Testbank - Acctg 5 CIS
MULTIPLE CHOICE. Read carefully the questions below and choose the best statement among the choices. Write
the letter corresponding to your answer on the sheet provided along with this questionnaire. Erasures are strictly not
allowed.
1. Which statement is incorrect when auditing in a CIS environment?
a. A CIS environment exists when a computer of any type or size is involved in the processing by the
entity of financial information of significance to the audit, whether that computer is operated by the
entity or by a third party.
b. The auditor should consider how a CIS environment affects the audit.
c. The use of a computer changes the processing, storage and communication of financial information
and may affect the accounting and internal control systems employed by the entity.
d. A CIS environment changes the overall objective and scope of an audit.
2. Which of the following concepts distinguishes the retention of computerized audit documents from the
traditional hard copy form?
a. Analyses, conclusions and recommendations are filed on electronic media and are therefore subject
to computer system controls and security procedures.
b. Evidential support for all findings is copied and provided to local management during the closing
conference and to each person receiving the final report.
c. Computerized data files can be used in computer audit procedures.
d. Audit programs can be standardized to eliminate the need for a preliminary survey at each location.
3. Responsibility for the control of end-user computing exists at the organizational, departmental and individual
user level. A direct responsibility of the individual users is:
a. Acquisition of hardware and software.
b. Taking equipment inventories.
c. Strategic planning of end-user computing.
d. Physical security of computer hardware.
4. Which of the following is least likely a risk characteristic associated with a CIS environment?
a. Errors embedded in an application’s program logic may be difficult to manually detect on a timely
basis.
b. Many control procedures that would ordinarily be performed by separate individuals in a manual
system may be concentrated in CIS.
c. The potential for unauthorized access to data, or to alter them without visible evidence, may be greater.
d. Initiation of changes in the master file is exclusively handled by respective users.
5. Personal computers are susceptible to theft, physical damage, unauthorized access or misuse of equipment.
Which of the following is least likely a physical security measure to restrict access to personal computers when not in
use?
a. Using door locks or other security protection during non-business hours.
b. Fastening the personal computer to a table using security cables.
c. Locking the personal computer in a protective cabinet or shell.
d. Using anti-virus software programs.
6. Which of the following aspects of the significance and complexity of the CIS activities should an auditor least understand?
a. The organizational structure of the client’s CIS activities.
b. Lack of transaction trails.
c. The significance and complexity of computer processing in each significant accounting application.
d. The use of software packages instead of customized software.
7. Which of the following is not likely a control over removable storage media to prevent misplacement,
alteration without authorization or destruction?
a. Using cryptography, which is the process of transforming programs and information into an
unintelligible form.
b. Placing responsibility for such media under personnel whose responsibilities include duties of
software custodians or librarians.
c. Using a program and data file check-in and check-out system and locking the designated storage
locations.
d. Keeping current copies of diskettes, compact disks or back-up tapes and hard disks in a fireproof
container, either on-site, off-site or both.
8. To achieve audit efficiency and effectiveness with a personal computer, the two crucial requirements are:
a. The appropriate audit task for personal computer applications and the appropriate software to
perform the selected audit tasks.
The appropriate software to perform the selected audit task and data that can be accessed by the
auditor’s personal computer.
b. Company data that can be accessed by the auditor’s personal computer and the appropriate audit
tasks for personal computer applications.
c. The appropriate sample of company data to test with the auditor’s personal computer and the
appropriate software to perform the selected audit tasks.
9. Which of the following least likely protects critical and sensitive information from unauthorized access in a
personal computer environment?
a. Using secret file names and hiding the files.
b. Keeping of back-up copies offsite.
c. Employing passwords.
d. Segregating data into files organized under separate file directories.
10. Which statement is incorrect regarding the general CIS controls of particular importance in a database
environment?
a. Since data are shared by many users, control may be enhanced when a standard approach is used for
developing each new application program and for application program modification.
b. Several data owners should be assigned responsibility for defining access and security rules, such as
who can use the data (access) and what functions they can perform (security).
c. User access to the database can be restricted through the use of passwords.
d. Responsibilities for performing the various activities required to design, implement and operate a
database are divided among technical, design, administrative and user personnel.
11. The following matters are of particular importance to the auditor in an on-line computer system, except:
a. Authorization, completeness and accuracy of on-line transactions.
b. Integrity of records and processing, due to on-line access to the system by many users and
programmers.
c. Changes in the performance of audit procedures including the use of CAAT's.
d. Cost-benefit ratio of installing on-line computer system.
12. The auditor may often assume that control risk is high in personal computer systems since it may not be
practicable or cost-effective for management to implement sufficient controls to reduce the risks of
undetected errors to a minimum level. This least likely entails:
a. More physical examination and confirmation of assets.
b. More analytical procedures than tests of details.
c. Larger sample sizes.
d. Greater use of computer-assisted audit techniques, where appropriate.
13. Audit procedures in a database environment will be affected principally by:
a. The extent to which the data in the database are used by the accounting system.
b. The type and significance of financial transactions being processed.
c. The nature of the database, the DBMS, the database administration tasks and the applications.
d. The general CIS controls which are particularly important in a database environment.
14. Which statement is incorrect regarding the characteristics of a CIS organizational structure?
a. Certain data processing personnel may be the only ones with a detailed knowledge of the
interrelationship between the source of data, how it is processed and the distribution and use of the
output.
b. Many conventional controls based on adequate segregation of incompatible functions may not exist,
or in the absence of access and other controls, may be less effective.
c. Transaction and master file data are often concentrated, usually in machine-readable form, either in
one computer installation located centrally or in a number of installations distributed throughout an
entity.
d. Systems employing CIS methods do not include manual operations since the number of persons
involved in the processing of financial information is significantly reduced.
15. A major exposure associated with the rapidly expanding use of microcomputers is the absence of:
a. Adequate size of main memory and disk storage.
b. Compatible operating systems.
c. Formalized procedures for purchase justification.
d. Physical, data file, and program security.
16. System characteristics that may result from the nature of CIS processing include, except:
a. Absence of input documents.
b. Lack of visible transaction trail.
c. Lack of visible output.
d. Difficulty of access to data and computer programs.
17. The development of CIS will generally result in design and procedural characteristics that are different from
those found in manual systems. These different design and procedural aspects of CIS include, except:
a. Consistency of performance.
b. Programmed control procedures.
c. Vulnerability of data and program storage media.
d. Multiple transaction update of multiple computer files or databases.
18. Which statement is incorrect regarding internal controls in a CIS environment?
a. Manual and computer control procedures comprise the overall controls affecting the CIS
environment (general CIS controls) and the specific controls over the accounting applications (CIS
application controls).
b. The purpose of general CIS controls is to establish a framework of overall control over the CIS
activities and to provide a reasonable level of assurance that the overall objectives of internal control
are achieved.
c. The purpose of CIS application controls is to establish specific control procedures over the
application systems in order to provide reasonable assurance that all transactions are authorized and
recorded, and are processed completely, accurately and on a timely basis.
d. The internal controls over computer processing, which help to achieve the overall objectives of
internal control, include only the procedures designed into computer programs.
19. General CIS controls may include, except:
a. Organization and management controls.
b. Delivery and support controls.
c. Development and maintenance controls.
d. Controls over computer data files.
20. CIS application controls include, except:
a. Controls over input.
b. Controls over processing and computer data files.
c. Controls over output.
d. Monitoring controls.
21. Which statement is incorrect regarding the review of general CIS controls and CIS application controls?
a. The auditor should consider how these general CIS controls affect the CIS applications significant to
the audit.
b. General CIS controls that relate to some or all applications are typically interdependent controls in
that their operation is often essential to the effectiveness of CIS application controls.
c. Control over input, processing, data files and output may be carried out by CIS personnel, by users
of the system, by a separate control group, or may be programmed into application software.
d. It may be more efficient to review the design of the application controls before reviewing the
general controls.
22. Which statement is incorrect regarding the evaluation of general CIS controls and CIS application controls?
a. The general CIS controls may have a pervasive effect on the processing of transactions in
application systems.
b. If general CIS controls are not effective, there may be a risk that misstatements might occur and go
undetected in the application systems.
c. Manual procedures exercised by users may provide effective control at the application level.
d. Weaknesses in general CIS controls cannot preclude testing certain CIS application controls.
23. An internal auditor noted the following points when conducting a preliminary survey in connection with the
audit of an EDP department. Which of the following would be considered a safeguard in the control system
on which the auditor might rely?
a. Programmers and computer operators correct daily processing problems as they arise.
b. The control group works with user organizations to correct rejected input.
c. New systems are documented as soon as possible after they begin processing live data.
d. The average tenure of employees working in the EDP department is ten months.
24. An on-line access control that checks whether the user’s code number is authorized to initiate a specific type
of transaction or inquiry is referred to as:
a. Password.
b. Compatibility test.
c. Limit check.
d. Reasonableness test.
25. A control procedure that could be used in an on-line system to provide an immediate check on whether an
account number has been entered on a terminal accurately is a:
a. Compatibility test.
b. Record count.
c. Hash total.
d. Self-checking digit.
26. A control designed to catch errors at the point of data entry is:
a. Batch total.
b. Self-checking digit.
c. Record count.
d. Checkpoints.
27. Program documentation is a control designed primarily to ensure that:
a. Programmers have access to the tape library or information on disk files.
b. Programs do not make mathematical errors.
c. Programs are kept up to date and perform as intended.
d. Data have been entered and processed.
28. Some of the more important controls that relate to automated accounting information systems are validity
checks, limit checks, field checks, and sign tests. These are classified as:
a. Control total validation routines.
b. Output controls.
c. Hash totaling.
d. Input validation routines.
29. Most of today’s computer systems have hardware controls that are built in by the computer manufacturer.
Common hardware controls are:
a. Duplicate circuitry, echo check, and internal header labels.
b. Tape file protection, cryptographic protection, and limit checks.
c. Duplicate circuitry, echo check, and dual reading.
d. Duplicate circuitry, echo check, tape file protection, and internal header labels.
30. Which one of the following represents a lack of internal control in a computer-based information system?
a. The design and implementation is performed in accordance with management’s specific
authorization.
b. Any and all changes in application programs have the authorization and approval of management.
c. Provisions exist to protect data files from unauthorized access, modification, or destruction.
d. Both computer operators and programmers have unlimited access to the programs and data files.
31. In an automated payroll processing environment, a department manager substituted the time card for a
terminated employee with a time card for a fictitious employee. The fictitious employee had the same pay rate
and hours worked as the terminated employee. The best control technique to detect this action using
employee identification numbers would be a:
a. Batch total.
b. Hash total.
c. Record count.
d. Subsequent check.
32. The reporting of accounting information plays a central role in the regulation of business operations.
Preventive controls are an integral part of virtually all accounting processing systems, and much of the
information generated by the accounting system is used for preventive control purposes. Which one of the
following is not an essential element of a sound preventive control system?
a. Separation of responsibilities for the recording, custodial, and authorization functions.
b. Sound personnel policies.
c. Documentation of policies and procedures.
d. Implementation of state-of-the-art software and hardware.
