AUDITING IN A COMPUTERIZED ENVIRONMENT
Which statement is incorrect when auditing in a CIS environment?
A CIS environment exists when a computer of any type or size is involved in the processing by the entity of financial information of significance to the audit, whether that computer is operated by the entity or by a third party.
The auditor should consider how a CIS environment affects the audit.
The use of a computer changes the processing, storage and communication of financial information and may affect the accounting and internal control systems employed by the entity.
A CIS environment changes the overall objective and scope of an audit.
Which of the following standards or group of standards is mostly affected by a computerized information system environment?
General standards
Reporting standards
Second standard of field work
Standards of fieldwork
Which of the following is least considered if the auditor has to determine whether specialized CIS skills are needed in an audit?
The auditor needs to obtain a sufficient understanding of the accounting and internal control system affected by the CIS environment.
The auditor needs to determine the effect of the CIS environment on the assessment of overall risk and of risk at the account balance and class of transactions level.
Design and perform appropriate tests of controls and substantive procedures.
The need of the auditor to make analytical procedures during the completion stage of audit.
It relates to materiality of the financial statement assertions affected by the computer processing.
Threshold
Relevance
Complexity
Significance
Which of the following least likely indicates a complexity of computer processing?
Transactions are exchanged electronically with other organizations without manual review of their propriety.
The volume of the transactions is such that users would find it difficult to identify and correct errors in processing.
The computer automatically generates material transactions or entries directly to another applications.
The system generates a daily exception report
The nature of the risks and the internal characteristics in CIS environment that the auditors are mostly concerned include the following except:
Lack of segregation of functions.
Lack of transaction trails.
Dependence of other control over computer processing.
Cost-benefit ratio.
Which of the following is least likely a risk characteristic associated with CIS environment?
Errors embedded in an application's program logic maybe difficult to manually detect on a timely basis.
Many control procedures that would ordinarily be performed by separate individuals in manual system maybe concentrated in CIS.
The potential unauthorized access to data or to alter them without visible evidence maybe greater.
Initiation of changes in the master file is exclusively handled by respective users.
Which of the following significance and complexity of the CIS activities should an auditor least understand?
The organizational structure of the client's CIS activities.
Lack of transaction trails.
The significance and complexity of computer processing in each significant accounting application.
The use of software packages instead of customized software.
Which statement is correct regarding personal computer systems?
Personal computers or PCs are economical yet powerful self-contained general purpose computers consisting typically of a central processing unit (CPU), memory, monitor, disk drives, printer cables and modems.
Programs and data are stored only on non-removable storage media.
Personal computers cannot be used to process accounting transactions and produce reports that are essential to the preparation of financial statements.
Generally, CIS environments in which personal computers are used are the same with other CIS environments.
A personal computer can be used in various configurations, including
A stand-alone workstation operated by a single user or a number of users at different times.
A workstation which is part of a local area network of personal computers.
A workstation connected to a server.
All of the above.
Which statement is incorrect regarding personal computer configurations?
The stand-alone workstation can be operated by a single user or a number of users at different times accessing the same or different programs.
A stand-alone workstation may be referred to as a distributed system.
A local area network is an arrangement where two or more personal computers are linked together through the use of special software and communication lines.
Personal computers can be linked to servers and used as part of such systems, for example, as an intelligent on-line workstation or as part of a distributed accounting system.
Which of the following is the least likely characteristic of personal computers?
They are small enough to be transportable.
They are relatively expensive.
They can be placed in operation quickly.
The operating system software is less comprehensive than that found in larger computer environments.
Which of the following is an inherent characteristic of software package?
They are typically used without modifications of the programs.
The programs are tailored-made according to the specific needs of the user.
They are developed by software manufacturer according to a particular user's specifications.
It takes a longer time of implementation.
Which of the following is not normally a removable storage media?
Compact disk
Tapes
Diskettes
Hard disk
It is a computer program (a block of executable code) that attaches itself to a legitimate program or data file and uses itself as a transport mechanism to reproduce itself without the knowledge of the user.
Virus
System management program
Utility program
Encryption
Which statement is incorrect regarding internal control in personal computer environment?
Generally, the CIS environment in which personal computers are used is less structured than a centrally-controlled CIS environment.
Controls over the system development process and operations may not be viewed by the developer, the user or management as being as important or cost-effective.
In almost all commercially available operating systems, the built-in security provided has gradually increased over the years.
In a typical personal computer environment, the distinction between general CIS controls and CIS application controls is easily ascertained.
Personal computers are susceptible to theft, physical damage, unauthorized access or misuse of equipment. Which of the following is least likely a physical security to restrict access to personal computers when not in use?
Using door locks or other security protection during non-business hours.
Fastening the personal computer to a table using security cables.
Locking the personal computer in a protective cabinet or shell.
Using anti-virus software programs.
Which of the following is not likely a control over removable storage media to prevent misplacement, alteration without authorization or destruction?
Using cryptography, which is the process of transforming programs and information into an unintelligible form.
Placing responsibility for such media under personnel whose responsibilities include duties of software custodians or librarians.
Using a program and data file check-in and check-out system and locking the designated storage locations.
Keeping current copies of diskettes, compact disks or back-up tapes and hard disks in a fireproof container, either on-site, off-site or both.
19. Which of the following least likely protects critical and sensitive information from unauthorized access in a personal computer environment?
Using secret file names and hiding the files.
Keeping of back up copies offsite.
Employing passwords.
Segregating data into files organized under separate file directories.
It refers to plans made by the entity to obtain access to comparable hardware, software and data in the event of their failure, loss or destruction.
Back-up
Encryption
Anti-virus
Wide Area Network (WAN)
The effect of personal computers on the accounting system and the associated risks will least likely depend on
The extent to which the personal computer is being used to process accounting applications.
The type and significance of financial transactions being processed.
The nature of files and programs utilized in the applications.
The cost of personal computers.
The auditor may often assume that control risk is high in personal computer systems since, it may not be practicable or cost-effective for management to implement sufficient controls to reduce the risks of undetected errors to a minimum level. This least likely entail
More physical examination and confirmation of assets.
More analytical procedures than tests of details.
Larger sample sizes.
Greater use of computer-assisted audit techniques, where appropriate.
Computer systems that enable users to access data and programs directly through workstations are referred to as
On-line computer systems
Personal computer systems
Database management systems (DBMS)
Database systems
On-line systems allow users to initiate various functions directly. Such functions include:
Entering transactions
Requesting reports
Making inquiries
Updating master files
I, II, III and IV
I and II
I, II and III
I and IV
Many different types of workstations may be used in on-line computer systems. The functions performed by these workstations least likely depend on their
Logic
Transmission
Storage
Cost
Types of workstations include General Purpose Terminals and Special Purpose Terminals. Special Purpose Terminals include
Basic keyboard and monitor
Point of sale devices
Intelligent terminal
Personal computers
Special Purpose Terminal used to initiate, validate, record, transmit and complete various banking transactions
Automated teller machines
Intelligent terminal
Point of sale devices
Personal computers
Which statement is incorrect regarding workstations?
