distribution of keys.
c. Increases system overhead.
d. Reduces the need for periodic password changes.
166. The internal auditor is reviewing a new policy on electronic mail. Appropriate
elements of such a policy would include all of the following except:
a. Erasing all of an employee’s electronic mail immediately upon employment
termination.
b. Encrypting electronic mail messages when transmitted over phone lines.
c. Limiting the number of electronic mail packages adopted by the organization.
d. Directing that personnel do not send highly sensitive or confidential messages
using electronic mail.
167. Which of the following risks is not greater in an electronic funds transfer (EFT)
environment than in a manual system using paper transactions?
a. Unauthorized access and activity.
b. Duplicate transaction processing.
c. Higher cost per transaction.
d. Inadequate backup and recovery capabilities.
168. Methods to minimize the installation of unlicensed microcomputer software include
all of the following except:
a. Employee awareness programs.
b. Regular audits for unlicensed software.
c. Regular monitoring of network access and start-up scripts.
d. An organizational policy that includes software licensing requirements.
169. In traditional information systems, computer operators are generally responsible for
backing up software and data files on a regular basis. In distributed or cooperative
systems, ensuring that adequate backups are taken is the responsibility of:
a. User management.
b. Systems programmers.
c. Data entry clerks.
d. Tape librarians.
170. Which of the following statements is correct regarding the Internet as a commercially
viable network?
a. Organizations must use firewalls if they wish to maintain security over internal
data.
b. Companies must apply to the Internet to gain permission to create a homepage
to engage in electronic commerce.
c. Companies that wish to engage in electronic commerce on the Internet must
meet required security standards established by the coalition of Internet
providers.
d. All of the above.
171. A widely used disaster recovery approach includes:
a. Encryption.
b. Firewalls.
c. Regular backups.
d. Surge protectors.
172. A “hot site” is most frequently associated with:
a. Disaster recovery.
b. On-line relational database design.
c. Source programs.
d. Temperature control for computer.
173. Output controls ensure that the results of computer processing are accurate,
complete, and properly distributed. Which of the following is not a typical output
control?
a. Reviewing the computer processing logs to determine that all of the correct
computer jobs executed properly.
b. Matching input data with information on master files and placing unmatched
items in a suspense file.
c. Periodically reconciling output reports to make sure that totals, formats, and
critical details are correct and agree with input.
d. Maintaining formal procedures and documentation specifying authorized
recipients of output reports, checks, or other critical documents.
174. Minimizing the likelihood of unauthorized editing of production programs, job control
language, and operating system software can best be accomplished by:
a. Database access reviews.
b. Compliance reviews.
c. Good change-control procedures.
d. Effective network security software.
175. A corporation receives the majority of its revenue from top-secret military contracts
with the government. Which of the following would be of greatest concern to an auditor
reviewing a policy about selling the company’s used microcomputers to outside
parties?
a. Whether deleted files on the hard disk drive have been completely erased.
b. Whether the computer has viruses.
c. Whether all software on the computer is properly licensed.
d. Whether the computer has terminal emulation software on it.
176. A manufacturer is considering using bar-code identification for recording information
on parts used by the manufacturer. A reason to use bar codes rather than other means
of identification is to ensure that:
a. The movement of all parts is recorded.
b. The movement of parts is easily and quickly recorded.
c. Vendors use the same part numbers.
d. Vendors use the same identification methods.
177. A company often revises its production processes. The changes may entail revisions
to processing programs. Ensuring that changes have a minimal impact on processing
and result in minimal risk to the system is a function of:
a. Security administration.
b. Change control.
c. Problem tracking.
d. Problem-escalation procedures.
178. Good planning will help an organization restore computer operations after a
processing outage. Good recovery planning should ensure that:
a. Backup/restart procedures have been built into job streams and programs.
b. Change control procedures cannot be bypassed by operating personnel.
c. Planned changes in equipment capacities are compatible with projected
workloads.
d. Service level agreements with owners of applications are documented.
179. In a large organization, the biggest risk in not having an adequately staffed
information center help desk is:
a. Increased difficulty in performing application audits.
b. Inadequate documentation for application systems.
c. Increased likelihood of use of unauthorized program code.
d. Persistent errors in user interaction with systems.
180. To properly control access to accounting database files, the database administrator
should ensure that database system features are in place to permit:
a. Read-only access to the database files.
b. Updating from privileged utilities.
c. Access only to authorized logical views.
d. User updates of their access profiles.
181. When evaluating internal control of an entity that processes sales transactions on the
Internet, an auditor would be most concerned about the
a. Lack of sales invoice documents as an audit trail.
b. Potential for computer disruptions in recording sales.
c. Inability to establish an integrated test facility.
d. Frequency of archiving and data retention.