33. An employee in the receiving department keyed in a shipment from a remote terminal and inadvertently
omitted the purchase order number. The best systems control to detect this error would be:
a. Batch total.
b. Sequence check.
c. Completeness test.
d. Reasonableness test.
34. The most critical aspect regarding separation of duties within information systems is between:
a. Project leaders and programmers.
b. Programmers and systems analysts.
c. Programmers and computer operators.
d. Data control and file librarians.
35. Compatibility tests are sometimes employed to determine whether an acceptable user is allowed to proceed.
In order to perform compatibility tests, the system must maintain an access control matrix. The one item that
is not part of an access control matrix is a:
a. List of all authorized user code numbers and passwords.
b. List of all files maintained on the system.
c. Record of the type of access to which each user is entitled.
d. Limit on the number of transaction inquiries that can be made by each user in a specified time
period.
36. Which one of the following input validation routines is not likely to be appropriate in a real time operation?
a. Field check.
b. Sequence check.
c. Sign check.
d. Redundant data check.
37. Which of the following characteristics distinguishes computer processing from manual processing?
a. Computer processing virtually eliminates the occurrence of computational error normally associated
with manual processing.
b. Errors or irregularities in computer processing will be detected soon after their occurrences.
c. The potential for systematic error is ordinarily greater in manual processing than in computerized
processing.
d. Most computer systems are designed so that transaction trails useful for audit do not exist.
38. Which of the following controls is a processing control designed to ensure the reliability and accuracy of data
processing?
A. Limit test. B. Validity check test.
a. Yes, yes.
b. No, no.
c. No, yes.
d. Yes, no.
39. Which of the following most likely represents a significant deficiency in the internal control structure?
a. The systems analyst reviews applications of data processing and maintains systems documentation.
b. The systems programmer designs systems for computerized applications and maintains output
controls.
c. The control clerk establishes control over data received by the EDP department and reconciles
control totals after processing.
d. The accounts payable clerk prepares data for computer processing and enters the data into the
computer.
40. Which of the following activities would most likely be performed in the EDP department?
a. Initiation of changes to master records.
b. Conversion of information to machine-readable form.
c. Correction of transactional errors.
d. Initiation of changes to existing applications.
41. For control purposes, which of the following should be organizationally segregated from the computer
operations function?
a. Data conversion.
b. Systems development.
c. Surveillance of CRT messages.
d. Minor maintenance according to a schedule.
42. Which of the following is not a major reason for maintaining an audit trail for a computer system?
a. Deterrent to irregularities.
b. Analytical procedures.
c. Monitoring purposes.
d. Query answering.
43. In an automated payroll system, all employees in the finishing department were paid the rate of P75 per hour
when the authorized rate was P70 per hour. Which of the following controls would have been most effective
in preventing such an error?
a. Access controls which would restrict the personnel department’s access to the payroll master file
data.
b. A review of all authorized pay rate changes by the personnel department.
c. The use of batch control totals by department.
d. A limit test that compares the pay rates per department with the maximum rate for all employees.
44. Which of the following errors would be detected by batch controls?
a. A fictitious employee was added to the processing of the weekly time cards by the computer operator.
b. An employee who worked only 5 hours in the week was paid for 50 hours.
c. The time card for one employee was not processed because it was lost in transit between the payroll
department and the data entry function.
d. All of the above.
45. For the accounting system of Acme Company, the amounts of cash disbursements entered into an EDP
terminal are transmitted to the computer that immediately transmits the amounts back to the terminal for
display on the terminal screen. This display enables the operator to:
a. Establish the validity of the account number.
b. Verify the amount was entered accurately.
c. Verify the authorization of the disbursements.
d. Prevent the overpayment of the account.
46. The use of a header label in conjunction with magnetic tape is most likely to prevent errors by the:
a. Computer operator.
b. Computer programmer.
c. Keypunch operator.
d. Maintenance technician.
47. When EDP programs or files can be accessed from terminals, users should be required to enter a (an):
a. Parity check.
b. Self-diagnostic test.
c. Personal identification code.
d. Echo check.
48. The possibility of erasing a large amount of information stored on magnetic tape most likely would be
reduced by the use of:
a. File protection ring.
b. Completeness tests.
c. Check digits.
d. Conversion verification.
49. Which of the following controls most likely would assure that an entity can reconstruct its financial records?
a. Hardware controls are built into the computer by the computer manufacturer.
b. Backup diskettes or tapes of files are stored away from originals.
c. Personnel who are independent of data input perform parallel simulations.
d. System flowcharts provide accurate descriptions of input and output operations.
50. Mill Co. uses a batch processing method to process its sales transactions. Data on Mill’s sales transaction tape
are electronically sorted by customer number and are subject to programmed edit checks in preparing its
invoices, sales journals, and updated customer account balances. One of the direct outputs of the creation of
this tape most likely would be a:
a. Report showing exceptions and control totals.
b. Printout of the updated inventory records.
c. Report showing overdue accounts receivable.
d. Printout of the sales price master file.
51. Which statement is incorrect regarding internal control in a personal computer environment?
a. Generally, the CIS environment in which personal computers are used is less structured than a
centrally-controlled CIS environment.
b. Controls over the system development process and operations may not be viewed by the developer,
the user or management as being as important or cost-effective.
c. In almost all commercially available operating systems, the built-in security provided has gradually
increased over the years.
d. In a typical personal computer environment, the distinction between general CIS controls and CIS
application controls is easily ascertained.
52. Using microcomputers in auditing may affect the methods used to review the work of staff assistants because:
a. The audit field work standards for supervision may differ.
b. Documenting the supervisory review may require assistance of consulting services personnel.
c. Supervisory personnel may not have an understanding of the capabilities and limitations of
microcomputers.
d. Working paper documentation may not contain readily observable details of calculations.
53. An auditor anticipates assessing control risk at a low level in a computerized environment. Under these
circumstances, on which of the following procedures would the auditor initially focus?
a. Programmed control procedures.
b. Output control procedures.
c. Application control procedures.
d. General control procedures.
54. After the preliminary phase of the review of a client’s EDP controls, an auditor may decide not to perform
tests of controls (compliance tests) related to the control procedures within the EDP portion of the client’s
internal control structure. Which of the following would not be a valid reason for choosing to omit such tests?
a. The controls duplicate operative controls existing elsewhere in the structure.
b. There appear to be major weaknesses that would preclude reliance on the stated procedure.
c. The time and costs of testing exceed the time and costs in substantive testing if the tests of controls
show the controls to be operative.
d. The controls appear adequate.
55. Computer systems are typically supported by a variety of utility software packages that are important to an
auditor because they
a. May enable unauthorized changes to data files if not properly controlled.
b. Are very versatile programs that can be used on hardware of many manufacturers.
c. May be significant components of a client’s application programs.
d. Are written specifically to enable auditors to extract and sort data.
56. To obtain evidence that online access controls are properly functioning, an auditor most likely would:
a. Create checkpoints at periodic intervals after live data processing to test for unauthorized use of the
system.
b. Examine the transaction log to discover whether any transactions were lost or entered twice due to a
system malfunction.
c. Enter invalid identification numbers or passwords to ascertain whether the system rejects them.
d. Vouch a random sample of processed transactions to assure proper authorization.
57. Which of the following statements most likely represents a disadvantage for an entity that keeps
microcomputer-prepared data files rather than manually prepared files?
a. Attention is focused on the accuracy of the programming process rather than errors in individual
transactions.
b. It is usually easier for unauthorized persons to access and alter the files.
c. Random error associated with processing similar transactions in different ways is usually greater.
d. It is usually more difficult to compare recorded accountability with physical count of assets.
58. Smith Corporation has numerous customers. A customer file is kept on disk storage. Each customer file
contains name, address, credit limit, and account balance. The auditor wishes to test this file to determine
whether the credit limits are being exceeded. The best procedure for the auditor to follow would be to:
a. Develop test data that would cause some account balances to exceed the credit limit and determine if
the system properly detects such situations.
b. Develop a program to compare credit limits with account balances and print out the details of any
account with a balance exceeding its credit limit.
c. Request a printout of all account balances so they can be manually checked against the credit limits.
d. Request a printout of a sample of account balances so they can be individually checked against the
credit limits.
59. An auditor would most likely be concerned with which of the following controls in a distributed data
processing system?
a. Hardware controls.
b. Systems documentation controls.
c. Access controls.
d. Disaster recovery controls.
60. If a control total were computed on each of the following data items, which would best be identified as a hash
total for a payroll EDP application?
a. Total debits and total credits.
b. Net pay.
c. Department numbers.
d. Hours worked.
61. Which of the following is a computer test made to ascertain whether a given characteristic belongs to the
group?
a. Parity check.
b. Validity check.
c. Echo check.
d. Limit check.
62. A control feature in an electronic data processing system requires the central processing unit (CPU) to send
signals to the printer to activate the print mechanism for each character. The print mechanism, just prior to
printing, sends a signal back to the CPU verifying that the proper print position has been activated. This type
of hardware control is referred to as:
a. Echo check.
b. Signal control.
c. Validity control.
d. Check digit control.
63. Which of the following is an example of a check digit?
a. An agreement of the total number of employees to the total number of checks printed by the
computer.
b. An algebraically determined number produced by the other digits of the employee number.
c. A logic test that ensures all employee numbers are nine digits.
d. A limit check that an employee’s hours do not exceed 50 hours per work week.
64. A customer erroneously ordered Item No. 86321 rather than item No. 83621. When this order is processed,
the vendor’s EDP department would identify the error with what type of control?
a. Key verifying.
b. Batch total.
c. Self-checking digit.
d. Item inspection.
65. Internal control is ineffective when computer department personnel:
a. Participate in computer software acquisition decisions.
b. Design documentation for computerized systems.
c. Originate changes in master file.
d. Provide physical security for program files.
66. Which of the following best describes a fundamental control weakness often associated with electronic data
processing systems?
a. EDP equipment is more subject to system error than manual processing is subject to human error.
b. Monitoring is not an adequate substitute for the use of test data.
c. EDP equipment processes and records similar transactions in a similar manner.
d. Functions that would normally be separated in a manual system are combined in the EDP system
like the function of programmers and operators.
67. From an audit viewpoint, which of the following represents a potential disadvantage associated with the
widespread use of microcomputers?
a. Their portability.
b. Their ease of access by novice users.
c. Their easily developed programs using spreadsheets which do not have to be documented.
d. All of the above.
68. Which of the following functions would have the least effect on an audit if it was not properly segregated?
a. The systems analyst and the programmer functions.
b. The computer operator and programmer functions.
c. The computer operator and the user functions.
d. The applications programmer and the systems programmer.
