APPLICATION CONTROLS B) Range check

C) Logic check
1.Which of the following is not a key feature of D) Echo check
input validation controls in CIS application Answer: D
controls?
A) Ensuring transactions are properly authorized 7. Which of the following is not one of the
before being processed by the computer. controls used in data transcription (batching and
B) Allowing transactions to be converted into converting) for input validation controls?
machine readable form and recorded in the A) Sequence check
computer data files. B) Visual verification
C) Preventing loss, addition, duplication, or C) Control totals
improper changes to transactions. D) Key verification requiring data to be entered
D) Rejecting incorrect transactions without twice.
correction. Answer: A
Answer: D
8. Which of the following is not one of the
2. What role do manual cross checks play in components of processing controls in CIS
processing controls for CIS application controls? application controls?
A) Checking the validity of transactions A) Manual cross checks
B) Structuring source documents and input B) Run-to-run totals
screens C) Field checks
C) Reconciling the work of another employee D) File and program changes
reconciliations and acknowledgments Answer: C
D) Computing control totals
Answer: C 9. What is the function of a self-checking digit in
data observation and recording?
3. How does the echo check contribute to the A) Enhancing document security
transmission of transaction data in CIS B) Ensuring data accuracy
application controls? C) Detecting transposition errors in document
A) Transmitting data back to the originating numbers
terminal for comparison D) Facilitating the use of scanners
B) Transmitting additional data for redundancy Answer: C
C) Verifying the completeness of transmitted
data 10. What is the primary objective of input
D) Checking the logic of input data validation controls?
Answer: A A) Preventing unauthorized access to the
application system
4. What does the field check in edit tests of B) Ensuring data entry is authorized, accurate,
transaction data validate within the CIS and complete
application controls? C) Facilitating efficient communication between
A) The validity of transactions or data entered applications
B) The types of characters accepted in specific D) Generating machine-readable forms for all
data fields transactions
C) The reasonableness and limit of entered Answer: B
amounts
D) The sequence order of input data 11. How do input validation controls handle
Answer: B incorrect transactions in the application system?
A) Incorrect transactions are intentionally added
5. All of the following are part of Input validation for testing purposes
controls, except: B) Incorrect transactions are corrected
A) Data observation and recording automatically during processing
B) Manual cross checks of transaction data C) Incorrect transactions are rejected, corrected,
C) Edit tests of transaction data and if necessary, resubmitted on a timely basis
D) Transmission of transaction data D) Incorrect transactions are ignored and left
Answer: B unprocessed
Answer: C
6. All of the following are considered types of
edit tests of transaction data, except:
A) Field size check
12. Among the following, what is the main B) Reconciliations
function of an echo check in the transmission of C) Acknowledgments
transaction data? D) Validating programs
A) Transmitting additional data for redundancy Answer: D
B) Verifying completeness of data
C) Transmitting data back to the originating 18. Which of the following is not a characteristic
terminal for comparison with the transmitted of run-to-run totals in processing controls?
data A) Batched data is controlled during processing
D) Detecting transposition errors runs
Answer: C B) No records are omitted
C) Programs are validated
13. What is the primary purpose of completeness D) Incorrect insertion into a transaction filed is
check in the transmission of transaction data? avoided
A) Verifying data accuracy Answer: C
B) Ensuring that all required data have been
entered and transmitted 19. Which of the following controls is a processing
C) Transmitting additional data for redundancy control designed to ensure the reliability and
D) Transmitting data back for comparison accuracy of data processing?
Answer: B a. Limit test
b. Validity check test
14. All of the following are components of data
observation and recording controls, except: A) Yes, yes.
A) Self-checking data B) No, no.
B) The use of pre-numbered and pre-printed C) No, yes.
documents D) Yes, no.
C) Keeping blank forms under lock and key Answer: A
D) Online computer systems offering menu
screens, preformatted screens, use of scanners 20. Which of the following processing controls
Answer: A would be most effective in assisting a store
manager to ascertain whether the payroll
15. Which of the following is not a role of input transaction data were processed in their entirety?
validation controls in CIS application controls? A) Payroll file header record
A) Ensuring data entry is authorized, accurate, B) Transaction identification codes
and complete C) Processing control totals
B) Preventing loss, addition, duplication, or D) Programmed exception reporting
improper changes to transactions Answer: C
C) Transactions are accurately converted into
machine readable form and recorded in the 21. CIS application controls include, except
computer data files A) Controls over input
D) Converting transactions into handwritten B) Controls over processing and computer data
forms files
Answer: D C) Controls over output
D) Controls over access to systems software and
16. Which of the following is incorrect regarding documentation
transmission of transaction data controls in CIS Answer: D
application controls?
A) Echo check involves transmitting data back 22. Statement 1: Accuracy tests and
for comparison completeness tests are examples of general
B) Visual verification ensures proper authorization controls.
of transactions Statement 2: Input controls is a category of
C) Completeness check verifies that all required application controls.
data have been entered and transmitted A) False; False
D) Redundancy data check is used for B) False: True
additional data in the verification process C) True; True
Answer: B D) True; False
Answer: B
17. Which of the following is not a function of
manual cross checks in processing controls? 23. Most errors within a CIS environment occur at
A) Checking the work of another employee this stage.
A) General Control B) Validity test
B) Input Control C) Application test
C) Process Control D) Completeness test
D) Output Control Answer: C
Answer: B
29. Statement 1. Testing whether transactions
24. Statement 1: Processing controls is a category submitted for processing are properly authorized
of general controls. can be achieved using standard forms & a
Statement 2: Output controls focus on detecting signature authority.
errors after processing is completed rather than Statement 2. Incorrect transactions are rejected,
preventing errors prior to processing. corrected & then resubmitted on a timely basis -
A) True; True relates to the accuracy of accounting reports.
B) True; False A) Only statement 1 is correct
C) False: True B) Both statements are correct
D) False; False C) Both statements are false
Answer: B D) Only statement 2 is correct
Answer: B
25. It relates to the completeness of input & takes
the form of sequence checks and control totals. 30. A count of the number of items or
A) Incorrect transactions are rejected, corrected transactions being input in a given batch
& then resubmitted on a timely basis A) Field check test
B) Transactions submitted for processing are B) Hash total
properly authorized C) Item (Record) count
C) Transactions are accurately converted into D) Financial total
machine-readable form & recorded into the Answer: C
computer files
D) Transactions are not lost, added, duplicated 31. What do General Controls apply to?
or improperly changed A. Individual business processes
Answer: D B. All computerized applications
C. Manual procedures only
26. Statement 1: No matter the source of the error, D. Data edits and error reporting
its circumstances should be investigated, Answer: B
corrected & resubmitted on a timely basis, in
accordance with proper procedures. 32. What is the primary objective of Application
Statement 2: Controls over Input are designed to Controls?
ensure that data entry is authorized, accurate & A. Ensure IT general controls are effective
complete. B. Maintain overall control environment
A) Only statement 1 is correct C. Ensure input data is accurate, complete, and
B) Only statement 2 is correct authorized
C) Both statements are false D. Benchmarking effectiveness year to year
D) Both statements are correct Answer: C
Answer: D
33. Which of the following is a benefit of
27. All of the following refers to the reasonable Application Controls?
assurance of controls over input, except: A. Reliability
A) Transactions are not lost, added, duplicated B. User Authentication
or improperly changed. C. General Controls
B) Transactions are accurately converted into D. Manual intervention
machine-readable form & recorded into the Answer: A
logbook.
C) Transactions submitted for processing are 34. Which type of Application Control checks the
properly authorized. integrity of data entered into a business
D) Incorrect transactions are rejected, corrected application?
