ACCOUNTING INFORMATION SYSTEMS
CONTROLS AND PROCESSES
TURNER / WEICKGENANNT
CHAPTER 7: Auditing Information Technology-Based Processes
TEST BANK - CHAPTER 7 - TRUE / FALSE
1. All users of financial data - business managers, investors, creditors, and government agencies - have an enormous amount of data to use to make decisions. Due to the use of IT systems, it is easy to verify the accuracy and completeness of the information.
2. In order to properly carry out an audit, accountants collect and evaluate proof of procedures, transactions, and / or account balances, and compare the information with established criteria.
3. The only person who can perform a financial statement audit of a publicly traded company is a government auditor who has extensive knowledge of generally accepted accounting principles.
4. Any professionally trained accountant is able to perform an operational audit.
5. An important requirement for CPA firms is that they must be personally involved with the management of the firm that is being audited.
6. The most common type of audit service is the operating audit performed by internal auditors.
7. All types of auditors should have knowledge about technology-based systems so that they can properly audit IT systems.
8. A financial statement audit is part of the IT audit.
9. Auditors do not need to be experts on the intricacies of computer systems but they do need to understand the impact of IT on their clients’ accounting systems and internal controls.
10. A financial statement audit is conducted in order for an opinion to be expressed on the fair presentation of financial statements in accordance with GAAP. This goal is affected by the presence or absence of IT accounting systems.
11. The remoteness of information, one of the causes of information risk, can relate to geographic distance or organizational layers.
12. The most common method for decision makers to reduce information risk is to rely on information that has been audited by an independent party.
13. Auditors have the primary responsibility to make sure that they comply with international standards in all cases.
14. There is not much room for professional judgment when performing audits, as a result of the detailed guidance provided by organizations, such as the PCAOB.
15. The responsibility for the preparation of the financial statements lies with the auditors.
16. The role of the auditor is to analyze the financial statements to decide whether they are fairly presented in accordance with GAAP.
17. Management assertions relate to the actual existence and proper valuation of transactions and account balances.
18. The same audit tests would test for completeness of a liability or an asset.
19. Auditing testing for any single general auditing objective would involve the same testing techniques even though there are different types of information collected to support different accounts and transactions.
20. Auditors must think about how the features of their client’s IT systems influence its management assertions and the general audit objectives even though these matters have little or no impact on the choice of audit methodologies used.
21. Risk can be inherent in the client’s business, due to things such as the nature of operations, or may be caused by weak internal controls.
22. Auditors do not need to concern themselves with risks unless there is an indication that there is an internal control weakness.
23. The auditor’s understanding of internal controls provides the basis for designing appropriate audit tests to be used in the remaining phases of the audit.
24. The process of evaluating internal controls and designing meaningful audit tests is more complex for manual systems than for automated systems.
25. Computer-assisted audit techniques are useful audit tools because they make it possible for auditors to use computers to audit large amounts of evidence in less time.
26. Substantive tests are also referred to as compliance tests.
27. General controls relate to specific software and application controls relate to all aspects of the IT environment.
28. General controls must be tested before application controls.
29. Systems operators and users should not have access to the IT documentation containing details about the internal logic of computer systems.
30. Control tests verify whether financial information is accurate, where substantive tests determine whether the financial information is managed under a system that promotes accuracy.
31. Regardless of the results of the control testing, some level of substantive testing must take place.
32. The use of generalized audit software is especially useful when there are large volumes of data and when there is a need for accurate information.
33. All of the risks and audit procedures that apply to a PC environment may also exist in networks, but the risk of loss is much lower.
34. Network operations typically involve a large number of computers, many users, and a high volume of data transfers, so any lack of network controls could cause widespread damage. Because of this, it is necessary for auditors to apply strict tests to a representative sample of the network.
35. When audit clients use a database system, the relating data is organized in a consistent manner which tends to make it easier for auditors to select items for testing.
36. When a client company is using IT outsourcing, and that service center has its own independent auditors who report on internal control, the third-party report (from the independent auditors) cannot be used as audit evidence without the auditor performing an adequate amount of compliance testing.
37. When a client changes the type of hardware or software used or in other ways modifies its IT environment, the auditors need to test only the new system in order to determine the effectiveness of the controls.
38. When a client plans to implement new computerized systems, auditors will find it advantageous to review the new system before it is placed in use.
39. A sample is random when each item in the population has an equal chance of being chosen.
40. Of all the principles and related rules within the AICPA Code of Professional Conduct, the one that generally receives the most attention is integrity.
41. The Sarbanes-Oxley Act has placed greater restrictions on CPAs by prohibiting certain types of services historically performed by CPAs for their audit clients.
42. The Sarbanes-Oxley Act decreased management’s responsibilities regarding the fair presentation of the financial statements.
43. The responsibility of the auditor to search for fraud is less than the responsibility to search for errors.
44. Even with a good system of internal controls, employee fraud, the theft of assets, may occur due to collusion of two or more employees to carry out the fraud.
45. Management fraud is the intentional misstatement of financial information and may be difficult for auditors to find because the perpetrator will attempt to hide the fraud.
46. The AICPA Code of Professional Conduct is made up of two sections. One section, the rules, is the foundation for the honorable behavior expected of CPAs while performing professional duties.
ANSWERS TO TEST BANK – CHAPTER 7 – TRUE / FALSE:
1. F   2. T   3. F   4. T   5. F   6. F   7. T   8. F   9. T   10. F
11. T   12. T   13. F   14. F   15. F   16. T   17. T   18. F   19. F   20. F
21. T   22. F   23. T   24. F   25. T   26. F   27. F   28. T   29. T   30. F
31. T   32. T   33. F   34. F   35. T   36. F   37. F   38. T   39. T   40. F
