Auditing Cis

AUDITING IN A COMPUTERIZED ENVIRONMENT
1.
Which statement is incorrect when auditing in a CIS

environment?
a. A CIS environment exists when a computer of any
type or size is involved in the processing by the entity
of financial information of significance to the audit,
whether that computer is operated by the entity or by
a third party.
b.
The auditor should consider how a CIS environment
affects the audit.
c. The use of a computer changes the processing,
storage and communication of financial information
and may affect the accounting and internal control
systems employed by the entity.
d. A CIS environment changes the overall objective and
scope of an audit.
2.
Which of the following standards or group of standards is

mostly affected by a computerized information system
environment?
a.
General standards
b. Reporting standards
c. Second standard of field work
d. Standards of fieldwork
3.
Which of the following is least considered if the auditor has to

determine whether specialized CIS skills are needed in an
audit?
a. The auditor needs to obtain a sufficient
understanding of the accounting and internal control
system affected by the CIS environment.
b.
The auditor needs to determine the effect of the CIS
environment on the assessment of overall risk and of
risk at the account balance and class of transactions
level.
c. Design and perform appropriate tests of controls and
substantive procedures.
d. The need of the auditor to make analytical
procedures during the completion stage of audit.
4.
5.
6.
7.
It relates to materiality of the financial statement assertions

affected by the computer processing.
a. Threshold
b. Relevance
c. Complexity
d. Significance
Which of the following least likely indicates a complexity of
computer processing?
a. Transactions are exchanged electronically with other
organizations without manual review of their
propriety.
b. The volume of the transactions is such that users
would find it difficult to identify and correct errors in
processing.
c. The computer automatically generates material
transactions or entries directly to another
applications.
d.
The system generates a daily exception report
The nature of the risks and the internal characteristics in CIS
environment that the auditors are mostly concerned include the
following except:
a. Lack of segregation of functions.
b. Lack of transaction trails.
c. Dependence of other control over computer
processing.
d. Cost-benefit ratio.
Which of the following is least likely a risk characteristic
associated with CIS environment?
a. Errors embedded in an applications program logic
maybe difficult to manually detect on a timely basis.
b. Many control procedures that would ordinarily be
performed by separate individuals in manual system
maybe concentrated in CIS.
c.
d.
The potential unauthorized access to data or to alter

them without visible evidence maybe greater.
Initiation of changes in the master file is exclusively
handled by respective users.
8.
Which of the following significance and complexity of the CIS

activities should an auditor least understand?
a. The organizational structure of the clients CIS
activities.
b. Lack of transaction trails.
c. The significance and complexity of computer
processing in each significant accounting application.
d. The use of software packages instead of customized
software.
9.
Which statement is correct regarding personal computer

systems?
a. Personal computers or PCs are economical yet
powerful self-contained general purpose computers
consisting typically of a central processing unit
(CPU), memory, monitor, disk drives, printer cables
and modems.
b.
Programs and data are stored only on nonremovable storage media.
c. Personal computers cannot be used to process
accounting transactions and produce reports that are
essential to the preparation of financial statements.
d.
Generally, CIS environments in which personal
computers are used are the same with other CIS
environments.
10. A personal computer can be used in various configurations,

including
a. A stand-alone workstation operated by a single user
or a number of users at different times.
b. A workstation which is part of a local area network of
personal computers.
c. A workstation connected to a server.
d. All of the above.
11. Which statement is incorrect regarding personal computer
configurations?
a. The stand-alone workstation can be operated by a
single user or a number of users at different times
accessing the same or different programs.
b. A stand-alone workstation may be referred to as a
distributed system.
c.
A local area network is an arrangement where two or
more personal computers are linked together through
the use of special software and communication lines.
d.
Personal computers can be linked to servers and
used as part of such systems, for example, as an
intelligent on-line workstation or as part of a
distributed accounting system.
12. Which of the following is the least likely characteristic of
personal computers?
a. They are small enough to be transportable.
b. They are relatively expensive.
c. They can be placed in operation quickly.
d. The
operating
system
software
is
less
comprehensive than that found in larger computer
environments.
13. Which of the following is an inherent characteristic of software
package?
a. They are typically used without modifications of the
programs.
b. The programs are tailored-made according to the
specific needs of the user.
c. They are developed by software manufacturer
according to a particular users specifications.
d.
It takes a longer time of implementation.
14. Which of the following is not normally a removable storage
media?
a.
b.
c.
d.
Compact disk
Tapes
Diskettes
Hard disk
a.
b.
c.
15. It is a computer program (a block of executable code) that

attaches itself to a legitimate program or data file and uses
itself as a transport mechanism to reproduce itself without the
knowledge of the user.
a. Virus
b. System management program
c. Utility program
d. Encryption
16. Which statement is incorrect regarding internal control in
personal computer environment?
a. Generally, the CIS environment in which personal
computers are used is less structured than a
centrally-controlled CIS environment.
b.
Controls over the system development process and
operations may not be viewed by the developer, the
user or management as being as important or costeffective.
c.
In almost all commercially available operating
systems, the built-in security provided has gradually
increased over the years.
d. In a typical personal computer environment, the
distinction between general CIS controls and CIS
application controls is easily ascertained.
17. Personal computers are susceptible to theft, physical damage,
unauthorized access or misuse of equipment. Which of the
following is least likely a physical security to restrict access to
personal computers when not in use?
a. Using door locks or other security protection during
non-business hours.
b. Fastening the personal computer to a table using
security cables.
c. Locking the personal computer in a protective
cabinet or shell.
d. Using anti-virus software programs.
18. Which of the following is not likely a control over removable
storage media to prevent misplacement, alteration without
authorization or destruction?
a. Using cryptography, which is the process of
transforming programs and information into an
unintelligible form.
b. Placing responsibility for such media under
personnel whose responsibilities include duties of
software custodians or librarians.
c. Using a program and data file check-in and checkout system and locking the designated storage
locations.
d.
Keeping current copies of diskettes, compact disks
or back-up tapes and hard disks in a fireproof
container, either on-site, off-site or both.
19. 19. Which of the following least likely protects critical and
sensitive information from unauthorized access in a personal
computer environment?
a. Using secret file names and hiding the files.
b. Keeping of back up copies offsite.
c. Employing passwords.
d. Segregating data into files organized under separate
file directories.
20. It refers to plans made by the entity to obtain access to
comparable hardware, software and data in the event of their
failure, loss or destruction.
a. Back-up
b. Encryption
c.
Anti-virus
d. Wide Area Network (WAN)
21. The effect of personal computers on the accounting system
and the associated risks will least likely depend on
d.
The extent to which the personal computer is being

used to process accounting applications.
The type and significance of financial transactions
being processed.
The nature of files and programs utilized in the
applications.
The cost of personal computers.
22. The auditor may often assume that control risk is high in
personal computer systems since, it may not be practicable or
cost-effective for management to implement sufficient controls
to reduce the risks of undetected errors to a minimum level.
This least likely entail
a. More physical examination and confirmation of
assets.
b. More analytical procedures than tests of details.
c. Larger sample sizes.
d. Greater use of computer-assisted audit techniques,
where appropriate.
23. Computer systems that enable users to access data and
programs directly through workstations are referred to as
a. On-line computer systems
b. Personal computer systems
c. Database management systems (DBMS)
d. Database systems
24. On-line systems allow users to initiate various functions
directly. Such functions include:
I.
Entering transactions
II.
Requesting reports
III.
Making inquiries
IV.
Updating master files
a. I, II, III and IV
b. I and II
c. I, II and III
d. I and IV
25. Many different types of workstations may be used in on-line
computer systems. The functions performed by these
workstations least likely depend on their
a. Logic
b. Transmission
c.
Storage
d. Cost
26. Types of workstations include General Purpose Terminals and
Special Purpose Terminals. Special Purpose Terminals include
a. Basic keyboard and monitor
b. Point of sale devices
c. Intelligent terminal
d.
Personal computers
27. Special Purpose Terminal used to initiate, validate, record,
transmit and complete various banking transactions
a. Automated teller machines
b.
Intelligent terminal
c. Point of sale devices
d. Personal computers
28. Which statement is incorrect regarding workstations?
a. Workstations may be located either locally or at
remote sites.
b. Local workstations are connected directly to the
computer through cables.
c. Remote
workstations
require
the
use
of
telecommunications to link them to the computer.
d. Workstations cannot be used by many users, for
different purposes, in different locations all at the
same time.
29. On-line computer systems may be classified according to
a. How information is entered into the system.
b. How it is processed.
c. When the results are available to the user.
30. In an on-line/real time processing system
a.
b.
c.
d.
Individual transactions are entered at workstations,