& then resubmitted on a timely basis. A. Processing Controls
Answer: B B. Output Controls
C. Integrity Controls
28. Which of the following is not an example of D. User Control Activities
controls over input Answer: C
A) Limit test
35. What does User Authentication involve? A. Input Controls
A. Checking processing totals B. Processing Controls
B. Managing user accounts C. Output Controls
C. Verifying the identity of users D. Integrity Controls
D. Ensuring data is processed as intended Answer: C
Answer: C
43. What is the role of MANAGEMENT TRAIL in
36. Which User Control Activity involves defining Application Controls?
user privileges? A. Verify user identity
A. User Authentication B. Monitor data consistency
B. User Authorization C. Track the process of data from input to output
C. User Account Management D. Check processing totals
D. Secure User Administration Answer: C
Answer: B
44. What do APPLICATION CONTROLS specifically
37. What is the purpose of User Account address in computerized systems?
Management? A. Overall control environment
A. Verify user identity B. Separation of business functions
B. Secure management of user accounts C. User Authentication
C. Benchmarking user privileges D. User Authorization
D. Checking input data integrity Answer: B
Answer: B
45. What is the primary focus of GENERAL
38. Which type of Application Control ensures CONTROLS in a computerized environment?
processing is complete, accurate, and A. Data edits
authorized? B. Separation of business functions
A. Input Controls C. Benchmarking
B. Processing Controls D. Overall control environment
C. Output Controls Answer: D
D. Management Trail
Answer: B 46. What does USER AUTHORIZATION involve in
User Control Activities?
39. What is the primary purpose of Output A. Verifying user identity
Controls? B. Granting or denying access to specific actions
A. Monitoring data being processed or resources
B. Comparing output with input C. Managing user accounts
C. Ensuring data is stored correctly D. Monitoring data consistency
D. Benchmarking application controls Answer: B
Answer: B
47. Which type of Application Control ensures
40. Which aspect of User Control involves that processing is automated, accurate, and
enforcing security policies to protect against authorized?
unauthorized access or malicious activities? A. Input Controls
A. User Authentication B. Processing Controls
B. User Authorization C. Output Controls
C. Secure User Administration D. Integrity Controls
D. General Controls Answer: B
Answer: C
48. What is the primary benefit of APPLICATION
41. What is the primary objective of INPUT CONTROLS in terms of reliability?
CONTROLS in Application Controls? A. Benchmarking
A. Ensure IT general controls are effective B. Time and cost savings
B. Monitor data consistency C. Reducing errors due to manual intervention
C. Check the integrity of data entered D. Ensuring IT general controls effectiveness
D. Verify user identity Answer: C
Answer: C
49. Which User Control Activity involves creating,
42. Which type of Application Control involves maintaining, and controlling user accounts within
checking the output against the intended result? a computer system or network?
A. User Authentication
B. User Authorization
C. User Account Management
D. Secure User Administration
Answer: C
50. What is the primary purpose of OUTPUT
CONTROLS in Application Controls?
A. Monitor data consistency
B. Check the integrity of data entered
C. Compare output results with intended results
D. Granting or denying user access
Answer: C
51. Which type of Application Control involves
monitoring data being processed and in storage
to ensure consistency and correctness?
A. Input Controls
B. Processing Controls
C. Integrity Controls
D. Output Controls
Answer: C
52. What is the primary objective of
MANAGEMENT TRAIL in Application Controls?
A. Verify user identity
B. Monitor effectiveness of other controls
C. Track the process of data from input to output
D. Benchmarking application controls
Answer: C
53. What does SECURE USER ADMINISTRATION
involve in User Control Activities?
A. Checking processing totals
B. Setting up user accounts
C. Verifying user identity
D. Implementing practices to ensure secure user
account management
Answer: D
54. Which aspect of USER CONTROL ACTIVITIES
refers to actions taken by individuals within an
organization to ensure the effectiveness of
application controls?
A. User Authentication
B. User Authorization
C. Secure User Administration
D. Overall control environment
Answer: D
55. What is the primary focus of INPUT CONTROLS
in Application Controls?
A. Monitor data consistency
B. Check the integrity of data entered
C. Ensure processing is complete and authorized
D. Verify user identity
Answer: B
56. What is the primary purpose of OUTPUT
CONTROLS ?
A. Monitor data consistency
B. Ensure data is processed as intended
C. Compare output with input
D. Granting or denying user access
Answer: C
57. What is the key aspect of USER
AUTHENTICATION in User Control Activities?
A. Verifying user identity
B. Defining user privileges
C. Setting up user accounts
D. Monitoring data consistency
Answer: A
58. Which type of Application Control provides
an automated means to ensure processing is
complete, accurate, and authorized?
A. Input Controls
B. Processing Controls
C. Output Controls
D. Integrity Controls
Answer: B
59. What does GENERAL CONTROLS apply to in a
computerized environment?
A. All computerized applications
B. Separation of business functions
C. User Authentication
D. Benchmarking
Answer: A
60. Which User Control Activity involves the
implementation of practices, policies, and
technologies to ensure secure user account
management?
A. User Authentication
B. User Authorization
C. Secure User Administration
D. User Account Management
Answer: C
APPLICATION CONTROLS (3RDYR)
1. The four objectives of input controls are
A. Validity, Completeness, Existence, Valuation
B. Completeness, Existence, Efficiency, Validity
C. Efficiency, Validity, Completeness, Valuation
D. Valuation, Validity, Existence, Efficiency
ANSWER: C
2. What is the only input control that underpins all
of the objectives of an input control?
A. Completeness check
B. Validity Test
C. Reasonableness Check
D. Closed loop verification
ANSWER: B
 ANSWER: C
3. This control provides automated means to
ensure processing is complete, accurate, and 9. For the accounting system of ACME
authorized. Company, the amounts of cash disbursements
A. Input Control entered into an EDP terminal are transmitted
B. Access Control to the computer that immediately transmits
C. Processing Control the amounts back to the terminal for display
D. Mandatory Control System on the terminal screen. This display enables the
Answer: C operator to
A. Establish the validity of the account
4. These are the domain of processing controls to number
ensure that input data has been processed B. Verify the amount was entered accurately
accurately and completely, except; C. Verify the authorization of the
A. Password administration disbursements
B. Audit trial and overrides D. Prevent the overpayment of the account
C. Data extraction, filtering, and reporting ANSWER: B
D. Automated functionality and aging 10. A finance application is processing a
Answer: A transaction. Which integrity control can help
confirm that the account number provided by
5. An unauthorized employee took computer the user is correct?
printouts from output bins accessible to all A. Closed Loop Verification
employees. Which of the following controls B. Reasonableness Check
would have prevented this occurrence? C. Check Digit
A. Output review control D. Key Verification
B. Storage/ retention control Answer: C
C. Report distribution control
D. Spooler file control 11. Limit Test is an application control that can
ANSWER: C be employed on
Input Process
6. Reconciling processing controls totals is an A. Yes ; No
example of B. Yes ; Yes
A. Processing control C. No ; Yes
B. Output control D. No ; No
C. Input control ANSWER: B
D. Both a and b
ANSWER: B 12. Computer information system application
controls include, except
A. Controls over input.
7. The following are the General Factors for B. Controls over processing and
Authenticating a subject, except; computer data files.
A. Something a person knows C. Controls over output.
B. Something a person needs D. Monitoring controls.
C. Something a person has ANSWER: D
D. Something a person is
ANSWER: B 13. Statement 1: Almost all of the input controls
can also serve as processing controls.
Statement 2: A record “key” is the group of
8. In the Access to program documentation values in a designated field that uniquely
objectives, the auditor should; identifies the record and no application process
A. Test to see that access to systems software is should be able to alter the data in these key
limited by terminal address. fields.
B. Interview the person responsible for access to A. Only Statement 1 is correct.
system software. B. Only Statement 2 is correct.
C. Observe the storage location of C. Both Statement 1 and Statement 2 are correct.
documentation if it is kept in printed form or D. Both Statement 1 and Statement 2 are
determine how access to on-line documentation incorrect.
is restricted. ANSWER: C
D. Test to see that there is a limit on the number
of unsuccessful attempts to sign on (or login).
14. Which of the following is not a possible test for
data extraction, filtering, and reporting in
processing controls?
A. Review process to assess extracted data for
completeness and validity.
B. Review access to set and amend configurable
parameters on interfaces.
C. Review supervisory assessment of output from
extract routine for evidence of regular review
and challenges.
D. Review the design of the extract routine
against the data files used.
ANSWER: B
15. Which of the following statement/s is/are
correct?
I. Protection of information resources requires a
well-designed set of controls.
II. Output controls establish that date are
complete and accurate during the updating.
III. All application controls are used in every
information system.
IV. Some systems require more controls than
others, depending on the importance of the
data and nature of the application.
A. I,II,III
B. I, III, IV
C. I only
D. I and IV only
ANSWER: D
16. Which statement is incorrect regarding the
review of general CIS controls and CIS
application controls?