41. T   42. F   43. F   44. T   45. T   46. F
TEST BANK - CHAPTER 7 - MULTIPLE CHOICE
47. Accounting services that improve the quality of information provided to the decision maker, an audit being the most common type of this service, is called:
   A. Compliance Services
   B. Assurance Services
   C. Substantive Services
   D. Operational Services
48. A type of assurance services that involves accumulating and analyzing support for the information provided by management is called an:
   A. Audit
   B. Investigation
   C. Financial Statement Examination
   D. Control Test
49. The main purpose of an audit is to assure users of the financial information about the:
   A. Effectiveness of the internal controls of the company.
   B. Selection of the proper GAAP when preparing financial statements.
   C. Proper application of GAAS during the examination.
   D. Accuracy and completeness of the information.
50. Which of the following is not one of the three primary types of audits?
   A. Compliance Audits
   B. Financial Statement Audits
   C. IT Audits
   D. Operational Audits
51. This type of audit is completed in order to determine whether a client has adhered to the regulations and policies established by contractual agreements, governmental agencies, or some other high authority.
   A. Compliance Audit
   B. Operational Audit
   C. Information Audit
   D. Financial Statement Audit
52. This type of audit is completed to assess the operating policies and procedures of a client for efficiency and effectiveness.
   A. Efficiency Audit
   B. Effectiveness Audit
   C. Compliance Audit
   D. Operational Audit
53. This type of audit is completed to determine whether or not the client has prepared and presented its financial statements fairly, in accordance with generally accepted accounting principles.
   A. GAAP Audit
   B. Financial Statement Audit
   C. Compliance Audit
   D. Fair Application Audit
54. This type of auditor is an employee of the company he / she audits.
   A. IT Auditor
   B. Government Auditor
   C. Certified Public Accountant
   D. Internal Auditor
55. This type of auditor specializes in the information systems assurance, control, and security.
   A. IT Auditor
   B. Government Auditor
   C. Certified Public Accountant
   D. Internal Auditor
56. This type of auditor conducts audits of government agencies or income tax returns.
   A. IT Auditor
   B. Government Auditor
   C. Certified Public Accountant
   D. Internal Auditor
57. This type of audit is performed by independent auditors who are objective and neutral with respect to the company and the information being audited.
   A. Compliance Audit
   B. Operational Audit
   C. Internal Audit
   D. External Audit
58. The independence of a CPA could be impaired by:
   A. Having no knowledge of the company or the company management
   B. By owning stock of a similar company
   C. Having the ability to influence the client’s decisions
   D. Being married to a stockbroker
59. The IT environment plays a key role in how auditors conduct their work in all but which of the following areas:
   A. Consideration of Risk
   B. Consideration of Information Fairness
   C. Design and Performance of Audit Tests
   D. Audit Procedures Used
60. The chance that information used by decision makers may be inaccurate is referred to as:
   A. Sample Risk
   B. Data Risk
   C. Audit Trail Risk
   D. Information Risk
61. Which of the following is not one of the identified causes of information risk?
   A. Audited information
   B. Remote information
   C. Complexity of data
   D. Preparer motive
62. The main reasons that it is necessary to study information-based processing and the related audit function include:
   A. Information users often do not have the time or ability to verify information themselves.
   B. It may be difficult for decision makers to verify information contained in a computerized accounting system.
   C. Both of the above.
   D. Neither of the above.
63. The existence of IT-based business processes often results in details of transactions being entered directly into the computer system, which results in a lack of physical evidence to visibly view. This situation is referred to as:
   A. Physical Evidence Risk
   B. Loss of Audit Trail Visibility
   C. Transaction Summary Chart
   D. Lack of Evidence View
64. The existence of IT-based business processes, that result in the details of the transactions being entered directly into the computer system, increases the likelihood of the loss or alteration of data due to all of the following, except:
   A. System Failure
   B. Database Destruction
   C. Programmer Incompetence
   D. Environmental Damage
65. The advantages of using IT-based accounting systems, where the details of transactions are entered directly into the computer include:
   A. Computer controls can compensate for the lack of manual controls
   B. Loss of audit trail view
   C. Increased internal controls risks
   D. Fewer opportunities to authorize and review transactions
66. The ten standards that provide broad guidelines for an auditor’s professional responsibilities are referred to as:
   A. Generally accepted accounting standards
   B. General accounting and auditing practices
   C. Generally accepted auditing practices
   D. Generally accepted auditing standards
67. The generally accepted auditing standards are divided into three groups. Which of the following is not one of those groups?
   A. General Standards
   B. Basic Standards
   C. Standards of Fieldwork
   D. Standards of Reporting
68. GAAS, generally accepted auditing standards, provide a general framework for conducting quality audits, but the specific standards - or detailed guidance - are provided by all of the following groups, except:
   A. Public Company Accounting Oversight Board
   B. Auditing Standards Board
   C. Certified Fraud Examiners
   D. International Audit Practices Committee
69. This organization, established by the Sarbanes-Oxley Act, was organized in 2003 for the purpose of establishing auditing standards for public companies.
   A. Auditing Standards Board
   B. Public Company Accounting Oversight Board
   C. International Audit Practices Committee
   D. Information Systems Audit and Control Association
70. This organization is part of the AICPA and was the group responsible for issuing Statements on Auditing Standards which were historically widely used in practice.
   A. Auditing Standards Board
   B. Public Company Accounting Oversight Board
   C. International Audit Practices Committee
   D. Information Systems Audit and Control Association
71. This organization was established by the IFA to set International Standards on Auditing that contribute to the uniform application of auditing practices on a worldwide basis.
   A. International Systems Audit and Control Association
   B. Auditing Standards Board
   C. Public Company Accounting Oversight Board
   D. International Audit Practices Committee
72. This organization issues guidelines for conducting the IT audit. The standards issued address practices related to control and security of the IT system.
   A. Auditing Standards Board
   B. Public Company Accounting Oversight Board
   C. International Audit Practices Committee
   D. Information Systems Audit and Control Association
73. The audit is to be performed by a person or persons having adequate technical training and proficiency as an auditor. This is one of the generally accepted auditing standards that is part of the:
   A. General Standards