182. Which of the following statements is correct concerning internal control in an
electronic data interchange (EDI) system?
a. Preventive controls generally are more important than detective controls in EDI
systems.
b. Control objectives for EDI systems generally are different from the objectives for
other information systems.
c. Internal controls in EDI systems rarely permit control risk to be assessed at
below the maximum.
d. Internal controls related to the segregation of duties generally are the most
important controls in EDI systems.
183. Preventing someone with sufficient technical skill from circumventing security
procedures and making changes to production programs is best accomplished by
a. Reviewing reports of jobs completed.
b. Comparing production programs with independently controlled copies.
c. Running test data periodically.
d. Providing suitable segregation of duties.
184. Computer program libraries can best be kept secure by:
a. Installing a logging system for program access.
b. Monitoring physical access to program library media.
c. Restricting physical and logical access.
d. Denying access from remote terminals.
185. Which of the following security controls would best prevent unauthorized access to
sensitive data through an unattended data terminal directly connected to a
mainframe?
a. Use of a screen saver with a password.
b. Use of workstation scripts.
c. Encryption of data files.
d. Automatic log-off of inactive users.
186. A customer intended to order 100 units of product Z96014, but incorrectly ordered
nonexistent product Z96015. Which of the following controls most likely would detect
this error?
a. Check digit verification.
b. Record count.
c. Hash total.
d. Redundant data check.
187. The use of a header label in conjunction with magnetic tape is most likely to prevent
errors by the
a. Computer operator.
b. Keypunch operator.
c. Computer programmer.
d. Maintenance technician.
188. Which of the following input controls is a numeric value computed to provide
assurance that the original value has not been altered in construction or transmission?
a. Hash total.
b. Parity check.
c. Encryption.
d. Check digit.
189. Which of the following is an example of a validity check?
a. The computer ensures that a numerical amount in a record does not exceed
some predetermined amount.
b. As the computer corrects errors and data are successfully resubmitted to the
system, the causes of the errors are printed out.
c. The computer flags any transmission for which the control field value did not
match that of an existing file record.
d. After data for a transaction are entered, the computer sends certain data back
to the terminal for comparison with data originally sent.
190. Which of the following activities most likely would detect whether payroll data were
altered during processing?
a. Monitor authorized distribution of data control sheets.
b. Use test data to verify the performance of edit routines.
c. Examine source documents for approval by supervisors.
d. Segregate duties between approval of hardware and software specifications.
191. Which of the following tools would best give a graphical representation of a sequence
of activities and decisions?
a. Flowchart.
b. Control chart.
c. Histogram.
d. Run chart.
192. A well-prepared flowchart should make it easier for the auditor to
a. Prepare audit procedure manuals.
b. Prepare detailed job descriptions.
c. Trace the origin and disposition of documents.
d. Assess the degree of accuracy of financial
193. Which of the following is least likely a risk characteristic associated with a CIS
environment?
a. Errors embedded in an application program’s logic may be difficult to manually
detect on a timely basis.
b. Many control procedures that would ordinarily be performed by separate
individuals in a manual system may be concentrated in CIS.
c. The potential for unauthorized access to data or for altering them without visible
evidence may be greater.
d. Initiation of changes in the master file is exclusively handled by respective
users.
194. Corrections to transaction data in which errors have been detected should be made
by the:
a. Computer operator.
b. Data control check.
c. Programmer.
d. User department.
195. In order to maintain good internal control:
a. Computer operators need to be good programmers.
b. Programmers should have control over day to day production runs.
c. Computer operators should be allowed to make changes in programs as needed
in order to keep the computer running.
d. Programmers and computer operators should be in separate organization units
of the IS function.
196. Which of the following responsibilities should not be assigned to members of the IS
function?
a. Designing new information systems.
b. Preparing documentation for new information systems.
c. Initiating changes to the files maintained in the database.
d. Processing transaction data.
197. Which is the most objectionable assignment of responsibilities within the IS function?
a. Programmers maintain the processing and output controls for applications.
b. Systems analysts maintain systems documentation.
c. Data processing supervisors schedule the processing time for applications.
d. Data control clerks establish controls over batches of transactions received from
user departments.
198. An auditor would be most likely to assess control risk at the maximum level in an
electronic environment with automated system-generated information when:
a. Sales orders are initiated using predetermined, automated decision rules.
b. Payables are based on many transactions and large in peso amount.
c. Fixed asset transactions are few in number, but large in peso amount.
d. Accounts receivable records are based on many transactions and are large in
peso amount.
199. In a highly automated information processing system, tests of control:
a. Must be performed in all circumstances.
b. May be required in some circumstances.
c. Are never required.
d. Are required in first year audits.
200. Which of the following is least likely to be considered by an auditor considering
engagement of an information technology (IT) specialist on an audit?
a. Complexity of client’s systems and IT controls.
b. Requirements to assess going concern status.
c. Client’s use of emerging technologies.
d. Extent of entity’s participation in electronic commerce.