validated and used to update related computer files
immediately.
Individual transactions are entered at a workstation,
subjected to certain validation checks and added to a
transaction file that contains other transactions
entered during the period.
Individual transactions immediately update a memo
file containing information which has been extracted
from the most recent version of the master file.
The master files are updated by other systems.
31. It combines on-line/real time processing and on-line/batch

processing.
a. On-Line/Memo Update (and Subsequent Processing)
b. On-Line Downloading/Uploading Processing
c. On-Line/Inquiry
d. On-Line/Combined Processing
32. It is a communication system that enables computer users to
share computer equipment, application software, data and
voice and video transmissions.
a. Network
b. File server
c. Host
d. Client
33. A type of network that multiple buildings are close enough to
create a campus, but the space between the buildings is not
under the control of the company is
a. Local Area Network (LAN)
b.
Metropolitan Area Network (MAN)
c. Wide Area Network (WAN)
d. World Wide Web (WWW)
34. Which of the following is least likely a characteristic of Wide
Area Network (WAN)?
a. Created to connect two or more geographically
separated LANs.
b. Typically involves one or more long-distance
providers, such as a telephone company to provide
the connections.
c.
WAN connections tend to be faster than LAN.
d. Usually more expensive than LAN.
35. Gateway is
a. A hardware and software solution that enables
communications between two dissimilar networking
systems or protocols.
b.
A device that forwards frames based on destination
addresses.
c.
A device that connects and passes packets between
two network segments that use the same
communication protocol.
d.
A device that regenerates and retransmits the signal
on a network.
36. A device that works to control the flow of data between two or
more network segments
a. Bridge
b. Router
c. Repeater
d. Switch
37. The undesirable characteristics of on-line computer systems
least likely include
a. Data are usually subjected to immediate validation
checks.
b. Unlimited access of users to all of the functions in a
particular application.
c. Possible lack of visible transaction trail.
d. Potential programmer access to the system.
38. Certain general CIS controls that are particularly important to

on-line processing least likely include
a.
b.
c.
d.
Access controls.
System development and maintenance controls.
Edit, reasonableness and other validation tests.
Use of anti-virus software program.
39. Certain CIS application controls that are particularly important

to on-line processing least likely include
a. Pre-processing authorization.
b. Transaction logs.
c. Cut-off procedures.
d. Balancing.
40. Risk of fraud or error in on-line systems may be reduced in the
following circumstances, except
a. If on-line data entry is performed at or near the point
where transactions originate, there is less risk that
the transactions will not be recorded.
b.
If invalid transactions are corrected and re-entered
immediately, there is less risk that such transactions
will not be corrected and re-submitted on a timely
basis.
c. If data entry is performed on-line by individuals who
understand the nature of the transactions involved,
the data entry process may be less prone to errors
than when it is performed by individuals unfamiliar
with the nature of the transactions.
d. On-line access to data and programs through
telecommunications may provide greater opportunity
for access to data and programs by unauthorized
persons.
41. Risk of fraud or error in on-line computer systems may be
increased for the following reasons, except
a. If workstations are located throughout the entity, the
opportunity for unauthorized use of a workstation and
the entry of unauthorized transactions may increase.
b. Workstations may provide the opportunity for
unauthorized uses such as modification of previously
entered transactions or balances.
c.
If on-line processing is interrupted for any reason,
for example, due to faulty telecommunications, there
may be a greater chance that transactions or files
may be lost and that the recovery may not be
accurate and complete.
d. If transactions are processed immediately on-line,
there is less risk that they will be processed in the
wrong accounting period.
42. 42. The following matters are of particular importance to the
auditor in an on-line computer system, except
a. Authorization, completeness and accuracy of on-line
transactions.
b. Integrity of records and processing, due to on-line
access to the system by many users and
programmers.
c.
Changes in the performance of audit procedures
including the use of CAAT's.
d.
Cost-benefit ratio of installing on-line computer
system.
43. A collection of data that is shared and used by a number of
different users for different purposes.
a. Database
b. Information file
c. Master file
d. Transaction file
44. Which of the following is least likely a characteristic of a

database system?
a.
b.
c.
d.
Individual applications share the data in the database

for different purposes.
Separate data files are maintained for each
application and similar data used by several
applications may be repeated on several different
files.
A software facility is required to keep track of the
location of the data in the database.
Coordination is usually performed by a group of
individuals whose responsibility is typically referred to
as "database administration."
45. Database administration tasks typically include

I.
Defining the database structure.
II.
Maintaining
data
integrity,
security
and
completeness.
III.
Coordinating computer operations related to the
database.
IV.
Monitoring system performance.
V.
Providing administrative support.
a. All of the above
b. All except I
c. II and V only
d. II, III and V only
46. Due to data sharing, data independence and other
characteristics of database systems
a. General CIS controls normally have a greater
influence than CIS application controls on database
systems.
b. CIS application controls normally have a greater
influence than general CIS controls on database
systems.
c. General CIS controls normally have an equal
influence with CIS application controls on database
systems.
d. CIS application controls normally have no influence
on database systems.
a.
b.
c.
d.
The extent to which databases are being used by

accounting applications.
The type and significance of financial transactions
being processed.
The nature of the database, the DBMS, the database
administration tasks and the applications.
The CIS application controls.
51. Audit procedures in a database environment will be affected

principally by
a. The extent to which the data in the database are
used by the accounting system.
b. The type and significance of financial transactions
being processed.
c. The nature of the database, the DBMS, the database
administration tasks and the applications.
d.
The general CIS controls which are particularly
important in a database environment.
52. Which statement is incorrect regarding the characteristics of a
CIS organizational structure?
a. Certain data processing personnel may be the only
ones with a detailed knowledge of the
interrelationship between the source of data, how it is
processed and the distribution and use of the output.
b. Many conventional controls based on adequate
segregation of incompatible functions may not exist,
or in the absence of access and other controls, may
be less effective.
c. Transaction and master file data are often
concentrated, usually in machine-readable form,
either in one computer installation located centrally
or in a number of installations distributed throughout
an entity.
d. Systems employing CIS methods do not include
manual operations since the number of persons
involved in the processing of financial information is
significantly reduced.
47. Which statement is incorrect regarding the general CIS controls

of particular importance in a database environment?
a. Since data are shared by many users, control may
be enhanced when a standard approach is used for
developing each new application program and for
application program modification.
b. Several data owners should be assigned
responsibility for defining access and security rules,
such as who can use the data (access) and what
functions they can perform (security).
c.
User access to the database can be restricted
through the use of passwords.
d. Responsibilities for performing the various activities
required to design, implement and operate a
database are divided among technical, design,
administrative and user personnel.
53. System characteristics that may result from the nature of CIS
processing include, except
a. Absence of input documents.
b. Lack of visible transaction trail.
c. Lack of visible output.
d. Difficulty of access to data and computer programs.
48. These require a database administrator to assign security

attributes to data that cannot be changed by database users.
a. Discretionary access controls
b.
Name-dependent restrictions
c. Mandatory access controls
d. Content-dependent restrictions.
55. Which statement is incorrect regarding internal controls in a