69. To obtain evidence that user identification and password control procedures are functioning as designed, an
auditor would most likely:
a. Attempt to sign on to the system using invalid user identifications and passwords.
b. Write a computer program that simulates the logic of the client’s access control software.
c. Extract a random sample of processed transactions and ensure that the transactions were
appropriately authorized.
d. Examine statements signed by employees stating that they have not divulged their user
identifications and passwords to any other person.
70. Which of the following procedures would an entity most likely include in its disaster recovery plan?
a. Convert all data from external formats to an internal company format.
b. Maintain a program to prevent illegal activity.
c. Develop an auxiliary power supply to provide uninterrupted electricity.
d. Store duplicate copies of files in a location away from the computer center.
71. On-line real-time systems and electronic data interchange systems have the advantages of providing more
timely information and reducing the quantity of documents associated with less automated systems. The
advantages, however, may create some problems for the auditor. Which of the following characteristics of
these systems does not create an audit problem?
a. The lack of traditional documentation of transactions creates a need for greater attention to
programmed controls at the point of transaction input.
b. Hard copy may not be retained by the client for long periods of time, thereby necessitating more
frequent visits by the auditor.
c. Control testing may be more difficult given the increased vulnerability of the client's files to
destruction during the testing process.
d. Consistent on-line processing of recurring data increases the incidence of errors.
72. Compared to a manual system, a CIS generally
A. Reduces segregation of duties.
B. Increases segregation of duties.
C. Decreases manual inspection of processing results.
D. Increases manual inspection of processing results.
b. A and C.
c. A and D.
d. B and C.
e. B and D.
73. Which of the following statements most likely represents a disadvantage for an entity that keeps
microcomputer-prepared data files rather than manually prepared files?
a. It is usually more difficult to detect transposition errors.
b. Transactions are usually authorized before they are executed and recorded.
c. It is usually easier for unauthorized persons to access and alter the files.
d. Random error associated with processing similar transactions in different ways is usually greater.
74. Risk of fraud or error in on-line computer systems may be increased for the following reasons, except:
a. If workstations are located throughout the entity, the opportunity for unauthorized use of a
workstation and the entry of unauthorized transactions may increase.
b. Workstations may provide the opportunity for unauthorized uses such as modification of previously
entered transactions or balances.
c. If on-line processing is interrupted for any reason, for example, due to faulty telecommunications,
there may be a greater chance that transactions or files may be lost and that the recovery may not be
accurate and complete.
d. If transactions are processed immediately on-line, there is less risk that they will be processed in the
wrong accounting period.
75. A service auditor's report on a service center should include a(n):
a. Detailed description of the service center's internal control.
b. Statement that the user of the report may assess control risk at the minimum level.
c. Indication that no assurance is provided.
d. Opinion on the operating effectiveness of the service center's internal control.
76. Which of the following is a password security problem?
a. Users are assigned passwords when accounts are created, but do not change them.
b. Users have accounts on several systems with different passwords.
c. Users copy their passwords on note paper, which is kept in their wallets.
d. Users select passwords that are not listed in any online dictionary.
77. Which of the following is least likely to be a general control over computer activities?
a. Procedures for developing new programs and systems.
b. Requirements for system documentation.
c. A change request log.
d. A control total.
78. Which of the following computer related employees should not be allowed access to program listings of
application programs?
a. The systems analyst.
b. The programmer.
c. The operator.
d. The librarian.
79. Which of the following standards or group of standards is mostly affected by a computerized information
system environment?
a. General standards.
b. Reporting standards.
c. Second standard of field work.
d. Standards of fieldwork.
80. Which of the following is least considered if the auditor has to determine whether specialized CIS skills are
needed in an audit?
a. The auditor needs to obtain a sufficient understanding of the accounting and internal control system
affected by the CIS environment.
b. The auditor needs to determine the effect of the CIS environment on the assessment of overall risk
and of risk at the account balance and class of transactions level.
c. Design and perform appropriate tests of controls and substantive procedures.
d. The need of the auditor to make analytical procedures during the completion stage of audit.
81. It relates to materiality of the financial statement assertions affected by the computer processing.
a. Threshold.
b. Relevance.
c. Complexity.
d. Significance.
82. Which of the following is an example of general computer control?
a. Input validation checks.
b. Control total.
c. Operations manual.
d. Generalized audit software.
83. Which of the following would the auditors consider to be a weakness in an IT system?
a. Operators have access to terminals.
b. Programmers are allowed access to the file library.
c. Reprocessing of exceptions detected by the computer is handled by a data control group.
d. More than one employee is present when the computer facility is in use.
84. A problem for a CPA associated with advanced IT systems is that:
a. The audit trail normally does not exist.
b. The audit trail is sometimes generated only in machine readable form.
c. The client's internal auditors may have been involved at the design stage.
d. Tests of controls are not possible.
85. General controls over IT systems are typically tested using:
a. Generalized audit software.
b. Observation, inspection and inquiry.
c. Program analysis techniques.
d. Test data.
86. Which of the following personnel is responsible for determining the computer processing needs of the various
users?
a. The application programmer.
b. The computer operator.
c. The systems analyst.
d. The systems programmer.
87. The best method of achieving internal control over advanced IT systems is through the use of:
a. Batch controls.
b. Controls written into the computer system.
c. Equipment controls.
d. Documentation controls.
88. Which of the following personnel is responsible for the proper functioning of the security features built into
the operating system?
a. The systems programmer.
b. The application programmer.
c. The computer operator.
d. The telecommunications specialist.
89. When designing the physical layout of a data processing center, which of the following would be least likely
to be a necessary control that is considered?
a. Design of controls to restrict access.
b. Adequate physical layout space for the operating system.
c. Inclusions of an adequate power supply system with surge protection.
d. Consideration of risks related to other uses of electricity in the area.
90. Which of the following is not a data transmission control?
a. Data encryption.
b. Parity check.
c. Message acknowledgment techniques.
d. Distributed data processing.
91. If a control total were to be computed on each of the following data items, which would best be identified as
a hash total for a payroll computer application?
a. Net pay.
b. Department numbers.
c. Hours worked.
d. Total debits and total credits.
92. In their consideration of a client's IT controls, the auditors will encounter general controls and application
controls. Which of the following is an application control?
a. The operations manual.
b. Hash total.
c. Systems documentation.
d. Control over program changes.
93. When erroneous data are detected by computer program controls, such data may be excluded from processing
and printed on an exception report. The exception report should most probably be reviewed and followed up
on by the:
a. Supervisor of computer operations.
b. Systems analyst.
c. Data control group.
d. Computer programmer.
94. An auditor may decide not to perform tests of controls related to the control activities within the computer
portion of the client's internal control. Which of the following would not be a valid reason for choosing to
omit such test?
a. The controls duplicate operative controls existing elsewhere.
b. There appear to be major weaknesses that would preclude reliance on the stated procedure.
c. The time and dollar costs of testing exceed the time and dollar savings in substantive testing if the
tests show the controls to be operative.
d. The controls appear adequate.
95. A control feature in a computer system requires the central processing unit (CPU) to send signals to the
printer to activate the print mechanism for each character. The print mechanism, just prior to printing, sends a
signal back to the CPU verifying that the proper print position has been activated. This type of data
transmission is referred to as:
a. Echo control.
b. Validity control.
c. Signal control.
d. Check digit control.
96. Which of the following constitutes a weakness in the internal control of a computer system?
a. One generation of backup files is stored in an off-premises location.
b. Machine operators distribute error messages to the control group.
c. Machine operators do not have access to the complete systems manual.
d. Machine operators are supervised by the programmer.
97. The completeness of computer-generated sales figures can be tested by comparing the number of items listed
on the daily sales report with the number of items billed on the actual invoices. This process uses:
a. Self-checking numbers.
b. Control totals.
c. Validity tests.
d. Process tracing data.
98. In the weekly computer run to prepare payroll checks, a check was printed for an employee who had been
terminated the previous week. Which of the following controls, if properly utilized, would have been most
effective in preventing the error or ensuring its prompt detection?
a. A control total for hours worked, prepared from time cards collected by the timekeeping department.
b. Requiring the treasurer's office to account for the numbers of the prenumbered checks issued to the
computer department for the processing of the payroll.
c. Use of a check digit for employee numbers.
d. Use of a header label for the payroll input sheet.
99. The primary reason for internal auditing's involvement in the development of new computer-based systems is
to:
a. Plan post-implementation reviews.
b. Promote adequate controls.
c. Train auditors in CIS techniques.
d. Reduce overall audit effort.
100. The increased presence of the microcomputer in the workplace has resulted in an increasing number of
persons having access to the computer. A control that is often used to prevent unauthorized access to
sensitive programs is:
a. Backup copies of the diskettes.
b. Passwords for each of the users.
c. Disaster-recovery procedures.
d. Record counts of the number of input transactions in a batch being processed.
101. Checklists, systems development methodology, and staff hiring are examples of what type of controls?
a. Detective.
b. Preventive.
c. Subjective.
d. Corrective.
102. When an on-line, real-time computer-based processing system is in use, internal control can be strengthened
by:
a. Providing for the separation of duties between keypunching and error listing operations.
b. Attaching plastic file protection rings to reels of magnetic tape before new data can be entered on the
file.
c. Making a validity check of an identification number before a user can obtain access to the computer
files.
d. Preparing batch totals to provide assurance that file updates are made for the entire input.
103. Company A has recently converted its manual payroll to a computer-based system. Under the old system,
employees who had resigned or been terminated were occasionally kept on the payroll and their checks were
claimed and cashed by other employees, in collusion with shop foremen. The controller is concerned that this
practice not be allowed to continue under the new system. The best control for preventing this form of
"payroll padding" would be to:
a. Conduct exit interviews with all employees leaving the company, regardless of reason.
b. Require foremen to obtain a signed receipt from each employee claiming a payroll check.
c. Require the human resources department to authorize all hires and terminations, and to forward a
current computerized list of active employee numbers to payroll prior to processing. Program the
computer to reject inactive employee numbers.
d. Install time clocks for use by all hourly employees.
104. One of the major problems in a CIS is that incompatible functions may be performed by the same individual.
One compensating control for this is the use of:
a. Echo checks.
b. A self-checking digit system.
c. Computer generated hash totals.
d. A computer log.
105. These require a database administrator to assign security attributes to data that cannot be changed by database
users.
a. Discretionary access controls.
b. Name-dependent restrictions.
c. Mandatory access controls.
d. Content-dependent restrictions.
106. A discretionary access control wherein users are permitted or denied access to data resource depending on the
time series of accesses to and actions they have undertaken on data resources.
a. Name-dependent restrictions.
b. Context-dependent restrictions.
c. Content-dependent restrictions.
d. History-dependent restrictions.
107. The effect of a database system on the accounting system and the associated risks will least likely depend on:
a. The extent to which databases are being used by accounting applications.
b. The type and significance of financial transactions being processed.
c. The nature of the database, the DBMS, the database administration tasks and the applications.
d. The CIS application controls.
