Auditing in A CIS Environment


Auditing through the computer (CAATS)

1. In auditing through a computer, the test data method is used by the auditors to test the

Procedures contained within the program


2. PAPS 1009 (Computer-Assisted Audit Techniques) states, "Customized or
purpose-written programs perform audit tasks in specific circumstances where package
audit software is deemed unsuitable usually because system constraints make it difficult
or impossible to use." A purpose-written program may be developed by
1) The auditor
2) The entity being audited
3) An outside programmer hired by the auditor

1) Yes 2) Yes 3) Yes


3. Smith Corporation has numerous customers. A customer file is kept on disk storage.
Each customer file contains name, address, credit limit, and account balance. The
auditor wishes to test this file to determine whether credit limits are being exceeded. The
best procedure for the auditor to follow would be to

Develop a program to compare credit limits with account balances and print out the
details of any account with a balance exceeding its credit limit.
4. The employee entered "40" in the "hours worked per day" field. Which check would
detect this unintentional error?

Limit check
5. Auditors often make use of computer programs that perform routine processing functions
such as sorting and merging. These programs are made available by electronic data
processing companies and others and are specifically referred to as
Utility programs
6. An auditor who wishes to capture an entity's data as transactions are processed and
continuously test the entity's computerized information system most likely would use
which of the following techniques?

Embedded audit module


7. Which is most likely correct about "whitebox audit" or "auditing through the computer"?

The focus is more on the processing rather than the input and output components of the
system.
8. An auditor is least likely to find that a client's data is input through

Dynamic linking character reader


9. Which of the following is an incorrect statement regarding testing strategies related to
auditing through the computer?
The test data approach involves processing the client's data on a test basis to determine
the integrity of the system.
10. It involves application of auditing procedures using the computer as an audit tool. This
includes computer programs and data the auditor uses as part of the audit procedures to
process data of audit significance contained in an entity's information systems.
Computer-assisted audit techniques
11. A primary reason auditors are reluctant to use an ITF is that it requires them to
Identify and reserve the fictitious entries to avoid contamination of master file
Auditing around the computer
1. Which of the following computer-assisted auditing techniques allows fictitious and real
transactions to be processed together without client operating personnel being aware of
the testing process?

Integrated test facility approach


2. In a highly automated information processing system tests of control

May be required in some circumstances


3. An auditor most likely would introduce test data into a computerized payroll system to
test controls related to the

Discovery of invalid employee I.D. numbers


4. Which of the following computer-assisted auditing techniques processes client input data
on a controlled program under the auditor's control to test controls in the computer
system?

Parallel simulation
5. Which of the following is not among the errors that an auditor might include in the test
data when auditing a client's computer system?
Numeric characters in alphanumeric fields
6. Auditing by testing the input and output of a computer system instead of the computer
program itself will
Not detect program errors which do not show up in the output sampled
7. An auditor estimates that 10,000 checks were issued during the accounting period. If a
computer application control which performs a limit check for each request is to be
subjected to the auditor's test data approach, the sample should include

One transaction
8. Which of the following is an example of auditing "around" the computer?
The auditor traces adding machine tapes of sales order batch totals to a computer
printout of the sales journal.
9. Which of the following strategies would a CPA most likely consider in auditing an entity
that processes most of its financial data only in electronic form, such as a paperless
system?
Continuous monitoring and analysis of transaction processing with an embedded audit
module
10. The following are benefits of using IT-based controls, except

Over-reliance on computer-generated reports.


11. An ITF would be appropriate when the auditor needs to
Verify processing accuracy concurrently with processing
12. Which of the following does not support the "test data" approach?
It allows fictitious and real transactions to be processed together without the client
operating personnel being aware of the testing process.
13. When an auditor tests a computerized accounting system, which of the following is true
of the test data approach?

Test data are processed by the client's computer programs under the auditor's control.
14. Output controls ensure that the results of computer processing are accurate, complete,
and properly distributed. Which of the following is not a typical output control?

Matching input data with information on master files and placing unmatched items in a
suspense file
15. Which of the following combinations is correct?
1) Integrated test facility
2) Test data
3) Parallel simulation
(1) Test data, live program; (2) Test data, live program; (3) Live data, test program
16. A retail entity uses electronic data interchange (EDI) in executing and recording most of
its purchase transactions. The entity's auditor recognized that the documentation of the
transactions will be retained for only a short period of time. To compensate for this
limitation, the auditor most likely would

Perform tests several times during the year, rather than only at year-end.
17. Parallel simulation is an audit technique employed to verify processing logic by making
use of audit test programs. These audit test programs "simulate" the processing logic of
an application program or programs under review. Which statement indicates the use of
parallel simulation audit technique?
Live transactions are processed using test programs
18. Which of the following statements is not true about test data?

