
Auditing Theory - Auditing in EDP (Technology) 1

1. The program flow charting symbol representing a decision is a
a) Triangle
b) Circle
c) Rectangle
d) Diamond

Answer A is incorrect because a triangle represents off-line storage.
Answer B is incorrect because a circle represents an on-page connector.
Answer C is incorrect because a rectangle represents a computer operation.
Answer D is correct because a diamond represents a decision as to which alternative path to follow.
2. Which of the following would lessen internal control in a computer processing system?
a) The computer librarian maintains custody of computer program instructions and detailed listings.
b) Computer operators have access to operator instructions and detailed program listings.
c) The control group is solely responsible for the distribution of all computer output.
d) Computer programmers write and debug programs which perform routines designed by the systems analyst.
Answer A is incorrect because the computer librarian should maintain custody of program instructions and
detailed listings to strengthen controls in a computer system.
Answer B is correct because computer operators who have access to detailed program listings have the
opportunity to modify the programs.
Answer C is incorrect because the control group should be responsible for the distribution of all computer
output to strengthen controls in a computer system.
Answer D is incorrect because computer programmers should write and debug programs which perform
routines designed by the systems analyst in order to strengthen controls in a computer system.
3. Which of the following employees normally would be assigned the operating responsibility for designing
a computer installation, including flowcharts of data processing routines?
a) Computer programmer.
b) Data processing manager.
c) System analyst.
d) Internal auditor.

Answer A is incorrect because computer programmers write detailed programs based upon the work of the
systems analyst.
Answer B is incorrect because the data processing manager has overall responsibility for the computer
operations function (systems design, programming, operations, library, etc.).
Answer C is correct because the systems analyst is responsible for designing the computer system, including
the goals of the system and means of achieving those goals, based upon the nature of the business and its
information needs. The systems analyst also must outline the data processing system for the computer
programmer with system flowcharts.
Answer D is incorrect because the internal auditor may review the systems design and program flowcharts,
but is not responsible for their design.
4. Which of the following most likely represents a significant deficiency in the internal control?
a) The systems analyst reviews applications of data processing and maintains systems documentation.
b) The systems programmer designs systems for computerized applications and maintains output controls.
c) The control clerk establishes control over data received by the information systems department and reconciles control totals after processing.
d) The accounts payable clerk prepares data for computer processing and enters the data into the computer.
Answer A is incorrect. This procedure is generally acceptable within a computerized environment.
Answer B is correct. The systems programmer should not maintain custody of output in a computerized
system. At a minimum, the programming, operating, and library functions should be segregated in such
computer systems.
Answer C is incorrect. This procedure is generally acceptable within a computerized environment.
Answer D is incorrect. This procedure is generally acceptable within a computerized environment.
5. One of the major problems in a computer system is that incompatible functions may be performed by
the same individual. One compensating control for this is use of
a) A tape library.
b) A self-checking digit system.
c) Computer generated hash totals.
d) A computer log.

Answer A is incorrect because a tape library is likely to be effective only when the library is effectively
controlled.
Answer B is incorrect because a self-checking digit system is unlikely to be effective if the concern is
incompatible functions.
Answer C is incorrect because hash totals are designed primarily to determine that data have not been lost
or transformed during processing.
Answer D is correct because the use of a computer log will allow a review of an individual's access to the
system.
6. Which of the following constitutes a weakness in the internal control of a computer system?
a) One generation of backup files is stored in an off-premises location.
b) Machine operators distribute error messages to the control group.
c) Machine operators do not have access to the complete systems manual.
d) Machine operators are supervised by the programmer.

Answer A is incorrect because storing backup files off-premises will improve internal control. Reconstruction
of files, if necessary, will be possible.
Answer B is incorrect because machine operators should (by nature of operating the system) have access to
error messages and will distribute them to the control group.
Answer C is incorrect because machine operators should not have access to the systems manual. Operators
should not have complete information on the operation (and weaknesses) of the overall system.
Answer D is correct because machine operators should not be supervised by the programmer. Good internal
control in a computer system requires that operators, programmers, and the library function be segregated.
7. More than one file may be stored on a single magnetic disc. Several programs may be in the core
storage unit simultaneously. In both cases it is important to prevent the mixing of data. One way to do this
is to use
a) File integrity control.
b) Boundary protection.
c) Interleaving.
d) Paging.