Workstations may be located either locally or at remote sites.
Local workstations are connected directly to the computer through cables.
Remote workstations require the use of telecommunications to link them to the computer.
Workstations cannot be used by many users, for different purposes, in different locations all at the same time.
On-line computer systems may be classified according to
How information is entered into the system.
How it is processed.
When the results are available to the user.
All of the above.
In an on-line/real time processing system
Individual transactions are entered at workstations, validated and used to update related computer files immediately.
Individual transactions are entered at a workstation, subjected to certain validation checks and added to a transaction file that contains other transactions entered during the period.
Individual transactions immediately update a memo file containing information which has been extracted from the most recent version of the master file.
The master files are updated by other systems.
It combines on-line/real time processing and on-line/batch processing.
On-Line/Memo Update (and Subsequent Processing)
On-Line Downloading/Uploading Processing
On-Line/Inquiry
On-Line/Combined Processing
It is a communication system that enables computer users to share computer equipment, application software, data and voice and video transmissions.
Network
File server
Host
Client
A type of network that multiple buildings are close enough to create a campus, but the space between the buildings is not under the control of the company is
Local Area Network (LAN)
Metropolitan Area Network (MAN)
Wide Area Network (WAN)
World Wide Web (WWW)
Which of the following is least likely a characteristic of Wide Area Network (WAN)?
Created to connect two or more geographically separated LANs.
Typically involves one or more long-distance providers, such as a telephone company to provide the connections.
WAN connections tend to be faster than LAN.
Usually more expensive than LAN.
Gateway is
A hardware and software solution that enables communications between two dissimilar networking systems or protocols.
A device that forwards frames based on destination addresses.
A device that connects and passes packets between two network segments that use the same communication protocol.
A device that regenerates and retransmits the signal on a network.
A device that works to control the flow of data between two or more network segments
Bridge
Router
Repeater
Switch
The undesirable characteristics of on-line computer systems least likely include
Data are usually subjected to immediate validation checks.
Unlimited access of users to all of the functions in a particular application.
Possible lack of visible transaction trail.
Potential programmer access to the system.
Certain general CIS controls that are particularly important to on-line processing least likely include
Access controls.
System development and maintenance controls.
Edit, reasonableness and other validation tests.
Use of anti-virus software program.
Certain CIS application controls that are particularly important to on-line processing least likely include
Pre-processing authorization.
Transaction logs.
Cut-off procedures.
Balancing.
Risk of fraud or error in on-line systems may be reduced in the following circumstances, except
If on-line data entry is performed at or near the point where transactions originate, there is less risk that the transactions will not be recorded.
If invalid transactions are corrected and re-entered immediately, there is less risk that such transactions will not be corrected and re-submitted on a timely basis.
If data entry is performed on-line by individuals who understand the nature of the transactions involved, the data entry process may be less prone to errors than when it is performed by individuals unfamiliar with the nature of the transactions.
On-line access to data and programs through telecommunications may provide greater opportunity for access to data and programs by unauthorized persons.
Risk of fraud or error in on-line computer systems may be increased for the following reasons, except
If workstations are located throughout the entity, the opportunity for unauthorized use of a workstation and the entry of unauthorized transactions may increase.
Workstations may provide the opportunity for unauthorized uses such as modification of previously entered transactions or balances.
If on-line processing is interrupted for any reason, for example, due to faulty telecommunications, there may be a greater chance that transactions or files may be lost and that the recovery may not be accurate and complete.
If transactions are processed immediately on-line, there is less risk that they will be processed in the wrong accounting period.
42. The following matters are of particular importance to the auditor in an on-line computer system, except
Authorization, completeness and accuracy of on-line transactions.
Integrity of records and processing, due to on-line access to the system by many users and programmers.
Changes in the performance of audit procedures including the use of CAAT's.
Cost-benefit ratio of installing on-line computer system.
A collection of data that is shared and used by a number of different users for different purposes.
Database
Information file
Master file
Transaction file
Which of the following is least likely a characteristic of a database system?
Individual applications share the data in the database for different purposes.
Separate data files are maintained for each application and similar data used by several applications may be repeated on several different files.
A software facility is required to keep track of the location of the data in the database.
Coordination is usually performed by a group of individuals whose responsibility is typically referred to as "database administration."
Database administration tasks typically include
Defining the database structure.
Maintaining data integrity, security and completeness.
Coordinating computer operations related to the database.
Monitoring system performance.
Providing administrative support.
All of the above
All except I
II and V only
II, III and V only
Due to data sharing, data independence and other characteristics of database systems
General CIS controls normally have a greater influence than CIS application controls on database systems.
CIS application controls normally have a greater influence than general CIS controls on database systems.
General CIS controls normally have an equal influence with CIS application controls on database systems.
CIS application controls normally have no influence on database systems.
Which statement is incorrect regarding the general CIS controls of particular importance in a database environment?
Since data are shared by many users, control may be enhanced when a standard approach is used for developing each new application program and for application program modification.
Several data owners should be assigned responsibility for defining access and security rules, such as who can use the data (access) and what functions they can perform (security).
User access to the database can be restricted through the use of passwords.
Responsibilities for performing the various activities required to design, implement and operate a database are divided among technical, design, administrative and user personnel.
These require a database administrator to assign security attributes to data that cannot be changed by database users.
Discretionary access controls
Name-dependent restrictions
Mandatory access controls
Content-dependent restrictions.
A discretionary access control wherein users are permitted or denied access to data resource depending on the time series of accesses to and actions they have undertaken on data resources.
Name-dependent restrictions
Context-dependent restriction
Content-dependent restriction
History-dependent restriction
The effect of a database system on the accounting system and the associated risks will least likely depend on:
The extent to which databases are being used by accounting applications.
The type and significance of financial transactions being processed.
The nature of the database, the DBMS, the database administration tasks and the applications.
The CIS application controls.
Audit procedures in a database environment will be affected principally by
The extent to which the data in the database are used by the accounting system.
The type and significance of financial transactions being processed.
The nature of the database, the DBMS, the database administration tasks and the applications.
The general CIS controls which are particularly important in a database environment.
Which statement is incorrect regarding the characteristics of a CIS organizational structure?
Certain data processing personnel may be the only ones with a detailed knowledge of the interrelationship between the source of data, how it is processed and the distribution and use of the output.
Many conventional controls based on adequate segregation of incompatible functions may not exist, or in the absence of access and other controls, may be less effective.
Transaction and master file data are often concentrated, usually in machine-readable form, either in one computer installation located centrally or in a number of installations distributed throughout an entity.
Systems employing CIS methods do not include manual operations since the number of persons involved in the processing of financial information is significantly reduced.
System characteristics that may result from the nature of CIS processing include, except
Absence of input documents.
Lack of visible transaction trail.
Lack of visible output.
Difficulty of access to data and computer programs.
The development of CIS will generally result in design and procedural characteristics that are different from those found in manual systems. These different design and procedural aspectsof CIS include, except:
Consistency of performance.