CIS environment?
a. Manual and computer control procedures comprise
the overall controls affecting the CIS environment
(general CIS controls) and the specific controls over
the accounting applications (CIS application
controls).
b. The purpose of general CIS controls is to establish a
framework of overall control over the CIS activities
and to provide a reasonable level of assurance that
the overall objectives of internal control are achieved.
c. The purpose of CIS application controls is to
establish specific control procedures over the
application systems in order to provide reasonable
assurance that all transactions are authorized and
recorded, and are processed completely, accurately
and on a timely basis.
49. A discretionary access control wherein users are permitted or

denied access to data resource depending on the time series
of accesses to and actions they have undertaken on data
resources.
a. Name-dependent restrictions
b. Context-dependent restriction
c. Content-dependent restriction
d. History-dependent restriction
50. The effect of a database system on the accounting system and

the associated risks will least likely depend on:
54. The development of CIS will generally result in design and

procedural characteristics that are different from those found in
manual systems. These different design and procedural
aspectsof CIS include, except:
a. Consistency of performance.
b. Programmed control procedures.
c. Vulnerability of data and program storage media
d. Multiple transaction update of multiple computer files
or databases.
d.
The internal controls over computer processing,

which help to achieve the overall objectives of
internal control, include only the

designed into computer programs.
procedures
56. General CIS controls may include, except:

a. Organization and management controls.
b. Delivery and support controls.
c. Development and maintenance controls.
d. Controls over computer data files.
57. 57. CIS application controls include, except
a. Controls over input.
b. Controls over processing and computer data files.
c. Controls over output.
d. Monitoring controls.
58. Which statement is incorrect regarding the review of general
CIS controls and CIS application controls?
a. The auditor should consider how these general CIS
controls affect the CIS applications significant to the
audit.
b.
General CIS controls that relate to some or all
applications are typically interdependent controls in
that their operation is often essential to the
effectiveness of CIS application controls.
c. Control over input, processing, data files and output
may be carried out by CIS personnel, by users of the
system, by a separate control group, or may be
programmed into application software.
d. It may be more efficient to review the design of the
application controls before reviewing the general
controls.
59. Which statement is incorrect regarding the evaluation of
general CIS controls and CIS application controls?
a. The general CIS controls may have a pervasive
effect on the processing of transactions in application
systems.
b. If general CIS controls are not effective, there may
be a risk that misstatements might occur and go
undetected in the application systems.
c. Manual procedures exercised by users may provide
effective control at the application level.
d. Weaknesses in general CIS controls cannot preclude
testing certain CIS application controls.
60. The applications of auditing procedures using the computer as
an audit tool refer to
a. Integrated test facility
b. Auditing through the computer
c. Data-based management system
d. Computer assisted audit techniques
61. Which statement is incorrect regarding CAATs?
a. CAATs are often an efficient means of testing a large
number of transactions or controls over large
populations.
b. To ensure appropriate control procedures, the
presence of the auditor is not necessarily required at
the computer facility during the running of a CAAT.
c.
The general principles outlined in PAPS 1009 apply
in small entity IT environments.
d. Where smaller volumes of data are processed, the
use of CAATs is more cost effective.
62. Consists of generalized computer programs designed to
perform common audit tasks or standardized data processing
functions.
a. Package or generalized audit software
b. Utility programs
c. Customized or purpose-written programs
d. System management programs
63. Audit automation least likely include

a. Expert systems.
b.
c.
d.
Tools to evaluate a clients risk management

procedures.
Manual working papers.
Corporate and financial modeling programs for use
as predictive audit tests.
64. An internal auditor noted the following points when conducting

a preliminary survey in connection with the audit of an EDP
department. Which of the following would be considered a
safeguard in the control system on which the auditor might
rely?
a. Programmers and computer operators correct daily
processing problems as they arise.
b. The control group works with user organizations to
correct rejected input.
c. New systems are documented as soon as possible
after they begin processing live data.
d. The average tenure of employees working in the
EDP department is ten months.
65. An on-line access control that checks whether the users code
number is authorized to initiate a specific type of transaction or
inquiry is referred to as
a. Password
b. Compatibility test
c. Limit check
d. Reasonableness test
66. A control procedure that could be used in an on-line system to
provide an immediate check on whether an account number
has been entered on a terminal accurately is a
a. Compatibility test
b. Record count
c. Hash total
d. Self-checking digit
67. A control designed to catch errors at the point of data entry is
a. Batch total
b. Self-checking digit
c. Record count
d. Checkpoints
68. Program documentation is a control designed primarily to
ensure that
a. Programmers have access to the tape library or
information on disk files.
b. Programs do not make mathematical errors.
c. Programs are kept up to date and perform as
intended.
d. Data have been entered and processed.
69. Some of the more important controls that relate to automated
accounting information systems are validity checks, limit
checks, field checks, and sign tests. These are classified as
a. Control total validation routines
b. Output controls
c. Hash totaling
d. Input validation routines
70. Most of todays computer systems have hardware controls that
are built in by the computer manufacturer. Common hardware
controls are
a. Duplicate circuitry, echo check, and internal header
labels
b. Tape file protection, cryptographic protection, and
limit checks
c. Duplicate circuitry, echo check, and dual reading
d. Duplicate circuitry, echo check, tape file protection,
and internal header labels
71. Computer manufacturers are now installing software programs

permanently inside the computer as part of its main memory to
provide protection from erasure or loss if there is interrupted

electrical power. This concept is known as
a. File integrity
b. Random access memory (RAM)
c. Software control
d. Firmware
72. Which one of the following represents a lack of internal control
in a computer-based information system?
a. The design and implementation is performed in
accordance
with
managements
specific
authorization.
b. Any and all changes in application programs have
the authorization and approval of management.
c. Provisions exist to protect data files from
unauthorized access, modification, or destruction.
d. Both computer operators and programmers have
unlimited access to the programs and data files.
73. In an automated payroll processing environment, a department
manager substituted the time card for a terminated employee
with a time card for a fictitious employee. The fictitious
employee had the same pay rate and hours worked as the
terminated employee. The best control technique to detect this
action using employee identification numbers would be a
a. Batch total
b. Hash total
c. Record count
d. Subsequent check
74. An employee in the receiving department keyed in a shipment
from a remote terminal and inadvertently omitted the purchase
order number. The best systems control to detect this error
would be
a. Batch total
b. Sequence check
c. Completeness test
d. Reasonableness test
75. The reporting of accounting information plays a central role in
the regulation of business operations. Preventive controls are
an integral part of virtually all accounting processing systems,
and much of the information generated by the accounting
system is used for preventive control purposes. Which one of
the following is not an essential element of a sound preventive
control system?
a. Separation of responsibilities for the recording,
custodial, and authorization functions.
b. Sound personnel policies.
c. Documentation of policies and procedures.
d. Implementation of state-of-the-art software and
hardware.
76. The most critical aspect regarding separation of duties within
information systems is between
a. Project leaders and programmers
b. Programmers and systems analysts
c. Programmers and computer operators
d. Data control and file librarians
77. Whether or not a real time program contains adequate controls
is most effectively determined by the use of
a. Audit software
b. A tracing routine
c. An integrated test facility
d. A traditional test deck
78. Compatibility tests are sometimes employed to determine
whether an acceptable user is allowed to proceed. In order to
perform compatibility tests, the system must maintain an
access control matrix. The one item that is not part of an
access control matrix is a
a. List of all authorized user code numbers and
passwords.
b. List of all files maintained on the system.
c. Record of the type of access to which each user is
entitled.
d.
Limit on the number of transaction inquiries that can

be made by each user in a specified time period.
79. Which one of the following input validation routines is not likely
to be appropriate in a real time operation?
a. Field check
b. Sequence check
c. Sign check
d. Redundant data check
80. Which of the following controls is a processing control designed
to ensure the reliability and accuracy of data processing?
a.
b.
c.
d.
Limit test
Yes
No
No
Yes
Validity check test