Answer A is incorrect because file integrity control deals with maintaining the entire file.
Answer B is correct because the primary purpose of boundary protection is to prevent the mixing of data on
a magnetic memory disc and a core storage unit.
Answer C is incorrect because interleaving is a nonsense term.
Answer D is incorrect because paging is a technique used in virtual storage to segment programs and data
files which are being used.
8. A control feature in an electronic data processing system requires the central processing unit (CPU) to
send signals to the printer to activate the print mechanism for each character. The print mechanism, just
prior to printing, sends a signal back to the CPU verifying that the proper print position has been activated.
This type of hardware control is referred to as
a) Echo control.
b) Validity control.
c) Signal control.
d) Check digit control.

Answer A is correct because an echo check or control consists of transmitting data back to the source unit for
comparison with the original data that were transmitted. In this case, the print command is sent to the
printer and then returned to the CPU to verify that the proper command was received.
Answer B is incorrect because a validity check or control consists of the examination of a bit pattern to
determine that the combination is legitimate for the system character set (i.e., that the character
represented by the bit combination is valid per the system). A validity check is not being described in this
situation.
Answer C is incorrect because "signal control" is nonexistent.
Answer D is incorrect because a check digit control is a programmed control wherein the last character or
digit can be calculated from the previous digits. This type of hardware check is not being described in this
situation.
9. Automated equipment controls in a computer processing system are designed to detect errors arising
from
a) Operation of the computer processing equipment.
b) Lack of human alertness.
c) Incorrect input and output data.
d) Poor management of the computer processing installation.

Answer A is correct because automated equipment controls (hardware controls) are designed to detect,
report, or prevent operational errors within the computer. For example, the misreading of magnetic tapes by
a tape reader or storage of erroneous data are detected or prevented by the dual-gap heads and parity
checks. Other hardware controls are the echo check, dual circuitry, boundary protection, interlock, file
protection rings, etc.
Answer B is incorrect because lack of human alertness relates to human error which equipment controls
(hardware controls) cannot detect.
Answer C is incorrect because mistakes arising from human-related errors will not be detected by automated
equipment controls (hardware controls).
Answer D is incorrect because poor management of the computer installation is a human-related error which
will not be detected by equipment controls (hardware controls).
10. Parity checks, read-after-write checks, and duplicate circuitry are computer controls that are designed to
detect
a) Erroneous internal handling of data.
b) Lack of sufficient documentation for computer processes.
c) Illogical programming commands.
d) Illogical uses of hardware.

Answer A is correct because parity checks, read-after-write checks, and duplicate circuitry are hardware
controls which have been developed to detect and control mishandling of data within the computer. They
detect electronic or mechanical problems in the movement and storage of data.
Answer B is incorrect because these controls are not relevant to the detection and control of lack of sufficient
documentation.
Answer C is incorrect because these controls are not relevant to the detection and control of illogical
programming commands.
Answer D is incorrect because these controls are not relevant to the detection and control of illogical uses of
hardware.
11. Which of the following statements most likely represents a disadvantage for an entity that keeps
microcomputer-prepared data files rather than manually prepared files?
a) Random error associated with processing similar transactions in different ways is usually greater.
b) It is usually more difficult to compare recorded accountability with physical count of assets.
c) Attention is focused on the accuracy of the programming process rather than errors in individual transactions.
d) It is usually easier for authorized persons to access and alter the files.

Answer A is incorrect. Random error is more closely associated with manual processing than with computer
processing.
Answer B is incorrect. Comparing recorded accountability with the physical count of assets should not be
affected by whether a manual or a microcomputer system is being used.
Answer C is incorrect. The accuracy of the programming process is not generally tested when microcomputers
are used.
Answer D is correct. Persons with computer skills may be able to improperly access and alter microcomputer
files. When a system is prepared manually such manipulations may be more obvious.
12. A system in which the end user is responsible for the development and execution of the computer
application that he or she uses is referred to as
a) Microcomputing.
b) End-user computing.
c) Distributed computing.
d) Decentralized computing.

Answer A is incorrect because microcomputing is a term not frequently used, which presumably suggests
using a microcomputer.
Answer B is correct because in end-user computing the user is responsible for the development and
execution of the computer application that generates the information used by that same user.
Answer C is incorrect because with distributed computing, transactions for a single database are processed
at various sites and this does not relate directly to a circumstance in which the end user is responsible as
suggested in this question.
Answer D is incorrect because decentralized computing suggests that processing (and data) are stored on
computers at multiple locations, and it does not relate directly to a circumstance in which the end user is
responsible as suggested in this question.
13. Which of the following is an advantage of using a value-added network for EDI transactions?

a) Ability to deal with differing data protocols.
b) Decrease in cost of EDI.
c) Increase in data redundancy.
d) Direct communication between trading partners.