A. The auditor should consider how these general
CIS controls affect the CIS applications
significant to the audit.
B. General CIS controls that relate to some or
all applications are typically interdependent
controls in that their operation is often
essential to the effectiveness of CIS
application controls.
C. Control over input, processing, data files
and output may be carried out by CIS personnel,
by users of the system, by a separate control
group, or may be programmed into application
software.
D. It may be more efficient to review the design
of the application controls before reviewing
the general controls.
ANSWER: D
17. Which of the following is an Access Control
Objective?
A. Access to Security System
B. Access to Product Documentation
C. Access to Program Production
D. Access to On-line Systems
ANSWER: D
18. Statement 1: Authorization is the method of
controlling access of objects by the subject.
Statement 2: Identification describes a method of
ensuring that an object is the entity it claims to
be.
A. Only Statement 1 is True
B. Statement 2 is False
C. Both Statement 1 and Statement 2 are True
D. Only Statement 2 is True
ANSWER: A
19. Closed Loop Verification refers to
A. Presenting data for review before completing
the forms
B. Tells the user that the account number that
has been input does not match.
C. Present data for review after completing
before submitting.
D. Data is crossed reference to database.
ANSWER: C
20. During data entry, the following are controls
that help the system verify the accuracy of a
product code entered by a user, except
A. Reasonableness Check
B. Integrity Test or Validity Test
C. Closed Loop Verification
D. Check Digit
ANSWER: C
21. An employee in the receiving department
keyed in a shipment from a remote terminal and
inadvertently omitted the purchase order
number. What is the best input control to detect
this error?
A. Integrity test
B. Closed loop verification
C. Completeness test
D. Reasonableness test
ANSWER: C
22. In an automated payroll system, all
employees in the finishing department were paid
the rate of P75 per hour when the authorized
rate was P70 per hour. Which of the following
controls would have been most effective in
preventing such an error?
A. Access controls which would restrict the
personnel department’s access to the payroll
master file data.
B. A review of all authorized pay rate changes by
the personnel department.
C. The use of batch control totals by department.
D. A limit test that compares the pay rates per
department with the maximum rate for all
employees.
ANSWER: D
23. Which of the following is an example of a Statament 2: Run control totals is both a
check digit? processing and output control.
A. An agreement of the total number of Statement 3: Control totals is an output control
employees to the total number of checks printed which refers to totals established beforehand for
by the computer. input and processing transactions.
B. An algebraically determined number A. Only 1 statement is correct
produced by the other digits of the employee B. Only 2 statements are correct.
number. C. All statements are correct.
C. A logic test that ensures all employee D. All statements are incorrect.
numbers are nine digits. ANSWER: B
D. An eight-digit combination that ends with the
number 7. 29. Which of the following statements is incorrect?
ANSWER: B A. General controls include all policies and
procedures an organization put in place.
24. An employee in the receiving department B. Specific controls are less effective at catching
keyed in a shipment from a remote terminal and errors than general controls.
inadvertently omitted the purchase order C. General controls serve as the foundation for
number. The best systems control to detect this the application controls.
error would be D. All statements are true.
A. Validity check ANSWER: B
B. Sequence test
C. Completeness test 30. Without the following documentation the
D. Reasonable test reviewer of the Access control may not be able
ANSWER: C to determine how access to systems software is
controlled, in what kind of restrictive area
25. A control that ensures that records are not systems software is kept, who are authorized to
added or lost during the processing runs. access and change systems software, and
A. Run-to-run total whether certain powerful utilities are being used
B. Error detection control to circumvent access controls to systems
C. Checkpoint restart capacity software, except;
D. Key Integrity A. Systems software
ANSWER: A B. Production programs and job control
language
26. Which of the following is not one of the main C. Security Camera footage
purposes of processing controls? D. Production data files
A. Prevention ANSWER: C
B. Detection
C. Correction 31. It is the least restrictive access control model
D. Authorization which allows multiple administrators to control
ANSWER: D access to a property.
A. Discretionary access control
27. The following are examples of output controls, B. Mandatory access control
except C. Discretionary Control System
A. Reconciling computer-produced output to D. Mandatory Control System
manual control totals ANSWER: A
B. Verifying dates and times of processing to
identify any out-of-sequence processing 32. Statement 1: Access controls are designed to
C. Reviewing process for validation and test allow unlimited access to documentation, files,
operation and programs.
D. Comparing a sample of transaction output to Statement 2: A weakness in or lack of access
input source documents controls decreases the opportunity for
ANSWER: C unauthorized modification to files and programs,
as well as misuse of the computer Hardware.
28. Which of the following statement/s is/are A. Statement 1 and Statement 2 are both correct
correct? B. Only Statement 1 is correct
Statement 1: Run control totals balance the total C. Only Statement 2 is correct
of transactions processed with total number of D. Both Statement 1 and Statement are incorrect
transactions input or output. ANSWER:D
33. Is Captcha, a program that tests users with
images, a form of integrity control? Select the
best choice given.
A. No, because captcha only focuses on
verifying that the user is a human and not
automated bots.
B. No, because anyone can access captcha
C. Yes, Because it can tell whether the user is a
robot or a human user.
D. None of the choices given.
ANSWER: A
34. A manager’s password has been changed
due to numerous attempts by an unknown
person to gain access to his account. What
integrity control must be employed to prevent
the recurrence of the event?
A. Check Digit
B. Integrity Test or Validity Test
C. Key Verification
D. Closed Loop Verification
ANSWER: C
35. In an e-commerce industry platform, a
shipping address system was programmed to
employ an integrity control, focusing on
reasonableness test. A customer ordered and
the system indicated or has flagged the input
address as being unusual. Given the situation,
why might this control be essential to the industry?
A. To prevent users from entering invalid and
fake addresses.
B. To cross reference addresses from a different
region.
C. To validate the completeness of user profiles.
D. To ensure all addresses are from validated
regions.
ANSWER: A
36. In the weekly computer run to prepare
payroll checks, a check was printed for an
employee who had been terminated the
previous week. Which of the following controls, if
properly utilized, would have been most effective
in preventing the error or ensuring its prompt
detection?
A. A control total for hours worked, prepared
from time cards collected by the timekeeping
department
B. Requiring the treasurer's office to account
for the number of the pre-numbered checks
issued to the CBIS department for the
processing of the payroll
C. Use of a check digit for employee numbers
D. Use of a header label for the payroll input
sheet
ANSWER: A
37. Accounts payable program posted a
payable to a vendor not included in the on-line
vendor master file. A control which would
prevent this error is a
A. Validity check
B. Range check
C. Reasonableness test
D. Limit check
ANSWER: A
38. In a computerized sales processing system,
which of the following controls is most effective in
preventing sales invoice pricing errors?
A. Sales invoices are reviewed by the product
managers before being mailed to customers
B. Current sales prices are stored in the computer,
and, as stock numbers are entered from sales
orders, the computer automatically prices the
orders
C. Sales prices, as well as product numbers, are
entered as sales orders are entered at remote
terminal locations
D. Sales prices are reviewed and updated on a
quarterly basis
ANSWER: B
39. The following controls ensure that input data
has been processed accurately and completely,
which of the following is excluded?
A. File extracts from debtors listing to provide
management with data on aged transactions.
B. Comparison of individual files to expected
dates, times, sizes, etc.
C. Automated tracking and highlighting of
overrides to normal processes.
D. All of the above are included
ANSWER: D
40. Which of the following statements is incorrect?
A. Test sample of listing transactions to validate
the appropriateness of aging processing.
B. In the interface balancing, processes are
reviewed to assess the extracted data for
reasonableness and sequence.
C. Inspect evidence of match reports, checks,
and error file processing to check balances on
both systems match.
D. Access to override normal processes is
reviewed for automated tracking and
highlighting.
ANSWER: B
41. It ensures that errors occurring in the
individual transaction during the processing are
rejected
A. Key verification
B. Completeness check
C. Error detection controls
D. Existence check
ANSWER: C
42. Which of the following statements best D. A method of measuring that a subject is the
describes application controls? entity it claims to be
A. Application controls include automated ANSWER: C
procedures but not manual procedures.