Programmed control procedures.
Vulnerability of data and program storage media
Multiple transaction update of multiple computer files or databases.
Which statement is incorrect regarding internal controls in a CIS environment?
Manual and computer control procedures comprise the overall controls affecting the CIS environment (general CIS controls) and the specific controls over the accounting applications (CIS application controls).
The purpose of general CIS controls is to establish a framework of overall control over the CIS activities and to provide a reasonable level of assurance that the overall objectives of internal control are achieved.
The purpose of CIS application controls is to establish specific control procedures over the application systems in order to provide reasonable assurance that all transactions are authorized and recorded, and are processed completely, accurately and on a timely basis.
The internal controls over computer processing, which help to achieve the overall objectives of internal control, include only the procedures designed into computer programs.
General CIS controls may include, except:
Organization and management controls.
Delivery and support controls.
Development and maintenance controls.
Controls over computer data files.
57. CIS application controls include, except
Controls over input.
Controls over processing and computer data files.
Controls over output.
Monitoring controls.
Which statement is incorrect regarding the review of general CIS controls and CIS application controls?
The auditor should consider how these general CIS controls affect the CIS applications significant to the audit.
General CIS controls that relate to some or all applications are typically interdependent controls in that their operation is often essential to the effectiveness of CIS application controls.
Control over input, processing, data files and output may be carried out by CIS personnel, by users of the system, by a separate control group, or may be programmed into application software.
It may be more efficient to review the design of the application controls before reviewing the general controls.
Which statement is incorrect regarding the evaluation of general CIS controls and CIS application controls?
The general CIS controls may have a pervasive effect on the processing of transactions in application systems.
If general CIS controls are not effective, there may be a risk that misstatements might occur and go undetected in the application systems.
Manual procedures exercised by users may provide effective control at the application level.
Weaknesses in general CIS controls cannot preclude testing certain CIS application controls.
The applications of auditing procedures using the computer as an audit tool refer to
Integrated test facility
Auditing through the computer
Data-based management system
Computer assisted audit techniques
Which statement is incorrect regarding CAATs?
CAATs are often an efficient means of testing a large number of transactions or controls over large populations.
To ensure appropriate control procedures, the presence of the auditor is not necessarily required at the computer facility during the running of a CAAT.
The general principles outlined in PAPS 1009 apply in small entity IT environments.
Where smaller volumes of data are processed, the use of CAATs is more cost effective.
Consists of generalized computer programs designed to perform common audit tasks or standardized data processing functions.
Package or generalized audit software
Utility programs
Customized or purpose-written programs
System management programs
Audit automation least likely include
Expert systems.
Tools to evaluate a client's risk management procedures.
Manual working papers.
Corporate and financial modeling programs for use as predictive audit tests.
An internal auditor noted the following points when conducting a preliminary survey in connection with the audit of an EDP department. Which of the following would be considered a safeguard in the control system on which the auditor might rely?
Programmers and computer operators correct daily processing problems as they arise.
The control group works with user organizations to correct rejected input.
New systems are documented as soon as possible after they begin processing live data.
The average tenure of employees working in the EDP department is ten months.
An on-line access control that checks whether the user's code number is authorized to initiate a specific type of transaction or inquiry is referred to as
Password
Compatibility test
Limit check
Reasonableness test
A control procedure that could be used in an on-line system to provide an immediate check on whether an account number has been entered on a terminal accurately is a
Compatibility test
Record count
Hash total
Self-checking digit
A control designed to catch errors at the point of data entry is
Batch total
Self-checking digit
Record count
Checkpoints
Program documentation is a control designed primarily to ensure that
Programmers have access to the tape library or information on disk files.
Programs do not make mathematical errors.
Programs are kept up to date and perform as intended.
Data have been entered and processed.
Some of the more important controls that relate to automated accounting information systems are validity checks, limit checks, field checks, and sign tests. These are classified as
Control total validation routines
Output controls
Hash totaling
Input validation routines
Most of today's computer systems have hardware controls that are built in by the computer manufacturer. Common hardware controls are
Duplicate circuitry, echo check, and internal header labels
Tape file protection, cryptographic protection, and limit checks
Duplicate circuitry, echo check, and dual reading
Duplicate circuitry, echo check, tape file protection, and internal header labels
Computer manufacturers are now installing software programs permanently inside the computer as part of its main memory to provide protection from erasure or loss if there is interrupted electrical power. This concept is known as
File integrity
Random access memory (RAM)
Software control
Firmware
Which one of the following represents a lack of internal control in a computer-based information system?
The design and implementation is performed in accordance with management's specific authorization.
Any and all changes in application programs have the authorization and approval of management.
Provisions exist to protect data files from unauthorized access, modification, or destruction.
Both computer operators and programmers have unlimited access to the programs and data files.
In an automated payroll processing environment, a department manager substituted the time card for a terminated employee with a time card for a fictitious employee. The fictitious employee had the same pay rate and hours worked as the terminated employee. The best control technique to detect this action using employee identification numbers would be a
Batch total
Hash total
Record count
Subsequent check
An employee in the receiving department keyed in a shipment from a remote terminal and inadvertently omitted the purchase order number. The best systems control to detect this error would be
Batch total
Sequence check
Completeness test
Reasonableness test
The reporting of accounting information plays a central role in the regulation of business operations. Preventive controls are an integral part of virtually all accounting processing systems, and much of the information generated by the accounting system is used for preventive control purposes. Which one of the following is not an essential element of a sound preventive control system?
Separation of responsibilities for the recording, custodial, and authorization functions.
Sound personnel policies.
Documentation of policies and procedures.
Implementation of state-of-the-art software and hardware.
The most critical aspect regarding separation of duties within information systems is between
Project leaders and programmers
Programmers and systems analysts
Programmers and computer operators
Data control and file librarians
Whether or not a real time program contains adequate controls is most effectively determined by the use of
Audit software
A tracing routine
An integrated test facility
A traditional test deck
Compatibility tests are sometimes employed to determine whether an acceptable user is allowed to proceed. In order to perform compatibility tests, the system must maintain an access control matrix. The one item that is not part of an access control matrix is a
List of all authorized user code numbers and passwords.
List of all files maintained on the system.
Record of the type of access to which each user is entitled.
Limit on the number of transaction inquiries that can be made by each user in a specified time period.
Which one of the following input validation routines is not likely to be appropriate in a real time operation?
Field check
Sequence check
Sign check
Redundant data check
Which of the following controls is a processing control designed to ensure the reliability and accuracy of data processing?
Limit test Validity check test
Yes Yes
No No
No Yes
Yes No
Which of the following characteristics distinguishes computer processing from manual processing?
Computer processing virtually eliminates the occurrence of computational error normally associated with manual processing.
Errors or irregularities in computer processing will be detected soon after their occurrences.
The potential for systematic error is ordinarily greater in manual processing than in computerized processing.
Most computer systems are designed so that transaction trails useful for audit do not exist.
Which of the following most likely represents a significant deficiency in the internal control structure?
