AUDITING IN A COMPUTERIZED ENVIRONMENT
1. Which statement is incorrect when auditing in
a CIS environment?
a. A CIS environment exists when a
computer of any type or size is
involved in the processing by the entity
of financial information of significance
to the audit, whether that computer is
operated by the entity or by a third
party.
b. The auditor should consider how a
CIS environment affects the audit.
c. The use of a computer changes the
processing, storage and
communication of financial information
and may affect the accounting and
internal control systems employed by
the entity.
d. A CIS environment changes the
overall objective and scope of an
audit.
2. Which of the following standards or group of
standards is mostly affected by a
computerized information system
environment?
a. General standards
b. Reporting standards
c. Second standard of field work
d. Standards of fieldwork
3. Which of the following is least considered if
the auditor has to determine whether
specialized CIS skills are needed in an audit?
a. The auditor needs to obtain a
sufficient understanding of the
accounting and internal control system
affected by the CIS environment.
b. The auditor needs to determine the
effect of the CIS environment on the
assessment of overall risk and of risk
at the account balance and class of
transactions level.
c. Design and perform appropriate tests
of controls and substantive
procedures.
d. The need of the auditor to make
analytical procedures during the
completion stage of audit.
4. It relates to materiality of the financial
statement assertions affected by the
computer processing.
a. Threshold
b. Relevance
c. Complexity
0
0
d. Significance
5. Which of the following least likely indicates a
complexity of computer processing?
a. Transactions are exchanged
electronically with other organizations
without manual review of their
propriety.
b. The volume of the transactions is such
that users would find it difficult to
identify and correct errors in
processing.
c. The computer automatically generates
material transactions or entries directly
to another applications.
d. The system generates a daily
exception report
6. The nature of the risks and the internal
characteristics in CIS environment that the
auditors are mostly concerned include the
following except:
a. Lack of segregation of functions.
b. Lack of transaction trails.
c. Dependence of other control over
computer processing.
d. Cost-benefit ratio.
7. Which of the following is least likely a risk
characteristic associated with CIS
environment?
a. Errors embedded in an application’s
program logic maybe difficult to
manually detect on a timely basis.
b. Many control procedures that would
ordinarily be performed by separate
individuals in manual system maybe
concentrated in CIS.
c. The potential unauthorized access to
data or to alter them without visible
evidence maybe greater.
d. Initiation of changes in the master file
is exclusively handled by respective
users.
8. Which of the following significance and
complexity of the CIS activities should an
auditor least understand?
a. The organizational structure of the
client’s CIS activities.
b. Lack of transaction trails.
c. The significance and complexity of
computer processing in each
significant accounting application.
 d. The use of software packages instead
of customized software.
9. Which statement is correct regarding personal
computer systems?
a. Personal computers or PCs are
economical yet powerful self-
contained general purpose computers
consisting typically of a central
processing unit (CPU), memory,
monitor, disk drives, printer cables and
modems.
b. Programs and data are stored only on
non-removable storage media.
c. Personal computers cannot be used to
process accounting transactions and
produce reports that are essential to
the preparation of financial
statements.
d. Generally, CIS environments in which
personal computers are used are the
same with other CIS environments.
10. A personal computer can be used in various
configurations, including
a. A stand-alone workstation operated by
a single user or a number of users at
different times.
b. A workstation which is part of a local
area network of personal computers.
c. A workstation connected to a server.
d. All of the above.
11. Which statement is incorrect regarding
personal computer configurations?
a. The stand-alone workstation can be
operated by a single user or a number
of users at different times accessing
the same or different programs.
b. A stand-alone workstation may be
referred to as a distributed system.
c. A local area network is an
arrangement where two or more
personal computers are linked
together through the use of special
software and communication lines.
d. Personal computers can be linked to
servers and used as part of such
systems, for example, as an intelligent
on-line workstation or as part of a
distributed accounting system.
12. Which of the following is the least likely
characteristic of personal computers?
a. They are small enough to be
transportable.
0
0
b. They are relatively expensive.
c. They can be placed in operation
quickly.
d. The operating system software is less
comprehensive than that found in
larger computer environments.
13. Which of the following is an inherent
characteristic of software package?
a. They are typically used without
modifications of the programs.
b. The programs are tailored-made
according to the specific needs of the
user.
c. They are developed by software
manufacturer according to a particular
user’s specifications.
d. It takes a longer time of
implementation.
14. Which of the following is not normally a
removable storage media?
a. Compact disk
b. Tapes
c. Diskettes
d. Hard disk
15. It is a computer program (a block of
executable code) that attaches itself to a
legitimate program or data file and uses itself
as a transport mechanism to reproduce itself
without the knowledge of the user.
a. Virus
b. System management program
c. Utility program
d. Encryption
16. Which statement is incorrect regarding
internal control in personal computer
environment?
a. Generally, the CIS environment in
which personal computers are used is
less structured than a centrally-
controlled CIS environment.
b. Controls over the system
development process and operations
may not be viewed by the developer,
the user or management as being as
important or cost-effective.
c. In almost all commercially available
operating systems, the built-in security
provided has gradually increased over
the years.
d. In a typical personal computer
environment, the distinction between
general CIS controls and CIS
 application controls is easily
ascertained.
17. Personal computers are susceptible to theft,
physical damage, unauthorized access or
misuse of equipment. Which of the following
is least likely a physical security to restrict
access to personal computers when not in
use?
a. Using door locks or other security
protection during non-business hours.
b. Fastening the personal computer to a
table using security cables.
c. Locking the personal computer in a
protective cabinet or shell.
d. Using anti-virus software programs.
18. Which of the following is not likely a control
over removable storage media to prevent
misplacement, alteration without authorization
or destruction?
a. Using cryptography, which is the
process of transforming programs and
information into an unintelligible form.
b. Placing responsibility for such media
under personnel whose
responsibilities include duties of
software custodians or librarians.
c. Using a program and data file check-in
and check-out system and locking the
designated storage locations.
d. Keeping current copies of diskettes,
compact disks or back-up tapes and
hard disks in a fireproof container,
either on-site, off-site or both.
19. 19. Which of the following least likely protects
critical and sensitive information from
unauthorized access in a personal computer
environment?
a. Using secret file names and hiding the
files.
b. Keeping of back up copies offsite.
c. Employing passwords.
d. Segregating data into files organized
under separate file directories.
20. It refers to plans made by the entity to obtain
access to comparable hardware, software
and data in the event of their failure, loss or
destruction.
a. Back-up
b. Encryption
c. Anti-virus
d. Wide Area Network (WAN)
0
0
21. The effect of personal computers on the
accounting system and the associated risks
will least likely depend on
a. The extent to which the personal
computer is being used to process
accounting applications.
b. The type and significance of financial
transactions being processed.
c. The nature of files and programs
utilized in the applications.
d. The cost of personal computers.
22. The auditor may often assume that control
risk is high in personal computer systems
since, it may not be practicable or cost-
effective for management to implement
sufficient controls to reduce the risks of
undetected errors to a minimum level. This
least likely entail
a. More physical examination and
confirmation of assets.
b. More analytical procedures than tests
of details.
c. Larger sample sizes.
d. Greater use of computer-assisted
audit techniques, where appropriate.
23. Computer systems that enable users to
access data and programs directly through
workstations are referred to as
a. On-line computer systems
b. Personal computer systems
c. Database management systems
(DBMS)
d. Database systems
24. On-line systems allow users to initiate various
functions directly. Such functions include:
I. Entering transactions
II. Requesting reports
III. Making inquiries
IV. Updating master files
a. I, II, III and IV
b. I and II
c. I, II and III
d. I and IV
25. Many different types of workstations may be
used in on-line computer systems. The
functions performed by these workstations
least likely depend on their
a. Logic
b. Transmission
c. Storage
d. Cost
26. Types of workstations include General
Purpose Terminals and Special Purpose
Terminals. Special Purpose Terminals
include
a. Basic keyboard and monitor
b. Point of sale devices
c. Intelligent terminal
d. Personal computers
27. Special Purpose Terminal used to initiate,
validate, record, transmit and complete
various banking transactions
a. Automated teller machines
b. Intelligent terminal
c. Point of sale devices
d. Personal computers
28. Which statement is incorrect regarding
workstations?
a. Workstations may be located either
locally or at remote sites.
b. Local workstations are connected
directly to the computer through
cables.
c. Remote workstations require the use
of telecommunications to link them to
the computer.
d. Workstations cannot be used by many
users, for different purposes, in
different locations all at the same time.
29. On-line computer systems may be classified
according to
a. How information is entered into the
system.
b. How it is processed.
c. When the results are available to the
user.
d. All of the above.
30. In an on-line/real time processing system
a. Individual transactions are entered at
workstations, validated and used to
update related computer
immediately.
b. Individual transactions are entered at
a workstation, subjected to certain
validation checks and added to a
transaction file that contains other
transactions entered during the period.
c. Individual transactions immediately
update a memo file containing
information which has been extracted
from the most recent version of the
master file.
d. The master files are updated by other
systems.
0
31. It combines on-line/real time processing and
on-line/batch processing.
a. On-Line/Memo Update (and
Subsequent Processing)
b. On-Line Downloading/Uploading
Processing
c. On-Line/Inquiry
d. On-Line/Combined Processing
32. It is a communication system that enables
computer users to share computer
equipment, application software, data and
voice and video transmissions.
a. Network
b. File server
c. Host
d. Client
33. A type of network that multiple buildings are
close enough to create a campus, but the
space between the buildings is not under the
control of the company is
a. Local Area Network (LAN)
b. Metropolitan Area Network (MAN)
c. Wide Area Network (WAN)
d. World Wide Web (WWW)
34. Which of the following is least likely a
characteristic of Wide Area Network (WAN)?
a. Created to connect two or more
geographically separated LANs.
b. Typically involves one or more long-
distance providers, such as a
telephone company to provide the
connections.
c. WAN connections tend to be faster
than LAN.
d. Usually more expensive than LAN.
35. Gateway is
a. A hardware and software solution that
files enables communications between two
dissimilar networking systems or
protocols.
b. A device that forwards frames based
on destination addresses.
c. A device that connects and passes
packets between two network
segments that use the same
communication protocol.
d. A device that regenerates and
retransmits the signal on a network.
36. A device that works to control the flow of data
between two or more network segments
a. Bridge
0
 b. Router
c. Repeater
d. Switch
37. The undesirable characteristics of on-line
computer systems least likely include
a. Data are usually subjected to
immediate validation checks.
b. Unlimited access of users to all of the
functions in a particular application.
c. Possible lack of visible transaction
trail.
d. Potential programmer access to the
system.
38. Certain general CIS controls that are
particularly important to on-line processing
least likely include
a. Access controls.
b. System development and
maintenance controls.
c. Edit, reasonableness and other
validation tests.
d. Use of anti-virus software program.
39. Certain CIS application controls that are
particularly important to on-line processing
least likely include
a. Pre-processing authorization.
b. Transaction logs.
c. Cut-off procedures.
d. Balancing.
40. Risk of fraud or error in on-line systems may
be reduced in the following circumstances,
except
a. If on-line data entry is performed at or
near the point where transactions
originate, there is less risk that the
transactions will not be recorded.
b. If invalid transactions are corrected
and re-entered immediately, there is
less risk that such transactions will not
be corrected and re-submitted on a
timely basis.
c. If data entry is performed on-line by
individuals who understand the nature
of the transactions involved, the data
entry process may be less prone to
errors than when it is performed by
individuals unfamiliar with the nature
of the transactions.
0
0
d. On-line access to data and programs
through telecommunications may
provide greater opportunity for access
to data and programs by unauthorized
persons.
41. Risk of fraud or error in on-line computer
systems may be increased for the following
reasons, except
a. If workstations are located throughout
the entity, the opportunity for
unauthorized use of a workstation and
the entry of unauthorized transactions
may increase.
b. Workstations may provide the
opportunity for unauthorized uses
such as modification of previously
entered transactions or balances.
c. If on-line processing is interrupted for
any reason, for example, due to faulty
telecommunications, there may be a
greater chance that transactions or
files may be lost and that the recovery
may not be accurate and complete.
d. If transactions are processed
immediately on-line, there is less risk
that they will be processed in the
wrong accounting period.
42. 42. The following matters are of particular
importance to the auditor in an on-line
computer system, except
a. Authorization, completeness and
accuracy of on-line transactions.
b. Integrity of records and processing,
due to on-line access to the system by
many users and programmers.
c. Changes in the performance of audit
procedures including the use of
CAAT's.
d. Cost-benefit ratio of installing on-line
computer system.
43. A collection of data that is shared and used
by a number of different users for different
purposes.
a. Database
b. Information file
c. Master file
d. Transaction file