Yes
No
Yes
No
81. Which of the following characteristics distinguishes computer

processing from manual processing?
a. Computer processing virtually eliminates the
occurrence of computational error normally
associated with manual processing.
b. Errors or irregularities in computer processing will be
detected soon after their occurrences.
c. The potential for systematic error is ordinarily greater
in manual processing than in computerized
processing.
d. Most computer systems are designed so that
transaction trails useful for audit do not exist.
82. Which of the following most likely represents a significant
deficiency in the internal control structure?
a. The systems analyst review applications of data
processing and maintains systems documentation.
b. The systems programmer designs systems for
computerized applications and maintains output
controls.
c. The control clerk establishes control over data
received by the EDP department and reconciles
control totals after processing
d. The accounts payable clerk prepares data for
computer processing and enters the data into the
computer.
83. Which of the following activities would most likely be performed
in the EDP Department?
a. Initiation of changes to master records.
b. Conversion of information to machine-readable form.
c. Correction of transactional errors.
d. Initiation of changes to existing applications.
84. For control purposes, which of the following should be
organizationally segregated from the computer operations
function?
a. Data conversion
b. Systems development
c. Surveillance of CRT messages
d. Minor maintenance according to a schedule
85. Which of the following is not a major reason for maintaining an
audit trail for a computer system?
a. Deterrent to irregularities
b. Analytical procedures
c. Monitoring purposes
d. Query answering
86. In an automated payroll system, all employees in the finishing
department were paid the rate of P75 per hour when the
authorized rate was P70 per hour. Which of the following
controls would have been most effective in preventing such an
error?
a. Access controls which would restrict the personnel
departments access to the payroll master file data.
b.
A review of all authorized pay rate changes by the
personnel department.
c. The use of batch control totals by department.
d.
A limit test that compares the pay rates per

department with the maximum rate for all employees.
87. Which of the following errors would be detected by batch

controls?
a. A fictitious employee as added to the processing of
the weekly time cards by the computer operator.
b. An employee who worked only 5 hours in the week
was paid for 50 hours.
c.
The time card for one employee was not processed
because it was lost in transit between the payroll
department and the data entry function.
88. The use of a header label in conjunction with magnetic tape is
most likely to prevent errors by the
a. Computer operator
b. Computer programmer
c. Keypunch operator
d. Maintenance technician
89. For the accounting system of ACME Company, the amounts of
cash disbursements entered into an EDP terminal are
transmitted to the computer that immediately transmits the
amounts back to the terminal for display on the terminal
screen. This display enables the operator to
a. Establish the validity of the account number
b. Verify the amount was entered accurately
c. Verify the authorization of the disbursements
d. Prevent the overpayment of the account
90. When EDP programs or files can be accessed from terminals,
users should be required to enter a(an)
a. Parity check
b. Self-diagnostic test
c. Personal identification code
d. Echo check
91. The possibility of erasing a large amount of information stored
on magnetic tape most likely would be reduced by the use of
a. File protection ring
b. Completeness tests
c. Check digits
d. Conversion verification
92. Which of the following controls most likely would assure that an
entity can reconstruct its financial records?
a. Hardware controls are built into the computer by the
computer manufacturer.
b. Backup diskettes or tapes of files are stored away
from originals.
c. Personnel who are independent of data input
perform parallel simulations.
d. System flowcharts provide accurate descriptions of
input and output operations.
93. Mill Co. uses a batch processing method to process its sales
transactions. Data on Mills sales transaction tape are
electronically sorted by customer number and are subject to
programmed edit checks in preparing its invoices, sales
journals, and updated customer account balances. One of the
direct outputs of the creation of this tape most likely would be a
a. Report showing exceptions and control totals.
b. Printout of the updated inventory records.
c. Report showing overdue accounts receivable.
d. Printout of the sales price master file.
94. Using microcomputers in auditing may affect the methods used
to review the work of staff assistants because
a. The audit field work standards for supervision may
differ.
b. Documenting the supervisory review may require
assistance of consulting services personnel.
c.
Supervisory personnel may not have an

understanding of the capabilities and limitations of
microcomputers.
d.
Working paper documentation may not contain

readily observable details of calculations.
95. An auditor anticipates assessing control risk at a low level in a

computerized environment. Under these circumstances, on
which of the following procedures would the auditor initially
focus?
a. Programmed control procedures
b. Output control procedures
c. Application control procedures
d. General control procedures
96. After the preliminary phase of the review of a clients EDP
controls, an auditor may decide not to perform tests of controls
(compliance tests) related to the control procedures within the
EDP portion of the clients internal control structure. Which of
the following would not be a valid reason for choosing to omit
such tests?
a. The controls duplicate operative controls existing
elsewhere in the structure.
b. There appear to be major weaknesses that would
preclude reliance on the stated procedure.
c.
The time and costs of testing exceed the time and
costs in substantive testing if the tests of controls
show the controls to be operative.
d. The controls appear adequate.
97. Which of the following client electronic data processing (EDP)
systems generally can be audited without examining or directly
testing the EDP computer programs of the system?
a. A system that performs relatively uncomplicated
processes and produces detailed output.
b. A system that affects a number of essential master
files and produces a limited output.
c. A system that updates a few essential master files
and produces no printed output other than final
balances.
d. A system that performs relatively complicated
processing and produces very little detailed output.
98. Computer systems are typically supported by a variety of utility
software packages that are important to an auditor because
they
a. May enable unauthorized changes to data files if not
properly controlled.
b. Are very versatile programs that can be used on
hardware of many manufacturers.
c. May be significant components of a clients
application programs.
d. Are written specifically to enable auditors to extract
and sort data.
99. To obtain evidence that online access controls are properly
functioning, an auditor most likely would
a. Create checkpoints at periodic intervals after live
data processing to test for unauthorized use of the
system.
b. Examine the transaction log to discover whether any
transactions were lost or entered twice due to a
system malfunction
c. Enter invalid identification numbers or passwords to
ascertain whether the system rejects them.
d. Vouch a random sample of processed transactions to
assure proper authorization
100. Which of the following statements most likely represents a
disadvantage for an entity that keeps microcomputer-prepared
data files rather than manually prepared files?
a. Attention is focused on the accuracy of the
programming process rather than errors in individual
transactions.
b.
It is usually easier for unauthorized persons to
access and alter the files.
c.
Random error associated with processing similar
transactions in different ways is usually greater.
d.
It is usually more difficult to compare recorded
accountability with physical count of assets.
101. An auditor would least likely use computer software to

a. Access client data files
b. Assess EDP controls
c. Prepare spreadsheets
d. Construct parallel simulations
102. A primary advantage of using generalized audit software
packages to audit the financial statements of a client that uses
an EDP system is that the auditor may
a. Consider increasing the use of substantive tests of
transactions in place of analytical procedures.
b. Substantiate the accuracy of data through selfchecking digits and hash totals.
c.
Reduce the level of required tests of controls to a
relatively small amount.
d.
Access information stored on computer files while
having a limited understanding of the clients
hardware and software features.
103. Auditors often make use of computer programs that perform
routine processing functions such as sorting and merging.
These programs are made available by electronic data
processing companies and others and are specifically referred
to as
a. Compiler programs
b. Utility programs
c. Supervisory programs
d. User programs
104. Smith Corporation has numerous customers. A customer file is
kept on disk storage. Each customer file contains name,
address, credit limit, and account balance. The auditor wishes
to test this file to determine whether the credit limits are being
exceeded. The best procedure for the auditor to follow would
be to
a. Develop test data that would cause some account
balances to exceed the credit limit and determine if
the system properly detects such situations.
b.
Develop a program to compare credit limits with
account balances and print out the details of any
account with a balance exceeding its credit limit.
c.
Request a printout of all account balances so they
can be manually checked against the credit limits.
d.
Request a printout of a sample of account balances
so they can be individually checked against the credit
limits.
105. The use of generalized audit software package
a. Relieves an auditor of the typical tasks of
investigating exceptions, verifying sources of
information, and evaluating reports.
b.
Is a major aid in retrieving information from
computerized files.
c. Overcomes the need for an auditor to learn much
about computers.
d. Is a form of auditing around the computer.
106. An auditor used test data to verify the existence of controls in a
certain computer program. Even though the program
performed well on the test, the auditor may still have a concern
that
a. The program tested is the same one used in the
regular production runs.
b. Generalized audit software may have been a better
tool to use.
c. Data entry procedures may change and render the
test useless.
d. The test data will not be relevant in subsequent audit
periods.
107. An auditor most likely would introduce test data into a
computerized payroll system to test internal controls related to
the
a. Existence of unclaimed payroll checks held by
supervisors.
b. Early cashing of payroll checks by employees.
c. Discovery of invalid employee I.D. numbers.
d. Proper approval of overtime by supervisors.
108. When an auditor tests a computerized accounting system,