201. A warehouse employee of a retail firm concealed the theft of merchandise inventory
items by entering adjustments to the computer based IS inventory records indicating
that the items had been damaged or lost. Which control would be most suitable for
preventing this fraud?
a. Check digits in inventory item numbers.
b. Validity checks on inventory item numbers.
c. Passwords allowing changes to inventory records that are assigned only to
authorized employees.
d. Removal of computer terminals from the warehouse.
202. Which of the following least likely protects critical and sensitive information from
unauthorized access in a personal computer environment?
a. Using secret file names and hiding the files.
b. Keeping of backup copies offsite.
c. Employing passwords.
d. Segregating data into files organized under separate file directories.
203. Which of the following represents a sound organizational control with respect to
information system activities?
a. Allowing the user departments to specify data processing standards.
b. Allowing the user departments to prepare input data.
c. Allowing the user departments to report to the head computer operator.
d. Allowing the user departments to submit data for processing directly to the
computer operators.
204. Which of the following is a violation of internal control in a computer-based system?
a. Computer operators are provided program documentation.
b. The data control unit is solely responsible for the distribution of all computer
output.
c. Computer programmers write programs based on specifications developed by
the systems analyst.
d. Systems analysts design new computer based procedures.
205. Operating documentation is of primary interest to:
a. Computer operators.
b. Computer programmers.
c. Systems analysts.
d. Users.
206. A company performs a daily backup of critical data and software files and stores the
backup tapes at an offsite location. The back-up tapes are used to restore the files in
case of a disruption. This is a:
a. Preventive control.
b. Detective control.
c. Corrective control.
d. Management control.
207. Which of the following is the most critical control over database administration
(DBA)?
a. Approval of DBA activities.
b. Segregation of duties.
c. Review of access logs and activities.
d. Review of the use of database tools.
208. When a complete segregation of duties cannot be achieved in an on-line system
environment, which of the following functions should be separated from the others?
a. Authorization.
b. Origination.
c. Recording.
d. Correction.
209. In a small organization where segregation of duties is not practical, an employee
performs the function of computer operator and applications programmer. Which of the
following controls should an IS auditor recommend?
a. Automated logging of changes to development libraries.
b. Additional staff to provide segregation of duties.
c. Procedures that verify that only approved program changes are implemented.
d. Access controls to prevent the operator from making program modifications.
210. In a risk-based audit approach, the IS auditor must consider the inherent risk as well
as considering:
a. How to eliminate the risk through the application of controls.
b. The balance of loss potential versus the cost of implementing controls.
c. Whether the risk is material, regardless of management’s tolerance for risk.
d. Whether the residual risk is higher than the insurance coverage purchased.
211. A poor choice of passwords and transmission over unprotected communication lines
are examples of:
a. Vulnerabilities.
b. Threats.
c. Probabilities.
d. Impacts.
212. An IS auditor is planning an audit of a bank wire transfer system in the context of a
regulation that requires banks to accurately report transactions. Which of the following
represents the primary focus of the audit scope?
a. Data availability.
b. Data confidentiality.
c. Data integrity.
d. Currency of data.
213. Which of the following least likely indicates a complexity of computer processing?
a. Transactions are exchanged electronically with other organizations without
manual review of their propriety.
b. The volume of the transactions is such that users would find it difficult to
identify and correct errors in processing.
c. The computer automatically generates material transactions or entries directly
to other applications.
d. The system generates a daily exception report.
214. In planning the portions of the audit which may be affected by the client’s CIS
environment, the auditor should obtain an understanding of the significance and
complexity of the CIS activities and availability of data for use in the audit. The following
relate to the complexity of CIS activities, except when:
a. Transactions are exchanged electronically with other organizations.
b. Complicated computations of financial information are performed by the
computer and/or material transactions or entries are generated automatically
without independent validation.
c. Material financial statement assertions are affected by the computer
processing.
d. The volume of transactions is such that users would find it difficult to identify
and correct errors in processing.
215. Which of the following is not an advantage of a computerized accounting system?
a. Computers process transactions uniformly.
b. Computers help alleviate human errors.
c. Computers can process many transactions quickly.
d. Computers leave a thorough audit trail which can be easily followed.
216. The nature of the risks and the internal characteristics in a CIS environment that the
auditors are mostly concerned with include the following, except:
a. Lack of segregation of functions.
b. Lack of transaction trails.
c. Dependence of other controls over computer processing.
d. Cost-benefit ratio.
217. Regardless of the nature of an entity’s information system, the auditor must consider
internal control. In a CIS environment, the auditor must, at a minimum, have:
a. A background in programming procedures.
b. An expertise in computer systems analysis.
c. A sufficient knowledge of the computer information system.
d. A sufficient knowledge of the computer’s operating system.