108. Which of the following processing controls would be most effective in assisting a store manager to ascertain
whether the payroll transaction data were processed in their entirety?
a. Payroll file header record.
b. Transaction identification codes.
c. Processing control totals.
d. Programmed exception reporting.
109. An organizational control over CIS operations is:
a. Run-to-run balancing of control totals.
b. Check digit verification of unique identifiers.
c. Separation of operating and programming functions.
d. Maintenance of output distribution logs.
110. An unauthorized employee took computer printouts from output bins accessible to all employees. A control
which would have prevented this occurrence is:
a. A storage/retention control.
b. A spooler file control.
c. An output review control.
d. A report distribution control.
111. Which of the following audit techniques most likely would provide an auditor with the most assurance about
the effectiveness of the operation of an internal control procedure?
a. Inquiry of client personnel.
b. Recomputation of account balance amounts.
c. Observation of client personnel.
d. Confirmation with outside parties.
112. Adequate technical training and proficiency as an auditor encompasses an ability to understand a CIS
sufficiently to identify and evaluate:
a. The processing and imparting of information.
b. Essential accounting control features.
c. All accounting control features.
d. The degree to which programming conforms with application of generally accepted accounting
principles.
113. Adequate control over access to data processing is required to:
a. Prevent improper use or manipulation of data files and programs.
b. Ensure that only console operators have access to program documentation.
c. Minimize the need for backup data files.
d. Ensure that hardware controls are operating effectively and as designed by the computer
manufacturer.
114. In studying a client's internal controls, an auditor must be able to distinguish between prevention controls and
detection controls. Of the following data processing controls, which is the best detection control?
a. Use of data encryption techniques.
b. Review of machine utilization logs.
c. Policy requiring password security.
d. Backup and recovery procedure.
115. A control to verify that the dollar amounts for all debits and credits for incoming transactions are posted to a
receivables master file is the:
a. Generation number check.
b. Master reference check.
c. Hash total.
d. Control total.
116. The program flowcharting symbol representing a decision is a:
a. Triangle.
b. Circle.
c. Rectangle.
d. Diamond.
117. CIS controls are frequently classified as to general controls and application controls. Which of the following
is an example of an application control?
a. Programmers may access the computer only for testing and "debugging" programs.
b. All program changes must be fully documented and approved by the information systems manager
and the user department authorizing the change.
c. A separate data control group is responsible for distributing output, and also compares input and
output on a test basis.
d. In processing sales orders, the computer compares customer and product numbers with internally
stored lists.
118. After a preliminary phase of the review of a client's CIS controls, an auditor may decide not to perform
further tests related to the control procedures within the CIS portion of the client's internal control system.
Which of the following would not be a valid reason for choosing to omit further testing?
a. The auditor wishes to further reduce assessed risk.
b. The controls duplicate operative controls existing elsewhere in the system.
c. There appear to be major weaknesses that would preclude reliance on the stated procedures.
d. The time and dollar costs of testing exceed the time and dollar savings in substantive testing if the
controls are tested for compliance.
119. For good internal control over computer program changes, a policy should be established requiring that:
a. The programmer designing the change adequately tests the revised program.
b. All program changes be supervised by the CIS control group.
c. Superseded portions of programs be deleted from the program run manual to avoid confusion.
d. All proposed changes be approved in writing by a responsible individual.
120. Which of the following is not a technique for testing data processing controls?
a. The auditor develops a set of payroll test data that contain numerous errors. The auditor plans to
enter these transactions into the client's system and observe whether the computer detects and
properly responds to the error conditions.
b. The auditor utilizes the computer to randomly select customer accounts for confirmation.
c. The auditor creates a set of fictitious customer accounts and introduces hypothetical sales
transactions, as well as sales returns and allowances, simultaneously with the client's live data
processing.
d. At the auditor's request, the client has modified its payroll processing program so as to separately
record any weekly payroll entry consisting of 60 hours or more. These separately recorded
("marked") entries are locked into the system and are available only to the auditor.
121. Which of the following would lessen internal control in a CIS?
a. The computer librarian maintains custody of computer program instructions and detailed listings.
b. Computer operators have access to operator instructions and detailed program listings.
c. The control group is solely responsible for the distribution of all computer output.
d. Computer programmers write and debug programs which perform routines designed by the systems
analyst.
122. Access control in an on-line CIS can best be provided in most circumstances by:
a. An adequate librarianship function controlling access to files.
b. A label affixed to the outside of a file medium holder that identifies the contents.
c. Batch processing of all input through a centralized, well-guarded facility.
d. User and terminal identification controls, such as passwords.
123. Reconciling processing control totals is an example of:
a. An input control.
b. An output control.
c. A processing control.
d. A file management control.
124. The completeness of computer-generated sales figures can be tested by comparing the number of items listed
on the daily sales report with the number of items billed on the actual invoices. This process uses:
a. Check digits.
b. Control totals.
c. Validity tests.
d. Process tracing data.
125. Which of the following controls would be most efficient in reducing common data input errors?
a. Keystroke verification.
b. A set of well-designed edit checks.
c. Balancing and reconciliation.
d. Batch totals.
126. Which of the following is a computer test made to ascertain whether a given characteristic belongs to the
group?
a. Parity check.
b. Validity check.
c. Echo check.
d. Limit check.
127. An auditor's consideration of a company's computer control activities has disclosed the following four
circumstances. Indicate which circumstance constitutes a significant deficiency in internal control.
a. Computer operators do not have access to the complete software support documentation.
b. Computer operators are closely supervised by programmers.
c. Programmers are not authorized to operate computers.
d. Only one generation of backup files is stored in an off-premises location.
128. Accounting functions that are normally considered incompatible in a manual system are often combined by
computer software. This necessitates an application control that prevents unapproved:
a. Access to the computer library.
b. Revisions to existing software.
c. Usage of software.
d. Testing of modified software.
129. In a computer system, hardware controls are designed to:
a. Arrange data in a logical sequence for processing.
b. Correct errors in software.
c. Monitor and detect errors in source documents.
d. Detect and control errors arising from use of equipment.
130. The normal sequence of documents and operations on a well-prepared systems flowchart is:
a. Top to bottom, left to right.
b. Bottom to top, left to right.
c. Top to bottom, and right to left.
d. Bottom to top and right to left.
131. To obtain evidential matter about control risk, an auditor ordinarily selects tests from a variety of techniques
including
a. Analysis.
b. Confirmations.
c. Reprocessing.
d. Comparison.
132. A procedural control used in the management of a computer center to minimize the possibility of data or
program file destruction through operator error includes:
a. Control figures.
b. Crossfooting tests.
c. Limit checks.
d. External labels.
133. In updating a computerized accounts receivable file, which one of the following would be used as a batch
control to verify the accuracy of the posting of cash receipts remittances?
a. The sum of the cash deposits plus the discounts less the sales returns.
b. The sum of the cash deposits plus the discounts taken by customers.
c. The sum of the cash deposits.
d. The sum of the cash deposits less the discounts taken by customers.
134. The client’s computerized exception reporting system helps an auditor to conduct a more efficient audit
because it:
a. Condenses data significantly.
b. Highlights abnormal conditions.
c. Decreases the tests of computer control requirements.
d. Is efficient computer input control.
135. Which of the following computer documentation would an auditor most likely utilize in obtaining an
understanding of the internal control system?
a. Systems flowchart.
b. Record counts.
c. Program listings.
d. Record layouts.
136. An EDP input control is designed to ensure that:
a. Machine processing is accurate.
b. Only authorized personnel have access to the computer area.
c. Data received for processing are properly authorized and converted to machine-readable form.
d. Electronic data processing has been performed as intended for the particular application.
137. Which of the following most likely represents a weakness in the financial controls of an EDP system?
a. The systems analyst reviews output and controls the distribution of output from the EDP department.
b. The accounts payable clerk prepares data for computer processing and enters the data into the
computer.
c. The systems programmer designs the operating and control functions of programs and participates in
testing operating systems.
d. The control clerk establishes control over data received by the EDP department and reconciles
control totals after processing.
138. When an accounting application is processed by computer, an auditor cannot verify the reliable operation of
programmed control procedures by:
a. Manually comparing detail transaction files used by an edit program to the program’s generated
error listings in order to determine that errors were properly identified by the edit program.
b. Constructing a processing system for accounting applications and processing actual data from
throughout the period through both the client’s program and the auditor’s program.
c. Manually reperforming, as at a given point in time, the processing of input data and comparing the
simulated results to the actual results.
d. Periodically submitting auditor-prepared test data to the same computer process and evaluating the
results.
139. Which of the following is a general control that most likely would assist an entity whose systems analyst left
the entity in the middle of a major project?
a. Grandfather-father-son record retention.
b. Input and output validation routines.
c. Systems documentation.
d. Check digit verification.
140. Control procedures within the computer system may leave no visible evidence indicating that the procedures
were performed. In such instances, the auditor should test these computer controls by:
a. Making corroborative inquiries.
b. Observing the separation of duties of personnel.
c. Reviewing transactions submitted for processing and comparing them to related output.
d. Reviewing the run manual.
141. To gain access to a bank’s on-line customer systems, users must validate themselves by means of a user
identification code and password. The purpose of this procedure is to provide:
a. Data security.
b. Physical security.
c. Context-dependent security.
d. Write-protection security.
142. A hash total of employee numbers is part of the input to a payroll master file update program. The program
compares the hash total to the total computed for transactions applied to the master file. The purpose of this
procedure is to:
a. Verify that employee numbers are valid.
b. Verify that only authorized employees are paid.
c. Detect errors in payroll calculations.
d. Detect the omission of transaction processing.
143. An accounts payable program posted a payable to a vendor not included in the on-line vendor master file. A
control which would prevent this error is a:
a. Validity check.
b. Range check.
c. Reasonableness test.
d. Parity check.
144. In a computerized sales processing system, which of the following controls is most effective in preventing
sales invoice pricing errors?
a. Sales invoices are reviewed by the product managers before being mailed to customers.
b. Current sales prices are stored in the computer, and, as stock numbers are entered from sales orders,
the computer automatically prices the orders.
c. Sales prices, as well as product numbers, are entered as sales orders are entered at remote terminal
locations.
d. Sales prices are reviewed and updated on a quarterly basis.
145. Which of the following is likely to be of least importance to an auditor in reviewing the internal control in a
company with a CIS?
a. The segregation of duties within the data processing center.
b. The control over source documents.
c. The documentation maintained for accounting applications.
d. The cost/benefit ratio of data processing operations.
146. In a distributed data base environment, control tests for access control administration can be designed which
focus on:
a. Prohibition of random access.
b. Analysis of system generated core dumps.
c. Reconciliation of batch control totals.
d. Examination of logged activity.
147. To ensure that goods received are the same as those shown on the purchase invoice, a computerized system
should:
a. Match selected fields of the purchase invoice to goods received.
b. Maintain control totals of inventory value.
c. Calculate batch totals for each input.
d. Use check digits in account numbers.