Answer A is correct because a value-added network is a privately owned network that routes EDI
transactions and alleviates problems related to differences between various organizations' hardware and
software.
Answer B is incorrect because a value-added network is likely to increase the cost of EDI, not decrease it.
Answer C is incorrect because a value-added network is likely to have no effect on data redundancy.
Answer D is incorrect because a value-added network results in communications to the value-added network,
and then to the trading partner.
14. To obtain evidence that user identification and password controls are functioning as designed, an auditor
would most likely
a) Review the on-line transaction log to ascertain whether employees using passwords have access to data files and computer programs.
b) Examine a sample of assigned passwords and access authority to determine whether password holders have access authority incompatible with their other responsibilities.
c) Extract a random sample of processed transactions and ensure that transactions are appropriately authorized.
d) Observe the file librarian's activities to discover whether other systems personnel are permitted to operate computer equipment without restriction.
Answer A is incorrect. Reviewing the on-line transaction log will provide information on transaction
processing, but not necessarily on user identification.
Answer B is correct. Examining a sample of assigned passwords and access authority will allow the auditor
to test the effectiveness of the controls.
Answer C is incorrect. Examining processed transactions will help the auditor to determine whether
transactions have been properly authorized, but will not help the auditor to determine whether user
identification and password controls are functioning as designed.
Answer D is incorrect. Observing the file librarian's activities will provide only limited evidence on user
identification and password controls.
15. When erroneous data are detected by computer program controls, such data may be excluded from
processing and printed on an error report. The error report should most probably be reviewed and followed
up by the
a) Supervisor of computer operations.
b) Systems analyst.
c) Control group.
d) Computer programmer.

Answer A is incorrect because the supervisor of computer operations has responsibility for the overall
operation of the information systems department and should not provide an internal audit function.
Answer B is incorrect because the systems analyst is responsible for designing the system, and accordingly
should not have internal audit responsibility.
Answer C is correct because the control group is responsible for providing a continuous review function by
supervising and monitoring input, operations, and the distribution of output (i.e., a continuous internal audit
function).
Answer D is incorrect because the computer programmer is charged with designing program flowcharts and
writing computer programs based on the work of the systems analyst. Accordingly, this individual does not
have internal audit responsibility.
16. The use of a header label in conjunction with magnetic tape is most likely to prevent errors by the
a) Computer operator.
b) Keypunch operator.
c) Computer programmer.
d) Maintenance technician.

Answer A is correct because the use of a header label allows the computer operator to determine whether
the correct file has been selected for processing. Therefore, header labels will most likely prevent errors by
the computer operator who mounts the magnetic tapes on the tape drives.
Answer B is incorrect because the keypunch operator does not load magnetic tapes and, therefore, is not
affected by the use of header labels.
Answer C is incorrect because the programmer will write the programs and will not run them in a good
internal control structure.
Answer D is incorrect because the maintenance technician will not run the magnetic tape. Thus, the use of
header labels will not affect the maintenance technician's errors.
17. Any assessment of the operational capabilities of a computer system must consider downtime. Even in a
fully protected system, downtime will exist because of

a) Electrical power losses.
b) Unscheduled maintenance.
c) Unauthorized entry.
d) Keypunching.

Answer A is incorrect because a fully protected computer system has alternative power sources which would
provide for electrical power losses and, therefore, downtime would not exist for this reason.
Answer B is correct because even though the computer system is fully protected, unscheduled maintenance
will require a certain amount of downtime.
Answer C is incorrect because an unauthorized entry would be thwarted in a fully protected system. Thus,
downtime would not arise from unauthorized entries.
Answer D is incorrect because a fully protected computer system has adequate internal controls which would
provide for keypunching errors. Downtime would not arise from this type of error.
18. A procedural control used in the management of a computer center to minimize the possibility of data or
program file destruction through operator error includes
a) Control figures.
b) Crossfooting tests.
c) Limit checks.
d) External labels.

Answer A is incorrect because control figures address the accuracy of information on a file, not the physical
security of a program file.
Answer B is incorrect because crossfooting tests address the accuracy of information on a file, not the
physical security of a program file.
Answer C is incorrect because limit checks address the accuracy of information on a file, not the physical
security of a program file.
Answer D is correct because external labels will prevent file destruction by properly identifying each file.
19. Which of the following would provide the most security for sensitive data stored on a personal computer?
a) Using a secure screen saver program.
b) Using an eight-bit encoding scheme for hardware interfaces.
c) Encrypting data files on the computer.
d) Using a conventional file on the computer.