44. Which of the following is least likely a
characteristic of a database system?
a. Individual applications share the data
in the database for different purposes.
b. Separate data files are maintained for
each application and similar data used
by several applications may be
repeated on several different files.
c. A software facility is required to keep
track of the location of the data in the
database.
d. Coordination is usually performed by a
group of individuals whose
responsibility is typically referred to as
"database administration."
45. Database administration tasks typically
include
I. Defining the database structure.
II. Maintaining data integrity, security and
completeness.
III. Coordinating computer operations
related to the database.
IV. Monitoring system performance.
V. Providing administrative support.
a. All of the above
b. All except I
c. II and V only
d. II, III and V only
46. Due to data sharing, data independence and
other characteristics of database systems
a. General CIS controls normally have a
greater influence than CIS application
controls on database systems.
b. CIS application controls normally have
a greater influence than general CIS
controls on database systems.
c. General CIS controls normally have an
equal influence with CIS application
controls on database systems.
d. CIS application controls normally have
no influence on database systems.
47. Which statement is incorrect regarding the
general CIS controls of particular importance
in a database environment?
a. Since data are shared by many users,
control may be enhanced when a
standard approach is used for
developing each new application
program and for application program
modification.
0
0
b. Several data owners should be
assigned responsibility for defining
access and security rules, such as
who can use the data (access) and
what functions they can perform
(security).
c. User access to the database can be
restricted through the use of
passwords.
d. Responsibilities for performing the
various activities required to design,
implement and operate a database are
divided among technical, design,
administrative and user personnel.
48. These require a database administrator to
assign security attributes to data that cannot
be changed by database users.
a. Discretionary access controls
b. Name-dependent restrictions
c. Mandatory access controls
d. Content-dependent restrictions.
49. A discretionary access control wherein users
are permitted or denied access to data
resource depending on the time series of
accesses to and actions they have
undertaken on data resources.
a. Name-dependent restrictions
b. Context-dependent restriction
c. Content-dependent restriction
d. History-dependent restriction
50. The effect of a database system on the
accounting system and the associated risks
will least likely depend on:
a. The extent to which databases are
being used by accounting applications.
b. The type and significance of financial
transactions being processed.
c. The nature of the database, the
DBMS, the database administration
tasks and the applications.
d. The CIS application controls.
51. Audit procedures in a database environment
will be affected principally by
a. The extent to which the data in the
database are used by the accounting
system.
b. The type and significance of financial
transactions being processed.
 c. The nature of the database, the a. Manual and computer control
DBMS, the database administration procedures comprise the overall
tasks and the applications. controls affecting the CIS environment
d. The general CIS controls which are (general CIS controls) and the specific
particularly important in a database controls over the accounting
environment. applications (CIS application controls).
b. The purpose of general CIS controls is
52. Which statement is incorrect regarding the to establish a framework of overall
characteristics of a CIS organizational control over the CIS activities and to
structure? provide a reasonable level of
a. Certain data processing personnel assurance that the overall objectives
may be the only ones with a detailed of internal control are achieved.
knowledge of the interrelationship c. The purpose of CIS application
between the source of data, how it is controls is to establish specific control
processed and the distribution and use procedures over the application
of the output. systems in order to provide
b. Many conventional controls based on reasonable assurance that all
adequate segregation of incompatible transactions are authorized and
functions may not exist, or in the recorded, and are processed
absence of access and other controls, completely, accurately and on a timely
may be less effective. basis.
c. Transaction and master file data are
often concentrated, usually in
machine-readable form, either in one d. The internal controls over computer
computer installation located centrally processing, which help to achieve the
or in a number of installations overall objectives of internal control,
distributed throughout an entity. include only the procedures designed
d. Systems employing CIS methods do into computer programs.
not include manual operations since
the number of persons involved in the 56. General CIS controls may include, except:
processing of financial information is a. Organization and management
significantly reduced. controls.
b. Delivery and support controls.
53. System characteristics that may result from c. Development and maintenance
the nature of CIS processing include, except controls.
a. Absence of input documents. d. Controls over computer data files.
b. Lack of visible transaction trail.
c. Lack of visible output. 57. 57. CIS application controls include, except
d. Difficulty of access to data and a. Controls over input.
computer programs. b. Controls over processing and
computer data files.
54. The development of CIS will generally result c. Controls over output.
in design and procedural characteristics that d. Monitoring controls.
are different from those found in manual
systems. These different design and 58. Which statement is incorrect regarding the
procedural aspectsof CIS include, except: review of general CIS controls and CIS
a. Consistency of performance. application controls?
b. Programmed control procedures. a. The auditor should consider how these
c. Vulnerability of data and program general CIS controls affect the CIS
storage media applications significant to the audit.
d. Multiple transaction update of multiple b. General CIS controls that relate to
computer files or databases. some or all applications are typically
interdependent controls in that their
55. Which statement is incorrect regarding operation is often essential to the
internal controls in a CIS environment? effectiveness of CIS application
controls.