which of the following is true of the test data approach?
a. Test data must consist of all possible valid and
invalid conditions.
b. The program tested is different from the program
used throughout the year by the client.
c. Several transactions of each type must be tested.
d. Test data are processed by the clients computer
programs under the auditors control.
109. Which of the following statements is not true to the test data
approach when testing a computerized accounting system?
a. The test need consist of only those valid and invalid
conditions which interest the auditor
b. Only one transaction of each type need be tested.
c. The test data must consist of all possible valid and
invalid conditions.
d. Test data are processed by the clients computer
programs under the auditors control.
110. Which of the following is not among the errors that an auditor
might include in the test data when auditing a clients EDP
system?
a. Numeric characters in alphanumeric fields.
b. Authorized code.
c. Differences in description of units of measure.
d. Illogical entries in fields whose logic is tested by
programmed consistency checks.
111. An auditor who is testing EDP controls in a payroll system
would most likely use test data that contain conditions such as
a. Deductions not authorized by employees.
b. Overtime not approved by supervisors.
c. Time tickets with invalid job numbers.
d. Payroll checks with unauthorized signatures.
112. Auditing by testing the input and output of an EDP system
instead of the computer program itself will
a. Not detect program errors which do not show up in
the output sampled.
b. Detect all program errors, regardless of the nature of
the output.
c. Provide the auditor with the same type of evidence.
d. Not provide the auditor with confidence in the results
of the auditing procedures.
113. Which of the following computer-assisted auditing techniques
allows fictitious and real transactions to be processed together
without client operating personnel being aware of the testing
process?
a. Integrated test facility
b. Parallel simulation
c. Input controls matrix
d. Data entry monitor
114. Which of the following methods of testing application controls
utilizes a generalized audit software package prepared by the
auditors?
a. Parallel simulation
b. Test data approach
c. Integrated testing facility approach
d. Exception report tests
115. Misstatements in a batch computer system caused by incorrect
programs or data may not be detected immediately because
a. Errors in some transactions may cause rejection of
other transactions in the batch.
b. The identification of errors in input data typically is
not part of the program.
c. There are time delays in processing transactions in a
batch system.
d. The processing of transactions in a batch system is
not uniform.
116. Which of the following is not a characteristic of a batch
processed computer system?
a.
b.
c.
d.
The collection of like transactions which are sorted

and processed sequentially against a master file.
Keypunching of transactions, followed by machine
processing.
The production of numerous printouts.
The posting of a transaction, as it occurs, to several
files, without immediate printouts.
117. Where disk files are used, the grandfather-father-son updating

backup concept is relatively
118. difficult to implement because the
a. Location of information points on disks is an
extremely time consuming task.
b. Magnetic fields and other environmental factors
cause off-site storage to be impractical.
c. Information must be dumped in the form of hard copy
if it is to be reviewed before used in
d. Process of updating old records is destructive.
119. An auditor would most likely be concerned with which of the
following controls in a distributed data processing system?
a. Hardware controls
b. Access controls
c. Systems documentation controls
d. Disaster recovery controls
120. If a control total were computed on each of the following data
items, which would best be identified as a hash total for a
payroll EDP application?
a. Total debits and total credits
b. Department numbers
c. Net pay
d. Hours worked
121. Which of the following is a computer test made to ascertain
whether a given characteristic belongs to the group?
a. Parity check
b. Echo check
c. Validity check
d. Limit check
122. A control feature in an electronic data processing system
requires the central processing unit (CPU) to send signals to
the printer to activate the print mechanism for each character.
The print mechanism, just prior to printing, sends a signal back
to the CPU verifying that the proper print position has been
activated. This type of hardware control is referred to as
a. Echo check
b. Signal control
c. Validity control
d. Check digit control
123. Which of the following is an example of a check digit?
a. An agreement of the total number of employees to
the total number of checks printed by the computer.
b. An algebraically determined number produced by the
other digits of the employee number
c. A logic test that ensures all employee numbers are
nine digits.
d. A limit check that an employees hours do not exceed
50 hours per work week.
124. In a computerized system, procedure or problem-oriented
language is converted to machine language through a(an)
a. Interpreter
b. Verifier
c. Compiler
d. Converter
125. A customer erroneously ordered Item No. 86321 rather than
item No. 83621. When this order is processed, the vendors
EDP department would identify the error with what type of
control?
a. Key verifying
b. Batch total
c. Self-checking digit
d. Item inspection
126. The computer process whereby data processing is performed

concurrently with a particular activity and the results are
available soon enough to influence the course of action being
taken or the decision being made is called:
a. Random access sampling
b. On-line, real-time system
c. Integrated data processing
d. Batch processing system
127. Internal control is ineffective when computer department
personnel
a. Participate in computer software acquisition
decisions.
b. Design documentation for computerized systems.
c. Originate changes in master file.
d. Provide physical security for program files.
128. Test data, integrated test data and parallel simulation each
require an auditor to prepare data and computer programs.
CPAs who lack either the technical expertise or time to prepare
programs should request from the manufacturers or EDP
consultants for
a. The program Code
b. Generalized audit software
c. Flowchart checks
d. Application controls
129. Which of the following best describes a fundamental control
weakness often associated with electronic data processing
system?
a. EDP equipment is more subject to system error than
manual processing is subject to human error.
b. Monitoring is not an adequate substitute for the use
of test data.
c. EDP equipment processes and records similar
transactions in a similar manner.
d. Functions that would normally be separated in a
manual system are combined in the EDP system like
the function of programmers and operators.
130. Which of the following tasks could not be performed when
using a generalized audit software package?
a. Selecting inventory items for observations.
b. Physical count of inventories.
c. Comparison of inventory test counts with perpetual
records.
d. Summarizing inventory turnover statistics for
obsolescence analysis.
131. All of the following are auditing through the computer
techniques except
a. Reviewing source code
b. Automated tracking and mapping
c. Test-decking
d. Integrated test facility
132. The output of a parallel simulation should always be
a. Printed on a report.
b. Compared with actual results manually.
c. Compared with actual results using a comparison
program.
d. Reconciled to actual processing output.
133. Generalized audit software is a computer-assisted audit
technique. It is one of the widely used technique for auditing
computer application systems. Generalized audit software is
most often used to
a. Verify computer processing.
b. Process data fields under the control of the operation
manager.
c. Independently analyze data files.
d. Both a and b.
134. From an audit viewpoint, which of the following represents a

potential disadvantage associated with the widespread use of
microcomputers?
a.
b.
c.
d.
Their portability.
Their ease of access by novice users.
Their easily developed programs using spreadsheets
which do not have to be documented.
All of the above.
135. Which of the following functions would have the least effect on
an audit if it was not properly segregated?
a. The systems analyst and the programmer functions.
b. The computer operator and programmer functions.
c. The computer operator and the user functions.
d. The applications programmer and the systems
programmer.
136. To obtain evidence that user identification and password
control procedures are functioning as designed, an auditor
would most likely
a. Attempt to sign on to the system using invalid user
identifications and passwords.
b. Write a computer program that simulates the logic of
the clients access control software.
c. Extract a random sample of processed transactions
and ensure that the transactions were appropriately
authorized. Examine statements signed by
employees stating that they have not divulged their
user identifications and passwords to any other
person.
137. In considering a client's internal control structure in a computer
environment, the auditor will encounter general controls and
application controls. Which of the following is an application
control?
a. Organization charts.
b. Hash total.
c. Systems flowcharts.
d. Control over program changes
138. Auditing by testing the input and output of a computer system-i.e., auditing "around" the computer--instead of the computer
software itself will
a. Not detect program errors that do not appear in the
output sampled.
the output.
c. Provide the auditor with the same type of evidence.
of the auditing procedures.
139. Smith Corporation has numerous customers. A customer file is
kept on disk. Each customer file contains the name, address,
credit limit, and account balance. The auditor wishes to test
this file to determine whether credit limits are being exceeded.
The best procedure for the auditor to follow would be to
a. Develop test data that would cause some account
balances to exceed the credit limit and determine if
the system properly detects such situations.
b. Develop a program to compare credit limits with
account balances and print out the details of any
account with a balance exceeding its credit limit.
c. Request a printout of all account balances so they
can be manually checked against the credit limits.
d. Request a printout of a sample of account balances
so they can be individually checked against the credit
limits.
utilizes software prepared by the auditors and applied to the
client's data?
a. Parallel simulation.
b. Integrated test facility.
c. Test data.
d. Exception report tests.
141. The testdata method is used by auditors to test the
a. Accuracy of input data.
b. Validity of the output.
c. Procedures contained within the program.
d. Normalcy of distribution of test data.
142. Which of the following is true of generalized audit software?