The systems analyst review applications of data processing and maintains systems documentation.
The systems programmer designs systems for computerized applications and maintains output controls.
The control clerk establishes control over data received by the EDP department and reconciles control totals after processing
The accounts payable clerk prepares data for computer processing and enters the data into the computer.
Which of the following activities would most likely be performed in the EDP Department?
Initiation of changes to master records.
Conversion of information to machine-readable form.
Correction of transactional errors.
Initiation of changes to existing applications.
For control purposes, which of the following should be organizationally segregated from the computer operations function?
Data conversion
Systems development
Surveillance of CRT messages
Minor maintenance according to a schedule
Which of the following is not a major reason for maintaining an audit trail for a computer system?
Deterrent to irregularities
Analytical procedures
Monitoring purposes
Query answering
In an automated payroll system, all employees in the finishing department were paid the rate of P75 per hour when the authorized rate was P70 per hour. Which of the following controls would have been most effective in preventing such an error?
Access controls which would restrict the personnel department's access to the payroll master file data.
A review of all authorized pay rate changes by the personnel department.
The use of batch control totals by department.
A limit test that compares the pay rates per department with the maximum rate for all employees.
Which of the following errors would be detected by batch controls?
A fictitious employee as added to the processing of the weekly time cards by the computer operator.
An employee who worked only 5 hours in the week was paid for 50 hours.
The time card for one employee was not processed because it was lost in transit between the payroll department and the data entry function.
All of the above.
The use of a header label in conjunction with magnetic tape is most likely to prevent errors by the
Computer operator
Computer programmer
Keypunch operator
Maintenance technician
For the accounting system of ACME Company, the amounts of cash disbursements entered into an EDP terminal are transmitted to the computer that immediately transmits the amounts back to the terminal for display on the terminal screen. This display enables the operator to
Establish the validity of the account number
Verify the amount was entered accurately
Verify the authorization of the disbursements
Prevent the overpayment of the account
When EDP programs or files can be accessed from terminals, users should be required to enter a(an)
Parity check
Self-diagnostic test
Personal identification code
Echo check
The possibility of erasing a large amount of information stored on magnetic tape most likely would be reduced by the use of
File protection ring
Completeness tests
Check digits
Conversion verification
Which of the following controls most likely would assure that an entity can reconstruct its financial records?
Hardware controls are built into the computer by the computer manufacturer.
Backup diskettes or tapes of files are stored away from originals.
Personnel who are independent of data input perform parallel simulations.
System flowcharts provide accurate descriptions of input and output operations.
Mill Co. uses a batch processing method to process its sales transactions. Data on Mill's sales transaction tape are electronically sorted by customer number and are subject to programmed edit checks in preparing its invoices, sales journals, and updated customer account balances. One of the direct outputs of the creation of this tape most likely would be a
Report showing exceptions and control totals.
Printout of the updated inventory records.
Report showing overdue accounts receivable.
Printout of the sales price master file.
Using microcomputers in auditing may affect the methods used to review the work of staff assistants because
The audit field work standards for supervision may differ.
Documenting the supervisory review may require assistance of consulting services personnel.
Supervisory personnel may not have an understanding of the capabilities and limitations of microcomputers.
Working paper documentation may not contain readily observable details of calculations.
An auditor anticipates assessing control risk at a low level in a computerized environment. Under these circumstances, on which of the following procedures would the auditor initially focus?
Programmed control procedures
Output control procedures
Application control procedures
General control procedures
After the preliminary phase of the review of a client's EDP controls, an auditor may decide not to perform tests of controls (compliance tests) related to the control procedures within the EDP portion of the client's internal control structure. Which of the following would not be a valid reason for choosing to omit such tests?
The controls duplicate operative controls existing elsewhere in the structure.
There appear to be major weaknesses that would preclude reliance on the stated procedure.
The time and costs of testing exceed the time and costs in substantive testing if the tests of controls show the controls to be operative.
The controls appear adequate.
Which of the following client electronic data processing (EDP) systems generally can be audited without examining or directly testing the EDP computer programs of the system?
A system that performs relatively uncomplicated processes and produces detailed output.
A system that affects a number of essential master files and produces a limited output.
A system that updates a few essential master files and produces no printed output other than final balances.
A system that performs relatively complicated processing and produces very little detailed output.
Computer systems are typically supported by a variety of utility software packages that are important to an auditor because they
May enable unauthorized changes to data files if not properly controlled.
Are very versatile programs that can be used on hardware of many manufacturers.
May be significant components of a client's application programs.
Are written specifically to enable auditors to extract and sort data.
To obtain evidence that online access controls are properly functioning, an auditor most likely would
Create checkpoints at periodic intervals after live data processing to test for unauthorized use of the system.
Examine the transaction log to discover whether any transactions were lost or entered twice due to a system malfunction
Enter invalid identification numbers or passwords to ascertain whether the system rejects them.
Vouch a random sample of processed transactions to assure proper authorization
Which of the following statements most likely represents a disadvantage for an entity that keeps microcomputer-prepared data files rather than manually prepared files?
Attention is focused on the accuracy of the programming process rather than errors in individual transactions.
It is usually easier for unauthorized persons to access and alter the files.
Random error associated with processing similar transactions in different ways is usually greater.
It is usually more difficult to compare recorded accountability with physical count of assets.
An auditor would least likely use computer software to
Access client data files
Assess EDP controls
Prepare spreadsheets
Construct parallel simulations
A primary advantage of using generalized audit software packages to audit the financial statements of a client that uses an EDP system is that the auditor may
Consider increasing the use of substantive tests of transactions in place of analytical procedures.
Substantiate the accuracy of data through self-checking digits and hash totals.
Reduce the level of required tests of controls to a relatively small amount.
Access information stored on computer files while having a limited understanding of the client's hardware and software features.
Auditors often make use of computer programs that perform routine processing functions such as sorting and merging. These programs are made available by electronic data processing companies and others and are specifically referred to as
Compiler programs
Utility programs
Supervisory programs
User programs
Smith Corporation has numerous customers. A customer file is kept on disk storage. Each customer file contains name, address, credit limit, and account balance. The auditor wishes to test this file to determine whether the credit limits are being exceeded. The best procedure for the auditor to follow would be to
Develop test data that would cause some account balances to exceed the credit limit and determine if the system properly detects such situations.
Develop a program to compare credit limits with account balances and print out the details of any account with a balance exceeding its credit limit.
Request a printout of all account balances so they can be manually checked against the credit limits.
Request a printout of a sample of account balances so they can be individually checked against the credit limits.
The use of generalized audit software package
Relieves an auditor of the typical tasks of investigating exceptions, verifying sources of information, and evaluating reports.
Is a major aid in retrieving information from computerized files.
Overcomes the need for an auditor to learn much about computers.
Is a form of auditing around the computer.
An auditor used test data to verify the existence of controls in a certain computer program. Even though the program performed well on the test, the auditor may still have a concern that
The program tested is the same one used in the regular production runs.
Generalized audit software may have been a better tool to use.