0
0
 c. Control over input, processing, data
files and output may be carried out by
CIS personnel, by users of the system,
by a separate control group, or may be
programmed into application software.
d. It may be more efficient to review the
design of the application controls
before reviewing the general controls.
59. Which statement is incorrect regarding the
evaluation of general CIS controls and CIS
application controls?
a. The general CIS controls may have a
pervasive effect on the processing of
transactions in application systems.
b. If general CIS controls are not
effective, there may be a risk that
misstatements might occur and go
undetected in the application systems.
c. Manual procedures exercised by users
may provide effective control at the
application level.
d. Weaknesses in general CIS controls
cannot preclude testing certain CIS
application controls.
60. The applications of auditing procedures using
the computer as an audit tool refer to
a. Integrated test facility
b. Auditing through the computer
c. Data-based management system
d. Computer assisted audit techniques
61. Which statement is incorrect regarding
CAATs?
a. CAATs are often an efficient means of
testing a large number of transactions
or controls over large populations.
b. To ensure appropriate control
procedures, the presence of the
auditor is not necessarily required at
the computer facility during the
running of a CAAT.
c. The general principles outlined in
PAPS 1009 apply in small entity IT
environments.
d. Where smaller volumes of data are
processed, the use of CAATs is more
cost effective.
62. Consists of generalized computer programs
designed to perform common audit tasks or
standardized data processing functions.
a. Package or generalized audit software
b. Utility programs
0
0
c. Customized or purpose-written
programs
d. System management programs
63. Audit automation least likely include
a. Expert systems.
b. Tools to evaluate a client’s risk
management procedures.
c. Manual working papers.
d. Corporate and financial modeling
programs for use as predictive audit
tests.
64. An internal auditor noted the following points
when conducting a preliminary survey in
connection with the audit of an EDP
department. Which of the following would be
considered a safeguard in the control system
on which the auditor might rely?
a. Programmers and computer operators
correct daily processing problems as
they arise.
b. The control group works with user
organizations to correct rejected input.
c. New systems are documented as
soon as possible after they begin
processing live data.
d. The average tenure of employees
working in the EDP department is ten
months.
65. An on-line access control that checks whether
the user’s code number is authorized to
initiate a specific type of transaction or inquiry
is referred to as
a. Password
b. Compatibility test
c. Limit check
d. Reasonableness test
66. A control procedure that could be used in an
on-line system to provide an immediate check
on whether an account number has been
entered on a terminal accurately is a
a. Compatibility test
b. Record count
c. Hash total
d. Self-checking digit
67. A control designed to catch errors at the point
of data entry is
a. Batch total
 b. Self-checking digit 72. Which one of the following represents a lack
c. Record count of internal control in a computer-based
d. Checkpoints information system?
a. The design and implementation is
68. Program documentation is a control designed performed in accordance with
primarily to ensure that management’s specific authorization.
a. Programmers have access to the tape b. Any and all changes in application
library or information on disk files. programs have the authorization and
b. Programs do not make mathematical approval of management.
errors. c. Provisions exist to protect data files
c. Programs are kept up to date and from unauthorized access,
perform as intended. modification, or destruction.
d. Data have been entered and d. Both computer operators and
processed. programmers have unlimited access to
the programs and data files.
69. Some of the more important controls that
relate to automated accounting information 73. In an automated payroll processing
systems are validity checks, limit checks, field environment, a department manager
checks, and sign tests. These are classified substituted the time card for a terminated
as employee with a time card for a fictitious
a. Control total validation routines employee. The fictitious employee had the
b. Output controls same pay rate and hours worked as the
c. Hash totaling terminated employee. The best control
d. Input validation routines technique to detect this action using
employee identification numbers would be a
70. Most of today’s computer systems have a. Batch total
hardware controls that are built in by the b. Hash total
computer manufacturer. Common hardware c. Record count
controls are d. Subsequent check
a. Duplicate circuitry, echo check, and
internal header labels 74. An employee in the receiving department
b. Tape file protection, cryptographic keyed in a shipment from a remote terminal
protection, and limit checks and inadvertently omitted the purchase order
c. Duplicate circuitry, echo check, and number. The best systems control to detect
dual reading this error would be
d. Duplicate circuitry, echo check, tape a. Batch total
file protection, and internal header b. Sequence check
labels c. Completeness test
d. Reasonableness test

75. The reporting of accounting information plays

71. Computer manufacturers are now installing
software programs permanently inside the
computer as part of its main memory to
provide protection from erasure or loss if there
is interrupted electrical power. This concept is
known as
a. File integrity
b. Random access memory (RAM)
c. Software control
d. Firmware
a central role in the regulation of business
operations. Preventive controls are an integral
part of virtually all accounting processing
systems, and much of the information
generated by the accounting system is used
for preventive control purposes. Which one of
the following is not an essential element of a
sound preventive control system?
a. Separation of responsibilities for the
recording, custodial, and authorization
functions.
b. Sound personnel policies.
c. Documentation of policies and
procedures.

0
0
 d. Implementation of state-of-the-art
software and hardware.
76. The most critical aspect regarding separation
of duties within information systems is
between
a. Project leaders and programmers
b. Programmers and systems analysts
c. Programmers and computer operators
d. Data control and file librarians
77. Whether or not a real time program contains
adequate controls is most effectively
determined by the use of
a. Audit software
b. A tracing routine
c. An integrated test facility
d. A traditional test deck
78. Compatibility tests are sometimes employed
to determine whether an acceptable user is
allowed to proceed. In order to perform
compatibility tests, the system must maintain
an access control matrix. The one item that is
not part of an access control matrix is a
a. List of all authorized user code
numbers and passwords.
b. List of all files maintained on the
system.
c. Record of the type of access to which
each user is entitled.
d. Limit on the number of transaction
inquiries that can be made by each
user in a specified time period.
79. Which one of the following input validation
routines is not likely to be appropriate in a real
time operation?
a. Field check
b. Sequence check
c. Sign check
d. Redundant data check
80. Which of the following controls is a processing
control designed to ensure the reliability and
accuracy of data processing?
Limit test Validity check test
a. Yes Yes
b. No No
c. No Yes
d. Yes No
81. Which of the following characteristics
distinguishes computer processing from
manual processing?
a. Computer processing virtually
eliminates the occurrence of
computational error normally
associated with manual processing.
b. Errors or irregularities in computer
processing will be detected soon after
their occurrences.
c. The potential for systematic error is
ordinarily greater in manual
processing than in computerized
processing.
d. Most computer systems are designed
so that transaction trails useful for
audit do not exist.
82. Which of the following most likely represents
a significant deficiency in the internal control
structure?
a. The systems analyst review
applications of data processing and
maintains systems documentation.
b. The systems programmer designs
systems for computerized applications
and maintains output controls.
c. The control clerk establishes control
over data received by the EDP
department and reconciles control
totals after processing
d. The accounts payable clerk prepares
data for computer processing and
enters the data into the computer.
83. Which of the following activities would most
likely be performed in the EDP Department?
a. Initiation of changes to master
records.
b. Conversion of information to machine-
readable form.
c. Correction of transactional errors.
d. Initiation of changes to existing
applications.
84. For control purposes, which of the following
should be organizationally segregated from
the computer operations function?
a. Data conversion
b. Systems development
c. Surveillance of CRT messages
d. Minor maintenance according to a
schedule
85. Which of the following is not a major reason
for maintaining an audit trail for a computer
system?
a. Deterrent to irregularities
b. Analytical procedures