218. Who is ultimately responsible for the design and implementation of cost-effective
control in a CIS environment?
a. The internal audit manager.
b. The CIS director.
c. The systems analyst.
d. The entity’s management.
219. Which of the following risks is not greater in CIS than in manual systems?
a. Erroneous data conversion.
b. Erroneous source document preparation.
c. Repetition of errors.
d. Concentration of data.
220. Uninterruptible power supplies are used in computer facilities to minimize the risk of:
a. Crashing disk drive read-write heads.
b. Dropping bits in data transmission.
c. Failing to control concurrent access to data.
d. Losing data stored in main memory.
221. The significance of hardware controls is that they:
a. Ensure that run to run totals in application systems are consistent.
b. Reduce the incidence of user input errors in on-line systems.
c. Ensure correct programming of operating system functions.
d. Assure that machine instructions are executed correctly.
222. A systems analyst should have access to each of the following, except:
a. Edit criteria.
b. Source code.
c. Password identification tables.
d. User procedures.
223. The manager of computer operations prepares a weekly schedule of planned computer
processing and sends a copy to the computer librarian. The control objective this
procedure serves is to:
a. Authorize the release of data files to computer operators.
b. Specify the distribution of computer results.
c. Specify file retention and disaster recovery policies.
d. Keep improper and unauthorized transactions from entering the computer
facility.
224. An entity should plan the physical location of its computer facility. Which of the
following is the primary consideration for selecting a computer site?
a. It should be in the basement or on the ground floor.
b. It should maximize the visibility of the computer.
c. It should minimize the distance that data control personnel must travel to
deliver data and reports and be easily accessible by a majority of company
personnel.
d. It should provide security.
225. Which of the following statements regarding security concerns for notebook
computers is false?
a. The primary methods of control usually involve application controls.
b. Centralized control over the selection and acquisition of hardware and software
is a major concern.
c. Some conventional controls such as segregation of duties may not be feasible.
d. As their use becomes more sophisticated, the degree of concern regarding
physical security increases.
226. The advent of personal computers has resulted in a(n):
a. Decentralization of data processing activities.
b. Increased concern over the accuracy of computerized processing.
c. Decrease in the number of local area networks.
d. Increase for general computer control activities.
227. Which of the following is most likely to include user group development and
execution of certain computer applications?
a. Telecommunication transmission systems.
b. Database administration.
c. End user computing.
d. Electronic data interchange systems.
228. Which of the following is not a data transmission control?
a. Echo checks.
b. Data encryption.
c. File labels.
d. Parity checks.
229. Which of the following is not one of the responsibilities of a database administrator?
a. Develop application programs to access the database.
b. Design the content and organization of the database.
c. Protect the database and its software.
d. Monitor and improve the efficiency of the database.
230. Which of the following groups should have the operational responsibility for the
accuracy and completeness of computer based information?
a. External auditors.
b. Internal auditors.
c. Users.
d. Top management.
231. The major risk in relying on anti-virus software is that it may:
a. Consume too many system resources.
b. Interfere with system operations.
c. Not detect certain viruses.
d. Make software installation too complex.
232. The best control to permit new employees to understand internally developed
programs is:
a. Adequate backups are made for spreadsheet models.
b. Use of end-user computing resources is monitored.
c. End user computing efforts are consistent with strategic plans.
d. Documentation standards exist and are followed.
233. An entity updates its accounts receivable master file weekly and retains the master
files and corresponding update transactions for the most recent two-week period. The
purpose of this periodic retention of master files and transaction data is to:
a. Validate groups of update transactions for each version.
b. Permit reconstruction of the master file if needed.
c. Verify run to run control totals for receivables.
d. Match internal labels to avoid writing on the wrong volume.
234. Which of the following contingency plan arrangements would be considered too
vendor dependent when vital operations require almost immediate availability of computer
resources?
a. A cold site arrangement.
b. A hot site arrangement.
c. A warm site arrangement.
d. Using excess capacity at another data center within the entity.
235. An auditor has recommended biometric authentication for workers entering a client’s
building. The recommendation might include devices that verify all of the following:
a. Fingerprints.
b. Password patterns.
c. Speech patterns.
d. Retina patterns.
236. Which of the following best describes the process called authentication?
a. The user identifies himself/herself to the system.
b. The system verifies the identity of the user.
c. The user indicates to the system that the transaction was processed correctly.
d. The system verifies that the user is entitled to enter the transactions requested.
237. Which of the following is the most likely source of errors in a fully operational
computer based system?
a. Systems analysis and programming.
b. Operator error.
c. Processing.
d. Input.
238. Which of the following provides the most valuable information for detecting
unauthorized input from a terminal?
a. User error report.
b. Transaction log.
c. Error file.
d. Console log printout.
239. Which of the following data conversion methods is the most difficult to audit?
a. Keying data to disk for online processing.
b. Keying data to disk for batch processing.
c. Reading source data using optical character recognition.
d. Keying data to source documents for magnetic ink character recognition.