   B. Operating Standards
   C. Fieldwork Standards
   D. Reporting Standards
74. Independence in mental attitude is to be maintained in all matters related to the audit engagement. This is one of the generally accepted auditing standards that is part of the:
   A. General Standards
   B. Operating Standards
   C. Fieldwork Standards
   D. Reporting Standards
75. The general guidelines, known as the generally accepted auditing standards, which include the concepts of adequate planning and supervision, internal control, and evidence relate to the:
   A. General Standards
   B. Operating Standards
   C. Fieldwork Standards
   D. Reporting Standards
76. The general guidelines, known as the generally accepted auditing standards, which include the concepts of presentation in accordance with GAAP, the consistent application of GAAP, adequate disclosure, and the expression of an opinion, relate to the:
   A. General Standards
   B. Operating Standards
   C. Fieldwork Standards
   D. Reporting Standards
77. Although there are a number of organizations that provide detailed guidance, it is still necessary for auditors to rely on other direction regarding the types of audit tests to use and the manner in which the conclusions are drawn. These sources of information include:
   A. Industry Guidelines
   B. PCAOB
   C. ASB
   D. ASACA
78. Claims regarding the financial condition of the business organization and results of its operations are referred to as:
   A. Financial Statements
   B. Management Assertions
   C. External Audit
   D. Presentation and Disclosure
79. Audit tests developed for an audit client are documented in a(n):
   A. Audit Program
   B. Audit Objective
   C. Management Assertion
   D. General Objectives
80. The management assertion related to valuation of transactions and account balances would include all of the following, except:
   A. Accurate in terms of dollar amounts and quantities
   B. Classified properly
   C. Real
   D. Correctly summarized
81. There are four primary phases of the IT audit. Which of the following is not one of those phases?
   A. Planning
   B. Evidence Audit
   C. Tests of Controls
   D. Substantive Tests
82. The proof of the fairness of the financial information is:
   A. Tests of Controls
   B. Substantive Tests
   C. Audit Completion
   D. Evidence
83. Techniques used for gathering evidence include all of the following, except:
   A. Physical examination of assets or supporting documentation
   B. Observing activities
   C. Adequate planning and supervision
   D. Analyzing financial relationships
84. During this phase of the audit, the auditor must gain a thorough understanding of the client’s business and financial reporting systems. When completing this phase, the auditors review and assess the risks and controls related to the business.
   A. Tests of Controls
   B. Substantive Tests
   C. Audit Completion / Reporting
   D. Audit Planning
85. During the planning phase of the audit, auditors estimate the monetary amounts that are large enough to make a difference in decision making. This amount is referred to as:
   A. Risk
   B. Materiality
   C. Substantive
   D. Sampling
86. The likelihood that errors or fraud may occur is referred to as:
   A. Risk
   B. Materiality
   C. Control Tests
   D. Sampling
87. A large part of the work performed by an auditor in the audit planning process is the gathering of evidence about the company’s internal controls. This can be completed in any of the following ways, except:
   A. Interviewing key members of the accounting and IT staff.
   B. Observing policies and procedures
   C. Review IT user manuals and systems
   D. Preparing memos to summarize their findings
88. The Accounting Standards Board issued the following SAS in recognition of the fact that accounting records and files often exist in electronic form. The statement was issued in 2001 to expand the historical concept of audit evidence to include electronic evidence.
   A. SAS 82
   B. SAS 86
   C. SAS 94
   D. SAS 101
89. The Accounting Standards Board issued an SAS, called “The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit”, to describe the importance of understanding both the automated and manual procedures that make up an organization’s internal controls and considers how misstatements may occur, including all of the following, except:
   A. How transactions are entered into the computer
   B. How financial statements are printed from the computer
   C. How nonstandard journal entries and adjusting entries are initiated, recorded, and processed.
   D. How standard journal entries are initiated, recorded, and processed.
90. As the result of the guidance provided in SAS 94, the auditors may decide that IT auditors may need to be called in to:
   A. Consider the effects of computer processing on the audit.
   B. To assist in testing the automated processes.
   C. Both of the above.
   D. None of the above.
91. Many companies design their IT system so that all documents and reports can be retrieved from the system in readable form. Auditors can then compare the documents used to input the data into the system with reports generated from the system, without gaining any extensive knowledge of the computer system and does not require the evaluation of computer controls. This process is referred to as:
   A. Auditing through the system
   B. Auditing around the system
   C. Computer assisted audit techniques
   D. Auditing with the computer
92. This approach, referred to as the whitebox approach, requires auditors to evaluate IT controls and processing so that they can determine whether the information generated from the system is reliable.
   A. Auditing through the system
   B. Auditing around the system
   C. Computer assisted audit techniques
   D. Auditing with the computer
93. The IT auditing approach referred to as “Auditing through the system” is necessary under which of the following conditions?
   A. Supporting documents are available in both electronic and paper form.
   B. The auditor does not require evaluation of computer controls.
   C. The auditor wants to test computer controls as a basis for evaluating risk and reducing the amount of audit testing required.
   D. The use of the IT system has a low impact on the conduct of the audit.
94. Audit procedures designed to evaluate both general controls and application controls are referred to as:
   A. Substantive Tests
   B. Audit Planning
   C. IT Auditing
   D. Test of Controls
95. The automated controls that affect all computer applications are referred to as:
   A. General Controls
   B. Specific Controls
   C. Input Controls
   D. Application Controls
96. The two broad categories of general controls that relate to IT systems include which of the following:
   A. IT systems documentation
   B. IT administration and the related operating systems development and maintenance processes
   C. Authenticity table
   D. Computer security and virus protection
97. Related audit tests to review the existence and communication of company policies regarding important aspects of IT administrative control include all of the following, except:
   A. Personal accountability and segregation of incompatible responsibilities
   B. Job description and clear lines of authority
   C. Prevention of unauthorized access
   D. IT systems documentation
98. Controls meant to prevent the destruction of information as the result of unauthorized access to the IT system are referred to as:
   A. IT administration