0
0
 c. Monitoring purposes
d. Query answering
86. In an automated payroll system, all
employees in the finishing department were
paid the rate of P75 per hour when the
authorized rate was P70 per hour. Which of
the following controls would have been most
effective in preventing such an error?
a. Access controls which would restrict
the personnel department’s access to
the payroll master file data.
b. A review of all authorized pay rate
changes by the personnel department.
c. The use of batch control totals by
department.
d. A limit test that compares the pay
rates per department with the
maximum rate for all employees.
87. Which of the following errors would be
detected by batch controls?
a. A fictitious employee as added to the
processing of the weekly time cards by
the computer operator.
b. An employee who worked only 5 hours
in the week was paid for 50 hours.
c. The time card for one employee was
not processed because it was lost in
transit between the payroll department
and the data entry function.
d. All of the above.
88. The use of a header label in conjunction with
magnetic tape is most likely to prevent errors
by the
a. Computer operator
b. Computer programmer
c. Keypunch operator
d. Maintenance technician
89. For the accounting system of ACME
Company, the amounts of cash
disbursements entered into an EDP terminal
are transmitted to the computer that
immediately transmits the amounts back to
the terminal for display on the terminal
screen. This display enables the operator to
a. Establish the validity of the account
number
b. Verify the amount was entered
accurately
c. Verify the authorization of the
disbursements
d. Prevent the overpayment of the
account
0
0
90. When EDP programs or files can be accessed
from terminals, users should be required to
enter a(an)
a. Parity check
b. Self-diagnostic test
c. Personal identification code
d. Echo check
91. The possibility of erasing a large amount of
information stored on magnetic tape most
likely would be reduced by the use of
a. File protection ring
b. Completeness tests
c. Check digits
d. Conversion verification
92. Which of the following controls most likely
would assure that an entity can reconstruct its
financial records?
a. Hardware controls are built into the
computer by the computer
manufacturer.
b. Backup diskettes or tapes of files are
stored away from originals.
c. Personnel who are independent of
data input perform parallel simulations.
d. System flowcharts provide accurate
descriptions of input and output
operations.
93. Mill Co. uses a batch processing method to
process its sales transactions. Data on Mill’s
sales transaction tape are electronically
sorted by customer number and are subject to
programmed edit checks in preparing its
invoices, sales journals, and updated
customer account balances. One of the direct
outputs of the creation of this tape most likely
would be a
a. Report showing exceptions and
control totals.
b. Printout of the updated inventory
records.
c. Report showing overdue accounts
receivable.
d. Printout of the sales price master file.
94. Using microcomputers in auditing may affect
the methods used to review the work of staff
assistants because
a. The audit field work standards for
supervision may differ.
b. Documenting the supervisory review
may require assistance of consulting
services personnel.