148. Which of the following is correct concerning batch processing of transactions?
a. Transactions are processed in the order they occur, regardless of type.
b. It has largely been replaced by on-line real-time processing in all but legacy systems.
c. It is more likely to result in an easy-to-follow audit trail than is on-line transaction processing.
d. It is used only in non-database applications.
149. Which of the following strategies would a CPA most likely consider in auditing an entity that processes most
of its financial data only in electronic form, such as a paperless system?
a. Continuous monitoring and analysis of transaction processing with an embedded audit module.
b. Increased reliance on internal control activities that emphasize the segregation of duties.
c. Verification of encrypted digital certificates used to monitor the authorization of transactions.
d. Extensive testing of firewall boundaries that restrict the recording of outside network traffic.
150. Computer systems are typically supported by a variety of utility software packages that are important to an
auditor because they:
a. May enable unauthorized changes to data files if not properly controlled.
b. Are very versatile programs that can be used on hardware of many manufacturers.
c. May be significant components of a client’s application programs.
d. Are written specifically to enable auditors to extract and sort data.
151. Which of the following types of evidence would an auditor most likely examine to determine whether internal
control is operating as designed?
a. Gross margin information regarding the client’s industry.
b. Confirmations of receivables verifying account balances.
c. Client records documenting the use of computer programs.
d. Anticipated results documented in budgets or forecasts.
152. Which of the following is not considered an exposure involved with electronic data interchange (EDI)
systems as compared to other systems?
a. Increased reliance upon computer systems.
b. Delayed transaction processing time.
c. Possible loss of confidentiality of information.
d. Increased reliance upon third parties.
153. Which of the following is usually a benefit of transmitting transactions in an electronic data interchange
(EDI) environment?
a. A compressed business cycle with lower year-end receivables balances.
b. A reduced need to test computer controls related to sales and collections transactions.
c. An increased opportunity to apply statistical sampling techniques to account balances.
d. No need to rely on third-party service providers to ensure security.
154. An entity has the following invoices in a batch:
Invoice No.    Product    Quantity    Unit price
201            F10        150         P 5.00
202            G15        200           10.00
203            H20        250           25.00
204            K35        300           30.00
a. FGJK80.
b. 4.
c. 810.
d. 900.
155. A company's management has expressed concern over the varied system architectures that the organization
uses. Potential security and control concerns would include all of the following except:
a. Users may have different user ID codes and passwords to remember for the several systems that they
use.
b. There are difficulties in developing uniform security standards for the various platforms.
c. Backup file storage administration is often decentralized.
d. Having data distributed across many computers throughout the organization increases the risk that a
single disaster would destroy large portions of the organization's data.
156. Client/server architecture may potentially involve a variety of hardware, systems software, and application
software from many vendors. The best way to protect a client/server system from unauthorized access is
through:
a. A combination of application and general access control techniques.
b. Use of a commercially available authentication system.
c. Encryption of all network traffic.
d. Thorough testing and evaluation of remote procedure calls.
157. Able Co. uses an on-line sales order processing system to process its sales transactions. Able’s sales data are
electronically sorted and subjected to edit checks. A direct output of the edit checks most likely would be a:
a. Report of all missing sales invoices.
b. File of all rejected sales transactions.
c. Printout of all user code numbers and passwords.
d. List of all voided shipping documents.
158. First Federal S & L has an on-line real-time system, with terminals installed in all of its branches. This
system will not accept a customer’s cash withdrawal instructions in excess of P1,000 without the use of a
“terminal audit key.” After the transaction is authorized by a supervisor, the bank teller then processes the
transaction with the audit key. This control can be strengthened by
a. On-line recording of the transaction on an audit override sheet.
b. Increasing the peso amount to P1,500.
c. Requiring manual, rather than on-line, recording of all such transactions.
d. Using parallel simulation.
159. Mill Co. uses a batch processing method to process its sales transactions. Data on Mill’s sales transaction tape
are electronically sorted by customer number and are subjected to programmed edit checks in preparing its
invoices, sales journals, and updated customer account balances. One of the direct outputs of the creation of
this tape most likely would be a:
a. Report showing exceptions and control totals.
b. Printout of the updated inventory records.
c. Report showing overdue accounts receivable.
d. Printout of the sales price master file.
160. Laptop computers provide automation outside of the normal office location. Which of the following would
provide the least security for sensitive data stored on a laptop computer?
a. Encryption of data files on the laptop computer.
b. Setting up a password for the screensaver program on the laptop computer.
c. Using a laptop computer with a removable hard disk drive.
d. Using a locking device that can secure the laptop computer to an immovable object.
161. When developing a new computer system that will handle customer orders and process customer payments, a
high-level systems design phase would include determination of which of the following?
a. How the new system will affect current inventory and general ledger systems.
b. How the file layouts will be structured for the customer order records.
c. Whether to purchase a turn-key system or modify an existing system.
d. Whether formal approval by top management is needed for the new system.
162. A company using EDI made it a practice to track the functional acknowledgments from trading partners and
to issue warning messages if acknowledgments did not occur within a reasonable length of time. What risk
was the company attempting to address by this practice?
a. Transactions that have not originated from a legitimate trading partner may be inserted into the EDI
network.
b. Transmission of EDI transactions to trading partners may sometimes fail.
c. There may be disagreement between the parties as to whether the EDI transactions form a legal
contract.
d. EDI data may not be accurately and completely processed by the EDI software.
163. Management is concerned that data uploaded from a microcomputer to the company’s mainframe system in
batch processing may be erroneous. Which of the following controls would best address this issue?
a. The mainframe computer should be backed up on a regular basis.
b. Two persons should be present at the microcomputer when it is uploading data.
c. The mainframe computer should subject the data to the same edits and validation routines that on-
line data entry would require.
d. The users should be required to review a random sample of processed data.
164. Which of the following is a risk that is higher when an electronic funds transfer (EFT) system is used?
a. Improper change control procedures.
b. Unauthorized access and activity.
c. Insufficient on-line edit checks.
d. Inadequate backups and disaster recovery procedures.
165. The use of message encryption software:
a. Guarantees the secrecy of data.
b. Requires manual distribution of keys.
c. Increases system overhead.
d. Reduces the need for periodic password changes.
166. The internal auditor is reviewing a new policy on electronic mail. Appropriate elements of such a policy
would include all of the following except:
a. Erasing all of an employee’s electronic mail immediately upon employment termination.
b. Encrypting electronic mail messages when transmitted over phone lines.
c. Limiting the number of electronic mail packages adopted by the organization.
d. Directing that personnel do not send highly sensitive or confidential messages using electronic mail.
167. Which of the following risks is not greater in an electronic funds transfer (EFT) environment than in a manual
system using paper transactions?
a. Unauthorized access and activity.
b. Duplicate transaction processing.
c. Higher cost per transaction.
d. Inadequate backup and recovery capabilities.
168. Methods to minimize the installation of unlicensed microcomputer software include all of the following
except:
a. Employee awareness programs.
b. Regular audits for unlicensed software.
c. Regular monitoring of network access and start-up scripts.
d. An organizational policy that includes software licensing requirements.
169. In traditional information systems, computer operators are generally responsible for backing up software and
data files on a regular basis. In distributed or cooperative systems, ensuring that adequate backups are taken is
the responsibility of:
a. User management.
b. Systems programmers.
c. Data entry clerks.
d. Tape librarians.
170. Which of the following statements is correct regarding the Internet as a commercially viable network?
a. Organizations must use firewalls if they wish to maintain security over internal data.
b. Companies must apply to the Internet to gain permission to create a homepage to engage in
electronic commerce.
c. Companies that wish to engage in electronic commerce on the Internet must meet required security
standards established by the coalition of Internet providers.
d. All of the above.
171. A widely used disaster recovery approach includes:
a. Encryption.
b. Firewalls.
c. Regular backups.
d. Surge protectors.
172. A “hot site” is most frequently associated with:
a. Disaster recovery.
b. On-line relational database design.
c. Source programs.
d. Temperature control for computer.
173. Output controls ensure that the results of computer processing are accurate, complete, and properly
distributed. Which of the following is not a typical output control?
a. Reviewing the computer processing logs to determine that all of the correct computer jobs executed
properly.
b. Matching input data with information on master files and placing unmatched items in a suspense file.
c. Periodically reconciling output reports to make sure that totals, formats, and critical details are
correct and agree with input.
d. Maintaining formal procedures and documentation specifying authorized recipients of output
reports, checks, or other critical documents.
174. Minimizing the likelihood of unauthorized editing of production programs, job control language, and
operating system software can best be accomplished by:
a. Database access reviews.
b. Compliance reviews.
c. Good change-control procedures.
d. Effective network security software.
175. A corporation receives the majority of its revenue from top-secret military contracts with the government.
Which of the following would be of greatest concern to an auditor reviewing a policy about selling the
company’s used microcomputers to outside parties?
a. Whether deleted files on the hard disk drive have been completely erased.
b. Whether the computer has viruses.
c. Whether all software on the computer is properly licensed.
d. Whether the computer has terminal emulation software on it.
176. A manufacturer is considering using bar-code identification for recording information on parts used by the
manufacturer. A reason to use bar codes rather than other means of identification is to ensure that:
a. The movement of all parts is recorded.
b. The movement of parts is easily and quickly recorded.
c. Vendors use the same part numbers.
d. Vendors use the same identification methods.
177. A company often revises its production processes. The changes may entail revisions to processing programs.
Ensuring that changes have a minimal impact on processing and result in minimal risk to the system is a
function of:
a. Security administration.
b. Change control.
c. Problem tracking.
d. Problem-escalation procedures.
178. Good planning will help an organization restore computer operations after a processing outage. Good
recovery planning should ensure that:
a. Backup/restart procedures have been built into job streams and programs.
b. Change control procedures cannot be bypassed by operating personnel.
c. Planned changes in equipment capacities are compatible with projected workloads.
d. Service level agreements with owners of applications are documented.
179. In a large organization, the biggest risk in not having an adequately staffed information center help desk is:
a. Increased difficulty in performing application audits.
b. Inadequate documentation for application systems.
c. Increased likelihood of use of unauthorized program code.
d. Persistent errors in user interaction with systems.
180. To properly control access to accounting database files, the database administrator should ensure that
database system features are in place to permit:
a. Read-only access to the database files.
b. Updating from privileged utilities.
c. Access only to authorized logical views.
d. User updates of their access profiles.
181. When evaluating internal control of an entity that processes sales transactions on the Internet, an auditor
would be most concerned about the
a. Lack of sales invoice documents as an audit trail.
b. Potential for computer disruptions in recording sales.
c. Inability to establish an integrated test facility.
d. Frequency of archiving and data retention.
182. Which of the following statements is correct concerning internal control in an electronic data interchange
(EDI) system?
a. Preventive controls generally are more important than detective controls in EDI systems.
b. Control objectives for EDI systems generally are different from the objectives for other information
systems.
c. Internal controls in EDI systems rarely permit control risk to be assessed at below the maximum.
d. Internal controls related to the segregation of duties generally are the most important controls in EDI
systems.