B. Application controls include manual 48. A customer erroneously ordered Item No.
procedures but not automated procedures. 86321 rather than item No. 83621. When this
C. Application controls include both automated order is processed, the vendor’s system would
procedures and manual procedures. identify the error with what type of control?
D. None of the choices A. Key verification
ANSWER: C B. Closed loop verification
C. Checking digit
43. Which of the following is not used as a D. Item inspection
processing control? ANSWER: C
A. Control totals
B. Report distribution logs 49. An online banking system uses a check digit
C. Computer matching system as part of their security measures. How
D. Run control totals does this control contribute to the bank’s
ANSWER: A integrity controls?
A. To ensure the uniqueness of the client’s ID.
44. Which of the following examples illustrate B. To verify the correctness of the client’s
computer matching? account number.
A. Checking to make sure transactions are in the C. To cross check the client’s information with the
right format primary data.
B. Matching employee time cards with a payroll D. To review the necessary information needed
master file and report missing or duplicate time before submitting.
cards ANSWER: B
C. Balancing the total of transactions processed
with total number of transactions input or output 50. A customer is placing the information needed
D. Both b and c to complete an order form, what’s likely to occur
ANSWER: B after or when completing the form given integrity
controls are in place?
45. Which of the following is/are included as I. Reasonableness check is employed to verify
common access and security control? that the age entered is within the valid range.
I. Identification II. The completed form is presented for review
II. Authorization before the customer submits.
III. Verification III. The system flags the customer’s input due to
IV. Authentication an unidentified card number after making errors
A. I, II, & III placing account numbers.
B. II, III, & IV A. Only I
C. I, II, & IV B. Only I and II
D. I, II, IV, & IV C. All the given choices
ANSWER: C D. None of the choices given
ANSWER: C
46. Which of the following access control
model/design is best used for businesses that 51. Company A has recently converted its
emphasize security and confidentiality? manual payroll to a computer-based system.
A. Discretionary access control Under the old system, employees who had
B. Mandatory access control resigned or been terminated were occasionally
C. Role-Based Access Control kept on the payroll and their checks were
D. Rule-Based Access Control claimed and cashed by other employees, in
ANSWER: B collusion with shop foremen. The best control for
preventing this form of "payroll padding" would
47. Authentication is best described as, be to:
A. A method of ensuring that a subject is the A. Conduct exit interviews with all employees
entity it claims to be leaving the company, regardless of reason.
B. The method of controlling access of objects by B. Require foremen to obtain a signed receipt
the subject from each employee claiming a payroll check.
C. The method of proving the subject’s identity C. Require the human resources department to
authorize all hires and terminations, and to
forward a current computerized list of active
employee numbers to payroll prior to processing.
Program the computer to reject inactive
employee numbers.
D. Install time clocks for use by all hourly
employees.
ANSWER: C
52. Computer based information system controls
are frequently classified as general controls and
application controls. Which of the following is an
example of an application control?
A. Programmers may access the computer only
for testing and "debugging" programs
B. All program changes must be fully
documented and approved by the information
systems manager and the user department
authorizing the change
C. A separate data control group is responsible
for distributing output, and also compares input
and output on a test basis
D. In processing sales orders, the computer
compares customer and product numbers with
internally stored lists
ANSWER:D
53. A checkpoint restart capacity control
A. ensures transactions are in the correct order
B. ensures application processes are in place
and cannot be altered.
C. allows to match the source documents for
verification
D. allows the job to restart from the point of
interruption.
Answer: D.
54. Which of the following statements is incorrect?
Statement 1: Table maintenance controls are
reviewed to determine who can change edits
and the tolerance level.
Statement 2: Input value and output values are
compared for most of the scenarios by walk
through and re-performance
A. Only Statement 2 is correct.
B. Only Statement 1 is correct.
C. Both Statement 1 and Statement 2 are correct.
D. Both Statement 1 and Statement 2 are
incorrect.
Answer: B
55. Which of the following statements is incorrect?
A. Software controls are used to monitor the use
of system software and prevent unauthorized
access of software programs, system software,
and computer programs.
B. Data security controls ensure that valuable
business data files on either disk or tape are
subject to unauthorized access, change, or
destruction while they are in use or in storage.
C. Computer operations control include controls
over the setup of computer processing jobs and
computer operations and backup and recovery
procedures for processing that ends abnormally.
D. Computer equipment should be specially
protected against fires and extremes of
temperature.
ANSWER: B
56. The following are types of general controls,
except
A. Software controls
B. Computer operation control
C. Administrative controls
D. Run control totals
ANSWER: D
57. To review access controls, the reviewer does
not need to obtain copies of the automated logs
or journals that record/monitor access to the
following, except;
A. Vault password
B. Production documentation and job control
language
C. Production data files
D. Critical application controls
ANSWER: C
58. Which of the following is not an example of
the general factors for authenticating a Subject?
A. Biometric
B. Password
C. Access Card
D. Paraphrase
ANSWER: D
59. Statement 1: Integrity controls are primarily
concerned with maintaining the confidentiality
of sensitive information. Statement 2: Closed loop
verification is a type of integrity control
A. Both statements are correct
B. Only statement 1 is correct
C. Only statement 2 is correct
D. Both statements are correct
ANSWER: C
60. Statement 1: Closed-Loop verification ensures
that users can modify their responses after
submitting a survey.
Statement 2: The primary purpose of closed loop
verification is to present data for user review final
submission.
A. Statement 1 is correct
B. Both Statement are correct
C. Statement 2 is correct
D. None of the statements are correct
Answer: C
CAATTs
Introduction Questions
1. Which of the following least describes
Computer Assisted Audit Techniques (CAATs)?
a. A software program used by auditors to
automate financial statements.
b. A set of tools and techniques that auditors use
to collect and analyze data from computer
systems.
c. An advanced algorithm used to detect
financial fraud.
d. A training program designed to teach auditors
how to use computers effectively.
Answer: D
2. Computer Assisted Audit Techniques may be
used in performing various auditing procedures,
except
a. Test of details of transactions and balances
b. Test of general controls
c. Analytical Procedures
d. Examination or Inspection of evidence
Answer: D
3. What is the purpose of introducing Computer-
Assisted Audit Techniques (CAATs) in the auditing
process?
a. To replace human auditors with automated
systems
b. To improve the efficiency and effectiveness of
auditing procedures
c. To eliminate the need for financial statements
and reporting
d. To increase the complexity of auditing
procedures
Answer: B
4. When computerized accounting systems
perform tasks for which no visible evidence is
available, what can auditors use to test these
tasks, especially when an entity uses advanced
CIS?
a. Physical inspection
b. Manual reconciliation
c. Computer Assisted Audit Techniques
d. Analytical procedures
Answer: C
5. What types of data can auditors use
Computer Assisted Audit Techniques to process
as part of the audit procedures?
a. Only transaction data
b. Only data related to general controls
c. Only data stored in the accounting system
d. Both transaction data and other types of data
Answer: D
Techniques for Program Analysis
1. What is the purpose of parallel simulation in
Computer Assisted Audit Techniques ?
a. To identify key features or processes of the
program under review
b. To reprocess transactions that were previously
processed by client's program
c. To compare results obtained from the
simulation with the client's output
d. To write a program that simulates the client's
program
Answer: B
2. The following are advantages of Parallel
Simulation, except
a. To emphasize exception helps auditor to focus
on items where there are differences
b. The size of the sample can be greatly
expanded at relatively little additional cost
c. Significantly cost of audit programming if
written uniquely for one client
d. Enables the valuation of effects of nonexistent
control procedures
Answer: C
3. This is a technique used for Program Analysis
a. Systems Control Audit Review Files (SCARF)
b. The Oracle
c. Parallel Simulation
d. Test Data
Answer: C
4. Which of the following methods of testing
application controls utilizes a generalized audit
software package prepared by the auditors?
a. Parallel simulation
b. Integrated testing facility approach
c. Test data approach
d. Exception report tests
Answer: A
5. The output of a parallel simulation should
always be
a. Printed on a report.
b. Compared with actual results manually.
c. Compared with actual results using a
comparison program.
d. Reconciled to actual processing output.