Answer A is incorrect because the term "secure screen saver program" is not typically used in information
technology.
Answer B is incorrect because it is a series of words with no particular meaning.
Answer C is correct because encryption involves coding of the data files and accordingly, encrypted sensitive
data provides security because the files cannot be read by those without knowledge of the encryption code.
Answer D is incorrect because a conventional file structure scheme, absent controls, will not provide the
desired security for sensitive data.
20. A computer input control is designed to ensure that
a) Machine processing is accurate.
b) Only authorized personnel have access to the computer area.
c) Data received for processing are properly authorized and converted to machine readable form.
d) Computer processing has been performed as intended for the particular application.

Answer A is incorrect because processing controls address machine processing and logic, not data input.
Answer B is incorrect because access controls relate to the plan of organization, a general control, and not
the input of data.
Answer C is correct because input controls are designed to provide reasonable assurance that data received
for processing by computer have been properly authorized, converted into machine sensible form and
identified, and have not been lost, suppressed, added, duplicated, or otherwise improperly changed.
Answer D is incorrect because ascertaining that computer processing has been performed as intended for a
particular application is a processing control.

21. In updating a computerized accounts receivable file, which one of the following would be used as a batch
control to verify the accuracy of the total credit posting?
a) The sum of the cash deposits plus the discounts less the sales returns.
b) The sum of the cash deposits.
c) The sum of the cash deposits less the discounts taken by customers.
d) The sum of the cash deposits plus the discounts taken by customers.

Answer A is incorrect. Refer to the correct answer explanation.
Answer B is incorrect. Refer to the correct answer explanation.
Answer C is incorrect. Refer to the correct answer explanation.
Answer D is correct because the accounts receivable will be credited for the amount of cash received plus
discounts taken by the customers. Therefore, the control total should be the sum of the cash deposits plus
the discounts taken by customers.
22. If a control total were to be computed on each of the following data items, which would best be identified
as a hash total for a payroll application?
a) Hours worked.
b) Total debits and total credits.
c) Net pay.
d) Department numbers.

Answer A is incorrect because a company may use the total of hours worked for various purposes.
Answer B is incorrect because the totals of debits and credits help the auditor (and management) to
determine that all transactions have been properly recorded and processed.
Answer C is incorrect because the total of net pay normally has a meaning, such as equaling the credit to
cash based on the payroll.
Answer D is correct. The requirement is to determine the total which would most likely be considered a hash
total. A hash total is a meaningless sum which normally has no use other than to prove the completeness
with which a batch has been processed. The summation of department numbers has no apparent use other
than to help determine that an entire batch has been processed.
23. Carmel Department Store has an ERP information system and is planning to issue credit cards to
creditworthy customers. To strengthen internal control by making it difficult for one to create a valid
customer account number, the company's independent auditor has suggested the inclusion of a check digit
which should be placed
a) At the beginning of a valid account number, only.
b) In the middle of an account number, only.
c) At the end of a valid account number, only.
d) Consistently in any position.

Answer A is incorrect. Refer to the correct answer explanation.
Answer B is incorrect. Refer to the correct answer explanation.
Answer C is incorrect. Refer to the correct answer explanation.
Answer D is correct because a check digit, while normally at the end of an account number, may be placed
consistently in any position in the account when adequate computer programming exists (i.e., the
mathematical calculation of the check digit can be performed regardless of placement).
24. Which of the following is a computer test made to ascertain whether a given characteristic belongs to the
group?
a) Parity check.
b) Validity check.
c) Echo check.
d) Limit check.