240. Which of the following best describes the online data processing control called
preformatting?
a. The display of a document with blanks for data items to be entered by the
terminal operator.
b. A program initiated prior to regular input to discover errors in data before entry
so that the errors can be corrected.
c. A series of requests for required input data that requires an acceptable
response to each request before a subsequent request is made.
d. A check to determine if all data items for a transaction have been entered by
the terminal operator.
241. If a payroll system continues to pay employees who have been terminated, control
weaknesses most likely exist because:
a. Input file label checking routines built into the program were ignored by the
operator.
b. Programmed controls such as limit checks should have been built into the
system.
c. Procedures were not implemented to verify and control the receipt by the
computer processing department of all transactions prior to processing.
d. There were inadequate manual controls maintained outside the computer
system.
242. A wholesaler of automotive parts has a computerized billing system. Because of
clerical error while entering information from the sales order, one of its customers was
billed for only three of the five items ordered and received. Which of the following
would have prevented or promptly detected this clerical error?
a. Periodic comparison of total accounts receivable per accounts receivable master
file with total accounts receivable per accounts receivable control account.
b. A completeness check that does not allow a sales invoice to be processed if key
fields are blank.
c. Pre-numbered shipping documents together with a procedure for follow up
anytime there is not a one-to-one relationship between shipping documents and
sales invoices.
d. Matching line control counts produced by the computer with predetermined line
control counts.
243. Which of the following computerized control procedures would most likely provide
reasonable assurance that data uploaded from personal computers to a mainframe are
complete and that no additional data are added?
a. Field edit controls that test each field for alphanumeric integrity.
b. Self-checking digits to ensure that only authorized part numbers are added to
the database.
c. Batch control totals, including financial totals and hash totals.
d. Passwords that effectively limit access to only those authorized to upload the
data to the mainframe.
244. An entity’s labor distribution report requires extensive corrections each month
because of labor hours charged to inactive jobs. Which of the following data processing
input controls appears to be missing?
a. Validity check.
b. Limit check.
c. Missing data check.
d. Control total.
245. If, in reviewing an application system, it is noted that batch controls are not used,
which of the following statements by the user of the system is acceptable as a
compensating control?
a. “The volume of transactions prohibits batching.”
b. “We do a 100% physical review of the input document to the output document.”
c. “We do a 100% key verification of all data input.”
d. “The supervisor must approve all inputs.”
246. Which of the following is the major purpose of the auditor’s study and evaluation of
the company’s computer processing operations?
a. Ensure the exercise of due professional care.
b. Evaluate the reliability and integrity of financial information.
c. Become familiar with the company’s means of identifying, measuring,
classifying and reporting information.
d. Evaluate the competence of computer processing operating personnel.
247. The following statements relate to the auditor’s assessment of control risk in an
entity’s computer environment. Which is correct?
a. The auditor usually can ignore the computer system if he/she can obtain an
understanding of the controls outside the CIS.
b. If the general controls are ineffective, the auditor ordinarily can assess control
risk at a low level if the application controls are effective.
c. The auditor’s objectives with respect to the assessment of control risk are the
same as in a manual system.
d. The auditor must obtain an understanding of the internal control and test
controls in computer environments.
248. Which of the following should be a responsibility of the IS function?
a. Correcting errors in transaction data.
b. Initiating changes to programs.
c. Processing transactions.
d. All of the above.
249. Which of the following is least affected by the presence of computer-based
processing?
a. Security measures.
b. Control objectives.
c. General controls.
d. Accounting controls.
250. General controls include controls:
a. Designed to ascertain that all transaction data are accurate.
b. That relate to the correction and resubmission of data that were initially correct.
c. For documenting and approving programs and changes to programs.
d. Designed to assure the reliability of output.
251. The use of a programmed check or edit test with respect to transaction data is an
example of a:
a. Preventive control.
b. Detective control.
c. Corrective control.
d. Retroactive control.
252. Which of the following statements accurately describes the impact that automation
has on the controls normally present in a manual system?
a. Transaction trails are more extensive in CIS than in a manual system because
there is always one-to-one correspondence between data entry and output.
b. Responsibility for custody of information assets is more concentrated in user
departments in CIS than it is in a manual system.
c. Controls must be more explicit in CIS because many processing points that
present opportunities for human judgment in a manual system are eliminated.
d. The quality of documentation becomes less critical in CIS than it is in a manual
system because data records are stored in machine-readable files.
253. A common difficulty in auditing a computerized accounting system is:
a. Data can be erased from the computer with no visible evidence.
b. Because of the lack of an audit trail, computer systems have weaker controls
and more substantive testing is required.
c. Because of the uniform nature of transaction processing, computer systems
have strong controls and less substantive testing is required.
d. The large dissemination of entry points into the computer system leads to weak
overall reliance on information generated by a computer.