c. Supervisory personnel may not have
an understanding of the capabilities
and limitations of microcomputers.
d. Working paper documentation may not
contain readily observable details of
calculations.
95. An auditor anticipates assessing control risk
at a low level in a computerized environment.
Under these circumstances, on which of the
following procedures would the auditor initially
focus?
a. Programmed control procedures
b. Output control procedures
c. Application control procedures
d. General control procedures
96. After the preliminary phase of the review of a
client’s EDP controls, an auditor may decide
not to perform tests of controls (compliance
tests) related to the control procedures within
the EDP portion of the client’s internal control
structure. Which of the following would not be
a valid reason for choosing to omit such
tests?
a. The controls duplicate operative
controls existing elsewhere in the
structure.
b. There appear to be major weaknesses
that would preclude reliance on the
stated procedure.
c. The time and costs of testing exceed
the time and costs in substantive
testing if the tests of controls show the
controls to be operative.
d. The controls appear adequate.
97. Which of the following client electronic data
processing (EDP) systems generally can be
audited without examining or directly testing
the EDP computer programs of the system?
a. A system that performs relatively
uncomplicated processes and
produces detailed output.
b. A system that affects a number of
essential master files and produces a
limited output.
c. A system that updates a few essential
master files and produces no printed
output other than final balances.
d. A system that performs relatively
complicated processing and produces
very little detailed output.
0
0
98. Computer systems are typically supported by
a variety of utility software packages that are
important to an auditor because they
a. May enable unauthorized changes to
data files if not properly controlled.
b. Are very versatile programs that can
be used on hardware of many
manufacturers.
c. May be significant components of a
client’s application programs.
d. Are written specifically to enable
auditors to extract and sort data.
99. To obtain evidence that online access
controls are properly functioning, an auditor
most likely would
a. Create checkpoints at periodic
intervals after live data processing to
test for unauthorized use of the
system.
b. Examine the transaction log to
discover whether any transactions
were lost or entered twice due to a
system malfunction
c. Enter invalid identification numbers or
passwords to ascertain whether the
system rejects them.
d. Vouch a random sample of processed
transactions to assure proper
authorization
100. Which of the following statements
most likely represents a disadvantage for an
entity that keeps microcomputer-prepared
data files rather than manually prepared files?
a. Attention is focused on the accuracy of
the programming process rather than
errors in individual transactions.
b. It is usually easier for unauthorized
persons to access and alter the files.
c. Random error associated with
processing similar transactions in
different ways is usually greater.
d. It is usually more difficult to compare
recorded accountability with physical
count of assets.
101. An auditor would least likely use
computer software to
a. Access client data files
b. Assess EDP controls
c. Prepare spreadsheets
d. Construct parallel simulations
102. A primary advantage of using
generalized audit software packages to audit
 the financial statements of a client that uses
an EDP system is that the auditor may
a. Consider increasing the use of
substantive tests of transactions in
place of analytical procedures.
b. Substantiate the accuracy of data
through self-checking digits and hash
totals.
c. Reduce the level of required tests of
controls to a relatively small amount.
d. Access information stored on
computer files while having a limited
understanding of the client’s hardware
and software features.
103. Auditors often make use of computer
programs that perform routine processing
functions such as sorting and merging. These
programs are made available by electronic
data processing companies and others and
are specifically referred to as
a. Compiler programs
b. Utility programs
c. Supervisory programs
d. User programs
104. Smith Corporation has numerous
customers. A customer file is kept on disk
storage. Each customer file contains name,
address, credit limit, and account balance.
The auditor wishes to test this file to
determine whether the credit limits are being
exceeded. The best procedure for the auditor
to follow would be to
a. Develop test data that would cause
some account balances to exceed the
credit limit and determine if the system
properly detects such situations.
b. Develop a program to compare credit
limits with account balances and print
out the details of any account with a
balance exceeding its credit limit.
c. Request a printout of all account
balances so they can be manually
checked against the credit limits.
d. Request a printout of a sample of
account balances so they can be
individually checked against the credit
limits.
105. The use of generalized audit software
package
a. Relieves an auditor of the typical tasks
of investigating exceptions, verifying
sources of information, and evaluating
reports.
0
0
b. Is a major aid in retrieving information
from computerized files.
c. Overcomes the need for an auditor to
learn much about computers.
d. Is a form of auditing around the
computer.
106. An auditor used test data to verify the
existence of controls in a certain computer
program. Even though the program performed
well on the test, the auditor may still have a
concern that
a. The program tested is the same one
used in the regular production runs.
b. Generalized audit software may have
been a better tool to use.
c. Data entry procedures may change
and render the test useless.
d. The test data will not be relevant in
subsequent audit periods.
107. An auditor most likely would introduce
test data into a computerized payroll system
to test internal controls related to the
a. Existence of unclaimed payroll checks
held by supervisors.
b. Early cashing of payroll checks by
employees.
c. Discovery of invalid employee I.D.
numbers.
d. Proper approval of overtime by
supervisors.
108. When an auditor tests a computerized
accounting system, which of the following is
true of the test data approach?
a. Test data must consist of all possible
valid and invalid conditions.
b. The program tested is different from
the program used throughout the year
by the client.
c. Several transactions of each type
must be tested.
d. Test data are processed by the client’s
computer programs under the
auditor’s control.
109. Which of the following statements is
not true to the test data approach when
testing a computerized accounting system?
a. The test need consist of only those
valid and invalid conditions which
interest the auditor
b. Only one transaction of each type
need be tested.
 c. The test data must consist of all
possible valid and invalid conditions.
d. Test data are processed by the client’s
computer programs under the
auditor’s control.
110. Which of the following is not among
the errors that an auditor might include in the
test data when auditing a client’s EDP
system?
a. Numeric characters in alphanumeric
fields.
b. Authorized code.
c. Differences in description of units of
measure.
d. Illogical entries in fields whose logic is
tested by programmed consistency
checks.
111. An auditor who is testing EDP controls
in a payroll system would most likely use test
data that contain conditions such as
a. Deductions not authorized by
employees.
b. Overtime not approved by supervisors.
c. Time tickets with invalid job numbers.
d. Payroll checks with unauthorized
signatures.
112. Auditing by testing the input and
output of an EDP system instead of the
computer program itself will
a. Not detect program errors which do
not show up in the output sampled.
b. Detect all program errors, regardless
of the nature of the output.
c. Provide the auditor with the same type
of evidence.
d. Not provide the auditor with
confidence in the results of the
auditing procedures.
113. Which of the following computer-
assisted auditing techniques allows fictitious
and real transactions to be processed
together without client operating personnel
being aware of the testing process?
a. Integrated test facility
b. Parallel simulation
c. Input controls matrix
d. Data entry monitor
114. Which of the following methods of
testing application controls utilizes a
generalized audit software package prepared
by the auditors?
0
0
a. Parallel simulation
b. Test data approach
c. Integrated testing facility approach
d. Exception report tests
115. Misstatements in a batch computer
system caused by incorrect programs or data
may not be detected immediately because
a. Errors in some transactions may
cause rejection of other transactions in
the batch.
b. The identification of errors in input
data typically is not part of the
program.
c. There are time delays in processing
transactions in a batch system.
d. The processing of transactions in a
batch system is not uniform.
116. Which of the following is not a
characteristic of a batch processed computer
system?
a. The collection of like transactions
which are sorted and processed
sequentially against a master file.
b. Keypunching of transactions, followed
by machine processing.
c. The production of numerous printouts.
d. The posting of a transaction, as it
occurs, to several files, without
immediate printouts.
117. Where disk files are used, the
grandfather-father-son updating backup
concept is relatively
118. difficult to implement because the
a. Location of information points on disks
is an extremely time consuming task.
b. Magnetic fields and other
environmental factors cause off-site
storage to be impractical.
c. Information must be dumped in the
form of hard copy if it is to be reviewed
before used in
d. Process of updating old records is
destructive.
119. An auditor would most likely be
concerned with which of the following controls
in a distributed data processing system?
a. Hardware controls
b. Access controls
c. Systems documentation controls
d. Disaster recovery controls
120. If a control total were computed on
each of the following data items, which would
best be identified as a hash total for a payroll
EDP application?
a. Total debits and total credits
b. Department numbers
c. Net pay
d. Hours worked
121. Which of the following is a computer
test made to ascertain whether a given
characteristic belongs to the group?
a. Parity check
b. Echo check
c. Validity check
d. Limit check
122. A control feature in an electronic data
processing system requires the central
processing unit (CPU) to send signals to the
printer to activate the print mechanism for
each character. The print mechanism, just
prior to printing, sends a signal back to the
CPU verifying that the proper print position
has been activated. This type of hardware
control is referred to as
a. Echo check
b. Signal control
c. Validity control
d. Check digit control
123. Which of the following is an example
of a check digit?
a. An agreement of the total number of
employees to the total number of
checks printed by the computer.
b. An algebraically determined number
produced by the other digits of the
employee number
c. A logic test that ensures all employee
numbers are nine digits.
d. A limit check that an employee’s hours
do not exceed 50 hours per work
week.
124. In a computerized system, procedure
or problem-oriented language is converted to
machine language through a(an)
a. Interpreter
b. Verifier
c. Compiler
d. Converter
125. A customer erroneously ordered Item
No. 86321 rather than item No. 83621. When
this order is processed, the vendor’s EDP
0
0
department would identify the error with what
type of control?
a. Key verifying
b. Batch total
c. Self-checking digit
d. Item inspection
126. The computer process whereby data
processing is performed concurrently with a
particular activity and the results are available
soon enough to influence the course of action
being taken or the decision being made is
called:
a. Random access sampling
b. On-line, real-time system
c. Integrated data processing
d. Batch processing system
127. Internal control is ineffective when
computer department personnel
a. Participate in computer software
acquisition decisions.
b. Design documentation for
computerized systems.
c. Originate changes in master file.
d. Provide physical security for program
files.
128. Test data, integrated test data and
parallel simulation each require an auditor to
prepare data and computer programs. CPAs
who lack either the technical expertise or time
to prepare programs should request from the
manufacturers or EDP consultants for
a. The program Code
b. Generalized audit software
c. Flowchart checks
d. Application controls
129. Which of the following best describes
a fundamental control weakness often
associated with electronic data processing
system?
a. EDP equipment is more subject to
system error than manual processing
is subject to human error.
b. Monitoring is not an adequate
substitute for the use of test data.
c. EDP equipment processes and
records similar transactions in a
similar manner.
d. Functions that would normally be
separated in a manual system are
combined in the EDP system like the
function of programmers and
operators.