Answer A is incorrect because a parity check involves a special bit which is added to each character stored in
memory and detects if the hardware loses a bit during the internal movement of the character.
Answer B is correct because a validity check determines whether a character is a legitimate item of the given
character set. Thus, the validity check ascertains whether a given character is within the desired group (e.g.
a field indicating sex of an individual where F=female and M=male would not accept an "A" being coded).
Answer C is incorrect because an echo check is a hardware control wherein data is transmitted back to its
source and compared to the original data to verify the transmission correctness.
Answer D is incorrect because a limit or reasonableness check is a programmed control based on specified
limits. For example, a calendar month cannot be numbered higher than 12, or a week cannot have more than
168 hours.
25. Smith Corporation has numerous customers. A customer file is kept on disk storage. Each customer file
contains name, address, credit limit, and account balance. The auditor wishes to test this file to determine
whether credit limits are being exceeded. The best procedure for the auditor to follow would be to
a) Develop test data that would cause some account balances to exceed the credit limit and determine if the system properly detects such situations.
b) Develop a program to compare credit limits with account balances and print out the details of any account with balance exceeding its credit limit.
c) Request a printout of all account balances so they can be checked against the credit limits.
d) Request a printout of a sample of account balances so they can be individually checked against the credit limits.
Answer A is incorrect because while test data will indicate whether the client's program allows credit limits to
be exceeded, it will not indicate whether credit limits are actually being exceeded.
Answer B is correct because a program to compare actual account balances with the predetermined credit
limit and thereby prepare a report on whether any actual credit limits are being exceeded will accomplish the
stated objective.
Answer C is incorrect because a manual check of all account balances will be very time consuming. Thus, a
manual check would not be the best procedure for the auditor to follow.
Answer D is incorrect because a printout of only a sample of account balances would not provide information
as to whether credit limits are being exceeded.
26. First Federal S&L has an on-line real-time system, with terminals installed in all of its branches. This
system will not accept a customer's cash withdrawal instructions in excess of Php1,000 without the use of a
terminal audit key. After the transaction is authorized by a supervisor, the bank teller then processes the
transaction with the audit key. This control can be strengthened by
a) On-line recording of the transactions on an audit override sheet.
b) Increasing the peso amount to Php1,500.
c) Requiring manual, rather than on-line, recording of all such transactions.
d) Using parallel simulations.

Answer A is correct because documentation of all situations in which the "terminal audit key" has been used
will improve the audit trail.
Answer B is incorrect because increasing the peso amount required for use of the key will simply reduce the
number of times it is used (and allow larger withdrawals to be made without any required special
authorization).
Answer C is incorrect because there is no reason to believe that a manual system will be more effective than
an on-line system.
Answer D is incorrect because parallel simulation, running the data through alternate software, would have
no particular advantage for processing these large withdrawals.
27. In a daily computer run to update checking account balances and print out basic details on any
customer's account that was overdrawn, the overdrawn account of the computer programmer was never
printed. Which of the following control procedures would have been most effective in detecting this fraud?
a) Use of the test-data approach by the auditor in testing the client's program and verification of the subsidiary file.
b) Use of a running control total for the master file of checking account balances and comparison with the printout.
c) A program check for valid customer code.
d) Periodic recompiling of programs from documented source files, and comparison with programs currently in use.
Answer A is incorrect because use of a test-data approach involves the development of a set of dummy
transactions which are processed by the client's computer programs. Thus, the auditor would only detect
the fraud if the test data overdrew the programmer's account.
Answer B is incorrect because using a running control total of all checking account balances could not be
meaningfully compared with a printout of overdrawn accounts.
Answer C is incorrect because a program check for a valid customer code would only detect those
transactions for which the customer code was incorrectly inputted or no such customer existed.
Answer D is correct because a periodic recompiling of the program from the original source files and
comparison with the program currently in use would allow the auditor to detect the modification in the
program that has permitted the fraud to occur.
28. Which of the following is not a major reason for maintaining an audit trail for a computer system?
a) Deterrent to irregularities.
b) Monitoring purposes.
c) Analytical procedures.
d) Query answering.

Answer A is incorrect. An audit trail may deter irregularities since the perpetrator may realize that his or her
act may be detected.
Answer B is incorrect. An audit trail will help management to monitor the computer system.
Answer C is correct. Analytical procedures use the outputs of the system, and therefore the audit trail is of
limited importance.
Answer D is incorrect. An audit trail will make it much easier to answer queries.
29. An auditor anticipates assessing control risk at a low level in a computerized environment. Under these
circumstances, on which of the following controls would the auditor initially focus?

a) Programmed controls.
b) Application controls.
c) Output controls.
d) General controls.

Answer A is incorrect. Programmed controls are usually tested subsequent to the general controls.
Answer B is incorrect. Application controls are usually tested subsequent to the general controls.
Answer C is incorrect. Output controls are usually tested subsequent to the general controls.
Answer D is correct. Auditors usually begin by considering general control procedures. Since the
effectiveness of specific application controls is often dependent on the existence of effective general controls
over all computer activities, this is usually an efficient approach.
30. A computer-assisted audit technique that is most likely to be effective in a continuous auditing
environment is
a) Parallel simulation.
b) Controlled reprocessing.
c) Embedded audit modules.
d) Transactions tripping.