183. Preventing someone with sufficient technical skill from circumventing security procedures and making
changes to production programs is best accomplished by
a. Reviewing reports of jobs completed.
b. Comparing production programs with independently controlled copies.
c. Running test data periodically.
d. Providing suitable segregation of duties.
184. Computer program libraries can best be kept secure by:
a. Installing a logging system for program access.
b. Monitoring physical access to program library media.
c. Restricting physical and logical access.
d. Denying access from remote terminals.
185. Which of the following security controls would best prevent unauthorized access to sensitive data through an
unattended data terminal directly connected to a mainframe?
a. Use of a screen saver with a password.
b. Use of workstation scripts.
c. Encryption of data files.
d. Automatic log-off of inactive users.
186. A customer intended to order 100 units of product Z96014, but incorrectly ordered nonexistent product
Z96015. Which of the following controls most likely would detect this error?
a. Check digit verification.
b. Record count.
c. Hash total.
d. Redundant data check.
187. The use of a header label in conjunction with magnetic tape is most likely to prevent errors by the
a. Computer operator.
b. Keypunch operator.
c. Computer programmer.
d. Maintenance technician.
188. Which of the following input controls is a numeric value computed to provide assurance that the original
value has not been altered in construction or transmission?
a. Hash total.
b. Parity check.
c. Encryption.
d. Check digit.
189. Which of the following is an example of a validity check?
a. The computer ensures that a numerical amount in a record does not exceed some predetermined
amount.
b. As the computer corrects errors and data are successfully resubmitted to the system, the causes of
the errors are printed out.
c. The computer flags any transmission for which the control field value did not match that of an
existing file record.
d. After data for a transaction are entered, the computer sends certain data back to the terminal for
comparison with data originally sent.
190. Which of the following activities most likely would detect whether payroll data were altered during
processing?
a. Monitor authorized distribution of data control sheets.
b. Use test data to verify the performance of edit routines.
c. Examine source documents for approval by supervisors.
d. Segregate duties between approval of hardware and software specifications.
191. Which of the following tools would best give a graphical representation of a sequence of activities and
decisions?
Prepared by: Mohammad Muariff S. Balang, CPA, Second Semester, AY 2012-2013
a. Flowchart.
b. Control chart.
c. Histogram.
d. Run chart.
192. A well-prepared flowchart should make it easier for the auditor to
a. Prepare audit procedure manuals.
b. Prepare detailed job descriptions.
c. Trace the origin and disposition of documents.
d. Assess the degree of accuracy of financial
193. Which of the following is least likely a risk characteristic associated with CIS environment?
a. Errors embedded in an application program’s logic may be difficult to manually detect on a timely
basis.
b. Many control procedures that would ordinarily be performed by separate individuals in a manual
system may be concentrated in CIS.
c. The potential unauthorized access to data or to alter them without visible evidence may be greater.
d. Initiation of changes in the master file is exclusively handled by respective users.
194. Corrections to transaction data in which errors have been detected should be made by the:
a. Computer operator.
b. Data control check.
c. Programmer.
d. User department.
195. In order to maintain good internal control:
a. Computer operators need to be good programmers.
b. Programmers should have control over day to day production runs.
c. Computer operators should be allowed to make changes in programs as needed in order to keep the
computer running.
d. Programmers and computer operators should be in separate organization units of the IS function.
196. Which of the following responsibilities should not be assigned to members of the IS function?
a. Designing new information systems.
b. Preparing documentation for new information systems.
c. Initiating changes to the files maintained in the database.
d. Processing transaction data.
197. Which is the most objectionable assignment of responsibilities within the IS function?
a. Programmers maintain the processing and output controls for applications.
b. Systems analysts maintain systems documentation.
c. Data processing supervisors schedule the processing time for applications.
d. Data control clerks establish controls over batches of transactions received from user departments.
198. An auditor would be most likely to assess control risk at the maximum level in an electronic environment
with automated system-generated information when:
a. Sales orders are initiated using predetermined, automated decision rules.
b. Payables are based on many transactions and large in peso amount.
c. Fixed asset transactions are few in number, but large in peso amount.
d. Accounts receivable records are based on many transactions and are large in peso amount.
199. In a highly automated information processing system, tests of control:
a. Must be performed in all circumstances.
b. May be required in some circumstances.
c. Are never required.
d. Are required in first year audits.
200. Which of the following is least likely to be considered by an auditor considering engagement of an
information technology (IT) specialist on an audit?
a. Complexity of client’s systems and IT controls.
b. Requirements to assess going concern status.
c. Client’s use of emerging technologies.
d. Extent of entity’s participation in electronic commerce.
201. A warehouse employee of a retail firm concealed the theft of merchandise inventory items by entering
adjustments to the computer based IS inventory records indicating that the items had been damaged or lost.
Which control would be most suitable for preventing this fraud?
a. Check digits in inventory item numbers.
b. Validity checks on inventory item numbers.
c. Passwords allowing changes to inventory records that are assigned only to authorized employees.
d. Removal of computer terminals from the warehouse.
202. Which of the following least likely protects critical and sensitive information from unauthorized access in a
personal computer environment?
a. Using secret file names and hiding the files.
b. Keeping of backup copies offsite.
c. Employing passwords.
d. Segregating data into files organized under separate file directories.
203. Which of the following represents a sound organizational control with respect to information system
activities?
a. Allowing the user departments to specify data processing standards.
b. Allowing the user departments to prepare input data.
c. Allowing the user departments to report to the head computer operator.
d. Allowing the user departments to submit data for processing directly to the computer operators.
204. Which of the following is a violation of internal control in a computer-based system?
a. Computer operators are provided program documentation.
b. The data control unit is solely responsible for the distribution of all computer output.
c. Computer programmers write programs based on specifications developed by the systems analyst.
d. Systems analysts design new computer based procedures.
205. Operating documentation is of primary interest to:
a. Computer operators.
b. Computer programmers.
c. Systems analysts.
d. Users.
206. A company performs a daily backup of critical data and software files and stores the backup tapes at an
offsite location. The back-up tapes are used to restore the files in case of a disruption. This is a:
a. Preventive control.
b. Detective control.
c. Corrective control.
d. Management control.
207. Which of the following is the most critical control over database administration (DBA)?
a. Approval of DBA activities.
b. Segregation of duties.
c. Review of access logs and activities.
d. Review of the use of database tools.
208. When a complete segregation of duties cannot be achieved in an on-line system environment, which of the
following functions should be separated from the others?
a. Authorization.
b. Origination.
c. Recording.
d. Correction.
209. In a small organization where segregation of duties is not practical, an employee performs the function of
computer operator and applications programmer. Which of the following controls should an IS auditor
recommend?
a. Automated logging of changes to development libraries.
b. Additional staff to provide segregation of duties.
c. Procedures that verify that only approved program changes are implemented.
d. Access controls to prevent the operator from making program modifications.
210. In a risk-based audit approach, the IS auditor must consider the inherent risk as well as considering:
a. How to eliminate the risk through the application of controls.
b. The balance of loss potential versus the cost of implementing controls.
c. Whether the risk is material, regardless of management’s tolerance for risk.
d. Whether the residual risk is higher than the insurance coverage purchased.
211. A poor choice of passwords and transmission over unprotected communication lines are examples of:
a. Vulnerabilities.
b. Threats.
c. Probabilities.
d. Impacts.
212. An IS auditor is planning an audit of a bank wire transfer system in the context of a regulation that requires
banks to accurately report transactions. Which of the following represents the primary focus of the audit
scope?
a. Data availability.
b. Data confidentiality.
c. Data integrity.
d. Currency of data.
213. Which of the following least likely indicates a complexity of computer processing?
a. Transactions are exchanged electronically with other organizations without manual review of their
propriety.
b. The volume of the transactions is such that users would find it difficult to identify and correct errors
in processing.
c. The computer automatically generates material transactions or entries directly to another
application.
d. The system generates a daily exception report.
214. In planning the portions of the audit which may be affected by the client’s CIS environment, the auditor
should obtain an understanding of the significance and complexity of the CIS activities and availability of
data for use in the audit. The following relate to the complexity of CIS activities, except when:
a. Transactions are exchanged electronically with other organizations.
b. Complicated computations of financial information are performed by the computer and/or material
transactions or entries are generated automatically without independent validation.
c. Material financial statement assertions are affected by the computer processing.
d. The volume of transactions is such that users would find it difficult to identify and correct errors in
processing.
215. Which of the following is not an advantage of a computerized accounting system?
a. Computers process transactions uniformly.
b. Computers help alleviate human errors.
c. Computers can process many transactions quickly.
d. Computers leave a thorough audit trail which can be easily followed.
216. The nature of the risks and the internal characteristics in CIS environment that the auditors are mostly
concerned with include the following, except:
a. Lack of segregation of functions.
b. Lack of transaction trails.
c. Dependence of other controls over computer processing.
d. Cost-benefit ratio.
217. Regardless of the nature of an entity’s information system, the auditor must consider internal control. In a CIS
environment, the auditor must, at a minimum, have:
a. A background in programming procedures.
b. An expertise in computer systems analysis.
c. A sufficient knowledge of the computer information system.
d. A sufficient knowledge of the computer’s operating system.
218. Who is ultimately responsible for the design and implementation of cost-effective control in a CIS
environment?
a. The internal audit manager.
b. The CIS director.
c. The systems analyst.
d. The entity’s management.
219. Which of the following risks is not greater in CIS than in manual systems?
a. Erroneous data conversion.
b. Erroneous source document preparation.
c. Repetition of errors.
d. Concentration of data.
220. Uninterruptible power supplies are used in computer facilities to minimize the risk of:
a. Crashing disk drive read-write heads.
b. Dropping bits in data transmission.
c. Failing to control concurrent access to data.
d. Losing data stored in main memory.
221. The significance of hardware controls is that they:
a. Ensure that run to run totals in application systems are consistent.
b. Reduce the incidence of user input errors in on-line systems.
c. Ensure correct programming of operating system functions.
d. Assure that machine instructions are executed correctly.
222. A systems analyst should have access to each of the following, except:
a. Edit criteria.
b. Source code.
c. Password identification tables.
d. User procedures.
223. The manager of computer operations prepares a weekly schedule of planned computer processing and sends a
copy to the computer librarian. The control objective this procedure serves is to:
a. Authorize the release of data files to computer operators.
b. Specify the distribution of computer results.
c. Specify file retention and disaster recovery policies.
d. Keep improper and unauthorized transactions from entering the computer facility.
224. An entity should plan the physical location of its computer facility. Which of the following is the primary
consideration for selecting a computer site?
a. It should be in the basement or on the ground floor.
b. It should maximize the visibility of the computer.
c. It should minimize the distance that data control personnel must travel to deliver data and reports
and be easily accessible by a majority of company personnel.
d. It should provide security.