130. Which of the following tasks could not
be performed when using a generalized audit
software package?
a. Selecting inventory items
observations.
b. Physical count of inventories.
c. Comparison of inventory test counts
with perpetual records.
d. Summarizing inventory turnover
statistics for obsolescence analysis.
131. All of the following are <auditing
through the computer= techniques except
a. Reviewing source code
b. Automated tracking and mapping
c. Test-decking
d. Integrated test facility
132. The output of a parallel simulation
should always be
a. Printed on a report.
b. Compared with actual results
manually.
c. Compared with actual results using a
comparison program.
d. Reconciled to actual processing
output.
133. Generalized audit software is a
computer-assisted audit technique. It is one of
the widely used technique for auditing
computer application systems. Generalized
audit software is most often used to
a. Verify computer processing.
b. Process data fields under the control
of the operation manager.
c. Independently analyze data files.
d. Both a and b.
134. From an audit viewpoint, which of the
following represents a potential disadvantage
associated with the widespread use of
microcomputers?
a. Their portability.
b. Their ease of access by novice users.
c. Their easily developed programs using
spreadsheets which do not have to be
documented.
d. All of the above.
135. Which of the following functions would
have the least effect on an audit if it was not
properly segregated?
0
a. The systems analyst and the
programmer functions.
b. The computer operator and
programmer functions.
for c. The computer operator and the user
functions.
d. The applications programmer and the
systems programmer.
136. To obtain evidence that user
identification and password control
procedures are functioning as designed, an
auditor would most likely
a. Attempt to sign on to the system using
invalid user identifications and
passwords.
b. Write a computer program that
simulates the logic of the client’s
access control software.
c. Extract a random sample of processed
transactions and ensure that the
transactions were appropriately
authorized. Examine statements
signed by employees stating that they
have not divulged their user
identifications and passwords to any
other person.
137. In considering a client's internal
control structure in a computer environment,
the auditor will encounter general controls
and application controls. Which of the
following is an application control?
a. Organization charts.
b. Hash total.
c. Systems flowcharts.
d. Control over program changes
138. Auditing by testing the input and
output of a computer system--i.e., auditing
"around" the computer--instead of the
computer software itself will
a. Not detect program errors that do not
appear in the output sampled.
b. Detect all program errors, regardless
of the nature of the output.
c. Provide the auditor with the same type
of evidence.
d. Not provide the auditor with
confidence in the results of the
auditing procedures.
139. Smith Corporation has numerous
customers. A customer file is kept on disk.
Each customer file contains the name,
address, credit limit, and account balance.
0
 The auditor wishes to test this file to
determine whether credit limits are being
exceeded. The best procedure for the auditor
to follow would be to
a. Develop test data that would cause
some account balances to exceed the
credit limit and determine if the system
properly detects such situations.
b. Develop a program to compare credit
limits with account balances and print
out the details of any account with a
balance exceeding its credit limit.
c. Request a printout of all account
balances so they can be manually
checked against the credit limits.
d. Request a printout of a sample of
account balances so they can be
individually checked against the credit
limits.
140. Which of the following methods of
testing application controls utilizes software
prepared by the auditors and applied to the
client's data?
a. Parallel simulation.
b. Integrated test facility.
c. Test data.
d. Exception report tests.
141. The test–data method is used by
auditors to test the
a. Accuracy of input data.
b. Validity of the output.
c. Procedures contained within the
program.
d. Normalcy of distribution of test data.
142. Which of the following is true of
generalized audit software?
a. They can be used only in auditing on-
line computer systems.
b. They can be used on any computer
without modification.
c. They each have their own
characteristics, which the auditor must
carefully consider before using in a
given audit situation.
d. They enable the auditor to perform all
manual compliance test procedures
less expensively.
143. Assume that an auditor estimated that
10,000 checks were issued during the
accounting period. If an application control
that performs a limit check for each check
request is to be subjected to the auditor's
0
0
test–data approach, the sample should
include:
a. Approximately 1,000 test items.
b. A number of test items determined by
the auditor to be sufficient under the
circumstances.
c. A number of test items determined by
the auditor's reference to the
appropriate sampling tables.
d. One transaction.
144. PC DOS, MS DOS, and AppleDOS
are examples of
a. Application software.
b. Generalized audit software.
c. Database management systems.
d. Operating software.
145. Which of the following is not an
example of a computer-assisted audit
technique?
a. Integrated test data.
b. Audit modules.
c. Disk operating systems.
d. Audit hooks.
146. Which of the following statements
most likely represents a disadvantage for an
entity that maintains computer data files
rather than manual files?
a. It's usually more difficult to detect
transposition errors.
b. Transactions are usually authorized
before they are executed and
recorded.
c. It's usually easier for unauthorized
persons to access and alter the files.
d. Random error is more common when
similar transactions are processed in
different ways.
147. Which of the following statements best
describes a weakness often associated with
computers?
a. Computer equipment is more subject
to systems error than manual
processing is subject to human error.
b. Computer equipment processes and
records similar transactions in a
similar manner.
c. Control activities for detecting invalid
and unusual transactions are less
effective than manual control activities.
d. Functions that would normally be
separated in a manual system are
combined in a computer system.