254. How have electronic data interchange (EDI) systems affected audits?
a. Since orders and billing transactions are done over the computer, source
documents cannot be obtained.
b. Auditors often need to plan ahead to capture information about selected
transactions over the EDI.
c. There is no audit trail in an EDI system, so controls are typically assessed as
weak.
d. Since all transactions occur over the computer, reliability is high and little
substantive testing is needed.
255. How can a computer system be modified to compensate for the lack of segregation of
duties?
a. The computer system should be under the direction of the internal audit
department.
b. The computer system should be accessible to various competent parties so they
can check each other’s work.
c. Strong controls should be built into both the computer software and hardware to
limit access and manipulation.
d. Many companies run complete parallel manual and automated accounting sys-
tems for a cross check on input and output.
256. Of the following data processing controls, which is the best detection control?
a. Use of data encryption techniques.
b. Review of machine utilization logs.
c. Policy requiring password security.
d. Backup and recovery procedure.
257. Which of the following characteristics of on-line/real time systems and EDI systems
does not create an audit problem?
a. The lack of traditional documentation of transactions creates a need for greater
attention to programmed controls at the point of transaction input.
b. Hard copy may not be retained by the client for long periods of time, thereby
necessitating more frequent visits by the auditor.
c. Control testing may be more difficult given the increased vulnerability of the
client’s files to destruction during the testing process.
d. Consistent on-line processing of recurring data increases the incidence of errors.
258. Computer systems are more vulnerable to unauthorized access because:
a. Hardware design considerations have declined.
b. Software cannot be readily written to control access.
c. Systems documentation must be available to all users.
d. Access can be gained electronically without physical entry to the facilities.
259. A system flowchart:
a. Is synonymous with a program flowchart.
b. Is necessary for only computer processes.
c. Shows general flow and sequence but not processing details.
d. Is necessary for only manual processes.
260. When a database administrator’s position exists within a client organization, the
auditor must be aware of the:
a. Output effectiveness/efficiency consideration.
b. Need for coded program files.
c. Use of encrypted dialog in a two-way authentication process.
d. Inherent violation of the principle of separation of duties.
261. Which of the following functions would have the least effect on an audit if they are
not properly segregated?
a. The systems analyst and the programmer functions.
b. The computer operator and programmer functions.
c. The computer operator and the user functions.
d. The applications programmer and the systems programmer.
262. Which of the following represent examples of general, application and user control
activities, respectively, in the computer environment?
a. Manual checks of computer output, control over access to programs and
computer exception reports.
b. Computer exception reports, control over access to programs and manual
checks of computer output.
c. Control over access to programs, computer exception reports and manual
checks of computer output.
d. Manual checks of computer output, computer exception reports and control
over access to programs.
263. A computer report which is designed to create an audit trail for each on-line
transaction.
a. Transaction log.
b. Master file.
c. IT log.
d. Transaction file.
264. Which of the following would not be an appropriate procedure for testing the general
control activities of an information system?
a. Inquiries of client personnel.
b. Inspecting computer logs.
c. Testing for the serial sequence of source documents.
d. Examination of the organizational chart to determine the segregation of duties.
265. The employees in a manufacturing area made many errors as they wrote their clock
numbers on time sheets and cost distribution forms. An effective control technique
would have been the use of:
a. Batch totals.
b. Turn around documents.
c. Hash totals.
d. Record counts.
266. An advantage of having a computer maintain an automated error log in conjunction
with a computer edit process is that:
a. Reports can be developed that summarize the errors by type, cause and person
responsible.
b. Less manual work is required to determine how to correct errors.
c. Better editing techniques will result.
d. The audit trail is maintained.
267. In order to control purchasing and accounts payable, an information system must
include:
a. Purchase order, receiving reports and vendor invoices.
b. Receiving reports and vendor invoices.
c. Purchase requisition, purchase orders, receiving reports of goods needed and
vendor invoices.
d. Purchase orders, receiving reports and inventory reports of goods needed.
268. The best set of controls for a payroll system includes:
a. Sign tests, limit tests, passwords and user codes, on-line edit check and
payments by check.
b. Batch totals, record counts, user codes, proper segregation of duties and on-line
edit checks.
c. Batch and hash totals, record counts of each run, proper separation of duties,
special control over unclaimed checks and backup copies of activities and
master files.
d. Passwords and user codes, batch totals, employee’s supervision and record
count of each run.
269. Testing controls without the use of a computer is possible when the:
a. Computer generates visible evidence of compliance with the control.
b. Auditor does not fully understand the computer system.
c. Controls appear adequate.
d. Input/output is done in batches.
270. Which of the following employees normally would be assigned the operating
responsibility for designing a computerized accounting system, including documentation of
application systems?
a. Computer programmer.
b. Systems programmer.
c. Systems analyst.
d. Internal auditor.