   B. System controls
   C. Information administration
   D. Security controls
99. Auditors should perform this type of test to determine the valid use of the client’s computer system, according to the authority tables.
   A. Authenticity tests
   B. Penetration tests
   C. Vulnerability assessments
   D. IT systems documentation
100. These tests of the security controls involve various methods of entering the client’s system to determine whether controls are working as intended.
   A. Authenticity tests
   B. Penetration tests
   C. Vulnerability assessments
   D. IT systems documentation
101. These tests of security controls analyze a company’s control environment for possible weaknesses. Special software programs are available to help auditors identify weak points in their client’s security measures.
   A. Authenticity tests
   B. Penetration tests
   C. Vulnerability assessments
   D. IT systems documentation
102. One of the most effective ways a client can protect its computer system is to place physical controls in the computer center. Physical controls include all of the following, except:
   A. Proper temperature control
   B. Locks
   C. Security guards
   D. Cameras
103. One of the most effective ways a client can protect its computer system is to place environmental controls in the computer center. Environmental controls include:
   A. Card keys
   B. Emergency power supply
   C. Alarms
   D. Security guards
104. This type of application control is performed to verify the accuracy and completeness of information entered into software programs. Auditors are concerned about whether errors are being prevented and detected during this stage of data processing.
   A. Security controls
   B. Processing controls
   C. Input controls
   D. Output controls
105. IT audit procedures typically include a combination of data accuracy tests where the data processed by computer applications are reviewed for correct dollar amounts or other numerical values. These procedures are referred to as:
   A. Security controls
   B. Processing controls
   C. Input controls
   D. Output controls
106. This type of processing control test involves a comparison of different items that are expected to have the same values, such as comparing two batches or comparing actual data against a predetermined control total.
   A. Validation Checks
   B. Batch Totals
   C. Run-to-Run Totals
   D. Balancing Tests
107. This is one of the computer-assisted audit techniques, related to processing controls, that involves processing client data through a controlled program designed to resemble the client’s application. This test is run to find out whether the same results are achieved under different systems.
   A. Integrated Test Facility
   B. Embedded Audit Module
   C. Parallel Simulation
   D. Test Data Method
108. Regardless of whether the results are printed or retained electronically, auditors may perform all of the following procedures to test application outputs, except:
   A. Integrated Tests
   B. Reasonableness Tests
   C. Audit Trail Tests
   D. Rounding Errors Tests
109. The auditor’s test of the accuracy of monetary amounts of transactions and account balances is known as:
   A. Testing of controls
   B. Substantive tests
   C. Compliance tests
   D. Application tests
110. Real-time financial reporting has created the need for this type of auditing, where auditors constantly analyze audit evidence and provide assurance on the related financial information as soon as it occurs or shortly thereafter.
   A. Real-time auditing
   B. Virtual auditing
   C. E-auditing
   D. Continuous auditing
111. This phase of auditing occurs when the auditors evaluate all the evidence that has been accumulated and make a conclusion based on that evidence.
   A. Tests of Controls
   B. Audit Planning
   C. Audit Completion / Reporting
   D. Substantive Testing
112. This piece of audit evidence is often considered to be the most important because it is a signed acknowledgment of management’s responsibility for the fair presentation of the financial statements and a declaration that they have provided complete and accurate information to the auditors during all phases of the audit.
   A. Letter of Representation
   B. Audit Report
   C. Encounter Statement
   D. Auditors Contract
113. Which of the following is a proper description of an auditor report?
   A. Unqualified opinion - identifies certain exceptions to the clean opinion.
   B. Adverse opinion - notes that there are material misstatements presented.
   C. Qualified opinion - states that the auditors believe the financial statements are fairly and consistently presented in accordance with GAAP.
   D. Unqualified opinion - states that the auditors were not able to reach a conclusion.
114. When PCs are used for accounting instead of mainframes or client-server systems, they face a greater risk of loss due to which of the following:
   A. Authorized access
   B. Segregation of duties
   C. Lack of backup control
   D. All of the above
115. When client companies rely on external, independent computer service centers to handle all or part of their IT needs it is referred to as:
   A. External Processing
   B. WAN Processing
   C. Database Management System
   D. IT Outsourcing
116. Because it is not possible to test all transactions and balances, auditors rely on this to choose and test a limited number of items and transactions and then make conclusions about the balance as a whole.
   A. Sampling
   B. Materiality
   C. Compliance
   D. Substance
117. The AICPA Code of Professional Conduct, commonly called the Code of Ethics, is made up of two sections. Which of the following correctly states the two sections?
   A. Integrity and responsibility
   B. Principles and rules
   C. Objectivity and independence
   D. Scope and nature
118. The rule in the AICPA Code of Professional Conduct that is referred to as Responsibilities, can be stated as:
   A. CPAs should act in a way that will serve the public interest, honor the public trust, and demonstrate commitment to professionalism.
   B. To maintain and broaden public confidence, CPAs should perform their professional duties with the highest sense of integrity.
   C. In carrying out their professional duties, CPAs should exercise sensitive professional and moral judgments in all their activities.
   D. CPAs in public practice should observe the principles of the Code of Professional Conduct in determining the scope and nature of services to be provided.
119. This concept means that the auditors should not automatically assume that their clients are honest, but that they (the auditors) must have a questioning mind and a persistent approach to evaluating evidence for possible misstatements.
   A. Independence
   B. Integrity
   C. Due Care
   D. Professional Skepticism
ANSWERS TO TEST BANK – CHAPTER 7 – MULTIPLE CHOICE:
47. B   48. A   49. D   50. C   51. A   52. D   53. B   54. D   55. A   56. B   57. D   58. C   59. B   60. D   61. A
62. C   63. B   64. C   65. A   66. D   67. B   68. C   69. B   70. A   71. D   72. D   73. A   74. A   75. C   76. D
77. A   78. B   79. A   80. C   81. B   82. D   83. C   84. D   85. B   86. A   87. D   88. C   89. B   90. C   91. B
92. A   93. C   94. D   95. A   96. B   97. C   98. D   99. A   100. B   101. C   102. A   103. B   104. C   105. B   106. D
107. C   108. A   109. B   110. D   111. C   112. A   113. B   114. C   115. D   116. A   117. B   118. C   119. D
TEST BANK - CHAPTER 7 – END OF CHAPTER QUESTIONS:

120. Which of the following types of audits is most likely to be conducted for the purpose of identifying areas for cost savings?
A. Financial Statement Audits
B. Operational Audits
C. Regulatory Audits
D. Compliance Audits

121. Financial statement audits are required to be performed by:
A. Governmental Auditors
B. CPAs
C. Internal Auditors
D. IT Auditors

122. Which of the following is not considered a cause for information risk?
A. Management’s geographic location is far from the source of the information needed to make effective decisions.
B. The information is collected and prepared by persons who use the information for very different purposes.
C. The information relates to business activities that are not well understood by those who collect and summarize the information for decision makers.
D. The information has been tested by internal auditors and a CPA firm.
123. Which of the following is not a part of generally accepted auditing standards?
A. General Standards
B. Standards of Fieldwork
C. Standards of Information Systems
D. Standards of Reporting

124. Which of the following best describes what is meant by the term “generally accepted auditing standards”?
A. Procedures used to gather evidence to support the accuracy of a client’s financial statements.
B. Measures of the quality of an auditor’s conduct.
C. Professional pronouncements issued by the Auditing Standards Board.
D. Rules acknowledged by the accounting profession because of their widespread application.

125. In an audit of financial statements in accordance with generally accepted auditing standards, an auditor is required to:
A. Document the auditor’s understanding of the client company’s internal controls.
B. Search for weaknesses in the operation of the client company’s internal controls.
C. Perform tests of controls to evaluate the effectiveness of the client company’s internal controls.
D. Determine whether controls are appropriately designed to prevent or detect material misstatements.

126. Auditors should design a written audit program so that:
A. All material transactions will be included in substantive testing.
B. Substantive testing performed prior to year end will be minimized.
C. The procedures will achieve specific audit objectives related to specific management assertions.
D. Each account balance will be tested under either a substantive test or a test of controls.

127. Which of the following audit objectives relates to the management assertion of existence?
A. A transaction is recorded in the proper period.
B. A transaction actually occurred (i.e., it is real).
C. A transaction is properly presented in the financial statements.
D. A transaction is supported by detailed evidence.

128. Which of the following statements regarding an audit program is true?
A. A standard audit program should be developed for use on any client engagement.
B. The audit program should be completed by the client company before the audit planning stage begins.
C. An audit program should be developed by the internal auditor before audit testing begins.
D. An audit program establishes responsibility for each audit test by requiring the signature or initials of the auditor who performed the test.
129. Risk assessment is a process designed to:
A. Identify possible events that may affect the business.
B. Establish policies and procedures to carry out internal controls.
C. Identify and capture information in a timely manner.
D. Review the quality of internal controls throughout the year.

130. Which of the following audit procedures is most likely to be performed during the planning phase of the audit?
A. Obtain an understanding of the client’s risk assessment process.
B. Identify specific internal control activities that are designed to prevent fraud.
C. Evaluate the reasonableness of the client’s accounting estimates.
D. Test the timely cutoff of cash payments and collections.

131. Which of the following is the most significant disadvantage of auditing around the computer rather than through the computer?
A. The time involved in testing processing controls is significant.
B. The cost involved in testing processing controls is significant.
C. A portion of the audit trail is not tested.
D. The technical expertise required to test processing controls is extensive.

132. The primary objective of compliance testing in a financial statement audit is to determine whether:
A. Procedures have been updated regularly.
B. Financial statement amounts are accurately stated.
C. Internal controls are functioning as designed.
D. Collusion is taking place.

133. Which of the following computer assisted auditing techniques processes actual client input data (or a copy of the real data) on a controlled program under the auditor’s control to periodically test controls in the client’s computer system?
A. Test data method
B. Embedded audit module
C. Integrated test facility
D. Parallel simulation

134. Which of the following computer assisted auditing techniques allows fictitious and real transactions to be processed together without client personnel being aware of the testing process?
A. Test data method
B. Embedded audit module
C. Integrated test facility
D. Parallel simulation
135. Which of the following is a general control to test for external access to a client’s computerized systems?
A. Penetration tests
B. Hash totals
C. Field checks
D. Program tracing

136. Suppose that during the planning phase of an audit, the auditor determines that weaknesses exist in the client’s computerized systems. These weaknesses make the client company susceptible to the risk of an unauthorized break-in. Which type of audit procedures should be emphasized in the remaining phases of this audit?
A. Tests of controls
B. Penetration tests
C. Substantive tests
D. Rounding errors tests

137. Generalized audit software can be used to:
A. Examine the consistency of data maintained on computer files.
B. Perform audit tests of multiple computer files concurrently.
C. Verify the processing logic of operating system software.
D. Process test data against master files that contain both real and fictitious data.

138. Independent auditors are generally actively involved in each of the following tasks except:
A. Preparation of a client’s financial statements and accompanying notes.
B. Advising client management as to the applicability of a new accounting standard.
C. Proposing adjustments to a client’s financial statements.
D. Advising client management about the presentation of the financial statements.

139. Which of the following is most likely to be an attribute unique to the audit work of CPAs, compared with work performed by attorneys or practitioners of other business professions?
A. Due professional care
B. Competence
C. Independence
D. A complex underlying body of professional knowledge

140. Which of the following terms is not associated with the auditor’s requirement to maintain independence?
A. Objectivity
B. Neutrality
C. Professional Skepticism
D. Competence
ANSWERS TO TEST BANK - CHAPTER 7 – END OF CHAPTER QUESTIONS
120. B   121. B   122. D   123. C   124. B   125. A
126. C   127. B   128. D   129. A   130. A   131. C
132. C   133. D   134. C   135. A   136. C   137. A
138. A   139. C   140. D
TEST BANK - CHAPTER 7 – SHORT ANSWER QUESTIONS

141. What are assurance services? What value do assurance services provide?
Answer: Assurance services are accounting services that improve the quality of information. Many services performed by accountants are valued because they lend credibility to financial information.