a. They can be used only in auditing on-line computer
systems.
b. They can be used on any computer without
modification.
c. They each have their own characteristics, which the
auditor must carefully consider before using in a
given audit situation.
d. They enable the auditor to perform all manual
compliance test procedures less expensively.
143. Assume that an auditor estimated that 10,000 checks were
issued during the accounting period. If an application control
that performs a limit check for each check request is to be
subjected to the auditor's testdata approach, the sample
should include:
a. Approximately 1,000 test items.
b. A number of test items determined by the auditor to
be sufficient under the circumstances.
c. A number of test items determined by the auditor's
reference to the appropriate sampling tables.
d. One transaction.
144. PC DOS, MS DOS, and AppleDOS are examples of
a. Application software.
b. Generalized audit software.
c. Database management systems.
d. Operating software.
145. Which of the following is not an example of a computerassisted audit technique?
a. Integrated test data.
b. Audit modules.
c. Disk operating systems.
d. Audit hooks.
disadvantage for an entity that maintains computer data files
rather than manual files?
a. It's usually more difficult to detect transposition
errors.
b. Transactions are usually authorized before they are
executed and recorded.
c. It's usually easier for unauthorized persons to access
and alter the files.
d. Random error is more common when similar
transactions are processed in different ways.
147. Which of the following statements best describes a weakness
often associated with computers?
a. Computer equipment is more subject to systems
error than manual processing is subject to human
error.
b. Computer equipment processes and records similar
transactions in a similar manner.
c. Control activities for detecting invalid and unusual
transactions are less effective than manual control
activities.
d. Functions that would normally be separated in a
manual system are combined in a computer system.
148. Accounting functions that are normally considered incompatible
in a manual system are often combined by computer software.
This necessitates an application control that prevents
unapproved
a. Access to the computer library.
b. Revisions to existing software.
c. Usage of software.
d. Testing of modified software.
149. When software or files can be accessed from on-line servers,
users should be required to enter
a. A parity check.
b. A personal identification code.
c. A self-diagnosis test.
d. An echo check.
150. An auditor's consideration of a company's computer control

activities has disclosed the following four circumstances.
Indicate which circumstance constitutes a significant deficiency
in internal control.
a. Computer operators do not have access to the
complete software support documentation.
b. Computer operators are closely supervised by
programmers.
c. Programmers are not authorized to operate
computers.
d. Only one generation of backup files is stored in an
off-premises location.
151. In a computer system, hardware controls are designed to
a. Arrange data in a logical sequence for processing.
b. Correct errors in software.
c. Monitor and detect errors in source documents.
d. Detect and control errors arising from use of
equipment.
152. In the weekly computer run to prepare payroll checks, a check
was printed for an employee who had been terminated the
previous week. Which of the following controls, if properly
utilized, would have been most effective in preventing the error
or ensuring its prompt detection?
a. A control total for hours worked, prepared from time
cards collected by the timekeeping department.
b. Requiring the treasurer's office to account for the
number of the pre-numbered checks issued to the
CBIS department for the processing of the payroll
c. Use of a check digit for employee numbers
d. Use of a header label for the payroll input sheet
153.
An auditor is preparing test data for use in the audit of a

computer based accounts receivable application. Which of the
following items would be appropriate to include as an item in
the test data?
a. A transaction record which contains an incorrect
master file control total
b. A master file record which contains an invalid
customer identification number
c. A master file record which contains an incorrect
master file control total
d. A transaction record which contains an invalid
customer identification number.
154. Unauthorized alteration of on-line records can be prevented by

employing:
a. Key verification
b. Computer sequence checks
c. Computer matching
d. Data base access controls
155. In auditing through a computer, the test data method is used by
auditors to test the
a. Accuracy of input data
b. Validity of the output
c. Procedures contained within the program
d. Normalcy of distribution of test data.
156. In the preliminary survey the auditor learns that a department
has several microcomputers. Which of the following is usually
true and should be considered in planning the audit?
a. Microcomputers, though small, are capable of
processing
financial information, and physical
security is a control concern
b. Microcomputers are limited to applications such as
worksheet generation and do not present a
significant audit risk
c. Microcomputers are generally under the control of
the data processing department and use the same
control features
d. Microcomputers are too small to contain any built-in
control features. Therefore, other controls must be
relied upon.
157. The primary reason for internal auditing's involvement in the
development of new computer-based sysstems is to:
a. Plan post-implementation reviews
b.
c.
d.
Promote adequate controls

Train auditors in CBIS techniques
Reduce overall audit effort.
158. Which of the following is an advantage of generalized computer

audit packages?
a. They are all written in one identical computer
language
b. They can be used for audits of clients that use
differing CBIS equipment and file formats
c. They have reduced the need for the auditor to study
input controls for CBIS related procedures
d. Their use can be substituted for a relatively large part
of the required control testing
159. Processing simulated file data provides the auditor with
information about the reliability of controls from evidence that
exists in simulated files. One of the techniques involved in this
approach makes use of
a. Controlled reprocessing
b. Program code checking
c. Printout reviews
d. Integrated test facility
disadvantage for an entity that keeps microcomputer-prepared
data files rather than manually prepared files?
a. It is usually more difficult to detect transposition
errors
b. Transactions are usually authorized before they are
executed and recorded
c. It is usually easier for unauthorized persons to
access and alter the files
d. Random error associated with processing similar
transactions in different ways is usually greater
161. The possibility of losing a large amount of information stored in
computer files most likely would be reduced by the use of
a. Back-up files
b. Check digits
c. Completeness tests
d. Conversion verification
162. An integrated test facility (ITF) would be appropriate when the
auditor needs to
a. Trace a complex logic path through an application
system
b. Verify processing accuracy concurrently with
processing
c. Monitor transactions in an application system
continuously
d. Verify load module integrity for production programs
163. Where computer processing is used in significant accounting
applications, internal accounting control procedures may be
defined by classifying control procedures into two types:
general and
a. Administrative
b. Specific
c. Application
d. Authorization
164. The increased presence of the microcomputer in the workplace
has resulted in an increasing number of persons having access
to the computer. A control that is often used to prevent
unauthorized access to sensitive programs is:
a. Backup copies of the diskettes
b. Passwords for each of the users
c. Disaster-recovery procedures
d. Record counts of the number of input transactions in
a batch being processed
165. Checklists, systems development methodology, and staff hiring
are examples of what type of controls?
a. Detective
b. Preventive
c. Subjective
d. Corrective
166. When an on-line, real-time (OLRT) computer-based processing

system is in use, internal control can be strengthened by
a. Providing for the separation of duties between
keypunching and error listing operations
b. Attaching plastic file protection rings to reels of
magnetic tape before new data can be entered on
the file
c. Making a validity check of an identification number
before a user can obtain access to the computer files
d. Preparing batch totals to provide assurance that file
updates are made for the entire input
167. When auditing "around" the computer, the independent auditor
focuses solely upon the source documents and
a. Test data
b. CBIS processing
c. Control techniques
d. CBIS output
168. One of the features that distinguishes computer processing
from manual processing is
a. Computer processing virtually eliminates the
occurrence of computational error normally
associated with manual processing
b. Errors or fraud in computer processing will be
detected soon after their occurrences
c. The potential for systematic error is ordinarily greater
in manual processing than in computerized
processing
d. Most computer systems are designed so that
transaction trails useful for audit purposes do not
exist
169. Given the increasing use of microcomputers as a means for
accessing data bases, along with on-line real-time processing,
companies face a serious challenge relating to data security.
Which of the following is not an appropriate means for meeting
this challenge?
a. Institute a policy of strict identification and password
controls housed in the computer software that permit
only specified individuals to access the computer
files and perform a given function.
b. Limit terminals to perform only certain transactions.
c. Program software to produce a log of transactions
showing date, time, type of transaction, and operator.
d. Prohibit the networking of microcomputers and do
not permit users to access centralized data bases.
170. What type of computer-based system is characterized by data
that are assembled from more than one location and records
that are updated immediately?
a. Microcomputer system
b. Minicomputer system
c. Batch processing system
d. Online real-time system
171. Company A has recently converted its manual payroll to a
computer-based system. Under the old system, employees
who had resigned or been terminated were occasionally kept
on the payroll and their checks were claimed and cashed by
other employees, in collusion with shop foremen.
The
controller is concerned that this practice not be allowed to
continue under the new system.
The best control for
preventing this form of "payroll padding" would be to
a. Conduct exit interviews with all employees leaving
the company, regardless of reason.
b. Require foremen to obtain a signed receipt from
each employee claiming a payroll check.
c. Require the human resources department to
authorize all hires and terminations, and to forward a
current computerized list of active employee
numbers to payroll prior to processing. Program the
computer to reject inactive employee numbers.
d. Install time clocks for use by all hourly employees.
172. Compared to a manual system, a CBIS generally
1)
Reduces segregation of duties
2)
Increases segregation of duties
3)
4)
a.
b.
c.
d.
Decreases manual inspection of processing results