148. Accounting functions that are normally
considered incompatible in a manual system
are often combined by computer software.
This necessitates an application control that
prevents unapproved
a. Access to the computer library.
b. Revisions to existing software.
c. Usage of software.
d. Testing of modified software.
149. When software or files can be
accessed from on-line servers, users should
be required to enter
a. A parity check.
b. A personal identification code.
c. A self-diagnosis test.
d. An echo check.
150. An auditor's consideration of a
company's computer control activities has
disclosed the following four circumstances.
Indicate which circumstance constitutes a
significant deficiency in internal control.
a. Computer operators do not have
access to the complete software
support documentation.
b. Computer operators are closely
supervised by programmers.
c. Programmers are not authorized to
operate computers.
d. Only one generation of backup files is
stored in an off-premises location.
151. In a computer system, hardware
controls are designed to
a. Arrange data in a logical sequence for
processing.
b. Correct errors in software.
c. Monitor and detect errors in source
documents.
d. Detect and control errors arising from
use of equipment.
152. In the weekly computer run to prepare
payroll checks, a check was printed for an
employee who had been terminated the
previous week. Which of the following
controls, if properly utilized, would
have been most effective in preventing the
error or ensuring its prompt detection?
a. A control total for hours worked,
prepared from time cards collected by
the timekeeping department.
b. Requiring the treasurer's office to
account for the number of the pre-
0
0
numbered checks issued to the CBIS
department for the processing of the
payroll
c. Use of a check digit for employee
numbers
d. Use of a header label for the payroll
input sheet
153. An auditor is preparing test data for
use in the audit of a computer based
accounts receivable application. Which of the
following items would be appropriate to
include as an item in the test data?
a. A transaction record which contains an
incorrect master file control total
b. A master file record which contains an
invalid customer identification number
c. A master file record which contains an
incorrect master file control total
d. A transaction record which contains an
invalid customer identification number.
154. Unauthorized alteration of on-line
records can be prevented by employing:
a. Key verification
b. Computer sequence checks
c. Computer matching
d. Data base access controls
155. In auditing through a computer, the
test data method is used by auditors to
test the
a. Accuracy of input data
b. Validity of the output
c. Procedures contained within the
program
d. Normalcy of distribution of test data.
156. In the preliminary survey the auditor
learns that a department has several
microcomputers. Which of the following is
usually true and should be considered in
planning the audit?
a. Microcomputers, though small, are
capable of processing financial
information, and physical security is a
control concern
b. Microcomputers are limited to
applications such as worksheet
generation and do not present a
significant audit risk
c. Microcomputers are generally under
the control of the data processing
department and use the same control
features
 d. Microcomputers are too small to
contain any built-in control features.
Therefore, other controls must be
relied upon.
157. The primary reason for internal
auditing's involvement in the development of
new computer-based sysstems is to:
a. Plan post-implementation reviews
b. Promote adequate controls
c. Train auditors in CBIS techniques
d. Reduce overall audit effort.
158. Which of the following is an advantage
of generalized computer audit packages?
a. They are all written in one identical
computer language
b. They can be used for audits of clients
that use differing CBIS equipment and
file formats
c. They have reduced the need for the
auditor to study input controls for CBIS
related procedures
d. Their use can be substituted for a
relatively large part of the required
control testing
159. Processing simulated file data
provides the auditor with information about
the reliability of controls from evidence that
exists in simulated files. One of the
techniques involved in this approach makes
use of
a. Controlled reprocessing
b. Program code checking
c. Printout reviews
d. Integrated test facility
160. Which of the following statements
most likely represents a disadvantage for an
entity that keeps microcomputer-prepared
data files rather than manually prepared files?
a. It is usually more difficult to detect
transposition errors
b. Transactions are usually authorized
before they are executed and
recorded
c. It is usually easier for unauthorized
persons to access and alter the files
d. Random error associated with
processing similar transactions in
different ways is usually greater
161. The possibility of losing a large
amount of information stored in computer files
most likely would be reduced by the use of
a. Back-up files
0
0
b. Check digits
c. Completeness tests
d. Conversion verification
162. An integrated test facility (ITF) would
be appropriate when the auditor needs to
a. Trace a complex logic path through an
application system
b. Verify processing accuracy
concurrently with processing
c. Monitor transactions in an application
system continuously
d. Verify load module integrity for
production programs
163. Where computer processing is used in
significant accounting applications, internal
accounting control procedures may be
defined by classifying control procedures into
two types: general and
a. Administrative
b. Specific
c. Application
d. Authorization
164. The increased presence of the
microcomputer in the workplace has resulted
in an increasing number of persons having
access to the computer. A control that is
often used to prevent unauthorized access to
sensitive programs is:
a. Backup copies of the diskettes
b. Passwords for each of the users
c. Disaster-recovery procedures
d. Record counts of the number of input
transactions in a batch being
processed
165. Checklists, systems development
methodology, and staff hiring are examples of
what type of controls?
a. Detective
b. Preventive
c. Subjective
d. Corrective
166. When an on-line, real-time (OLRT)
computer-based processing system is in use,
internal control can be strengthened by
a. Providing for the separation of duties
between keypunching and error listing
operations
b. Attaching plastic file protection rings to
reels of magnetic tape before new
data can be entered on the file
 c. Making a validity check of an
identification number before a user
can obtain access to the computer
files
d. Preparing batch totals to provide
assurance that file updates are made
for the entire input
167. When auditing "around" the computer,
the independent auditor focuses solely upon
the source documents and
a. Test data
b. CBIS processing
c. Control techniques
d. CBIS output
168. One of the features that distinguishes
computer processing from manual processing
is
a. Computer processing virtually
eliminates the occurrence
computational error normally
associated with manual processing
b. Errors or fraud in computer processing
will be detected soon after their
occurrences
c. The potential for systematic error is
ordinarily greater in manual
processing than in computerized
processing
d. Most computer systems are designed
so that transaction trails useful for
audit purposes do not exist
169. Given the increasing use
microcomputers as a means for accessing
data bases, along with on-line real-time
processing, companies face a serious
challenge relating to data security. Which of
the following is not an appropriate means for
meeting this challenge?
a. Institute a policy of strict identification
and password controls housed in the
computer software that permit only
specified individuals to access the
computer files and perform a given
function.
b. Limit terminals to perform only certain
transactions.
c. Program software to produce a log of
transactions showing date, time, type
of transaction, and operator.
d. Prohibit the networking
microcomputers and do not permit
users to access centralized data
bases.
0
170. What type of computer-based system
is characterized by data that are assembled
from more than one location and records that
are updated immediately?
a. Microcomputer system
b. Minicomputer system
c. Batch processing system
d. Online real-time system
171. Company A has recently converted its
manual payroll to a computer-based system.
Under the old system, employees who had
resigned or been terminated were
occasionally kept on the payroll and their
checks were claimed and cashed by other
employees, in collusion with shop foremen.
The controller is concerned that this practice
not be allowed to continue under the new
system. The best control for preventing this
of form of "payroll padding" would be to
a. Conduct exit interviews with all
employees leaving the company,
regardless of reason.
b. Require foremen to obtain a signed
receipt from each employee claiming a
payroll check.
c. Require the human resources
department to authorize all hires and
terminations, and to forward a current
computerized list of active employee
numbers to payroll prior to processing.
Program the computer to reject
inactive employee numbers.
of d. Install time clocks for use by all hourly
employees.
172. Compared to a manual system, a
CBIS generally
1) Reduces segregation of duties
2) Increases segregation of duties
3) Decreases manual inspection of
processing results
4) Increases manual inspection of
processing results.
a. 1 and 3
b. 1 and 4
c. 2 and 3
d. 2 and 4
173. One of the major problems in a CBIS
is that incompatible functions may be
performed by the same individual. One
of compensating control for this is the use of
a. Echo checks
b. A self-checking digit system
c. Computer generated hash totals
0
 d. A computer log
174. Which of the following processing
controls would be most effective in assisting a
store manager to ascertain whether the
payroll transaction data were processed in
their entirety?
a. Payroll file header record
b. Transaction identification codes
c. Processing control totals
d. Programmed exception reporting
175. An organizational control over CBIS
operations is
a. Run-to-run balancing of control totals
b. Check digit verification of unique
identifiers
c. Separation of operating and
programming functions
d. Maintenance of output distribution logs
176. Which of the following methods of
testing application controls utilizes a
generalized audit software package prepared
by the auditors?
a. Parallel simulation
b. Integrated testing facility approach
c. Test data approach
d. Exception report tests
177. An unauthorized employee took
computer printouts from output bins
accessible to all employees. A control which
would have prevented this occurrence is
a. A storage/retention control
b. A spooler file control
c. An output review control
d. A report distribution control
178. Which of the following is a
disadvantage of the integrated test facility
approach?
a. In establishing fictitious entities, the
auditor may be compromising audit
independence.
b. Removing the fictitious transactions
from the system is somewhat difficult
and, if not done carefully, may
contaminate the client's files.
c. ITF is simply an automated version of
auditing "around" the computer.
d. The auditor may not always have a
current copy of the authorized version
of the client's program.
0
0
179. Totals of amounts in computer-record
data fields which are not usually added for
other purposes but are used only for data
processing control purposes are called
a. Record totals
b. Hash totals
c. Processing data totals
d. Field totals
180. A hash total of employee numbers is
part of the input to a payroll master file update
program. The program compares the hash
total to the total computed for transactions
applied to the master file. The
purpose of this procedure is to:
a. Verify that employee numbers are
valid
b. Verify that only authorized employees
are paid
c. Detect errors in payroll calculations
d. Detect the omission of transaction
processing
181. Matthews Corp. has changed from a
system of recording time worked on clock
cards to a computerized payroll system in
which employees record time in and out with
magnetic cards. The CBIS automatically
updates all payroll records. Because of this
change
a. A generalized computer audit program
must be used
b. Part of the audit trail is altered
c. The potential for payroll related fraud
is diminished
d. Transactions must be processed in
batches
182. Generalized audit software is of
primary interest to the auditor in terms of its
capability to
a. Access information stored on
computer files
b. Select a sample of items for testing
c. Evaluate sample test results
d. Test the accuracy of the client's
calculations
183. Accounts payable program posted a
payable to a vendor not included in the on-
line vendor master file. A control which would
prevent this error is a
a. Validity check
b. Range check
c. Reasonableness test
 d. Parity check
184. In a computerized sales processing
system, which of the following controls is most
effective in preventing sales invoice pricing
errors?
a. Sales invoices are reviewed by the
product managers before being mailed
to customers
b. Current sales prices are stored in the
computer, and, as stock numbers are
entered from sales orders, the
computer automatically prices the
orders
c. Sales prices, as well as product
numbers, are entered as sales orders
are entered at remote terminal
locations
d. Sales prices are reviewed and