Answer A is incorrect because parallel simulation and controlled reprocessing are likely to be more effective
in an environment that does not involve continuous auditing.
Answer B is incorrect because parallel simulation and controlled reprocessing are likely to be more effective
in an environment that does not involve continuous auditing.
Answer C is correct because embedded audit modules are programmed routines incorporated directly into an
application program that will help auditors perform audit functions such as calculations and to allow
continuous monitoring.
Answer D is incorrect because the term transaction tripping is not typically used in information technology.
31. The individual with whom an auditor would be most likely to discuss specific access controls within a
client's relational database management system is the
a) Database administrator.
b) Controller.
c) Systems analyst.
d) Systems librarian.

Answer A is correct because the database administrator ordinarily controls access to the database.
Answer B is incorrect because the controller will not ordinarily control access to the database.
Answer C is incorrect because allowing the systems analyst to determine specific access rights is
incompatible with the role of detailed analysis.
Answer D is incorrect because allowing the systems librarian to determine specific access rights is
incompatible with the role of serving as librarian over the data.
32. In a client/server environment, the client is most likely to be the
a) Supplier of the computer system.
b) Computer of various users.
c) Computer that contains the network's software and provides services to a server.
d) Database administrator.

Answer A is incorrect because the supplier of the computer system is not referred to as the client.
Answer B is correct because the "client" may be viewed as the computer or workstation of the individual
user.
Answer C is incorrect because the server ordinarily provides most of the software and provides services to
the client.
Answer D is incorrect because the database administrator is not referred to as the client.

33. A join command in a database query is ordinarily used to combine several
a) Queries.
b) Attributes from a single table.
c) Users so as to allow dual access to several tables.
d) Tables or parts of tables.
Answer A is incorrect because a query may join several tables, not several queries.
Answer B is incorrect because attributes from more than one table are combined through a join command.
Answer C is incorrect because a query does not combine users.
Answer D is correct because the use of the "join" term is well established in information technology as
consisting of the combination of various tables, or portions thereof.
34. When designing the physical layout of a data processing center, which of the following would be least
likely to be a necessary control that is considered?
a) Design of controls to restrict access.
b) Adequate physical layout space for the operating system.
c) Inclusion of an adequate power supply system with surge protection.
d) Consideration of risk related to other uses of electricity in the area.
Answer A is incorrect because access controls must be considered.
Answer B is correct because an operating system ordinarily requires no physical layout space since it
represents software within a computer.
Answer C is incorrect because to effectively operate the data processing center one needs adequate power
and surge protection.
Answer D is incorrect because other uses of electricity in the area may cause interference with the data
processing and therefore should be considered.
35. Which of the following is an auditor's client most likely to use to perform queries requested by the auditor
of a relational database?
a) Data objective language.
b) Data definition language.
c) Data manipulation language.
d) Data control language.
Answer A is incorrect because the term data object language is not ordinarily used in information technology.
Answer B is incorrect because data definition language is used to define a database, including creating,
altering, and deleting tables and establishing various constraints.
Answer C is correct because data manipulation language is composed of commands used to maintain and
query a database, including updating, inserting in, modifying and querying (asking for data).
Answer D is incorrect because data control language is composed of commands used to control a database,
including controlling which users have various privileges (e.g., who is able to read from and write to various
portions of the database).
36. Data control language used in a relational database is most likely to include commands used to control
a) The original defining of a database.
b) The maintenance and querying of a database.
c) Which users have various privileges relating to a database.
d) The creation and alteration of tables within a database.
Answer A is incorrect because data definition language is more directly associated with original defining of a
database.
Answer B is incorrect because data manipulation language relates most directly to the maintenance and
querying of a database.
Answer C is correct because data control language is composed of commands used to control a database,
including controlling which users have various privileges (e.g., who is able to read from and write to various
portions of the database).
Answer D is incorrect because data definition language is more directly associated with original defining of a
database.