Data entry procedures may change and render the test useless.
The test data will not be relevant in subsequent audit periods.
An auditor most likely would introduce test data into a computerized payroll system to test internal controls related to the
Existence of unclaimed payroll checks held by supervisors.
Early cashing of payroll checks by employees.
Discovery of invalid employee I.D. numbers.
Proper approval of overtime by supervisors.
When an auditor tests a computerized accounting system, which of the following is true of the test data approach?
Test data must consist of all possible valid and invalid conditions.
The program tested is different from the program used throughout the year by the client.
Several transactions of each type must be tested.
Test data are processed by the client's computer programs under the auditor's control.
Which of the following statements is not true to the test data approach when testing a computerized accounting system?
The test need consist of only those valid and invalid conditions which interest the auditor
Only one transaction of each type need be tested.
The test data must consist of all possible valid and invalid conditions.
Test data are processed by the client's computer programs under the auditor's control.
Which of the following is not among the errors that an auditor might include in the test data when auditing a client's EDP system?
Numeric characters in alphanumeric fields.
Authorized code.
Differences in description of units of measure.
Illogical entries in fields whose logic is tested by programmed consistency checks.
An auditor who is testing EDP controls in a payroll system would most likely use test data that contain conditions such as
Deductions not authorized by employees.
Overtime not approved by supervisors.
Time tickets with invalid job numbers.
Payroll checks with unauthorized signatures.
Auditing by testing the input and output of an EDP system instead of the computer program itself will
Not detect program errors which do not show up in the output sampled.
Detect all program errors, regardless of the nature of the output.
Provide the auditor with the same type of evidence.
Not provide the auditor with confidence in the results of the auditing procedures.
Which of the following computer-assisted auditing techniques allows fictitious and real transactions to be processed together without client operating personnel being aware of the testing process?
Integrated test facility
Parallel simulation
Input controls matrix
Data entry monitor
Which of the following methods of testing application controls utilizes a generalized audit software package prepared by the auditors?
Parallel simulation
Test data approach
Integrated testing facility approach
Exception report tests
Misstatements in a batch computer system caused by incorrect programs or data may not be detected immediately because
Errors in some transactions may cause rejection of other transactions in the batch.
The identification of errors in input data typically is not part of the program.
There are time delays in processing transactions in a batch system.
The processing of transactions in a batch system is not uniform.
Which of the following is not a characteristic of a batch processed computer system?
The collection of like transactions which are sorted and processed sequentially against a master file.
Keypunching of transactions, followed by machine processing.
The production of numerous printouts.
The posting of a transaction, as it occurs, to several files, without immediate printouts.
Where disk files are used, the grandfather-father-son updating backup concept is relatively
difficult to implement because the
Location of information points on disks is an extremely time consuming task.
Magnetic fields and other environmental factors cause off-site storage to be impractical.
Information must be dumped in the form of hard copy if it is to be reviewed before used in
Process of updating old records is destructive.
An auditor would most likely be concerned with which of the following controls in a distributed data processing system?
Hardware controls
Access controls
Systems documentation controls
Disaster recovery controls
If a control total were computed on each of the following data items, which would best be identified as a hash total for a payroll EDP application?
Total debits and total credits
Department numbers
Net pay
Hours worked
Which of the following is a computer test made to ascertain whether a given characteristic belongs to the group?
Parity check
Echo check
Validity check
Limit check
A control feature in an electronic data processing system requires the central processing unit (CPU) to send signals to the printer to activate the print mechanism for each character. The print mechanism, just prior to printing, sends a signal back to the CPU verifying that the proper print position has been activated. This type of hardware control is referred to as
Echo check
Signal control
Validity control
Check digit control
Which of the following is an example of a check digit?
An agreement of the total number of employees to the total number of checks printed by the computer.
An algebraically determined number produced by the other digits of the employee number
A logic test that ensures all employee numbers are nine digits.
A limit check that an employee's hours do not exceed 50 hours per work week.
In a computerized system, procedure or problem-oriented language is converted to machine language through a(an)
Interpreter
Verifier
Compiler
Converter
A customer erroneously ordered Item No. 86321 rather than item No. 83621. When this order is processed, the vendor's EDP department would identify the error with what type of control?
Key verifying
Batch total
Self-checking digit
Item inspection
The computer process whereby data processing is performed concurrently with a particular activity and the results are available soon enough to influence the course of action being taken or the decision being made is called:
Random access sampling
On-line, real-time system
Integrated data processing
Batch processing system
Internal control is ineffective when computer department personnel
Participate in computer software acquisition decisions.
Design documentation for computerized systems.
Originate changes in master file.
Provide physical security for program files.
Test data, integrated test data and parallel simulation each require an auditor to prepare data and computer programs. CPAs who lack either the technical expertise or time to prepare programs should request from the manufacturers or EDP consultants for
The program Code
Generalized audit software
Flowchart checks
Application controls
Which of the following best describes a fundamental control weakness often associated with electronic data processing system?
EDP equipment is more subject to system error than manual processing is subject to human error.
Monitoring is not an adequate substitute for the use of test data.
EDP equipment processes and records similar transactions in a similar manner.
Functions that would normally be separated in a manual system are combined in the EDP system like the function of programmers and operators.
Which of the following tasks could not be performed when using a generalized audit software package?
Selecting inventory items for observations.
Physical count of inventories.
Comparison of inventory test counts with perpetual records.
Summarizing inventory turnover statistics for obsolescence analysis.
All of the following are "auditing through the computer" techniques except
Reviewing source code
Automated tracking and mapping
Test-decking
Integrated test facility
The output of a parallel simulation should always be
Printed on a report.
Compared with actual results manually.
Compared with actual results using a comparison program.
Reconciled to actual processing output.
Generalized audit software is a computer-assisted audit technique. It is one of the widely used technique for auditing computer application systems. Generalized audit software is most often used to
Verify computer processing.
Process data fields under the control of the operation manager.
Independently analyze data files.
Both a and b.
From an audit viewpoint, which of the following represents a potential disadvantage associated with the widespread use of microcomputers?
Their portability.
Their ease of access by novice users.
Their easily developed programs using spreadsheets which do not have to be documented.
All of the above.
Which of the following functions would have the least effect on an audit if it was not properly segregated?
The systems analyst and the programmer functions.
The computer operator and programmer functions.
The computer operator and the user functions.
The applications programmer and the systems programmer.
To obtain evidence that user identification and password control procedures are functioning as designed, an auditor would most likely
Attempt to sign on to the system using invalid user identifications and passwords.
Write a computer program that simulates the logic of the client's access control software.
Extract a random sample of processed transactions and ensure that the transactions were appropriately authorized. Examine statements signed by employees stating that they have not divulged their user identifications and passwords to any other person.
In considering a client's internal control structure in a computer environment, the auditor will encounter general controls and application controls. Which of the following is an application control?
Organization charts.
Hash total.
Systems flowcharts.
Control over program changes
Auditing by testing the input and output of a computer system--i.e., auditing "around" the computer--instead of the computer software itself will
Not detect program errors that do not appear in the output sampled.