updated on a quarterly basis
185. Which of the following is likely to be of
least importance to an auditor in reviewing the
internal control in a company with a CBIS?
a. The segregation of duties within the
data processing center.
b. The control over source documents
c. The documentation maintained for
accounting applications.
d. The cost/benefit ratio of data
processing operations
186. For the accounting system of Acme
Company, the amounts of cash
disbursements entered into an CBIS terminal
are transmitted to the computer that
immediately transmits the amounts back to
the terminal for display on the terminal
screen. This display enables the operator to
a. Establish the validity of the account
number
b. Verify the amount was entered
accurately
c. Verify the authorization of the
disbursement
d. Prevent the overpayment of the
account
187. Which of the following audit
techniques most likely would provide an
auditor with the most assurance about the
effectiveness of the operation of an internal
control procedure?
a. Inquiry of client personnel
b. Recomputation of account balance
amounts
0
0
c. Observation of client personnel
d. Confirmation with outside parties
188. Adequate technical training and
proficiency as an auditor encompasses an
ability to understand a CBIS sufficiently to
identify and evaluate
a. The processing and imparting of
information
b. Essential accounting control features
c. All accounting control features
d. The degree to which programming
conforms with application of generally
accepted accounting principles.
189. Which of the following is not a major
reason why an accounting audit trail should
be maintained for a computer system?
a. Query answering
b. Deterrent to fraud
c. Monitoring purposes
d. Analytical review
190. Adequate control over access to data
processing is required to
a. Prevent improper use or manipulation
of data files and programs
b. Ensure that only console operators
have access to program
documentation
c. Minimize the need for backup data
files
d. Ensure that hardware controls are
operating effectively and as designed
by the computer manufacturer
191. When testing a computerized
accounting system, which of the following is
not true of the test data approach?
a. The test data need consist of only
those valid and invalid conditions in
which the auditor is interested
b. Only one transaction of each type
need be tested
c. Test data are processed by the client's
computer programs under the
auditor's control
d. The test data must consist of all
possible valid and invalid conditions
192. In studying a client's internal controls,
an auditor must be able to distinguish
between prevention controls and detection
controls. Of the following data processing
controls, which is the best detection control?
 a. Use of data encryption techniques
b. Review of machine utilization logs
c. Policy requiring password security
d. Backup and recovery procedure
193. Which of the following procedures is
an example of auditing "around" the
computer?
a. The auditor traces adding machine
tapes of sales order batch totals to a
computer printout of the sales journal
b. The auditor develops a set of
hypothetical sales transactions and,
using the client's computer program,
enters the transactions into the system
and observes the processing flow
c. The auditor enters hypothetical
transactions into the client's
processing system during client
processing of live" data
d. The auditor observes client personnel
as they process the biweekly payroll.
The auditor is primarily concerned with
computer rejection of data that fails to
meet reasonableness limits
194. Auditing by testing the input and
output of a computer-based system instead
of the computer program itself will
a. Not detect program errors which do
not show up in the output sampled
b. Detect all program errors, regardless
of the nature of the output
c. Provide the auditor with the same type
of evidence
d. Not provide the auditor with
confidence in the results of the
auditing procedures
195. Which of the following is an
acknowledged risk of using test data when
auditing CBIS records?
a. The test data may not include all
possible types of transactions
b. The computer may not process a
simulated transaction in the same way
it would an identical actual transaction
c. The method cannot be used with
simulated master records
d. Test data may be useful in verifying
the correctness of account balances,
but not in determining the presence
of processing controls
0
0
196. When the auditor encounters
sophisticated computer-based systems, he or
she may need to modify the audit approach.
Of the following conditions, which one is not a
valid reason for modifying the audit
approach?
a. More advanced computer systems
produce less documentation, thus
reducing the visibility of the audit trail
b. In complex comuter-based systems,
computer verification of data at the
point of input replaces the manual
verification found in less sophisticated
data processing systems
c. Integrated data processing has
replaced the more traditional
separation of duties that existed in
manual and batch processing
systems.
d. Real-time processing of transactions
has enabled the auditor to concentrate
less on the completeness assertion
197. If a control total were to be computed
on each of the following data items, which
would best be identified as a hash total for a
payroll CBIS application?
a. Net pay
b. Department numbers
c. Hours worked
d. Total debits and total credits
198. In a distributed data base (DDB)
environment, control tests for access control
administration can be designed which focus
on
a. Reconciliation of batch control totals
b. Examination of logged activity
c. Prohibition of random access
d. Analysis of system generated core
dumps
199. A control to verify that the dollar
amounts for all debits and credits for incoming
transactions are posted to a receivables
master file is the:
a. Generation number check
b. Master reference check
c. Hash total
d. Control total
200. The program flowcharting symbol
representing a decision is a
a. Triangle
b. Circle
c. Rectangle
 d. Diamond
201. An update program for bank account
balances calculates check digits for
account numbers. This is an example of
a. An input control
b. A file management control
c. Access control
d. An output control
202. CBIS controls are frequently classified
as to general controls and application
controls. Which of the following is an
example of an application control?
a. Programmers may access the
computer only for testing and
"debugging" programs
b. All program changes must be fully
documented and approved by the
information systems manager and the
user department authorizing the
change
c. A separate data control group is
responsible for distributing output, and
also compares input and output on a
test basis
d. In processing sales orders, the
computer compares customer and
product numbers with internally stored
lists
203. After a preliminary phase of the review
of a client's CBIS controls, an auditor may
decide not to perform further tests related to
the control procedures within the CBIS portion
of the client's internal control system. Which
of the following would not be a valid reason
for choosing to omit further testing?
a. The auditor wishes to further reduce
assessed risk
b. The controls duplicate operative
controls existing elsewhere in the
system
c. There appear to be major weaknesses
that would preclude reliance on the
stated procedures
d. The time and dollar costs of testing
exceed the time and dollar savings in
substantive testing if the controls are
tested for compliance
204. For good internal control over
computer program changes, a policy should
be established requiring that
0
0
a. The programmer designing the
change adequately test the revised
program
b. All program changes be supervised by
the CBIS control group
c. Superseded portions of programs be
deleted from the program run
manual to avoid confusion
d. All proposed changes be approved in
writing by a responsible individual.
205. Which of the following is not a
technique for testing data processing
controls?
a. The auditor develops a set of payroll
test data that contain numerous errors.
The auditor plans to enter these
transactions into the client's system
and observe whether the computer
detects and properly responds to the
error conditions
b. The auditor utilizes the computer to
randomly select customer accounts for
confirmation
c. The auditor creates a set of fictitious
custom accounts and introduces
hypothetical sales transactions, as
well as sales returns and allowances,
simultaneously with the client's live
data processing
d. At the auditor's request, the client has
modified its payroll processing
program so as to separately record
any weekly payroll entry consisting of
60 hours or more. These separately
recorded ("marked") entries are locked
into the system and are available only
to the auditor
206. Which of the following would lessen
internal control in a CBIS?
a. The computer librarian maintains
custody of computer program
instructions and detailed listings
b. Computer operators have access to
operator instructions and detailed
program listings
c. The control group is solely responsible
for the distribution of all computer
output
d. Computer programmers write and
debug programs which perform
routines designed by the systems
analyst
207. Access control in an on-line CBIS can
best be provided in most circumstances by
a. An adequate librarianship function
controlling access to files
b. A label affixed to the outside of a file
medium holder that identifies the
contents
c. Batch processing of all input through a
centralized, well-guarded facility
d. User and terminal identification
controls, such as passwords
208. While entering data into a cash
receipts transaction file, an employee
transposed two numbers in a customer code.
Which of the following controls could prevent
input of this type of error?
a. Sequence check
b. Record check
c. Self-checking digit
d. Field-size check
209. What is the computer process called
when data processing is performed
concurrently with a particular activity and the
results are available soon enough to influence
the particular course of action being taken or
the decision being made?
a. Batch processing
b. Real time processing
c. Integrated data processing
d. Random access processing
210. Reconciling processing control totals
is an example of
a. An input control
b. An output control
c. A processing control
d. A file management control
211. Disadvantage of auditing around the
computer is that it
a. Permits no assessment of actual
processing
b. Requires highly skilled auditors
c. Demands intensive use of machine
resources
d. Interacts actively with auditee
applications
212. The completeness of computer-
generated sales figures can be tested by
comparing the number of items listed on the
daily sales report with the number of items
billed on the actual invoices. This process
uses
0
0
a. Check digits
b. Control totals
c. Validity tests
d. Process tracing data
213. Which of the following controls would
be most efficient in reducing common
data input errors?
a. Keystroke verification
b. A set of well-designed edit checks
c. Balancing and reconciliation
d. Batch totals
214. On-line real-time systems and
electronic data interchange systems have the
advantages of providing more timely
information and reducing the quantity of
documents associated with less automated
systems. The advantages, however, may
create some problems for the auditor. Which
of the following characteristics of these
systems does not create an audit problem?
a. The lack of traditional documentation
of transactions creates a need for
greater attention to programmed
controls at the point of transaction
input
b. Hard copy may not be retained by the
client for long periods of time, thereby
necessitating more frequent visits by
the auditor
c. Control testing may be more difficult
given the increased vulnerability of the
client's files to destruction during the
testing process
d. Consistent on-line processing of
recurring data increases the incidence
of errors
215. Creating simulated transactions that
are processed through a system to generate
results that are compared with predetermined
results, is an auditing procedure referred to as
a. Desk checking
b. Use of test data
c. Completing outstanding jobs
d. Parallel simulation
216. To obtain evidential matter about
control risk, an auditor ordinarily selects tests
from a variety of techniques, including
a. Analysis
b. Confirmations
c. Reprocessing
d. Comparison
217. A major exposure associated with the
rapidly expanding use of microcomputers is
the absence of:
a. Adequate size of main memory and
disk storage
b. Compatible operating systems
c. Formalized procedures for purchase
justification
d. Physical, data file, and program
security

218. To ensure that goods received are the

same as those shown on the purchase
invoice, a computerized system should:
a. Match selected fields of the purchase
invoice to goods received
b. Maintain control totals of inventory
value
c. Calculate batch totals for each input
d. Use check digits in account numbers

219. Errors in data processed in a batch

computer system may not be detected
immediately because
a. Transaction trails in a batch system
are available only for a limited period
of time
b. There are time delays in processing
transactions in a batch system
c. Errors in some transactions cause
rejection of other transactions in the
batch
d. Random errors are more likely in a
batch system than in an on-line
system

220. Which of the following is a computer

test made to ascertain whether a given
characteristic belongs to the group?
a. Parity check
b. Validity check
c. Echo check
d. Limit check.

0
0