142. Differentiate between a compliance audit and an operational audit.
Answer: A compliance audit is a form of assurance service that involves accumulating and analyzing information to determine whether a company has complied with regulations and policies established by contractual agreements, governmental agencies, company management, or other high authority. Operational audits assess operating policies and procedures for efficiency and effectiveness.

143. Which type of audit is most likely to be performed by government auditors? Which type of audit is most likely to be performed by internal auditors?
Answer: Governmental auditors are most likely to perform compliance audits, and internal auditors are most likely to perform operational audits.

144. Identify the three areas of an auditor’s work that are significantly impacted by the presence of IT accounting systems.
Answer: The IT environment plays a key role in how auditors conduct their work in the following areas:
• consideration of risk
• determination of audit procedures to be used to obtain knowledge of the accounting and internal control systems
• design and performance of audit tests.
145. Describe the three causes of information risk.
Answer: Information risk is caused by:
• Remote information; for instance, when the source of information is removed from the decision maker, it stands a greater chance of being misstated.
• Large volumes of information or complex information.
• Variations in viewpoints or incentives of the preparer.
146. Explain how an audit trail might get “lost” within a computerized system.
Answer: Loss of an audit trail occurs when there is a lack of physical evidence to view in support of a transaction. This may occur when the details of accounting transactions are entered directly into the computer system, with no supporting paper documents. If there is a system failure, database destruction, unauthorized access, or environmental damage, the information processed under such a system may be lost or altered.

147. Explain how the presence of IT processes can improve the quality of information that management uses for decision making.
Answer: IT processes tend to provide information in a timely and efficient manner. This enhances management’s ability to make effective decisions, which is the essence of quality of information.

148. Distinguish among the focuses of the GAAS standards of fieldwork and standards of reporting.
Answer: The standards of fieldwork provide general guidelines for performing the audit. They address the importance of planning and supervision, understanding internal controls, and evidence accumulation. The standards of reporting address the auditor’s requirements for communicating the audit results in writing, including the reference to GAAP, consistency, adequate disclosures, and the expression of an overall opinion on the fairness of the financial statements.

149. Which professional standard-setting organization provides guidance on the conduct of an IT audit?
Answer: The Information Systems Audit and Control Association (ISACA) is responsible for issuing Information Systems Auditing Standards (ISASs), which provide guidelines for conducting an IT audit.

150. If management is responsible for its own financial statements, why are auditors important?
Answer: Auditors are important because they are responsible for analyzing financial statements to decide whether they are fairly stated and presented in accordance with GAAP. Since the financial statements are prepared by managers of the company, the role of auditors is to reduce information risk associated with those financial statements. To accomplish this, auditors design tests to analyze information supporting the financial statements in order to determine whether management’s assertions are valid.

151. List the techniques used for gathering evidence.
Answer: The techniques used for gathering evidence include the following:
• physically examining or inspecting assets or supporting documentation
• obtaining written confirmation from an independent source
• rechecking or recalculating information
• observing activities
• making inquiries of company personnel
• analyzing financial relationships and making comparisons to determine reasonableness
152. During which phase of an audit would an auditor consider risk assessment and materiality?
Answer: Risk assessment and materiality are considered during the planning phase of an audit.
153. What is the significance of Statement on Auditing Standards No. 94?
Answer: SAS 94, “The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit”, is significant because it describes the importance of understanding both the automated and manual procedures that make up a company’s internal controls. It also provides guidance to assist an auditor in determining whether an IT audit specialist may be needed for the audit.

154. Distinguish between auditing through the computer and auditing with the computer. When are auditors required to audit through the computer as opposed to auditing around the computer?
Answer: Auditing through the computer involves directly testing internal controls within the IT system, which requires the auditors to understand the computer system logic. Auditing through the computer is necessary when the auditor wants to test computer controls as a basis for evaluating risk and reducing the amount of audit testing required, and when supporting documents are available only in electronic form. Auditing with the computer involves auditors using their own systems, software, and computer-assisted audit techniques to help conduct an audit.

155. Explain why it is customary to complete the testing of general controls before testing application controls.
Answer: Since general controls are the automated controls that affect all computer applications, the reliability of general controls must be established before application controls are tested. The effectiveness of general controls is considered the foundation for the IT control environment. If there are problems with the effectiveness of general controls, auditors will not devote attention to the testing of application controls; rather, they will reevaluate the audit approach with reduced reliance on controls.

156. Identify four important aspects of administrative control in an IT environment.
Answer: Four important aspects of administrative control include:
• personal accountability and segregation of incompatible responsibilities
• job descriptions and clear lines of authority
• computer security and virus protection
• IT systems documentation
157. Think about a place you have worked where computers were present. What are some physical and environmental controls that you have observed in the workplace? Provide at least two examples of each from your personal experience.
Answer: Students’ responses are likely to vary greatly. Examples of physical controls may include card keys and configuration tables, as well as other physical security features such as locked doors, etc. Environmental controls may include temperature and humidity controls, fire, flood, earthquake controls, or measures to ensure a consistent power supply.

158. Batch totals and hash totals are common input controls. Considering the fact that hash totals can be used with batch processing, differentiate between these two types of controls.
Answer: Both batch totals and hash totals are mathematical sums of data that can be used to determine whether there may be missing data. However, batch totals are meaningful because they provide summations of dollar amounts or item counts for a journal entry used in the financial accounting system, whereas hash totals are not relevant to the financial accounting system (i.e., the hash totals are used only for their control purpose and have no other numerical significance).
159. The test data method and an integrated test facility are similar in that they are both tests of applications controls and they both rely on the use of test data. Explain the difference between these two audit techniques.
Answer: The test data method tests the processing accuracy of software applications by using the company’s own computer system to process fictitious information developed by the auditors. The results of the test must be compared with predicted results. An integrated test facility also tests processing applications, but can accomplish this without disrupting the company’s operations. An integrated test facility inputs fictitious data along with the company’s actual data, and tests it using the client’s own computer system. The testing occurs simultaneously with the company’s actual transaction processing.