Answer: B
6. What are some potential disadvantages or
limitations of using parallel simulation for auditing
computer systems?
a. It is time consuming to perform
b. Client and auditor software may be
incompatible
c. Tracing output differences to program
differences is difficult
d. All of the above
Answer: D

7. What are some of the main functions and uses
of parallel simulation in auditing computer
systems?
a. To perform substantive testing of account
balances
b. To gather evidence on client application
control
c. To verify calculations like depreciation and
interest
d. All of the above
Answer: D
8. What auditing technique requires the auditor
to write a program that simulates key aspects of
the client's system? Transaction data is then
processed through both the auditor's simulation
and the client system, and the outputs are
compared.
a. Integrated test facility
b. Parallel simulation
c. Validation testing
d. Client simulation
Answer: B
9. What is the step-by-step involved in setting up
a parallel simulation for auditing a computer
system?
a. The auditor writes a program simulating key
processes, understands the application
functionality, identifies critical processes, creates
the simulation, runs it on test data, and evaluates
the results.
b. The auditor examines program code, designs
test data, traces data flow, compares output to
expectations, documents controls, and writes
recommendations.
c. The auditor interviews IT staff, reviews user
manuals, categorizes systems by risk level,
samples transactions, tests general controls, and
writes an audit report.
d. The auditor assesses infrastructure, catalogs
databases, performs network penetration testing,
checks backup schedules, verifies encryption is
enabled, and writes an audit memo.
Answer: A
10. In parallel simulation, the auditor writes a
program that simulates key aspects of the client's
system. Test data is run through both the auditor's
simulated program and the client's actual system.
What does the auditor compare the outputs of
these two programs in order to evaluate?
a. System accessibility
b. Network security
c. Program reliability
d. Backup readiness
Answer: C
Techniques for Program Testing
1. Program testing
a. involves individual modules only, not the full
system
b. requires creation of meaningful test data
c. need not be repeated once the system is
implemented
d. is primarily concerned with usability
Answer: B
2. An auditor used test data to verify the
existence of controls in a certain computer
program. Even though the program performed
well on the test, the auditor may still have a
concern that
a. The program tested is the same one used in
the regular production runs.
b. Generalized audit software may have been a
better tool to use.
c. Data entry procedures may change and
render the test useless.
d. The test data will not be relevant in
subsequent audit periods.
Answer: A
3. Increasing the effectiveness of auditing
software will
a. increase control risk.
b. increase detection risk.
c. reduce detection risk.
d. reduce control risk.
Answer: C
4. Which statement is incorrect regarding the
evaluation of general CIS controls and CIS
application controls?
a. The general CIS controls may have a
pervasive effect on the processing of
transactions in application systems.
b. If general CIS controls are not effective, there
may be a risk that misstatements might occur
and go undetected in the application systems.
c. Manual procedures exercised by users may
provide effective control at the application level
d. Weaknesses in general CIS controls cannot
preclude testing certain CIS application controls.
Answer: D
5. After the preliminary phase of the review of a
client's EDP controls, an auditor may decide not
to perform tests of controls (compliance tests)
related to the control procedures within the EDP
portion of the client's internal control structure.
Which of the following would not be a valid
reason for choosing to omit such tests?
a. The controls duplicate operative controls
existing elsewhere in the structure.
b. There appear to be major weaknesses that
would preclude reliance on the stated
procedure.
c. The time and costs of testing exceed the time
and costs in substantive testing if the tests of
controls show the controls to be operative.
d. The controls appear adequate.
Answer: D
6. Which of the following client electronic data
processing (EDP) systems generally can be
audited without examining or directly testing the
EDP computer programs of the system?
a. A system that performs relatively
uncomplicated processes and produces
detailed output.
b. A system that affects a number of essential
master files and produces a limited output.
c. A system that updates a few essential master
files and produces no printed output other than
final balances.
d. A system that performs relatively complicated
processing and produces very little detailed
output.
Answer: A
7. Misstatements in a batch computer system
caused by incorrect programs or data may not
be detected immediately because
a. Errors in some transactions may cause
rejection of other transactions in the batch.
b. The identification of errors in input data
typically is not part of the program.
c. There are time delays in processing
transactions in a batch system.
d. The processing of transactions in a batch
system is not uniform.
Answer: C
8. Which of the following best describes a
fundamental control weakness often associated
with electronic data processing systems?
a. EDP equipment is more subject to system error
than manual processing is subject to human error.
b. Monitoring is not an adequate substitute for
the use of test data.
c. EDP equipment processes and records similar
transactions in a similar manner.
d. Functions that would normally be separated in
a manual system are combined in the EDP
system like the function of programmers and
operators.
Answer: D
9. To obtain evidence that user identification and
password control procedures are functioning as
designed, an auditor would most likely
a. Attempt to sign on to the system using invalid
user identifications and passwords.
b. Write a computer program that simulates the
logic of the client's access control software.
c. Extract a random sample of processed
transactions and ensure that the transactions
were appropriately authorized.
d. Examine statements signed by employees
stating that they have not divulged their user
identifications and passwords to any other
person.
Answer: A
10. It is a computer program (a block of
executable code) that attaches itself to a
legitimate program or data file and uses it as a
transport mechanism to reproduce itself without
the knowledge of the user.
a. Virus
b. Utility program
c. System management program
d. Encryption
Answer: A
Techniques for Continuous Testing
1. Genesis, the auditor, sets an embedded audit
module to record all credit transactions in excess
of P100,000 and store the data in an audit log.
Genesis is using
a. An integrated test facility.
b. The snapshot technique.
c. A system control audit review file (SCARF).
d. Audit hooks.
Answer: C
2. Cordova, the auditor, sets an embedded
audit module to flag all credit transactions in
excess of P100,000. The flag causes the system
state to be recorded before and after each
transaction is processed. Cordova is using
a. An integrated test facility.
b. The snapshot technique.
c. A system control audit review file (SCARF).
d. Audit hooks
Answer: B
3. In an organization, Auditor wants to collect
evidence based on system user profiles; which
CAATT can be used by the auditor to achieve
the objective
a. CIS
b. Audit Hooks
c. Audit Trails
d. SCARF
Answer: D
4. What is the term for an embedded audit
facility in a computerized accounting system
that consists of program code or data provided
by an auditor? This designates certain files as
sensitive, logs transactions above a threshold
value to a special audit file, and restricts
alteration of that file to external auditors.
a. Integrated test facility
b. SCARF
c. Threshold logging
d. External audit trail
Answer: B
5. What auditing technique involves capturing
snapshot images of a transaction as it flows
through different processing stages in a
computer system? This allows auditors to
evaluate the various processes applied to the
data.
a. Integrated test facility
b. Transaction staging
c. Snapshot
d. Process tracking
Answer: C
Techniques for Review of Operating Systems and
other Systems
1. What auditing technique has an objective to
determine whether a client's computer program
can properly process transactions with both valid
and invalid conditions as they arise?
a. Compliance testing
b. Test data
c. Code inspection
d. Output review
Answer: B
2. In a test data, the auditor creates valid and
invalid test data to run through the client's system.
The auditor compares the actual output to
predetermined expected output. If the actual
output matches the expected, what can the
auditor conclude?
A) The program contains no logical errors
B) The output is accurately calculated
C) The program is reliable in handling different
conditions
D) There are adequate input controls
Answer: C
3. Test data technique involves an auditor
designing test data with valid and invalid
conditions to process through a client's computer
program. The objective is to evaluate the
effectiveness of internal controls in the program
to properly handle different conditions. The
auditor compares the program output to
predetermined expected results. What should
effective test data include?
a. Possible input errors only
b. Logical processes only
c. Irregularities only
d. Possible input errors, logical process, and
irregularity
Answer: D
4. When designing test data, there are several
approaches the auditor can use. Which of the
following is NOT a recommended approach?
A) Using living data and checking controls and
processing
B) Using dummy data in normal production
systems but not releasing output to live database
general ledger
C) Using dummy data in a special run on an
image copy of the database
D) Using dummy data in normal production and
allowing output to update the live database
general ledger
Answer: D
5. When designing test data for an integrated
test facility, auditors can utilize different
approaches. What is the term for an all-inclusive
set of test data meant to evaluate every possible
data and processing condition?