225. Which of the following statements regarding security concerns for notebook computers is false?
a. The primary methods of control usually involve application controls.
b. Centralized control over the selection and acquisition of hardware and software is a major concern.
c. Some conventional controls such as segregation of duties may not be feasible.
d. As their use becomes more sophisticated, the degree of concern regarding physical security
increases.
226. The advent of personal computers has resulted in a(n):
a. Decentralization of data processing activities.
b. Increased concern over the accuracy of computerized processing.
c. Decrease in the number of local area networks.
d. Increase for general computer control activities.
227. Which of the following is most likely to include user group development and execution of certain computer
applications?
a. Telecommunication transmission systems.
b. Database administration.
c. End user computing.
d. Electronic data interchange systems.
228. Which of the following is not a data transmission control?
a. Echo checks.
b. Data encryption.
c. File labels.
d. Parity checks.
229. Which of the following is not one of the responsibilities of a database administrator?
a. Develop application programs to access the database.
b. Design the content and organization of the database.
c. Protect the database and its software.
d. Monitor and improve the efficiency of the database.
230. Which of the following groups should have the operational responsibility for the accuracy and completeness
of computer based information?
a. External auditors.
b. Internal auditors.
c. Users.
d. Top management.
231. The major risk in relying on anti-virus software is that it may:
a. Consume too many system resources.
b. Interfere with system operations.
c. Not detect certain viruses.
d. Make software installation too complex.
232. The best control to permit new employees to understand internally developed programs is:
a. Adequate backups are made for spreadsheet models.
b. Use of end-user computing resources is monitored.
c. End user computing efforts are consistent with strategic plans.
d. Documentation standards exist and are followed.
233. An entity updates its accounts receivable master file weekly and retains the master files and corresponding
update transactions for the most recent two-week period. The purpose of this periodic retention of master files
and transaction data is to:
a. Validate groups of update transactions for each version.
b. Permit reconstruction of the master file if needed.
c. Verify run to run control totals for receivables.
d. Match internal labels to avoid writing on the wrong volume.
234. Which of the following contingency plan arrangements would be considered too vendor dependent when vital
operations require almost immediate availability of computer resources?
a. A cold site arrangement.
b. A hot site arrangement.
c. A warm site arrangement.
d. Using excess capacity at another data center within the entity.
235. An auditor has recommended biometric authentication for workers entering a client’s building. The
recommendation might include devices that verify all of the following:
a. Fingerprints.
b. Password patterns.
c. Speech patterns.
d. Retina patterns.
236. Which of the following best describes the process called authentication?
a. The user identifies himself/herself to the system.
b. The system verifies the identity of the user.
c. The user indicates to the system that the transaction was processed correctly.
d. The system verifies that the user is entitled to enter the transactions requested.
237. Which of the following is the most likely source of errors in a fully operational computer based system?
a. Systems analysis and programming.
b. Operator error.
c. Processing.
d. Input.
238. Which of the following provides the most valuable information for detecting unauthorized input from a
terminal?
a. User error report.
b. Transaction log.
c. Error file.
d. Console log printout.
239. Which of the following data conversion methods is the most difficult to audit?
a. Keying data to disk for online processing.
b. Keying data to disk for batch processing.
c. Reading source data using optical character recognition.
d. Keying data to source documents for magnetic ink character recognition.
240. Which of the following best describes the online data processing control called pre-formatting?
a. The display of a document with blanks for data items to be entered by the terminal operator.
b. A program initiated prior to regular input to discover errors in data before entry so that the errors can
be corrected.
c. A series of requests for required input data that requires an acceptable response to each request
before a subsequent request is made.
d. A check to determine if all data items for a transaction have been entered by the terminal operator.
241. If a payroll system continues to pay employees who have been terminated, control weaknesses most likely
exist because:
a. Input file label checking routines built into the program were ignored by the operator.
b. Programmed controls such as limit checks should have been built into the system.
c. Procedures were not implemented to verify and control the receipt by the computer processing
department of all transactions prior to processing.
d. There were inadequate manual controls maintained outside the computer system.
242. A wholesaler of automotive parts has a computerized billing system. Because of clerical error while entering
information from the sales order, one of its customers was billed for only three of the five items ordered and
received. Which of the following would have prevented or promptly detected this clerical error?
a. Periodic comparison of total accounts receivable per accounts receivable master file with total
accounts receivable per accounts receivable control account.
b. A completeness check that does not allow a sales invoice to be processed if key fields are blank.
c. Pre-numbered shipping documents together with a procedure for follow up anytime there is not a
one-to-one relationship between shipping documents and sales invoices.
d. Matching line control counts produced by the computer with predetermined line control counts.
243. Which of the following computerized control procedures would most likely provide reasonable assurance that
data uploaded from personal computers to a mainframe are complete and that no additional data are added?
a. Field edit controls that test each field for alphanumeric integrity.
b. Self-checking digits to ensure that only authorized part numbers are added to the database.
c. Batch control totals, including financial totals and hash totals.
d. Passwords that effectively limit access to only those authorized to upload the data to the mainframe.
244. An entity’s labor distribution report requires extensive corrections each month because of labor hours charged
to inactive jobs. Which of the following data processing input controls appears to be missing?
a. Validity check.
b. Limit check.
c. Missing data check.
d. Control total.
245. If, in reviewing an application system, it is noted that batch controls are not used, which of the following
statements by the user of the system is acceptable as a compensating control?
a. “The volume of transactions prohibits batching.”
b. “We do a 100% physical review of the input document to the output document.”
c. “We do a 100% key verification of all data input.”
d. “The supervisor must approve all inputs.”
246. Which of the following is the major purpose of the auditor’s study and evaluation of the company’s computer
processing operations?
a. Ensure the exercise of due professional care.
b. Evaluate the reliability and integrity of financial information.
c. Become familiar with the company’s means of identifying, measuring, classifying and reporting
information.
d. Evaluate the competence of computer processing operating personnel.
247. The following statements relate to the auditor’s assessment of control risk in an entity’s computer
environment. Which is correct?
a. The auditor usually can ignore the computer system if he/she can obtain an understanding of the
controls outside the CIS.
b. If the general controls are ineffective, the auditor ordinarily can assess control risk at a low level if
the application controls are effective.
c. The auditor’s objectives with respect to the assessment of control risk are the same as in a manual
system.
d. The auditor must obtain an understanding of the internal control and test controls in computer
environments.
248. Which of the following should be a responsibility of the IS function?
a. Correcting errors in transaction data.
b. Initiating changes to programs.
c. Processing transactions.
d. All of the above.
249. Which of the following is least affected by the presence of computer-based processing?
a. Security measures.
b. Control objectives.
c. General controls.
d. Accounting controls.
250. General controls include controls:
a. Designed to ascertain that all transaction data are accurate.
b. That relate to the correction and resubmission of data that were initially correct.
c. For documenting and approving programs and changes to programs.
d. Designed to assure the reliability of output.
251. The use of a programmed check or edit test with respect to transaction data is an example of a:
a. Preventive control.
b. Detective control.
c. Corrective control.
d. Retroactive control.
252. Which of the following statements accurately describes the impact that automation has on the controls
normally present in a manual system?
a. Transaction trails are more extensive in CIS than in a manual system because there is always a
one-to-one correspondence between data entry and output.
b. Responsibility for custody of information assets is more concentrated in user departments in CIS
than it is in a manual system.
c. Controls must be more explicit in CIS because many processing points that present opportunities for
human judgment in a manual system are eliminated.
d. The quality of documentation becomes less critical in CIS than it is in a manual system because data
records are stored in machine-readable files.
253. A common difficulty in auditing a computerized accounting system is:
a. Data can be erased from the computer with no visible evidence.
b. Because of the lack of an audit trail, computer systems have weaker controls and more substantive
testing is required.
c. Because of the uniform nature of transaction processing, computer systems have strong controls and
less substantive testing is required.
d. The large dissemination of entry points into the computer system leads to weak overall reliance on
information generated by a computer.
254. How have electronic data interchange (EDI) systems affected audits?
a. Since orders and billing transactions are done over the computer, source documents cannot be
obtained.
b. Auditors often need to plan ahead to capture information about selected transactions over the EDI.
c. There is no audit trail in an EDI system, so controls are typically assessed as weak.
d. Since all transactions occur over the computer, reliability is high and little substantive testing is
needed.
255. How can a computer system be modified to compensate for the lack of segregation of duties?
a. The computer system should be under the direction of the internal audit department.
b. The computer system should be accessible to various competent parties so they can check each
other’s work.
c. Strong controls should be built into both the computer software and hardware to limit access and
manipulation.
d. Many companies run complete parallel manual and automated accounting systems for a cross check
on input and output.
256. Of the following data processing controls, which is the best detection control?
a. Use of data encryption techniques.
b. Review of machine utilization logs.
c. Policy requiring password security.
d. Backup and recovery procedure.
257. Which of the following characteristics of on-line/real time systems and EDI systems does not create an audit
problem?
a. The lack of traditional documentation of transactions creates a need for greater attention to
programmed controls at the point of transaction input.
b. Hard copy may not be retained by the client for long periods of time, thereby necessitating more
frequent visits by the auditor.
c. Control testing may be more difficult given the increased vulnerability of the client’s files to
destruction during the testing process.
d. Consistent on-line processing of recurring data increases the incidence of errors.
258. Computer systems are more vulnerable to unauthorized access because:
a. Hardware design considerations have declined.
b. Software cannot be readily written to control access.
c. Systems documentation must be available to all users.
d. Access can be gained electronically without physical entry to the facilities.
259. A system flowchart:
a. Is synonymous with a program flowchart.
b. Is necessary for only computer processes.
c. Shows general flow and sequence but not processing details.
d. Is necessary for only manual processes.
260. When a database administrator’s position exists within a client organization, the auditor must be aware of the:
a. Output effectiveness/efficiency consideration.
b. Need for coded program files.
c. Use of encrypted dialog in a two-way authentication process.
d. Inherent violation of the principle of separation of duties.
261. Which of the following functions would have the least effect on an audit if they are not properly segregated?
a. The systems analyst and the programmer functions.
b. The computer operator and programmer functions.
c. The computer operator and the user functions.
d. The applications programmer and the systems programmer.
262. Which of the following represent examples of general, application and user control activities, respectively, in
the computer environment?
a. Manual checks of computer output, control over access to programs and computer exception reports.
b. Computer exception reports, control over access to programs and manual checks of computer output.
c. Control over access to programs, computer exception reports and manual checks of computer output.
d. Manual checks of computer output, computer exception reports and control over access to programs.
263. A computer report which is designed to create an audit trail for each on-line transaction.
a. Transaction log.
b. Master file.
c. IT log.
d. Transaction file.
264. Which of the following would not be an appropriate procedure for testing the general control activities of an
information system?
a. Inquiries of client personnel.
b. Inspecting computer logs.
c. Testing for the serial sequence of source documents.
d. Examination of the organizational chart to determine the segregation of duties.