Detect all program errors, regardless of the nature of the output.
Provide the auditor with the same type of evidence.
Not provide the auditor with confidence in the results of the auditing procedures.
Smith Corporation has numerous customers. A customer file is kept on disk. Each customer file contains the name, address, credit limit, and account balance. The auditor wishes to test this file to determine whether credit limits are being exceeded. The best procedure for the auditor to follow would be to
Develop test data that would cause some account balances to exceed the credit limit and determine if the system properly detects such situations.
Develop a program to compare credit limits with account balances and print out the details of any account with a balance exceeding its credit limit.
Request a printout of all account balances so they can be manually checked against the credit limits.
Request a printout of a sample of account balances so they can be individually checked against the credit limits.
Which of the following methods of testing application controls utilizes software prepared by the auditors and applied to the client's data?
Parallel simulation.
Integrated test facility.
Test data.
Exception report tests.
The test–data method is used by auditors to test the
Accuracy of input data.
Validity of the output.
Procedures contained within the program.
Normalcy of distribution of test data.
Which of the following is true of generalized audit software?
They can be used only in auditing on-line computer systems.
They can be used on any computer without modification.
They each have their own characteristics, which the auditor must carefully consider before using in a given audit situation.
They enable the auditor to perform all manual compliance test procedures less expensively.
Assume that an auditor estimated that 10,000 checks were issued during the accounting period. If an application control that performs a limit check for each check request is to be subjected to the auditor's test–data approach, the sample should include:
Approximately 1,000 test items.
A number of test items determined by the auditor to be sufficient under the circumstances.
A number of test items determined by the auditor's reference to the appropriate sampling tables.
One transaction.
PC DOS, MS DOS, and AppleDOS are examples of
Application software.
Generalized audit software.
Database management systems.
Operating software.
Which of the following is not an example of a computer-assisted audit technique?
Integrated test data.
Audit modules.
Disk operating systems.
Audit hooks.
Which of the following statements most likely represents a disadvantage for an entity that maintains computer data files rather than manual files?
It's usually more difficult to detect transposition errors.
Transactions are usually authorized before they are executed and recorded.
It's usually easier for unauthorized persons to access and alter the files.
Random error is more common when similar transactions are processed in different ways.
Which of the following statements best describes a weakness often associated with computers?
Computer equipment is more subject to systems error than manual processing is subject to human error.
Computer equipment processes and records similar transactions in a similar manner.
Control activities for detecting invalid and unusual transactions are less effective than manual control activities.
Functions that would normally be separated in a manual system are combined in a computer system.
Accounting functions that are normally considered incompatible in a manual system are often combined by computer software. This necessitates an application control that prevents unapproved
Access to the computer library.
Revisions to existing software.
Usage of software.
Testing of modified software.
When software or files can be accessed from online servers, users should be required to enter
A parity check.
A personal identification code.
A selfdiagnosis test.
An echo check.
An auditor's consideration of a company's computer control activities has disclosed the following four circumstances. Indicate which circumstance constitutes a significant deficiency in internal control.
Computer operators do not have access to the complete software support documentation.
Computer operators are closely supervised by programmers.
Programmers are not authorized to operate computers.
Only one generation of backup files is stored in an offpremises location.
In a computer system, hardware controls are designed to
Arrange data in a logical sequence for processing.
Correct errors in software.
Monitor and detect errors in source documents.
Detect and control errors arising from use of equipment.
In the weekly computer run to prepare payroll checks, a check was printed for an employee who had been terminated the previous week. Which of the following controls, if properly utilized, would have been most effective in preventing the error or ensuring its prompt detection?
A control total for hours worked, prepared from time cards collected by the timekeeping department.
Requiring the treasurer's office to account for the number of the pre-numbered checks issued to the CBIS department for the processing of the payroll
Use of a check digit for employee numbers
Use of a header label for the payroll input sheet
An auditor is preparing test data for use in the audit of a computer based accounts receivable application. Which of the following items would be appropriate to include as an item in the test data?
A transaction record which contains an incorrect master file control total
A master file record which contains an invalid customer identification number
A master file record which contains an incorrect master file control total
A transaction record which contains an invalid customer identification number.
Unauthorized alteration of on-line records can be prevented by employing:
Key verification
Computer sequence checks
Computer matching
Data base access controls
In auditing through a computer, the test data method is used by auditors to test the
Accuracy of input data
Validity of the output
Procedures contained within the program
Normalcy of distribution of test data.
In the preliminary survey the auditor learns that a department has several microcomputers. Which of the following is usually true and should be considered in planning the audit?
Microcomputers, though small, are capable of processing financial information, and physical security is a control concern
Microcomputers are limited to applications such as worksheet generation and do not present a significant audit risk
Microcomputers are generally under the control of the data processing department and use the same control features
Microcomputers are too small to contain any built-in control features. Therefore, other controls must be relied upon.
The primary reason for internal auditing's involvement in the development of new computer-based sysstems is to:
Plan post-implementation reviews
Promote adequate controls
Train auditors in CBIS techniques
Reduce overall audit effort.
Which of the following is an advantage of generalized computer audit packages?
They are all written in one identical computer language
They can be used for audits of clients that use differing CBIS equipment and file formats
They have reduced the need for the auditor to study input controls for CBIS related procedures
Their use can be substituted for a relatively large part of the required control testing
Processing simulated file data provides the auditor with information about the reliability of controls from evidence that exists in simulated files. One of the techniques involved in this approach makes use of
Controlled reprocessing
Program code checking
Printout reviews
Integrated test facility
Which of the following statements most likely represents a disadvantage for an entity that keeps microcomputer-prepared data files rather than manually prepared files?
It is usually more difficult to detect transposition errors
Transactions are usually authorized before they are executed and recorded
It is usually easier for unauthorized persons to access and alter the files
Random error associated with processing similar transactions in different ways is usually greater
The possibility of losing a large amount of information stored in computer files most likely would be reduced by the use of
Back-up files
Check digits
Completeness tests
Conversion verification
An integrated test facility (ITF) would be appropriate when the auditor needs to
Trace a complex logic path through an application system
Verify processing accuracy concurrently with processing
Monitor transactions in an application system continuously
Verify load module integrity for production programs
Where computer processing is used in significant accounting applications, internal accounting control procedures may be defined by classifying control procedures into two types: general and
Administrative
Specific
Application
Authorization
The increased presence of the microcomputer in the workplace has resulted in an increasing number of persons having access to the computer. A control that is often used to prevent unauthorized access to sensitive programs is:
Backup copies of the diskettes
Passwords for each of the users
Disaster-recovery procedures
Record counts of the number of input transactions in a batch being processed
Checklists, systems development methodology, and staff hiring are examples of what type of controls?