271. The effect of personal computers on the accounting system and the associated risks
will least likely depend on:
a. The extent to which the personal computer is being used to process accounting
applications.
b. The type and significance of financial transactions being processed.
c. The nature of files and programs utilized in the applications.
d. The cost of personal computers.
272. Risk of fraud or error in on-line systems may be reduced in the following
circumstances, except:
a. If on-line data entry is performed at or near the point where transactions
originate, there is less risk that the transactions will not be recorded.
b. If invalid transactions are corrected and re-entered immediately, there is less
risk that such transactions will not be corrected and re-submitted on a timely
basis.
c. If data entry is performed on-line by individuals who understand the nature of
the transactions involved, the data entry process may be less prone to errors
than when it is performed by individuals unfamiliar with the nature of the
transactions.
d. On-line access to data and programs through telecommunications may provide
greater opportunity for access to data and programs by unauthorized persons.
273. Which of the following represents an additional cost of transmitting business
transactions by means of electronic data interchange (EDI) rather than in a traditional
paper environment?
a. Redundant data checks are needed to verify that individual EDI transactions are
not recorded twice.
b. Internal audit work is needed because the potential for random data entry
errors is increased.
c. Translation software is needed to convert transactions from the entity’s internal
format to a standard EDI format.
d. More supervisory personnel are needed because the amount of data entry is
greater in an EDI system.
274. Many entities use the Internet as a network to transmit electronic data interchange
(EDI) transactions. An advantage of using the Internet for electronic commerce rather
than a traditional value-added network (VAN) is that the Internet:
a. Permits EDI transactions to be sent to trading partners as transactions occur.
b. Automatically batches EDI transactions to multiple trading partners.
c. Possesses superior characteristics regarding disaster recovery.
d. Converts EDI transactions to a standard format without translation software.
275. Which of the following computer system risks would be increased by the installation
of a database system?
a. Programming errors.
b. Data entry errors.
c. Improper data access.
d. Loss of power.
276. Given the increasing use of microcomputers as a means for accessing data bases,
along with on-line real-time processing, companies face a serious challenge relating to
data security. Which of the following is not an appropriate means for meeting this
challenge?
a. Institute a policy of strict identification and password controls housed in the
computer software that permit only specified individuals to access the computer
files and perform a given function.
b. Limit terminals to perform only certain transactions.
c. Program software to produce a log of transactions showing date, time, type of
transaction, and operator.
d. Prohibit the networking of microcomputers and do not permit users to access
centralized data bases.
277. Which of the following is likely to be a benefit of electronic data interchange (EDI)?
a. Increased transmission speed of actual documents.
b. Improved business relationships with trading partners.
c. Decreased liability related to protection of proprietary business data.
d. Decreased requirements for backup and contingency planning.
278. Where disk files are used, the grandfather-father-son updating backup concept is
relatively difficult to implement because the:
a. Location of information points on disks is an extremely time consuming task.
b. Magnetic fields and other environmental factors cause off-site storage to be
impractical.
c. Information must be dumped in the form of hard copy if it is to be reviewed
before used in updating.
d. Process of updating old records is destructive.
279. The possibility of losing a large amount of information stored in computer files most
likely would be reduced by the use of:
a. Back-up files.
b. Check digits.
c. Completeness tests.
d. Conversion verification.
280. The initial debugging of a computer program should normally be done by the:
a. Programmer.
b. Internal auditor.
c. Machine operator.
d. Control group.
281. Which of the following is not considered a typical risk associated with outsourcing?
a. Inflexibility.
b. Loss of control.
c. Loss of confidentiality.
d. Less availability of expert.
282. The grandfather-father-son approach to providing protection for important computer
files is a concept that is most often found in:
a. On-line/real time systems.
b. Punched cards systems.
c. Magnetic tape systems.
d. Magnetic drum systems.
283. Matthews Corp. has changed from a system of recording time worked on clock cards
to a computerized payroll system in which employees record time in and out with
magnetic cards. The CIS automatically updates all payroll records. Because of this
change:
a. A generalized computer audit program must be used.
b. Part of the audit trail is altered.
c. The potential for payroll related fraud is diminished.
d. Transactions must be processed in batches.
284. Certain general CIS controls that are particularly important to on-line processing least
likely include:
a. Access controls.
b. System development and maintenance controls.
c. Edit, reasonableness and other validation tests.
d. Use of anti-virus software program.
285. Certain CIS application controls that are particularly important to on-line processing
least likely include:
a. Pre-processing authorization.
b. Transaction logs.
c. Cut-off procedures.
d. Balancing.
286. Due to data sharing, data independence and other characteristics of database
systems
a. General CIS controls normally have a greater influence than CIS application
controls on database systems.
b. CIS application controls normally have a greater influence than general CIS
controls on database systems.
c. General CIS controls normally have an equal influence with CIS application
controls on database systems.
d. CIS application controls normally have no influence on database systems.