160. Explain the necessity for performing substantive testing even for audit clients with strong internal controls and sophisticated IT systems.
Answer: Since substantive testing determines whether financial information is accurate, it is necessary for all financial statement audits. Control testing establishes whether the system promotes accuracy, while substantive testing verifies the monetary amounts of transactions and account balances. Even if controls are found to be effective, there still needs to be some testing to make sure that the amounts of transactions and account balances have actually been recorded fairly.

161. What kinds of audit tools are used to perform routine tests on electronic data files taken from databases? List the types of tests that can be performed with these tools.
Answer: CPA firms use generalized audit software (GAS) or data analysis software (DAS) to perform audit tests on electronic data files taken from commonly used database systems. These tools help auditors perform routine testing in an efficient manner. The types of tests that can be performed using GAS or DAS include:
• mathematical and statistical calculations
• data queries
• identification of missing items in a sequence
• stratification and comparison of data items
• selection of items of interest from the data files
• summarization of testing results into a useful format for decision making
162. Which of the four types of audit reports is the most favorable for an audit client? Which is the least favorable?
Answer: An unqualified audit report is the most favorable because it expresses reasonable assurance that the underlying financial statements are fairly stated in all material respects. On the other hand, an adverse opinion is the least favorable report because it indicates the presence of material misstatements in the underlying financial statements.

163. Why is it so important to obtain a letter of representations from an audit client?
Answer: The letter of representations is so important because it is management’s acknowledgement of its primary responsibility for the fair presentation of the financial statements. In this letter, management must declare that it has provided complete and accurate information to its auditors during all phases of the audit. This serves as a significant piece of audit evidence.
164. How can auditors evaluate internal controls when their clients use IT outsourcing?
Answer: When a company uses IT outsourcing, auditors must still evaluate internal controls. This may be accomplished by relying upon a third-party report from the independent auditor of the outsourcing center, by auditing around the computer, or by testing controls at the outsourcing center.

165. An auditor’s characteristic of professional skepticism is most closely associated with which ethical principle of the AICPA Code of Professional Conduct?
Answer: Professional skepticism is most closely associated with the principle of Objectivity and Independence. Professional skepticism means that auditors should have a questioning mind and a persistent approach for evaluating financial information for the possibility of misstatements. This is closely related to the notion of objectivity and independence in its requirements for being free of conflicts of interest.

TEST BANK - CHAPTER 7 – SHORT ESSAY

166. Why is it necessary for a CPA to be prohibited from having financial or personal connections with a client? Provide an example of how a financial connection to a company would impair an auditor’s objectivity. Provide an example of how a personal relationship might impair an auditor’s objectivity.
Answer: An auditor should not have any financial or personal connections with a client company because they could impair his/her objectivity. It would be difficult for an auditor to be free of bias if he/she were to have a financial or personal relationship with the company or one of its associates. For example, if an auditor owned stock in a client company, the auditor would stand to benefit financially if the company’s financial statements included an unqualified audit report, as this favorable opinion could lead to favorable results for the company such as paying a dividend, obtaining financing, etc. Additionally, if an auditor had a family member or other close personal relationship with someone who works for the company, the auditor’s independence may be impaired due to the knowledge that the family member or other person may be financially dependent upon the company or may have played a significant role in the preparation of the financial statements.

167. From an internal control perspective, discuss the advantages and disadvantages of using IT-based accounting systems.
Answer: The advantages of using IT-based accounting systems are the improvements in internal control due to the reduction of human error and increase in speed. The disadvantages include the loss of audit trail visibility, increased likelihood of lost or altered data, lack of segregation of duties, and fewer opportunities for authorization and review of transactions.

168. Explain why standards of fieldwork for GAAS are not particularly helpful to an auditor who is trying to determine the types of testing to be used on an audit engagement.
Answer: GAAS provides a general framework that is not specific enough to provide specific guidance in the actual performance of an audit. For detailed guidance, auditors rely upon standards issued by the PCAOB, the ASB, the IAPC, and ISACA.
169. Tyrone and Tyson are assigned to perform the audit of Tylen Company. During the audit, it was discovered that the amount of sales reported on Tylen’s income statement was understated because one week’s sales transactions were not recorded due to a computer glitch. Tyrone claims that this problem represents a violation of the management assertion regarding existence, because the reported account balance was not real. Tyson argues that the completeness assertion was violated, because relevant data was omitted from the records. Which auditor is correct? Explain your answer.
Answer: The completeness assertion is concerned with possible omissions from the accounting records and the related understatements of financial information; in other words, it asserts that all valid transactions have been recorded. Accordingly, Tyson’s argument is correct. Tyrone’s argument is not correct because the existence assertion is concerned with the possibility of fictitious transactions and the related overstatements of financial information.

170. One of the most important tasks of the planning phase is for the auditor to gain an understanding of internal controls. How does this differ from the tasks performed during the tests of controls phase?
Answer: During the planning phase of an audit, auditors must gain an understanding of internal controls in order to determine whether the controls can be relied upon as a basis for reducing the extent of substantive testing to be performed. Understanding of internal controls is the basis for the fundamental decision regarding the strategy of the audit. It also impacts the auditor’s risk assessment and establishment of materiality. During the tests of controls phase, the auditor goes beyond the understanding of the internal controls and actually evaluates the effectiveness of those controls.