37. Which of the following is correct concerning electronic commerce security?
a) Since they cannot use both, companies must decide whether to use an electronic data interchange
approach or an approach using the internet.
b) Companies that wish to use the internet for electronic commerce must adhere to the Uniform Internet
Service Provider Code of Conduct.
c) Use of a website home page instead of encryption leads to greater security in electronic transactions.
d) The successful use of a firewall will help assure the security of a firm's computer systems.
Answer A is incorrect because companies can use both an electronic data interchange approach and one
using the Internet.
Answer B is incorrect because there is no such "Uniform Internet Service Provider Code of Conduct" that
must be adhered to by companies.
Answer C is incorrect because using a "home page" is not an alternative to using encryption.
Answer D is correct because a firewall will limit who is able to access a database.
38. A data warehouse is an example of
a) On-line analytical processing.
b) On-line transaction processing.
c) Essential information processing.
d) Decentralized processing.
Answer A is correct because a data warehouse is an approach to on-line analytical processing that combines
data into a subject-oriented, integrated collection of data used to support management decision-making
processes.
Answer B is incorrect because on-line transaction processing involves day-to-day transaction processing
operations.
Answer C is incorrect because the term essential information batch processing is vague, and is not ordinarily
associated with a data warehouse.
Answer D is incorrect because a data warehouse may or may not be associated with decentralized
processing.
39. SQL is most directly related to
a) String question language processing.
b) The grandfather, father, son method of record retention.
c) Electronic commerce.
d) Relational databases.
Answer A is incorrect because the term string question language processing is not used in information
technology.
Answer B is incorrect because SQL is not directly related to record retention using the grandfather, father,
son approach.
Answer C is incorrect because while electronic commerce may use SQL, the most direct tie is to relational
databases.
Answer D is correct because virtually all relational databases use the SQL computer language.
40. Which of the following is necessary to audit balances in an on-line EDP system in an environment of
destructive updating?
a) Periodic dumping of transaction files.
b) Year-end utilization of audit hooks.
c) An integrated test facility.
d) A well-documented test facility.
Answer A is incorrect because the auditor will require more than the periodic dumping of files to audit
balances in an on-line computer system in an environment of destructive updating. Although a periodic
dumping may be part of an audit trail, it would not be necessary.
Answer B is incorrect because year-end utilization of audit hooks would not be feasible as transaction files
would have been destroyed during the year. Audit hooks describe a method of retaining selected or all
transaction files for the auditor. Audit hooks have to be utilized during the year (i.e., prior to destruction of
the transaction files) to be feasible.
Answer C is incorrect because an integrated test facility describes tests of controls through utilization of
actual or dummy transactions. Therefore, it is not a test of balances.
Answer D is correct. Destructive updating in an on-line computer system is destructive of transaction files.
Accordingly, auditing of the balances in accounts where transactions are periodically destroyed requires a
well-documented audit trail for the auditor.

41. An auditor may decide not to perform tests of controls related to the computer portion of the client's
controls. Which of the following would not be a valid reason for choosing to omit tests of controls?
a) The controls appear adequate.
b) The controls duplicate operative controls existing elsewhere in the system.
c) There appear to be major conditions that would preclude reliance on the stated procedure.
d) The time and peso costs of testing exceed the time and peso saving in substantive testing if the tests of
controls show the control to be operative.
Answer A is correct because if controls appear adequate, the auditor tests them unless (1) the costs of
testing are expected to exceed the savings in substantive tests or (2) the controls are redundant to other
internal control activities. Therefore, this is not a valid reason for omitting tests of controls.
Answer B is incorrect because when controls duplicate operative controls existing elsewhere in the system,
tests of controls will not be required for both sets of controls. Therefore, the fact that the controls are
redundant to other controls is a valid reason for omitting testing on them.
Answer C is incorrect because the auditor should not expend the effort on the tests of controls if the review
of the system indicates that there are conditions which would preclude reliance on the system.
Answer D is incorrect because tests of controls may be omitted if it is determined that the costs of testing
are expected to exceed the possible savings in substantive tests.
42. Hitech, Inc. has changed from a conventional to a computerized payroll clock card system. Factory
employees now record time in and out with magnetic cards and the computer system automatically updates
all payroll records. Because of this change
a) The auditor must audit through the computer.
b) Internal control has improved.
c) Part of the audit trail has been lost.
d) The potential for payroll related fraud has been diminished.
Answer A is incorrect because while an auditor may choose to audit through the computer, it may not be
necessary.
Answer B is incorrect because the effect of this change on internal control is dependent on the controls
existing in the new system. Thus, internal control may improve or it may become weakened by the change
in the payroll clock card system.
Answer C is correct because the system no longer includes a time card which summarizes the hours worked;
thus, a part of the audit trail has been lost.
Answer D is incorrect because the computer system's effect on the likelihood of fraud cannot be determined
without further information on specific controls currently in existence.
43. Controls within the computer system may leave no visible evidence indicating that the procedures were
performed. In such instances, the auditor should test these controls by
a) Making corroborative inquiries.
b) Observing the separation of duties of personnel.
c) Reviewing transactions submitted for processing and comparing them to related output.
d) Reviewing the run manual.
Answer A is incorrect because corroborative inquiries involve gathering supportive documentation. However,
within the computer system, there is no visible evidence or documentation for the procedures performed.
Answer B is incorrect because observing the separation of functional responsibilities is less applicable to a
computer system because frequently many previously separated functions are combined in a computer
system. Thus, attempting to observe the separation of functional responsibilities would not test the internal
controls because this separation does not exist.
Answer C is correct because when computer control procedures leave no visible evidence indicating the
procedures have been performed, the auditor should test these controls by reviewing transactions submitted
for processing and comparing them with the related output. The objective is to determine that no
transactions tested with unacceptable conditions went unreported and without appropriate resolution. This
procedure can be undertaken by submitting actual client live data or dummy transactions.
Answer D is incorrect because the run manual consists of program documentation including the problem
statement, system flow chart, operating instructions, record layouts, program flow charts, program listing,
test data, and an approval and change sheet. Reviewing the run manual would be part of the review of the
system's controls and not a test of performance.