Detective
Preventive
Subjective
Corrective
When an on-line, real-time (OLRT) computer-based processing system is in use, internal control can be strengthened by
Providing for the separation of duties between keypunching and error listing operations
Attaching plastic file protection rings to reels of magnetic tape before new data can be entered on the file
Making a validity check of an identification number before a user can obtain access to the computer files
Preparing batch totals to provide assurance that file updates are made for the entire input
When auditing "around" the computer, the independent auditor focuses solely upon the source documents and
Test data
CBIS processing
Control techniques
CBIS output
One of the features that distinguishes computer processing from manual processing is
Computer processing virtually eliminates the occurrence of computational error normally associated with manual processing
Errors or fraud in computer processing will be detected soon after their occurrences
The potential for systematic error is ordinarily greater in manual processing than in computerized processing
Most computer systems are designed so that transaction trails useful for audit purposes do not exist
Given the increasing use of microcomputers as a means for accessing data bases, along with on-line real-time processing, companies face a serious challenge relating to data security. Which of the following is not an appropriate means for meeting this challenge?
Institute a policy of strict identification and password controls housed in the computer software that permit only specified individuals to access the computer files and perform a given function.
Limit terminals to perform only certain transactions.
Program software to produce a log of transactions showing date, time, type of transaction, and operator.
Prohibit the networking of microcomputers and do not permit users to access centralized data bases.
What type of computer-based system is characterized by data that are assembled from more than one location and records that are updated immediately?
Microcomputer system
Minicomputer system
Batch processing system
Online real-time system
Company A has recently converted its manual payroll to a computer-based system. Under the old system, employees who had resigned or been terminated were occasionally kept on the payroll and their checks were claimed and cashed by other employees, in collusion with shop foremen. The controller is concerned that this practice not be allowed to continue under the new system. The best control for preventing this form of "payroll padding" would be to
Conduct exit interviews with all employees leaving the company, regardless of reason.
Require foremen to obtain a signed receipt from each employee claiming a payroll check.
Require the human resources department to authorize all hires and terminations, and to forward a current computerized list of active employee numbers to payroll prior to processing. Program the computer to reject inactive employee numbers.
Install time clocks for use by all hourly employees.
Compared to a manual system, a CBIS generally
Reduces segregation of duties
Increases segregation of duties
Decreases manual inspection of processing results
Increases manual inspection of processing results.
1 and 3
1 and 4
2 and 3
2 and 4
One of the major problems in a CBIS is that incompatible functions may be performed by the same individual. One compensating control for this is the use of
Echo checks
A self-checking digit system
Computer generated hash totals
A computer log
Which of the following processing controls would be most effective in assisting a store manager to ascertain whether the payroll transaction data were processed in their entirety?
Payroll file header record
Transaction identification codes
Processing control totals
Programmed exception reporting
An organizational control over CBIS operations is
Run-to-run balancing of control totals
Check digit verification of unique identifiers
Separation of operating and programming functions
Maintenance of output distribution logs
Which of the following methods of testing application controls utilizes a generalized audit software package prepared by the auditors?
Parallel simulation
Integrated testing facility approach
Test data approach
Exception report tests
An unauthorized employee took computer printouts from output bins accessible to all employees. A control which would have prevented this occurrence is
A storage/retention control
A spooler file control
An output review control
A report distribution control
Which of the following is a disadvantage of the integrated test facility approach?
In establishing fictitious entities, the auditor may be compromising audit independence.
Removing the fictitious transactions from the system is somewhat difficult and, if not done carefully, may contaminate the client's files.
ITF is simply an automated version of auditing "around" the computer.
The auditor may not always have a current copy of the authorized version of the client's program.
Totals of amounts in computer-record data fields which are not usually added for other purposes but are used only for data processing control purposes are called
Record totals
Hash totals
Processing data totals
Field totals
A hash total of employee numbers is part of the input to a payroll master file update program. The program compares the hash total to the total computed for transactions applied to the master file. The purpose of this procedure is to:
Verify that employee numbers are valid
Verify that only authorized employees are paid
Detect errors in payroll calculations
Detect the omission of transaction processing
Matthews Corp. has changed from a system of recording time worked on clock cards to a computerized payroll system in which employees record time in and out with magnetic cards. The CBIS automatically updates all payroll records. Because of this change
A generalized computer audit program must be used
Part of the audit trail is altered
The potential for payroll related fraud is diminished
Transactions must be processed in batches
Generalized audit software is of primary interest to the auditor in terms of its capability to
Access information stored on computer files
Select a sample of items for testing
Evaluate sample test results
Test the accuracy of the client's calculations
Accounts payable program posted a payable to a vendor not included in the on-line vendor master file. A control which would prevent this error is a
Validity check
Range check
Reasonableness test
Parity check
In a computerized sales processing system, which of the following controls is most effective in preventing sales invoice pricing errors?
Sales invoices are reviewed by the product managers before being mailed to customers
Current sales prices are stored in the computer, and, as stock numbers are entered from sales orders, the computer automatically prices the orders
Sales prices, as well as product numbers, are entered as sales orders are entered at remote terminal locations
Sales prices are reviewed and updated on a quarterly basis
Which of the following is likely to be of least importance to an auditor in reviewing the internal control in a company with a CBIS?
The segregation of duties within the data processing center.
The control over source documents
The documentation maintained for accounting applications.
The cost/benefit ratio of data processing operations
For the accounting system of Acme Company, the amounts of cash disbursements entered into an CBIS terminal are transmitted to the computer that immediately transmits the amounts back to the terminal for display on the terminal screen. This display enables the operator to
Establish the validity of the account number
Verify the amount was entered accurately
Verify the authorization of the disbursement
Prevent the overpayment of the account
Which of the following audit techniques most likely would provide an auditor with the most assurance about the effectiveness of the operation of an internal control procedure?
Inquiry of client personnel
Recomputation of account balance amounts
Observation of client personnel
Confirmation with outside parties
Adequate technical training and proficiency as an auditor encompasses an ability to understand a CBIS sufficiently to identify and evaluate
The processing and imparting of information
Essential accounting control features
All accounting control features
The degree to which programming conforms with application of generally accepted accounting principles.
Which of the following is not a major reason why an accounting audit trail should be maintained for a computer system?
Query answering
Deterrent to fraud
Monitoring purposes
Analytical review
Adequate control over access to data processing is required to
Prevent improper use or manipulation of data files and programs
Ensure that only console operators have access to program documentation
Minimize the need for backup data files
Ensure that hardware controls are operating effectively and as designed by the computer manufacturer
When testing a computerized accounting system, which of the following is not true of the test data approach?
The test data need consist of only those valid and invalid conditions in which the auditor is interested
Only one transaction of each type need be tested
Test data are processed by the client's computer programs under the auditor's control
The test data must consist of all possible valid and invalid conditions
In studying a client's internal controls, an auditor must be able to distinguish between prevention controls and detection controls. Of the following data processing controls, which is the best detection control?
Use of data encryption techniques
Review of machine utilization logs
Policy requiring password security
Backup and recovery procedure
Which of the following procedures is an example of auditing "around" the computer?