A) Sample data set
B) Comprehensive data set
C) Base case system evaluation (BCSE)
D) Integrated data set
Answer: C
6. What type of test data is used to perform an
electronic walk through of an application's
internal logic? This traces test data through all
processing steps and listings out all lines of code
executed.
a. Comprehensive data set
b. Base case system evaluation
c. Integrated data set
d. Tracing
Answer: D
7. What technique integrates the processing of
fictitious test data transactions with actual client
data transactions? This allows the auditor to
evaluate reliability without management's
awareness. Output related to the fake entities is
compared to predetermined results.
a. Test data
b. Integrated test facility (ITF)
c. Base case system evaluation (BCSE)
d. Process walkthrough
Answer: B
8. The following are advantages of using
Integrated test facility (ITF), except
a. Testing can be unscheduled and unknown to
other staff.
b. Economically tested without disrupting the
user's operations and without the intervention of
computer services personnel.
c. Supports continuous monitoring of controls.
d. The potential of corrupting data files with test c. Providing solutions for finance professionals
data that may end up in the financial reporting d. Focusing on tax authorities worldwide
process. Answer: B
Answer: D
5. How is the reporting format determined when
9. The following are some potential using Generalized Audit Software (GAS)?
disadvantages or limitations of using test data in a. Specified by the auditor
auditing computer systems, except b. Automatically generated by the software
a. It is expensive to construct and manually c. Randomly selected by the computer
predetermine output d. Not specified, left to the discretion of the
b. It only tests controls, not other areas software
c. Usually fairly simple to operate Answer: A
d. All of the above
Answer: C 6. How is the computer-assisted audit tool
commonly used in the audit process?
10. In an integrated test facility, the auditor a. Documenting audit evidence
creates fake entities or units in the client's live b. Identifying anomalies, errors, and omissions in
system and processes test data through them. data
What does the auditor then compare the output c. Creating custom storage media
for those dummy units to in order to evaluate the d. Developing on-the-fly audit techniques
system? Answer: B
a. Sample data output
b. Previous test data runs 7. What is Audit Command Language (ACL)?
c. Predetermined expected results a. A network security tool that performs
d. Other employee outputs penetration testing
Answer: C b. A data analysis software that can test 100% of
available data
Generalized Audit Softwares c. A database auditing tool that examines
1. What is the commonly used example of storage and access
generalized audit software? d. A scripting language for automating audit
a. CAAT procedures
b. IDEA Answer: B
c. COBIT
d. None of the above 8. What is Interactive Data Extraction and
Answer: A Analysis (IDEA) software used for in auditing?
a. Automating the extraction of data from
2. What is the primary purpose of audit databases and files for analysis
command language (ACL)? b. Reviewing network and system logs for security
a. Sample data for analysis issues
b. Remain current with changing technology c. Testing backup and recovery systems
c. Perform analysis and audit tests on 100% of d. Submitting audit reports to tax authorities
available data Answer: A
d. Identify potential fraud patterns through
random sampling 9. How does the Computer-Assisted Audit Tool
Answer: C (CAAT) assist IT Auditors in obtaining evidence?
a. By generating large quantities of data
3. Who are the main users of Interactive Data b. By maintaining application systems
Extraction & Analysis (IDEA)? c. By providing direct access to computerized
a. Only tax authorities records
b. Finance professionals d. By documenting evidence indirectly
c. Auditors and compliance professionals Answer: C
d. Industry practitioners and tax authorities
Answer: C 10. What type of software can auditors use to set
up parallel simulations?
4. In addition to audits, what is another significant a. Penetration testing tools
use of IDEA? b. Generalized audit software
a. Conducting random data analyses c. Network monitoring packages
b. Interrogating taxpayer transactions and d. IT operations analytics
system data Answer: B

Functions of GAS
1. Generalized audit software could not be used
for the following audit task
a. Test calculations and make computations
b. Evaluate control risk assessment
c, Summarize, re-consequence and reformat
data
d. Compare audit evidence from manual audit
procedures to company needs
Answer: B
2. The essential advantages of a generalized
audit software package would not include
a. Same software can be used in various client’s
computer systems
b. Large number of GAS packages are currently
available
c. Software packages are inexpensive
d. Ability to control and modify program to
auditor’s need Answer: C
3. The use of generalized audit software
package
a. Relieves an auditor of the typical tasks of
investigating exceptions, verifying sources of
information, and evaluating reports.
b. Is a major aid in retrieving information from
computerized files.
c. Overcomes the need for an auditor to learn
much about computers.
d. Is a form of auditing around the computer.
Answer: B
4. Test data, integrated test data and parallel
simulation each require an auditor to prepare
data and computer programs. CPAs who lack
either the technical expertise or time to prepare
programs should request from the manufacturers
or EDP consultants for
a. The program Code
b. Flowchart checks
c. Generalized audit software
d. Application controls Answer: C
5. Which of the following tasks could not be
performed when using a generalized audit
software package?
a. Selecting inventory items for observations.
b. Physical count of inventories.
c. Comparison of inventory test counts with
perpetual records.
d. Summarizing inventory turnover statistics for
obsolescence analysis.
Answer: B
6. Which of the following is not seen as an
advantage to using generalized audit software
(GAS)?
a. Auditors can learn the software in a short
period of time.
b. It can be applied to a variety of clients after
detailed customization.
c. It can be applied to a variety of clients with
minimal adjustments to the software.
d. It greatly accelerates audit testing over
manual procedures.
Answer: B
7. What is the primary function of GAS related to
file or database access?
a. Performing arithmetic calculations
b. Extracting data for further audit testing
c. Generating reports
d. Conducting statistical analysis
Answer: B
8. When is the function to compare data on
separate files useful?
a. Examining records for correctness
b. Preparing various documents and reports
c. Determining compatibility between
information on separate files
d. Supporting various types of audit sampling
Answer: C
9. Which of the following are common functions
Generalized Audit Software (GAS) can perform
to assist auditors?
a. Arithmetic calculations on transactions and
databases
b. Statistical analysis like audit sampling methods
c. Generate customized audit reports
d. All of the above
Answer: D
10. What is highlighted as a disadvantage of GAS
in terms of verifying programming logic?
a. Reduced risk by testing entire populations
b. High initial cost of development
c. Limited ability due to directed application to
client files
d. Involvement in auditing while data is being
processed
Answer: C
CAATTs (3RDYR)
Techniques for Program Analysis Parallel
Simulation
1. The following statements pertain to the audit
objective and scope for entities that uses
Computerized Information System.
I. The overall objective and scope of the audit
changes when the audit client employs
computers.
II. The auditors' evaluation of the entity's internal
controls as well as their substantive tests are
affected when the audit client employs
computerized information system.
A. Only statement I is correct
B. Only statement II is correct
C. Both statements are correct
D. Both statements are incorrect
Answer: B
2. Computer programs and data that the auditor
may use as part of the audit procedures to
process data of audit significance contained in
an entity's information system are called:
A. CAATs
B. DEERS
C. DOOGS
D. FUUDS
Answer: A
3. When forming necessary audit conclusions
regarding the impact of the computerized
accounting system on the audit client, the
auditor can:
A. Delegate its responsibility to the internal audit
team of the audit client so that the audit is done
efficiently.
B. Never delegate his responsibility.
C. Ignore the impact of the computerized
accounting system for as long as the financial
records are available.
D. All of the choices are incorrect.
Answer: B
4. An auditor most likely would test for the
presence of unauthorized computer program
changes by running a:
A. Black box approach
B. Validation check
C. Source code comparison program
D. Programs that compute the hash totals
Answer: C
5. An entity has recently converted its payroll
system from a manual processing to an online,
real-time processing system. Which is the most
probable result associated with the conversion to
the new computerized processing system?
A. Less segregation of traditional duties.
B. Increase in processing time.
C. Reduction of information risk.
D. Increase in processing errors.
Answer: A
6. Which of the following is not a common type of
white box approach?
A. Test data
B. Auditing around the computer
C. Integrated test facility
D. Parallel simulation
Answer: B
7. Which of the following statements is/are false?
Statement 1: The overall objectives and scope of
an audit do not change when an audit is
conducted in a computer information
technology (IT) environment.
Statement 2: CAATs may improve the
effectiveness and efficiency of auditing
procedures.
A. Statement 1
B. Statement 2
C. Both statements are correct
D. Both statements are incorrect
Answer: C
8. Which of the following is not one of the factors
to consider in using CAAT?