Increases manual inspection of processing results.
1 and 3
1 and 4
2 and 3
2 and 4
173. One of the major problems in a CBIS is that incompatible

functions may be performed by the same individual. One
compensating control for this is the use of
a. Echo checks
b. A self-checking digit system
c. Computer generated hash totals
d. A computer log
174. Which of the following processing controls would be most
effective in assisting a store manager to ascertain whether the
payroll transaction data were processed in their
entirety?
a. Payroll file header record
b. Transaction identification codes
c. Processing control totals
d. Programmed exception reporting
175. An organizational control over CBIS operations is
a. Run-to-run balancing of control totals
b. Check digit verification of unique identifiers
c. Separation of operating and programming functions
d. Maintenance of output distribution logs
utilizes a generalized audit software package prepared by the
auditors?
a. Parallel simulation
b. Integrated testing facility approach
c. Test data approach
d. Exception report tests
177. An unauthorized employee took computer printouts from output
bins accessible to all employees. A control which would have
prevented this occurrence is
a. A storage/retention control
b. A spooler file control
c. An output review control
d. A report distribution control
178. Which of the following is a disadvantage of the integrated test
facility approach?
a. In establishing fictitious entities, the auditor may be
compromising audit independence.
b. Removing the fictitious transactions from the system
is somewhat difficult and, if not done carefully, may
contaminate the client's files.
c. ITF is simply an automated version of auditing
"around" the computer.
d. The auditor may not always have a current copy of
the authorized version of the client's program.
179. Totals of amounts in computer-record data fields which are not
usually added for other purposes but are used only for data
processing control purposes are called
a. Record totals
b. Hash totals
c. Processing data totals
d. Field totals
180. A hash total of employee numbers is part of the input to a
payroll master file update program. The program compares the
hash total to the total computed for transactions applied
to
the master file. The purpose of this procedure
is to:
a. Verify that employee numbers are valid
b. Verify that only authorized employees are paid
c. Detect errors in payroll calculations
d. Detect the omission of transaction processing
181. Matthews Corp. has changed from a system of recording time
worked on clock cards to a computerized payroll system in
which employees record time in and out with magnetic cards.
The CBIS automatically updates all payroll records. Because

of this change
a. A generalized computer audit program must be used
b. Part of the audit trail is altered
c. The potential for payroll related fraud is diminished
d. Transactions must be processed in batches
182. Generalized audit software is of primary interest to the auditor
in terms of its capability to
a. Access information stored on computer files
b. Select a sample of items for testing
c. Evaluate sample test results
d. Test the accuracy of the client's calculations
183. Accounts payable program posted a payable to a vendor not
included in the on-line vendor master file. A control which
would prevent this error is a
a. Validity check
b. Range check
c. Reasonableness test
d. Parity check
184. In a computerized sales processing system, which of the
following controls is most effective in preventing sales invoice
pricing errors?
a. Sales invoices are reviewed by the product
managers before being mailed to customers
b. Current sales prices are stored in the computer, and,
as stock numbers are entered from sales orders, the
computer automatically prices the orders
c. Sales prices, as well as product numbers, are
entered as sales orders are entered at remote
terminal locations
d. Sales prices are reviewed and updated on a
quarterly basis
185. Which of the following is likely to be of least importance to an
auditor in reviewing the internal control in a company with a
CBIS?
a. The segregation of duties within the data processing
center.
b. The control over source documents
c. The documentation maintained for accounting
applications.
d. The cost/benefit ratio of data processing operations
186. For the accounting system of Acme Company, the amounts of
cash disbursements entered into an CBIS terminal are
transmitted to the computer that immediately transmits the
amounts back to the terminal for display on the terminal
screen. This display enables the operator to
a. Establish the validity of the account number
b. Verify the amount was entered accurately
c. Verify the authorization of the disbursement
d. Prevent the overpayment of the account
187. Which of the following audit techniques most likely would
provide an auditor with the most assurance about the
effectiveness of the operation of an internal control procedure?
a. Inquiry of client personnel
b. Recomputation of account balance amounts
c. Observation of client personnel
d. Confirmation with outside parties
188. Adequate technical training and proficiency as an auditor
encompasses an ability to understand a CBIS sufficiently to
identify and evaluate
a. The processing and imparting of information
b. Essential accounting control features
c. All accounting control features
d. The degree to which programming conforms with
application of generally accepted accounting
principles.
189. Which of the following is not a major reason why an accounting
audit trail should be maintained for a computer system?
a. Query answering
b.
c.
d.
Deterrent to fraud
Monitoring purposes
Analytical review
190. Adequate control over access to data processing is required to

a. Prevent improper use or manipulation of data files
and programs
b. Ensure that only console operators have access to
program documentation
c. Minimize the need for backup data files
d. Ensure that hardware controls are operating
effectively and as designed by the computer
manufacturer
191. When testing a computerized accounting system, which of the
following is not true of the test data approach?
a. The test data need consist of only those valid and
invalid conditions in which the auditor is interested
b. Only one transaction of each type need be tested
c. Test data are processed by the client's computer
programs under the auditor's control
d. The test data must consist of all possible valid and
invalid conditions
192. In studying a client's internal controls, an auditor must be able
to distinguish between prevention controls and
detection
controls. Of the following data processing controls, which is
the best detection control?
a. Use of data encryption techniques
b. Review of machine utilization logs
c. Policy requiring password security
d. Backup and recovery procedure
193. Which of the following procedures is an example of auditing
"around" the computer?
a. The auditor traces adding machine tapes of sales
order batch totals to a computer printout of the sales
journal
b. The auditor develops a set of hypothetical sales
transactions and, using the client's computer
program, enters the transactions into the system and
observes the processing flow
c. The auditor enters hypothetical transactions into the
client's processing system during client processing of
live" data
d. The auditor observes client personnel as they
process the biweekly payroll. The auditor is primarily
concerned with computer rejection of data that fails
to meet reasonableness limits
194. Auditing by testing the input and output of a computer-based
system instead of the computer program itself will
a. Not detect program errors which do not show up in
the output sampled
the output
c. Provide the auditor with the same type of evidence
of the auditing procedures
195. Which of the following is an acknowledged risk of using test
data when auditing CBIS records?
a. The test data may not include all possible types of
transactions
b. The computer may not process a simulated
transaction in the same way it would an identical
actual transaction
c. The method cannot be used with simulated master
records
d. Test data may be useful in verifying the correctness
of account balances, but not in determining the
presence of processing controls
196. When the auditor encounters sophisticated computer-based

systems, he or she may need to modify the audit approach. Of
the following conditions, which one is not a valid reason for

modifying the audit approach?
a. More advanced computer systems produce less
documentation, thus reducing the visibility of the
audit trail
b. In complex comuter-based systems, computer
verification of data at the point of input replaces the
manual verification found in less sophisticated data
processing systems
c. Integrated data processing has replaced the more
traditional separation of duties that existed in manual
and batch processing systems.
d. Real-time processing of transactions has enabled the
auditor to concentrate less on the completeness
assertion
197. If a control total were to be computed on each of the following
data items, which would best be identified as a hash total for a
payroll CBIS application?
a. Net pay
b. Department numbers
c. Hours worked
d. Total debits and total credits
198. In a distributed data base (DDB) environment, control tests for
access control administration can be designed which focus on
a. Reconciliation of batch control totals
b. Examination of logged activity
c. Prohibition of random access
d. Analysis of system generated core dumps
199. A control to verify that the dollar amounts for all debits and
credits for incoming transactions are posted to a receivables
master file is the:
a. Generation number check
b. Master reference check
c. Hash total
d. Control total
200. The program flowcharting symbol representing a decision is a
a. Triangle
b. Circle
c. Rectangle
d. Diamond
201. An update program for bank account balances calculates
check
digits for account numbers. This is an example of
a. An input control
b. A file management control
c. Access control
d. An output control
202. CBIS controls are frequently classified as to general controls
and application controls. Which of the following is an example
of an application control?
a. Programmers may access the computer only for
testing and "debugging" programs
b. All program changes must be fully documented and
approved by the information systems manager and
the user department authorizing the change
c. A separate data control group is responsible for
distributing output, and also compares input and
output on a test basis
d. In processing sales orders, the computer compares
customer and product numbers with internally stored
lists
203. After a preliminary phase of the review of a client's CBIS
controls, an auditor may decide not to perform further tests
related to the control procedures within the CBIS portion of the
client's internal control system. Which of the following would
not be a valid reason for choosing to omit further testing?
a. The auditor wishes to further reduce assessed risk
b. The controls duplicate operative controls existing
elsewhere in the system
c. There appear to be major weaknesses that would
preclude reliance on the stated procedures
d.
The time and dollar costs of testing exceed the time