265. The employees in a manufacturing area made many errors as they wrote their clock numbers on time sheets
and cost distribution forms. An effective control technique would have been the use of:
a. Batch totals.
b. Turnaround documents.
c. Hash totals.
d. Record counts.
266. An advantage of having a computer maintain an automated error log in conjunction with a computer edit
process is that:
a. Reports can be developed that summarize the errors by type, cause and person responsible.
b. Less manual work is required to determine how to correct errors.
c. Better editing techniques will result.
d. The audit trail is maintained.
267. In order to control purchasing and accounts payable, an information system must include:
a. Purchase order, receiving reports and vendor invoices.
b. Receiving reports and vendor invoices.
c. Purchase requisition, purchase orders, receiving reports of goods needed and vendor invoices.
d. Purchase orders, receiving reports and inventory reports of goods needed.
268. The best set of controls for a payroll system includes:
a. Sign tests, limit tests, passwords and user codes, on-line edit check and payments by check.
b. Batch totals, record counts, user codes, proper segregation of duties and on-line edit checks.
c. Batch and hash totals, record counts of each run, proper separation of duties, special control over
unclaimed checks and backup copies of activities and master files.
d. Passwords and user codes, batch totals, employee supervision and record count of each run.
269. Testing controls without the use of a computer is possible when the:
a. Computer generates visible evidence of compliance with the control.
b. Auditor does not fully understand the computer system.
c. Controls appear adequate.
d. Input/output is done in batches.
270. Which of the following employees normally would be assigned the operating responsibility for designing a
computerized accounting system, including documentation of application systems?
a. Computer programmer.
b. Systems programmer.
c. Systems analyst.
d. Internal auditor.
271. The effect of personal computers on the accounting system and the associated risks will least likely depend
on:
a. The extent to which the personal computer is being used to process accounting applications.
b. The type and significance of financial transactions being processed.
c. The nature of files and programs utilized in the applications.
d. The cost of personal computers.
272. Risk of fraud or error in on-line systems may be reduced in the following circumstances, except:
a. If on-line data entry is performed at or near the point where transactions originate, there is less risk
that the transactions will not be recorded.
b. If invalid transactions are corrected and re-entered immediately, there is less risk that such
transactions will not be corrected and re-submitted on a timely basis.
c. If data entry is performed on-line by individuals who understand the nature of the transactions
involved, the data entry process may be less prone to errors than when it is performed by individuals
unfamiliar with the nature of the transactions.
d. On-line access to data and programs through telecommunications may provide greater opportunity
for access to data and programs by unauthorized persons.
273. Which of the following represents an additional cost of transmitting business transactions by means of
electronic data interchange (EDI) rather than in a traditional paper environment?
a. Redundant data checks are needed to verify that individual EDI transactions are not recorded twice.
b. Internal audit work is needed because the potential for random data entry errors is increased.
c. Translation software is needed to convert transactions from the entity’s internal format to a standard
EDI format.
d. More supervisory personnel are needed because the amount of data entry is greater in an EDI
system.
274. Many entities use the Internet as a network to transmit electronic data interchange (EDI) transactions. An
advantage of using the Internet for electronic commerce rather than a traditional value-added network (VAN)
is that the Internet:
a. Permits EDI transactions to be sent to trading partners as transactions occur.
b. Automatically batches EDI transactions to multiple trading partners.
c. Possesses superior characteristics regarding disaster recovery.
d. Converts EDI transactions to a standard format without translation software.
275. Which of the following computer system risks would be increased by the installation of a database system?
a. Programming errors.
b. Data entry errors.
c. Improper data access.
d. Loss of power.
276. Given the increasing use of microcomputers as a means for accessing data bases, along with on-line real-time
processing, companies face a serious challenge relating to data security. Which of the following is not an
appropriate means for meeting this challenge?
a. Institute a policy of strict identification and password controls housed in the computer software that
permit only specified individuals to access the computer files and perform a given function.
b. Limit terminals to perform only certain transactions.
c. Program software to produce a log of transactions showing date, time, type of transaction, and
operator.
d. Prohibit the networking of microcomputers and do not permit users to access centralized data bases.
277. Which of the following is likely to be a benefit of electronic data interchange (EDI)?
a. Increased transmission speed of actual documents.
b. Improved business relationships with trading partners.
c. Decreased liability related to protection of proprietary business data.
d. Decreased requirements for backup and contingency planning.
278. Where disk files are used, the grandfather-father-son updating backup concept is relatively difficult to
implement because the:
a. Location of information points on disks is an extremely time consuming task.
b. Magnetic fields and other environmental factors cause off-site storage to be impractical.
c. Information must be dumped in the form of hard copy if it is to be reviewed before used in updating.
d. Process of updating old records is destructive.
279. The possibility of losing a large amount of information stored in computer files most likely would be reduced
by the use of:
a. Back-up files.
b. Check digits.
c. Completeness tests.
d. Conversion verification.
280. The initial debugging of a computer program should normally be done by the:
a. Programmer.
b. Internal auditor.
c. Machine operator.
d. Control group.
281. Which of the following is not considered a typical risk associated with outsourcing?
a. Inflexibility.
b. Loss of control.
c. Loss of confidentiality.
d. Less availability of expert.
282. The grandfather-father-son approach to providing protection for important computer files is a concept that is
most often found in:
a. On-line/real time systems.
b. Punched cards systems.
c. Magnetic tape systems.
d. Magnetic drum systems.
283. Matthews Corp. has changed from a system of recording time worked on clock cards to a computerized
payroll system in which employees record time in and out with magnetic cards. The CIS automatically
updates all payroll records. Because of this change:
a. A generalized computer audit program must be used.
b. Part of the audit trail is altered.
c. The potential for payroll related fraud is diminished.
d. Transactions must be processed in batches.
284. Certain general CIS controls that are particularly important to on-line processing least likely include:
a. Access controls.
b. System development and maintenance controls.
c. Edit, reasonableness and other validation tests.
d. Use of anti-virus software program.
285. Certain CIS application controls that are particularly important to on-line processing least likely include:
a. Pre-processing authorization.
b. Transaction logs.
c. Cut-off procedures.
d. Balancing.
286. Due to data sharing, data independence and other characteristics of database systems:
a. General CIS controls normally have a greater influence than CIS application controls on database
systems.
b. CIS application controls normally have a greater influence than general CIS controls on database
systems.
c. General CIS controls normally have an equal influence with CIS application controls on database
systems.
d. CIS application controls normally have no influence on database systems.
287. To reduce security exposure when transmitting proprietary data over communication lines, a company should
use:
a. Asynchronous modems.
b. Authentic techniques.
c. Call-back procedures.
d. Cryptographic devices.
288. Which of the following would an auditor ordinarily consider the greatest risk regarding an entity’s use of
electronic data interchange (EDI)?
a. Authorization of EDI transactions.
b. Duplication of EDI transmissions.
c. Improper distribution of EDI transactions.
d. Elimination of paper documents.
289. Which of the following statements is correct concerning internal control when a client is using an electronic
data interchange system for its sales?
a. Controls should be established over determining that all suppliers are included in the system.
b. Encryption controls may help to assure that messages are unreadable to unauthorized persons.
c. A value-added-network (VAN) must be used to assure proper control.
d. Attention must be paid to both the electronic and “paper” versions of transactions.
290. Which of the following statements most likely represents a disadvantage for an entity that keeps
microcomputer prepared data files rather than manually prepared files?
a. Random error associated with processing similar transactions in different ways is usually greater.
b. It is usually more difficult to compare recorded accountability with physical count of assets.
c. It is usually easier for unauthorized persons to access and alter the files.
d. Attention is focused on the accuracy of the programming process rather than errors in individual
transactions.
291. Which of the following is an example of how specific controls in a database environment may differ from
controls in a non-database environment?
a. Controls should exist to ensure that users have access to and can update only the data elements that
they have been authorized to access.
b. Controls over data sharing by diverse users within an entity should be the same for every user.
c. The employee who manages the computer hardware should also develop and debug the computer
programs.
d. Controls can provide assurance that all processed transactions are authorized, but cannot verify that
all authorized transactions are processed.
292. A retail entity uses electronic data interchange (EDI) in executing and recording most of its purchase
transactions. The entity’s auditor recognized that the documentation of the transactions will be retained for
only a short period of time. To compensate for this limitation, the auditor most likely would:
a. Increase the sample of EDI transactions to be selected for cutoff tests.
b. Perform tests several times during the year, rather than only at year-end.
c. Plan to make a 100% count of the entity’s inventory at or near the year-end.
d. Decrease the assessed level of control risk for the existence or occurrence assertion.
293. Which of the following is a password security problem?
a. Users select passwords that are not listed in any on-line dictionary.
b. Users are assigned passwords when accounts are created, but do not change them.
c. Users have accounts on several systems with different passwords.
d. Users copy their passwords on note paper, which is kept in their wallets.
294. A company is concerned that a power outage or disaster could impair the computer hardware’s ability to
function as designed. The company desires off-site backup hardware facilities that are fully configured and
ready to operate within several hours. The company most likely should consider a:
a. Cold site.
b. Cool site.
c. Warm site.
d. Hot site.
295. A company's labor distribution report requires extensive corrections each month because of labor hours
charged to inactive jobs. Which of the following data processing input controls appears to be missing?
a. Completeness test.
b. Validity test.
c. Limit test.
d. Control total.
296. Passwords for microcomputer software programs are designed to prevent:
a. Inaccurate processing of data.
b. Unauthorized access to the computer.
c. Incomplete updating of data files.
d. Unauthorized use of the software.
297. The capability for computers to communicate with physically remote terminals is an important feature in the
design of modern business information systems. Which of the following risks associated with the use of
telecommunications systems is minimized through the use of a password control system?
a. Unauthorized access to system program and data files.
b. Unauthorized physical availability of remote terminals.
c. Physical destruction of system program and data files.
d. Physical destruction of remote terminals.
298. Consider the following computer applications:
A. At a catalog sales firm, as phone orders are entered into their computer, both inventory and
credit are immediately checked.
B. A manufacturer's computer sends the coming week's production schedule and parts orders to a
supplier's computer.
Which statement below is true for these applications?
a. Both applications are examples of EDI.
b. Both applications are examples of on-line real-time processing.
c. The first application is an example of EDI and the second is an example of on-line real-time.
d. The first application is an example of on-line real-time and the second is an example of EDI.
299. Unauthorized alteration of on-line records can be prevented by employing:
a. Key verification.
b. Computer sequence checks.
c. Computer matching.
d. Data base access controls.
300. In the preliminary survey the auditor learns that a department has several microcomputers. Which of the
following is usually true and should be considered in planning the audit?
a. Microcomputers, though small, are capable of processing financial information, and physical
security is a control concern.
b. Microcomputers are limited to applications such as worksheet generation and do not present a
significant audit risk.
c. Microcomputers are generally under the control of the data processing department and use the same
control features.
d. Microcomputers are too small to contain any built-in control features. Therefore, other controls must
be relied upon.