Test data must consist of all possible valid and invalid conditions.
Internal control in a CIS environment
1. In traditional information systems, computer operators are generally responsible for
backing up software and data files on a regular basis. In distributed or cooperative
systems, ensuring that adequate backups are taken is the responsibility of
User management
2. To reduce security exposure when transmitting proprietary data over communication
lines, a company should use

Cryptographic devices
3. A company using EDI (electronic data interchange) made it a practice to track the
functional acknowledgments from trading partners and to issue warning messages if
acknowledgments did not occur within a reasonable length of time. What risk was the
company attempting to address by this practice?

Transmission of EDI transactions to trading partners may sometimes fail.


4. Using microcomputers in auditing may affect the methods used to review the work of
staff assistants because

Working paper documentation may not contain readily observable details of calculations.
5. Which of the following procedures would an entity most likely include in its computer
disaster recovery plan?

Store duplicate copies of critical files in a location away from the computer center.
6. Adequate control over access to data processing may help deter improper use or
alteration of data files. The control can best be provided by
User and terminal identification controls, such as passwords
7. Totals of amounts in computer-record data fields, which are not usually added but are
used only for data processing control purposes are called

Hash totals
8. An auditor anticipates assessing control risk at a low level in a CIS environment. Under
these circumstances, on which of the following procedures would the auditor initially
focus?

General control procedures


9. Which function or activity is not performed in the user department?

Conversion of data to machine-readable format


10. Where computers are used, the effectiveness of internal control depends, in part, upon
whether the organizational structure includes any incompatible functions. Such a
combination would exist when there is no separation of duties between

Programming and computer operator


11. A widely used disaster recovery approach includes
Regular backups
12. Which of the following is a risk that is higher when an electronic funds transfer (EFT)
system is used?
Unauthorized access and activity
13. The internal auditor is reviewing a new policy on electronic mail. Appropriate elements of
such a policy would include all of the following except:
Erasing all employees' electronic mail immediately upon employment termination
14. A manufacturer is considering using bar-code identification for recording information on
parts used by the manufacturer. A reason to use bar codes rather than other means of
identification is to ensure that

The movement of parts is easily and quickly recorded.


15. Which of the following is a password security problem?
Users are assigned passwords when accounts are created, but do not change them.
16. Which of the following passwords would be most difficult to crack?
12 HOUSE 24
17. A critical aspect of a disaster recovery plan is to be able to regain operational capability
as soon as possible. In order to accomplish this, an organization can have an
arrangement with its computer hardware vendor to have a fully operational facility
available that is configured to the user's specific needs. This is best known as a(n)

Hot site
18. Client/server architecture may potentially involve a variety of hardware, systems
software, and application software from many vendors. The best way to protect a
client/server system from unauthorized access is through
A combination of application and general access control techniques
19. After the preliminary phase of the review of a client's computer controls, an auditor may
decide not to perform tests of controls (compliance tests) related to the controls within
the computer portion of the client's internal control. Which of the following would not be a
valid reason for choosing to omit such tests?

The controls appear adequate.


20. Which of the following is correct about check digits?

They are designed to detect transcription errors.


21. A company often revises its production processes. The changes may entail revisions to
processing programs. Ensuring that changes have a minimal impact on processing and
result in minimal risk to the system is a function of

Change control
22. In planning the portions of the audit which may be affected by the client's CIS
environment, the auditor should obtain an understanding of the significance and
complexity of the CIS activities and the availability of data for use in the audit. The
following relate to the complexity of CIS activities except when

Material financial statement assertions are affected by the computer processing.


23. The internal controls over computer processing include both manual procedures and
procedures designed into computer programs (programmed control procedures). These
manual and programmed control procedures comprise the general CIS controls and CIS
application controls. The purpose of general CIS controls is to

Establish a framework of overall controls over the CIS activities and to provide a
reasonable level of assurance that the overall objectives of internal control are achieved.
24. Mill Co. uses a batch processing method to process its sales transactions. Data on Mill's
sales transaction tape are electronically sorted by customer number and are subjected to
programmed edit checks in preparing its invoices, sales journals, and updated customer
account balances. One of the direct outputs of the creation of this tape most likely would
be a
Report showing exceptions and control totals
25. The auditor shall consider the entity's CIS environment in designing audit procedures to
reduce risk to an acceptably low level. Which of the following statements is incorrect?