171. How is it possible that a review of computer logs can be used to test for both internal access controls and external access controls? Other than reviewing the computer logs, identify and describe two types of audit procedures performed to test internal access controls, and two types of audit procedures performed to test external access controls.
Answer: Internal access controls can be evaluated by reviewing computer logs for the existence of login failures or unusual activity, and to gauge access times for reasonableness in light of the types of tasks performed. Internal access controls can also be tested by reviewing the company’s policies regarding segregation of IT duties and other IT controls, and by testing those controls to determine whether access is being limited in accordance with the company’s policies. In addition, auditors may perform authenticity testing to evaluate the authority tables and determine whether only authorized employees are provided access to IT systems. Computer logs can also be reviewed to evaluate external access controls, as the logs may identify unauthorized users and failed access attempts. External access controls may also be tested through authenticity tests, penetration tests, and vulnerability assessments. Authenticity tests, as described above, determine whether access has been limited to those included in the company’s authority tables. Penetration tests involve the auditor trying to gain unauthorized access to the client’s system, by attempting to penetrate its firewall. Vulnerability assessments are tests aimed at identifying weak points in the company’s IT systems where unauthorized access may occur, such as through a firewall or due to problems in the encryption techniques.
172. Explain why continuous auditing is growing in popularity. Identify and describe a computer-assisted audit technique useful for continuous auditing.
Answer: Continuous auditing has increased in popularity due to the increase in e-commerce. Real-time financial reporting has created the need for continuous auditing, whereby auditors continuously analyze evidence and provide assurance on the related financial information as soon as it occurs or shortly thereafter. The embedded audit module is a computer-assisted audit technique that accomplishes continuous auditing. The embedded audit module approach involves placing special audit testing programs within a company’s operating system. These test modules search the data and analyze transactions or account balances that meet specified conditions of interest to the auditor.

173. Each of the principles of the AICPA Code of Professional Conduct relates to the trustworthiness of the CPA. Distinguish between the third principle (integrity) and the fourth principle (objectivity and independence).
Answer: Integrity relates closely to honesty and performing duties with a high sense of due care. Objectivity and independence are more concerned with the attitude of skepticism in approaching duties. This involves being unbiased and free of any conflicts of interest.

TEST BANK - CHAPTER 7 – PROBLEMS

174. Match the standard-setting bodies with their purpose.
Answer: I. c. II. a. III. d. IV. b.

175. Identify whether the following audit tests are used to evaluate internal access controls (I), external access controls (E), or both (B): authenticity, penetration, vulnerability assessments, review of access logs, and review of policies concerning the issuance of passwords and security tokens.
Answer:
• Authenticity tests (B)
• Penetration tests (E)
• Vulnerability assessments (E)
• Review of access logs (B)
• Review of policies concerning the issuance of passwords and security tokens (I)
176. Refer to the notes payable audit program excerpt presented in Exhibit 7-3. If an auditor had a copy of his client’s data file for its notes receivable, how could a general audit software or data analysis software package be used to assist with these audit tests?
Answer: GAS and DAS could assist auditors in testing notes payable by performing mathematical calculations of interest amounts, stratification of amounts into current and long-term categories according to maturity dates, and performing ratio calculations as may be needed to assess compliance with restrictions.
177. In order to preserve auditor independence, the Sarbanes-Oxley Act of 2002 restricts the types of nonaudit services that auditors can perform for their public-company audit clients. The list includes nine types of services that are prohibited because they are deemed to impair an auditor’s independence. Included in the list are the following:
• financial information systems design and implementation
• internal audit outsourcing
Describe how an auditor’s independence could be impaired if she performed IT design and implementation functions for her audit client. Likewise, how could an auditor’s involvement with internal audit outsourcing impair her independence with respect to auditing the same company?
Answer: Both of these scenarios would place the auditor in a position of auditing his/her own work. Auditors could not maintain independence if they are involved in both the IT design and implementation as well as the financial statement audit. To the extent that the IT system impacts financial reporting, an auditor could not possibly be unbiased with respect to a system that he/she had designed and implemented. Likewise, auditors are not likely to be unbiased with respect to performing a financial statement audit for the same company as he/she performed internal audit work. Any evaluations performed during the internal audit engagement are likely to have a bearing on the auditor’s professional attitude while performing the financial statement audit.
178. Visit the AICPA website at www.aicpa.org and click on Becoming a CPA/Academic Resources. Use the Careers in Accounting tab to locate information on audit careers. Answer: The AICPA website presents information on various career paths, including public accounting (audit, taxation, financial planning, etc.), business and industry, governmental accounting, not-for-profit accounting, education, and entrepreneurship. Some specialty areas include forensic accounting, environmental accounting, and showbiz accounting.
179. Visit the ISACA website at www.isaca.org and click the Students and Educators tab and then the IT Audit Basics tab to find articles covering topics concerning the audit process. Locate an article on each of the following topics and answer the related question: a) Identify and briefly describe the four categories of CAATs, b) List the factors that contribute to the formation of due care in an auditor. Answer:
a. Identify and briefly describe the four categories of CAATs. The four categories include [1]:
• Data analysis software, including GAS and DAS
• Network security evaluation software/utilities
• OS and DBMS security evaluation software/utilities
• Software and code testing tools
b. The factors that contribute to the formation of due care in an auditor include [2]:
• peer review
• auditor conduct
• communication
• technical competence
• judgment
• business knowledge
• training
• certification
• standards
• independence
• continuous reassessment
• high ethical standards
180. Refer to the example presented in this chapter describing frauds perpetrated by top managers in large companies like Enron, Xerox, and WorldCom. Perform an Internet search to determine the nature of Xerox’s management fraud scheme and to find out what happened to the company after the problems were discovered. Answer: Xerox’s fraud involved earnings management or manipulation of the financial statements in order to boost earnings. This occurred at Xerox to the tune of hundreds of millions of dollars and involved various accounting tricks to hide the company’s true financial performance so that it would meet or beat Wall Street expectations. The most significant trick was the premature recording of revenues. Upon discovery of the fraud, the SEC filed a $10 million civil suit against Xerox, the largest fine in SEC history. In addition, Xerox had to restate its earnings from 1997 through 2001.
[1] “Using CAATs to Support IS Audit” by S. Anantha Sayana for Information Systems Control Journal, Vol. 1, 2003.
[2] “Due Professional Care” by Frederick Gallegos for Information Systems Control Journal, Vol. 2, 2002.