The auditor traces adding machine tapes of sales order batch totals to a computer printout of the sales journal
The auditor develops a set of hypothetical sales transactions and, using the client's computer program, enters the transactions into the system and observes the processing flow
The auditor enters hypothetical transactions into the client's processing system during client processing of live" data
The auditor observes client personnel as they process the biweekly payroll. The auditor is primarily concerned with computer rejection of data that fails to meet reasonableness limits
Auditing by testing the input and output of a computer-based system instead of the computer program itself will
Not detect program errors which do not show up in the output sampled
Detect all program errors, regardless of the nature of the output
Provide the auditor with the same type of evidence
Not provide the auditor with confidence in the results of the auditing procedures
Which of the following is an acknowledged risk of using test data when auditing CBIS records?
The test data may not include all possible types of transactions
The computer may not process a simulated transaction in the same way it would an identical actual transaction
The method cannot be used with simulated master records
Test data may be useful in verifying the correctness of account balances, but not in determining the presence of processing controls
When the auditor encounters sophisticated computer-based systems, he or she may need to modify the audit approach. Of the following conditions, which one is not a valid reason for modifying the audit approach?
More advanced computer systems produce less documentation, thus reducing the visibility of the audit trail
In complex comuter-based systems, computer verification of data at the point of input replaces the manual verification found in less sophisticated data processing systems
Integrated data processing has replaced the more traditional separation of duties that existed in manual and batch processing systems.
Real-time processing of transactions has enabled the auditor to concentrate less on the completeness assertion
If a control total were to be computed on each of the following data items, which would best be identified as a hash total for a payroll CBIS application?
Net pay
Department numbers
Hours worked
Total debits and total credits
In a distributed data base (DDB) environment, control tests for access control administration can be designed which focus on
Reconciliation of batch control totals
Examination of logged activity
Prohibition of random access
Analysis of system generated core dumps
A control to verify that the dollar amounts for all debits and credits for incoming transactions are posted to a receivables master file is the:
Generation number check
Master reference check
Hash total
Control total
The program flowcharting symbol representing a decision is a
Triangle
Circle
Rectangle
Diamond
An update program for bank account balances calculates check digits for account numbers. This is an example of
An input control
A file management control
Access control
An output control
CBIS controls are frequently classified as to general controls and application controls. Which of the following is an example of an application control?
Programmers may access the computer only for testing and "debugging" programs
All program changes must be fully documented and approved by the information systems manager and the user department authorizing the change
A separate data control group is responsible for distributing output, and also compares input and output on a test basis
In processing sales orders, the computer compares customer and product numbers with internally stored lists
After a preliminary phase of the review of a client's CBIS controls, an auditor may decide not to perform further tests related to the control procedures within the CBIS portion of the client's internal control system. Which of the following would not be a valid reason for choosing to omit further testing?
The auditor wishes to further reduce assessed risk
The controls duplicate operative controls existing elsewhere in the system
There appear to be major weaknesses that would preclude reliance on the stated procedures
The time and dollar costs of testing exceed the time and dollar savings in substantive testing if the controls are tested for compliance
For good internal control over computer program changes, a policy should be established requiring that
The programmer designing the change adequately test the revised program
All program changes be supervised by the CBIS control group
Superseded portions of programs be deleted from the program run manual to avoid confusion
All proposed changes be approved in writing by a responsible individual.
Which of the following is not a technique for testing data processing controls?
The auditor develops a set of payroll test data that contain numerous errors. The auditor plans to enter these transactions into the client's system and observe whether the computer detects and properly responds to the error conditions
The auditor utilizes the computer to randomly select customer accounts for confirmation
The auditor creates a set of fictitious custom accounts and introduces hypothetical sales transactions, as well as sales returns and allowances, simultaneously with the client's live data processing
At the auditor's request, the client has modified its payroll processing program so as to separately record any weekly payroll entry consisting of 60 hours or more. These separately recorded ("marked") entries are locked into the system and are available only to the auditor
Which of the following would lessen internal control in a CBIS?
The computer librarian maintains custody of computer program instructions and detailed listings
Computer operators have access to operator instructions and detailed program listings
The control group is solely responsible for the distribution of all computer output
Computer programmers write and debug programs which perform routines designed by the systems analyst
Access control in an on-line CBIS can best be provided in most circumstances by
An adequate librarianship function controlling access to files
A label affixed to the outside of a file medium holder that identifies the contents
Batch processing of all input through a centralized, well-guarded facility
User and terminal identification controls, such as passwords
While entering data into a cash receipts transaction file, an employee transposed two numbers in a customer code. Which of the following controls could prevent input of this type of error?
Sequence check
Record check
Self-checking digit
Field-size check
What is the computer process called when data processing is performed concurrently with a particular activity and the results are available soon enough to influence the particular course of action being taken or the decision being made?
Batch processing
Real time processing
Integrated data processing
Random access processing
Reconciling processing control totals is an example of
An input control
An output control
A processing control
A file management control
Disadvantage of auditing around the computer is that it
Permits no assessment of actual processing
Requires highly skilled auditors
Demands intensive use of machine resources
Interacts actively with auditee applications
The completeness of computer-generated sales figures can be tested by comparing the number of items listed on the daily sales report with the number of items billed on the actual invoices. This process uses
Check digits
Control totals
Validity tests
Process tracing data
Which of the following controls would be most efficient in reducing common data input errors?
Keystroke verification
A set of well-designed edit checks
Balancing and reconciliation
Batch totals
On-line real-time systems and electronic data interchange systems have the advantages of providing more timely information and reducing the quantity of documents associated with less automated systems. The advantages, however, may create some problems for the auditor. Which of the following characteristics of these systems does not create an audit problem?
The lack of traditional documentation of transactions creates a need for greater attention to programmed controls at the point of transaction input
Hard copy may not be retained by the client for long periods of time, thereby necessitating more frequent visits by the auditor
Control testing may be more difficult given the increased vulnerability of the client's files to destruction during the testing process
Consistent on-line processing of recurring data increases the incidence of errors
Creating simulated transactions that are processed through a system to generate results that are compared with predetermined results, is an auditing procedure referred to as
Desk checking
Use of test data
Completing outstanding jobs
Parallel simulation
To obtain evidential matter about control risk, an auditor ordinarily selects tests from a variety of techniques, including
Analysis
Confirmations
Reprocessing
Comparison
A major exposure associated with the rapidly expanding use of microcomputers is the absence of:
Adequate size of main memory and disk storage
Compatible operating systems
Formalized procedures for purchase justification
Physical, data file, and program security
To ensure that goods received are the same as those shown on the purchase invoice, a computerized system should:
Match selected fields of the purchase invoice to goods received
Maintain control totals of inventory value
Calculate batch totals for each input
Use check digits in account numbers
Errors in data processed in a batch computer system may not be detected immediately because
Transaction trails in a batch system are available only for a limited period of time
There are time delays in processing transactions in a batch system
Errors in some transactions cause rejection of other transactions in the batch
Random errors are more likely in a batch system than in an on-line system
Which of the following is a computer test made to ascertain whether a given characteristic belongs to the group?
Parity check
Validity check
Echo check
Limit check.