and dollar savings in substantive testing if the
controls are tested for compliance
204. For good internal control over computer program changes, a

policy should be established requiring that
a. The programmer designing the change adequately
test the revised program
b. All program changes be supervised by the CBIS
control
group
c. Superseded portions of programs be deleted from
the
program run manual to avoid confusion
d. All proposed changes be approved in writing by a
responsible individual.
205. Which of the following is not a technique for testing data
processing controls?
a. The auditor develops a set of payroll test data that
contain numerous errors. The auditor plans to enter
these transactions into the client's system and
observe whether the computer detects and properly
responds to the error conditions
b. The auditor utilizes the computer to randomly select
customer accounts for confirmation
c. The auditor creates a set of fictitious custom
accounts and introduces hypothetical sales
transactions, as well as sales returns and
allowances, simultaneously with the client's live data
processing
d. At the auditor's request, the client has modified its
payroll processing program so as to separately
record any weekly payroll entry consisting of 60
hours or more.
These separately recorded
("marked") entries are locked into the system and are
available only to the auditor
206. Which of the following would lessen internal control in a CBIS?
a. The computer librarian maintains custody of
computer program instructions and detailed listings
b. Computer operators have access to operator
instructions and detailed program listings
c. The control group is solely responsible for the
distribution of all computer output
d. Computer programmers write and debug programs
which perform routines designed by the systems
analyst
207. Access control in an on-line CBIS can best be provided in
most circumstances by
a. An adequate librarianship function controlling access
to files
b. A label affixed to the outside of a file medium holder
that identifies the contents
c. Batch processing of all input through a centralized,
well-guarded facility
d. User and terminal identification controls, such as
passwords
208. While entering data into a cash receipts transaction file, an
employee transposed two numbers in a customer code. Which
of the following controls could prevent input of this type
of
error?
a. Sequence check
b. Record check
c. Self-checking digit
d. Field-size check
209. What is the computer process called when data processing is
performed concurrently with a particular activity and the results
are available soon enough to influence the particular course of
action being taken or the decision being made?
a. Batch processing
b. Real time processing
c. Integrated data processing
d. Random access processing
210. Reconciling processing control totals is an example of
a. An input control
b.
c.
d.
An output control
A processing control
A file management control
211. Disadvantage of auditing around the computer is that it

a. Permits no assessment of actual processing
b. Requires highly skilled auditors
c. Demands intensive use of machine resources
d. Interacts actively with auditee applications
212. The completeness of computer-generated sales figures can be
tested by comparing the number of items listed on the daily
sales report with the number of items billed on the actual
invoices. This process uses
a. Check digits
b. Control totals
c. Validity tests
d. Process tracing data
213. Which of the following controls would be most efficient in
reducing common data input errors?
a. Keystroke verification
b. A set of well-designed edit checks
c. Balancing and reconciliation
d. Batch totals
214. On-line real-time systems and electronic data interchange
systems have the advantages of providing more timely
information and reducing the quantity of documents associated
with less automated systems. The advantages, however, may
create some problems for the auditor. Which of the following
characteristics of these systems does not create an audit
problem?
a. The lack of traditional documentation of transactions
creates a need for greater attention to programmed
controls at the point of transaction input
b. Hard copy may not be retained by the client for long
periods of time, thereby necessitating more frequent
visits by the auditor
c. Control testing may be more difficult given the
increased vulnerability of the client's files to
destruction during the testing process
d. Consistent on-line processing of recurring data
increases the incidence of errors
215. Creating simulated transactions that are processed through a

system to generate results that are compared with
predetermined results, is an auditing procedure referred to as
a. Desk checking
b. Use of test data
c. Completing outstanding jobs
d. Parallel simulation
216. To obtain evidential matter about control risk, an auditor
ordinarily selects tests from a variety of techniques, including
a. Analysis
b. Confirmations
c. Reprocessing
d. Comparison
217. A major exposure associated with the rapidly expanding use of
microcomputers is the absence of:
a. Adequate size of main memory and disk storage
b. Compatible operating systems
c. Formalized procedures for purchase justification
d. Physical, data file, and program security
218. To ensure that goods received are the same as those shown
on the purchase invoice, a computerized system should:
a. Match selected fields of the purchase invoice to
goods received
b. Maintain control totals of inventory value
c. Calculate batch totals for each input
d. Use check digits in account numbers
219. Errors in data processed in a batch computer system may not
be detected immediately because
a. Transaction trails in a batch system are available
only for a limited period of time
b. There are time delays in processing transactions in a
batch system
c. Errors in some transactions cause rejection of other
transactions in the batch
d. Random errors are more likely in a batch system
than in
an on-line system
220. Which of the following is a computer test made to ascertain
whether a given characteristic belongs to the group?
a. Parity check
b. Validity check
c. Echo check
d.
Limit check.

Auditing Cis

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Auditing Cis

Uploaded by

Copyright:

Available Formats

AUDITING IN A COMPUTERIZED ENVIRONMENT

Which statement is incorrect when auditing in a CIS

Which of the following standards or group of standards is

Which of the following is least considered if the auditor has to

It relates to materiality of the financial statement assertions

The potential unauthorized access to data or to alter

Which of the following significance and complexity of the CIS

Which statement is correct regarding personal computer

10. A personal computer can be used in various configurations,

15. It is a computer program (a block of executable code) that

The extent to which the personal computer is being

Individual transactions are entered at workstations,

31. It combines on-line/real time processing and on-line/batch

38. Certain general CIS controls that are particularly important to

39. Certain CIS application controls that are particularly important

44. Which of the following is least likely a characteristic of a

Individual applications share the data in the database

45. Database administration tasks typically include

The extent to which databases are being used by

51. Audit procedures in a database environment will be affected

47. Which statement is incorrect regarding the general CIS controls

48. These require a database administrator to assign security

55. Which statement is incorrect regarding internal controls in a

49. A discretionary access control wherein users are permitted or

50. The effect of a database system on the accounting system and

54. The development of CIS will generally result in design and

The internal controls over computer processing,

internal control, include only the

56. General CIS controls may include, except:

63. Audit automation least likely include

Tools to evaluate a clients risk management

64. An internal auditor noted the following points when conducting

71. Computer manufacturers are now installing software programs

provide protection from erasure or loss if there is interrupted

Limit on the number of transaction inquiries that can

Validity check test

81. Which of the following characteristics distinguishes computer

A limit test that compares the pay rates per

87. Which of the following errors would be detected by batch

Supervisory personnel may not have an

Working paper documentation may not contain

95. An auditor anticipates assessing control risk at a low level in a

101. An auditor would least likely use computer software to

108. When an auditor tests a computerized accounting system,

The collection of like transactions which are sorted

117. Where disk files are used, the grandfather-father-son updating

126. The computer process whereby data processing is performed

134. From an audit viewpoint, which of the following represents a

142. Which of the following is true of generalized audit software?

150. An auditor's consideration of a company's computer control

An auditor is preparing test data for use in the audit of a

154. Unauthorized alteration of on-line records can be prevented by

Promote adequate controls

158. Which of the following is an advantage of generalized computer

166. When an on-line, real-time (OLRT) computer-based processing

Decreases manual inspection of processing results

173. One of the major problems in a CBIS is that incompatible

The CBIS automatically updates all payroll records. Because

190. Adequate control over access to data processing is required to

196. When the auditor encounters sophisticated computer-based

the following conditions, which one is not a valid reason for

The time and dollar costs of testing exceed the time

204. For good internal control over computer program changes, a