A. Degree of technical competence in CIS
B. Availability of CAATs
C. Impracticability of computerized tests
D. Timing of tests
Answer: C
9. Which of the following is not one of the
common applications of CAATs?
A. Testing large volumes of data accurately and
quickly
B. Testing automated controls such as
configuration parameters, or general IT controls
such as passwords
C. Testing transactions and balance calculations
D. Testing the printouts from the system which
could be incorrect
Answer: D
10. Which of the following statements is false?
Statement 1: In contrast to the test data and IFT
techniques which require the auditor to create
test inputs (data) and process these data using
the client’s computer program, parallel
simulation requires the auditor to write a program
that simulates key features of the program under
review.
Statement 2: Parallel simulation is then used to
reprocess transactions that were previously
processed by the auditor’s program, and
compares the results from the simulation.
Statement 3: If an entity’s control has been
operating efficiently, the client’s software should
generate the same expectations as the auditor’s
software.
Statement 4: Program tracing is a technique in
which the instruction executed is listed along with
control information affecting that instruction.
A. Statement 1
B. Statement 2
C. Statement 3
D. Statement 4
Answer: B
11. Which of the following statements is false?
Statement 1: Program analysis allows the auditor
to gain an understanding of the client’s program.
Statement 2: Parallel simulations are relatively
time-consuming and require a high level of
computer expertise. Hence, they are infrequently
used in financial statement audits.
A. Only statement I is incorrect
B. Only statement II is incorrect
C. Both statements are correct
D. Both statements are incorrect
Answer: B
12. Which of the following statements is/are false?
Statement 1: Snapshot involves actual analysis of
the logic of the program’s processing routines.
Statement 2: Comparison programs allow the
auditor to compare computerized files.
A. Statement 1
B. Statement 2
C. Both statements are correct
D. Both statements are incorrect
Answer: A
Techniques for Program Testing
13. It involves the application of auditing
procedures using the computer as an audit tool.
This includes computer programs and data the
auditor uses as part of the audit procedures to
process data of audit significance contained in
an entity's information systems.
A. Test data approach
B. Computer-assisted audit techniques
C. Generalized audit software
D. Auditing around the computer
ANSWER: B.
14. Which of the following best describes the test
data approach?
A. Auditors process their own data using the
client’s computer system and application
program.
B. Auditors process their own test data using their
own computers that simulate the client’s
computer system.
C. Auditors use auditor-controlled software to do
the same operations that the client’s software
does, using the same data files.
D. Auditors use client-controlled software to do
the same operations that the client’s software
does, using auditor created data files.
ANSWER: A.
15. When auditing a computerized system, an
auditor may use the test data approach as an
audit tool. This technique
A. Is more applicable to independent audits
than internal audits.
B. Involves introducing simulated transactions
into the client’s actual application programs.
C. Is a commonly used audit technique for
auditing around the computer.
D. Should not involve the actual application
programs the client uses throughout the year
since use of the actual programs would
contaminate the client’s accounting data.
ANSWER: A
16. An integrated text facility (ITF) would be
appropriate when the auditor needs to
A. Trace a complex logic path through an
application system.
B. Verify processing accuracy concurrently with
processing.
C. Monitor transactions in an application system
continuously.
D. Verify load module integrity for production
programs.
ANSWER: B.
17. A primary reason auditors are reluctant to use
an ITF is that it requires them to
A. Reserve specific master file records and
process them at regular intervals
B. Collect transaction and master file records in a
separate file
C. Notify user personnel so they can make
manual adjustments to output
D. Identify and reverse the fictitious entries to
avoid contamination of the master file
ANSWER: D.
18. TMSP Corporation has numerous customers. A
customer file is kept on disk storage. Each
account in the customer file contains name,
address, credit limit, and account balance. The
auditor wishes to test this file to determine
whether credit limits are being exceeded. The
best procedure for the auditor to follow would
be to:
A. Develop test data that would cause some
account balance to exceed the credit limit and
determine if the system properly detects such
situations.
B. Develop a program to compare credit limits
with account balance sand print out the details
of any account with a balance exceeding its
credit limit.
C. Require a printout of all account balances so
they can be manually checked against the
credit limits.
D. Request a printout of a sample of account
balance so they can be individually checked
against the credit limits.
ANSWER: B.

19. Which of the following is a disadvantage of
the integrated test facility approach?
A. In establishing fictitious entities, the auditor
may be compromising audit independence.
B. Removing the fictitious transactions from the
system is somewhat difficult and, if not done
carefully, may contaminate the client’s files.
C. ITF is simply an automated version of auditing
“around” the computer.
D. The auditor may not always have a current
copy of the authorized version of the client’s
program.
ANSWER: B.
20. Which of the following statements is not true
to the test data approach when testing a
computerized accounting system?
A. The test needs to consist of only those valid
and invalid conditions which interest the auditor.
B. Only one transaction of each type need be
tested.
C. The test date must consist of all possible valid
and invalid conditions.
D. Test data are processed by the client’s
computed programs under the auditor’s control.
ANSWER: C.
21. When an auditor test a computerized
accounting system, which if the following is true
of the test data approach?
A. Several transactions of each type must be
tested.
B. Test data must consist of all possible valid and
invalid conditions.
C. The program tested is different from the
program used throughout the year by the client.
D. Test data should include data that the client’s
system should accept or reject.
ANSWER: D.
22. Which of the following is NOT a common type
of white box approach?
A. Test data
B. Auditing around the computer
C. Integrated test facility
D. Parallel simulation
ANSWER: B.
23. An auditor used test data to verify the
existence of controls in a certain computer
program. Even though the program performed
well on the test, the auditor may still have a
concern that
A. The program tested is the same one used
in the regular production runs.
B. Generalized audit software may have been a
better tool to use.
C. Data entry procedures may change and
render the test useless.
D. The test data will not be relevant in
subsequent audit periods
ANSWER: A.
24. The test data method is used by auditors to
test the
25. A. Accuracy of the input data
B. Validity of the output
C. Procedures contained within the programs
D. Normalcy pf distribution of test data.
ANSWER: C.
Techniques for Continuous Testing
25. Snapshots help in continuous testing by
A. Automating data analysis
B. Identifying behavioral anomalies in users
C. Assess authenticity of processing
D. Generating compliance reports
Answer: C
26. The computer process whereby data
processing is performed concurrently with a
particular activity and the results are available
soon enough to influence the course of action
being taken or the decision being made is
called:
A. Random access sampling
B. On-line, real-time system
C. Integrated data processing
D. Batch processing system
Answer: B
27. Which of the following computer-assisted
audit techniques inserts an audit module in the
client’s application system to identify specific
types of transactions?
A. Parallel Simulation testing
B. Test Data approach
C. Embedded Audit Module
D. Generalized Audit Software testing
Answer: C
28. What does the auditor use to continuously
monitor the system and collect audit evidence
while live data are being processed?
A. Analysis of program logic
B. Concurrent auditing techniques
C. Test data processing
D. Micro-computer-aided auditing approach
Answer: B
29. Audit automation would least likely include
A. Expert systems
B. Tools to evaluate a client’s risk management
procedures
C. Corporate and financial modeling programs
for use as predictive audit tests
D. Manual working papers 35. Which of the following is not one of the three
Answer: D categories of testing strategies when auditing
through the computer?
30. Which statement is incorrect regarding A. Test data approach
CAATs? B. Parallel simulation
A. CAATs are often an efficient means of testing C. Pilot simulation
a large number of transactions or controls over D. Embedded audit module
large populations. Answer: C
B. To ensure appropriate control procedures,
the presence of the auditor is not necessarily 36. On-line real-time systems and electronic
required at the computer facility during the data interchange systems have the advantages
running of a CAAT. of providing more timely information and
C. The general principles outlined in PAPS 1009 reducing the quantity of documents
apply in small entity IT environments. associated with less automated systems. The
D. Where smaller volumes of data are advantages, however, may create some
processed, the use of CAATs is more cost problems for the auditor. Which of the following
effective. characteristics of these systems does not create
Answer: D an audit problem?