The methods of applying audit procedures to gather audit evidence are not influenced by
the methods of computer processing.
26. Which of the following statements is correct concerning the security of messages in an
electronic data interchange (EDI) system?

Encryption performed by physically secure hardware devices is more secure than
encryption performed by software.
27. Which of the following statements is correct concerning internal control when a client is
using an electronic data interchange system for its sales?

Encryption controls may help to assure that messages are unreadable to unauthorized
persons.
28. An entity installed antivirus software on all its personal computers. The software was
designed to prevent initial infections, stop replication attempts, detect infections after
their occurrence, mark affected system components, and remove viruses from infected
components. The major risk in relying on antivirus software is that it may

Not detect certain viruses.


29. Which of the following is a computer test made to ascertain whether a given
characteristic belongs to the group?

Validity check
30. A corporation receives the majority of its revenue from top-secret military contracts
with the government. Which of the following would be of greatest concern to an auditor
reviewing a policy about selling the company's used microcomputers to outside parties?
Whether deleted files on the hard disk drive have been completely erased
31. Preventing someone with sufficient technical skill from circumventing security
procedures and making changes to production programs is best accomplished by

Providing suitable segregation of duties


32. If an auditor is using test data in a client's computer system to test the integrity of the
system's output, which of the following types of controls is the auditor testing?

Application controls
33. Computer program libraries can best be kept secure
Restricting physical and logical access
34. A clerk inadvertently entered an account number 12368 rather than account number
12638. In processing this transaction, the errors would be detected with which of the
following controls?

Self-checking digit
35. Which of the following would not be an appropriate procedure for testing the general
control activities of an information system?

Testing for the serial sequence of source documents.


36. Where disk files are used, the grandfather-father-son updating backup concept is
relatively difficult to implement because the

Process of updating old records is destructive.


37. An auditor would be most likely to assess control risk at the maximum level in an
electronic environment with automated system-generated information when

Fixed asset transactions are few in number, but large in peso amount.
38. Matthews Corp. has changed from a system of recording time worked on clock cards to
a computerized payroll system in which employees record time in and out with magnetic
cards. The computer system automatically updates all payroll records. Because of this
change

Part of the audit trail is altered.


39. Computer personnel least likely
Originate changes in master files
40. Which of the following input controls describes a "self-checking digit"?

Data need to be added with a mathematically calculated digit to detect transposition
errors
41. Management is concerned that data uploaded from a microcomputer to the company's
mainframe system in batch processing may be erroneous. Which of the following
controls would best address this issue?

The mainframe computer should subject the data to the same edits and validation
routines that online data entry would require.
42. An entity has recently converted its purchasing cycle from a manual process to an online
computer system. Which of the following is a probable result associated with conversion
to the new IT system?
Traditional duties are less separated.
43. An auditor would most likely be concerned with which of the following controls in a
distributed data processing system?

Access controls
44. The completeness test of computer-generated sales figures can be tested by comparing
the number of items listed on the daily sales report with the number of items billed on the
actual invoices. This process uses

Control totals
45. Which of the following is an encryption feature that can be used to authenticate the
originator of a document and ensure that the message is intact and has not been
tampered with?

Digital signatures
46. Which of the following is an example of a validity check?

The computer flags any transmission for which the control field value did not match that
of an existing file record.
47. The possibility of erasing a large amount of information stored on magnetic tape most
likely would be reduced by the use of
File protection rings
48. End-user computing is most likely to occur on which of the following types of computers?

Personal computers
49. Which of the following controls most likely would assure that an entity can reconstruct its
financial records?

Backup diskettes or tapes of files are stored away from originals.


50. Which of the following is an example of how specific controls in a database environment
may differ from controls in a non-database environment?
Controls should exist to ensure that users have access to and can update only the data
elements that they have been authorized to access.
51. Able Co. uses an online sales order processing system to process its sales transactions.
Able's sales data are electronically sorted and subjected to edit checks. A direct output
of the edit checks most likely would be a

File of all rejected sales transactions


52. A "hot site" is most frequently associated with
Disaster recovery
53. If a control total were to be computed on each of the following data items, which would
best be identified as a hash total for a payroll CIS application?

Department numbers
54. The management of ABC Co. suspects that someone is tampering with pay rates by
entering changes through the Co.'s remote terminals located in the factory. The method
ABC Co. should implement to protect the system from these unauthorized alterations to
the system's files is

Passwords
55. End-user computing is an example of which of the following?