287. To reduce security exposure when transmitting proprietary data over communication
lines, a company should use
a. Asynchronous modems.
b. Authentic techniques.
c. Call-back procedures.
d. Cryptographic devices.
288. Which of the following would an auditor ordinarily consider the greatest risk regarding
an entity’s use of electronic data interchange (EDI)?
a. Authorization of EDI transactions.
b. Duplication of EDI transmissions.
c. Improper distribution of EDI transactions.
d. Elimination of paper documents.
289. Which of the following statements is correct concerning internal control when a client
is using an electronic data interchange system for its sales?
a. Controls should be established over determining that all suppliers are included
in the system.
b. Encryption controls may help to assure that messages are unreadable to
unauthorized persons.
c. A value-added-network (VAN) must be used to assure proper control.
d. Attention must be paid to both the electronic and “paper” versions of
transactions.
290. Which of the following statements most likely represents a disadvantage for an entity
that keeps microcomputer prepared data files rather than manually prepared files?
a. Random error associated with processing similar transactions in different ways
is usually greater.
b. It is usually more difficult to compare recorded accountability with physical
count of assets.
c. It is usually easier for unauthorized persons to access and alter the files.
d. Attention is focused on the accuracy of the programming process rather than
errors in individual transactions.
291. Which of the following is an example of how specific controls in a database
environment may differ from controls in a non-database environment?
a. Controls should exist to ensure that users have access to and can update only
the data elements that they have been authorized to access.
b. Controls over data sharing by diverse users within an entity should be the same
for every user.
c. The employee who manages the computer hardware should also develop and
debug the computer programs.
d. Controls can provide assurance that all processed transactions are authorized,
but cannot verify that all authorized transactions are processed.
292. A retail entity uses electronic data interchange (EDI) in executing and recording most
of its purchase transactions. The entity’s auditor recognized that the documentation of
the transactions will be retained for only a short period of time. To compensate for this
limitation, the auditor most likely would:
a. Increase the sample of EDI transactions to be selected for cutoff tests.
b. Perform tests several times during the year, rather than only at year-end.
c. Plan to make a 100% count of the entity’s inventory at or near the year-end.
d. Decrease the assessed level of control risk for the existence or occurrence
assertion.
293. Which of the following is a password security problem?
a. Users select passwords that are not listed in any on-line dictionary.
b. Users are assigned passwords when accounts are created, but do not change
them.
c. Users have accounts on several systems with different passwords.
d. Users copy their passwords on note paper, which is kept in their wallets.
294. A company is concerned that a power outage or disaster could impair the computer
hardware’s ability to function as designed. The company desires off-site backup
hardware facilities that are fully configured and ready to operate within several hours.
The company most likely should consider a:
a. Cold site.
b. Cool site.
c. Warm site.
d. Hot site.
295. A company's labor distribution report requires extensive corrections each month
because of labor hours charged to inactive jobs. Which of the following data processing
input controls appears to be missing?
a. Completeness test.
b. Validity test.
c. Limit test.
d. Control total.
296. Passwords for microcomputer software programs are designed to prevent:
a. Inaccurate processing of data.
b. Unauthorized access to the computer.
c. Incomplete updating of data files.
d. Unauthorized use of the software.
297. The capability for computers to communicate with physically remote terminals is an
important feature in the design of modern business information systems. Which of the
following risks associated with the use of telecommunications systems is minimized
through the use of a password control system?
a. Unauthorized access to system program and data files.
b. Unauthorized physical availability of remote terminals.
c. Physical destruction of system program and data files.
d. Physical destruction of remote terminals.
298. Consider the following computer applications:
A. At a catalog sales firm, as phone orders are entered into their computer,
both inventory and credit are immediately checked.
B. A manufacturer's computer sends the coming week's production schedule
and parts orders to a supplier's computer.
Which statement below is true for these applications?
a. Both applications are examples of EDI.
b. Both applications are examples of on-line real-time processing.
c. The first application is an example of EDI and the second is an example of
on-line real-time.
d. The first application is an example of on-line real-time and the second is an
example of EDI.
299. Unauthorized alteration of on-line records can be prevented by employing:
a. Key verification.
b. Computer sequence checks.
c. Computer matching.
d. Data base access controls.
300. In the preliminary survey the auditor learns that a department has several
microcomputers. Which of the following is usually true and should be considered in
planning the audit?
a. Microcomputers, though small, are capable of processing financial information,
and physical security is a control concern.
b. Microcomputers are limited to applications such as worksheet generation and
do not present a significant audit risk.
c. Microcomputers are generally under the control of the data processing
department and use the same control features.
d. Microcomputers are too small to contain any built-in control features.
Therefore, other controls must be relied upon.