A. The lack of traditional documentation of
31. Which of the following is not an example transactions creates a need for greater
of a computer-assisted audit technique attention to programmed controls at the point
A. Disk operating systems of transaction input
B. Integrated test data B. Hard copy may not be retained by the client
C. Audit modules for long periods of time, thereby necessitating
D. Audit hooks more frequent visits by the auditor
Answer: A C. Control testing may be more difficult given
the increased vulnerability of the client's files to
32. Embedded audit modules are segments of destruction during the testing process
program code that D. Consistent on-line processing of recurring
A. perform audit functions data increases the incidence of error
B. store transaction data Answer: D
C. generate reports
D. all of the above Techniques for Review of Operating Systems and
Answer: D Other Systems
37. An integrated group of programs that
33. Continuous and Intermittent Simulation supports the applications and facilitates their
embeds an audit module in a access to specified resources is called a(n)
A. database management system A. Operating system
B. application system B. Database management system
C. transaction log C. Utility system
D. all of the above D. Facility system
Answer: A Answer: A.

34. Which of the following statements is false? 38. The following are microcomputer-based
A. Continuous testing can improve data quality access control packages except
but not significantly reduce the risk of fraud I. TRAQNET 2000
B. Continuous testing can lead to more efficient II. STOPLOCK IV
use of resources but may increase audit costs III. RACF
initially IV. ACF2
C. Continuous testing can reduce the workload A. I
of traditional auditors but not eliminate the need B. I and II
for their expertise C. II and III
D. Continuous testing can provide real-time D. III and IV
insights and proactive risk mitigation but not Answer: D.
significantly improve detection of past errors
Answer: A 39. Which of the following best describes system
software?
A. Systems software provides programmed
services that perform management and control
functions for the computer system as a whole.
B. Systems software provides programmed
operations and services that perform
management and control functions for the
computer system as a whole.
C. Systems software provides programmed
services that perform management, organization,
and control functions for the computer system as
a whole.
D. Systems software provides programmed and
secured services that perform management and
control functions for the computer system as a
whole.
Answer: A.
40. Which of the following statements is true?
A. The auditor may wish to review the structure of
the systems software in use throughout the
period under review to gain an understanding of
the operating (and thus the potential control)
environment represented by the encoded and
programmed systems.
B. Restricted access to systems-changing utilities
and privileged operations modes is not essential
at all.
C. Review of systems logs and scanning program
libraries for unexplained changes are not
computerized techniques.
D. Adequate segregation of duties between
systems programming and other elements of the
EDP (Electronic Data Processing) environment
(operations and application programming) is an
important protection against unauthorized
changes to the operating system.
Answer: D.
41. This can be used by the auditor as a software
tool to review operating systems' performance
and interrogate operating systems files and
libraries.
A. CA-EXAMINE
B. FOCUS
C. BASIC
D. SQL
Answer: A.
42. These monitoring programs retrieve and
analyze system parameters and control
information that allow the auditor to assess the
control functions incorporated within the
operating system, except
A. FOCUS
B. SAS
C. CA-EXAMINE
D. COBOL
Answer: D.
43. What is the widely used logging function
which is IBM’s log for the OS system?
A. Data Management Facility
B. Systems Management Facility
C. Electronic System Management Facility
D. Electronic Data Management System Facility
Answer: B.
44. Depending on the type of job accounting
software and how it is implemented at the
location under review, the auditor can?
I. review the reports produced by the client in
normal processing
II. use the software to generate special reports
directly
III. use the software to create a file of requested
utilization data that can be analyzed selectively
IV. use the software to produce consolidated
reports that will be used to evaluate client’s
control procedures
A. I only
B. I and II
C. I, II, and III
D. I, II, III, and IV
Answer: C.
45. Analysis of the job accounting files may be
aided by the use of the following except
A. generalized audit software
B. specific audit procedure software
C. specialized audit programs
D. additional software packages developed
specifically for this purpose
Answer: B.
46. Which of the following statements is true?
I.The operating systems provide routines to
manage, organize, control, and log the activities
for these libraries.
II. The ZAP utility is a project within an operating
system that can be used to change data or
programs directly, bypassing normal controls
over program or data file changes.
III. At a minimum, the library management
software should log all changes to programs,
program modules, and job control language.
A. Statement I only
B. Statement II only
C. Statement III only
D. None of the above
Answer: C.
47. What are the packages that provide
functions such as logging code changes and
maintaining copies of various versions of
programs?
A. JCL and ZAP utility
B. CA-Librarian and Pan Valet
C. SQL and C++
D. CA-Examine and SMF 52. What kind of samples can be selected from
Answer: B. data files using Generalized Audit Software (GAS)?
A. Stratified statistical samples
48. Which of the following statements is false? B. Non-representative samples
I.Access and security software supplements the C. Random samples only
physical security and control measures in use in D. Extreme value samples
an installation. Answer: A.
II.Access control and security software is
designed to restrict access to systems resources 53. Which of the following shows a correct flow of
to authorized personnel. using GAS in accessing complex file structure?
III. Most programmed access/security provisions A. Flat file → GAS → transaction list
depend on some form of password or user B. Database records → DBMS utility program →
identification, usually implemented on a GAS → Flat file → transaction list
nonhierarchic basis. C. Database records → DBMS utility program →
A. Statement I Flat file → GAS → transaction list
B. Statement II D. Database records → GAS → DBMS utility
C. Statement III program → Flat file → transaction list
D. None of the above Answer: C.
Answer: C.
54. Which of the following statements is true
Generalized Audit Software about the use of GAS in accessing simple
49. What is the most widely used CAATT for IS structures?
auditing? I.GAS selects the sample records from a flat file
A. Parallel simulation and prepares a report containing the needed
B. Generalized Audit Software information
C. Embedded Audit Module II.A flat file is produced by a database
D. Mainframe system management system utility features
Answer: B. III. Auditor determines selection criteria and key
fields to be retrieved by GAS from a flat file
50. Which of the following shows some common A. I only
uses for Generalized Audit Software (GAS)? B. I and II
I.Comparing multiple files and identifying any C. I and III
differences D. All of the above
II. Footing and balancing entire files or selected Answer: C.
data items
III. Printing confirmations in either standardized or 55. What is the primary problem for the auditor
special wording when using GAS to access complex structures?
IV.Selecting and reporting detailed data A. Not all GAS products on the market may be
contained in files capable of accessing every type of file structure
A. I, II B. Limited knowledge and experience of auditors
B. I, II, IV for accessing complex structure
C. I, II, III C. GAS languages are complex to use, thus it
D. All of the above require substantial computer background on the
Answer: D. part of the auditor
D. Dependence on the client’s computer service
51. The widespread popularity of GAS is due to staff for performing tests
the following factors, except: Answer: A.
A. GAS languages are easy to use and require
little computer background on the part of the 56. What is the best course of action might
auditor auditors take if the GAS they are using cannot
B. Many GAS products can be used on both access a complex file structure?
mainframe and PC systems A. Ignore the data and proceed with the audit
C. Auditors can perform their tests dependent of without it
the client’s computer service staff B. Appeal to systems professionals to write a
D. GAS can be used to audit the data stored in special program to convert the structure into a
most file structures and formats flat-file format
Answer: C. C. Request additional training on using GAS to
widen auditor’s computer background and
technical expertise
D. Both B and C
Answer: B.

57. In accessing an inventory flat file, the

following are the key information needed for the
audit that GAS can extract, except:
A. Warehouse employee salaries
B. Warehouse location
C. Quantity on hand
D. Dollar value
Answer: A.

58. An entity needs to extract data and integrate

in a hierarchical arrangement from its three
related files, namely: customer, sales invoice,
and line item. Which of the following is correct?
A. It eliminates the need for auditors to employ
flattening process
B. Alternative files should be used instead
C. There is no need to extract data from these
files
D. Extracting audit evidence using GAS may be
difficult
Answer: D.

59. Which of the following statements is/are

correct?
I. The auditor must never rely on computer
services personnel to produce a flat file from the
complex file structures.
II. Risk of data integrity should not be a concern
for an entity in the procedure of creating the flat
file.
A. I only
B. II only
C. Both I and II
D. None of the above
Answer: D.

60. In the creation of flat files, certain fraudulent

accounts in the complex structure may be
intentionally omitted making the samples drawn
unreliable. How can auditors avoid this risk?
A. Auditors can do nothing about it
B. Write their own data extraction routines
C. Outsource the task to third-party vendors
D. Conduct manual data entry for accuracy
assurance
Answer: B