Decentralized processing
56. ABC Co. updates its accounts receivable master file weekly and retains the master files
and corresponding update transactions for the most recent 2-week period. The purpose
of this practice is to

Permit reconstruction of the master file if needed


57. Which of the following statements concerning the Internet is incorrect?

The Internet is a private network that only allows access to authorized persons or
entities.
58. Choose the incorrect statement about General IT-controls?

They are manual or automated procedures that typically operate at a business process
level and apply to the processing of transactions by individual applications.
59. An entity should plan the physical location of its computer facility. Which of the following
is the primary consideration for selecting a computer site?

It should provide security.


60. Which of the following is unique to CIS?

Error listing
61. A customer intended to order 100 units of product Z96014, but incorrectly ordered
non-existent product Z96015. Which of the following controls most likely would detect this
error?
Check digit verification
62. Internal control is ineffective when computer personnel
Originate changes in master files
63. A company is concerned that a power outage or disaster could impair the computer
hardware's ability to function as designed. The company desires off-site backup
hardware facilities that are fully configured and ready to operate within several hours.
The company most likely should consider a

Hot site
64. Which of the following presumptions is not correct?
The specific methods appropriate for implementing the basic auditing concepts do not
change, as systems become more complex.
65. To avoid invalid data input, a bank added an extra number at the end of each account
number and subjected the new number to an algorithm. This technique is known as
A check digit
66. General IT-controls do not include

Controls on procedures used to initiate, record, process and report transactions or other
financial data
67. Which of the following is not an example of an application control?

An equipment failure causes an error message on the monitor.


68. One major category of computer viruses is programs that attach themselves to other
programs, thus infecting the other programs. While many of these viruses are relatively
harmless, some have the potential to cause significant damage. Which of the following is
an indication that a computer virus of this category is present?

Unexplainable losses of or changes to data

69. A company's management is concerned about computer data eavesdropping and wants
to maintain the confidentiality of its information as it is transmitted. The company should
utilize

Data encryption
70. Good planning will help an organization restore computer operations after a processing
outage. Good recovery planning should ensure that

Backup/restart procedures have been built into job streams and programs.
Characteristics of CIS
1. Which of the following is least likely to be considered by an auditor considering
engagement of an information technology (IT) specialist on an audit?
Requirements to assess going concern status
2. Which of the following activities would most likely be performed in the CIS department?

Conversion of information to machine-readable form


3. Which would largely change in an audit of a CIS environment?

Specific methods in implementing the basic audit concepts

4. The characteristics that distinguish computer processing from manual processing include
the following:
1) Computer processing uniformly subjects like transactions to the same instructions.
2) Computer systems always ensure that complete transaction trails useful for audit
purposes are preserved for indefinite purpose.
3) Computer processing virtually eliminates the occurrence of clerical errors normally
associated with manual processing.
4) Control procedures as to segregation of functions may no longer be necessary in
computer environment.

Only statements 1 and 3 are true


5. The characteristics that distinguish computer processing from manual processing include
the following:
1) Computer processing uniformly subjects like transactions to the same instructions.
2) Computer systems always ensure that complete transaction trails useful for audit
purposes are preserved for indefinite purpose.
3) Computer processing virtually eliminates the occurrence of clerical errors normally
associated with manual processing.
4) Control procedures as to segregation of functions may no longer be necessary in
computer environment

Only statements 1 and 3 are true


6. Computer systems are typically supported by a variety of utility software packages that
are important to an auditor because they
May enable unauthorized changes to data files if not properly controlled.
7. A characteristic that distinguishes computer processing from manual processing is

Computer processing virtually eliminates the occurrence of computational errors
normally associated with manual processing.
8. A common difficulty in auditing a computerized accounting system is
Data can be erased from the computer with no visible evidence.
9. Manual elements in internal control may be more suitable where judgment and discretion
are required such as for the following circumstances (choose the exception):
High volume or recurring transactions
10. Which of the following statements most likely represents a disadvantage for an entity
that keeps microcomputer-prepared data files rather than manually prepared files?

It is usually easier for unauthorized persons to access and alter the files.
11. The use of a computer changes the processing, storage, and communication of financial
information.
The overall objective and scope of an audit.
12. Which of the following is not an advantage of a computerized accounting system?

Computers leave a thorough audit trail which can be easily followed


13. Which attribute below relates more to computer processing than manual processing?

Similar transactions are uniformly subjected to similar instruction