44. If a CPA wishes to identify all checks written for an amount over Php1,000,000 that are included in a
relational database, a likely approach to obtaining the list would be through a
a) Manipulation control.
b) Query.
c) Control total.
d) Data taint technique.
Answer A is incorrect because the term manipulation control is very general and not particularly appropriate
in this context.
Answer B is correct because a data query will access the appropriate files and provide a list of
such checks.
Answer C is incorrect because a control total is a total of a numerical field of records and this
total would not help a CPA identify all checks written over Php1,000,000.
Answer D is incorrect because the term data taint technique is not used in information technology.
45. An independent auditor studies and evaluates a client's computer system. The auditor's study includes
tests of controls that might include which of the following?
a) Examination of systems flowcharts to determine whether they reflect the current status of the system.
b) Examination of the systems manuals to determine whether existing procedures are satisfactory.
c) Examination of the machine room log book to determine whether control information is properly
recorded.
d) Examination of organization charts to determine whether electronic data processing department
responsibilities are properly separated to afford effective control.
Answer A is incorrect because while flowcharts allow auditors to obtain an understanding of the system, they
are not tests of controls.
Answer B is incorrect because an examination of the systems manuals does not test a control.
Answer C is correct because tests of controls are designed to determine if the purported controls are in
effect. An examination of the machine room log book to verify that control information is properly recorded
would be such a test.
Answer D is incorrect because the examination of organization charts does not test a control.
46. Which of the following client computer systems generally can be audited without examining or directly
testing computer programs of the system?
a) A system that performs relatively uncomplicated processes and produces detailed output.
b) A system that affects a number of essential master files and produces a limited output.
c) A system that updates a few essential master files and produces no printed output other than final
balances.
d) A system that performs relatively complicated processing and produces very little detailed output.
Answer A is correct because auditing around the system is possible if the system performs uncomplicated
processes and produces detailed output.
Answer B is incorrect because the system described is a more complicated computer system producing only
limited output. In this system, the data and related controls are within the system, and thus the auditor
must examine the system itself.
Answer C is incorrect because the system described is a more complicated computer system producing only
limited output. In this system, the data and related controls are within the system, and thus the auditor
must examine the system itself.
Answer D is incorrect because the system described is a more complicated computer system producing only
limited output. In this system, the data and related controls are within the system, and thus the auditor
must examine the system itself.
47. A CPA might find information on the structure of relational database tables through which language
interface?
a) Data definition language.
b) Data control language.
c) Data query language.
d) Data manipulation language.
Answer A is correct because data definition language is used to define a database, including creating,
altering, and deleting tables and establishing various constraints.
Answer B is incorrect because data control language is composed of commands used to control a database,
including controlling which users have various privileges (e.g., who is able to read from and write to various
portions of the database).
Answer C is incorrect because the term data query language is not used in information technology.
Answer D is incorrect because data manipulation language is composed of commands used to maintain and
query a database, including updating, inserting in, modifying and querying (asking for data).

48. Auditing by testing the input and output of a computer system instead of the computer program itself will
a) Not detect program errors which do not show up in the output sampled.
b) Detect all program errors, regardless of the nature of the output.
c) Provide the auditor with the same type of evidence.
d) Not provide the auditor with confidence in the results of the auditing procedures.
Answer A is correct because portions of the program may contain errors which are not reflected in the
output. For example, if a "loop" in a program is not used in one application, it is not tested and therefore any
errors within the "loop" cannot be detected.
Answer B is incorrect because the auditor's lack of understanding of the entire program precludes the
detection of all errors.
Answer C is incorrect because while auditing inputs and outputs can provide important evidence, it will often
be different than the evidence obtained by testing the program itself.
Answer D is incorrect because auditing inputs and outputs may satisfy the auditor as to the absence of
program errors.
49. A primary advantage of using generalized audit packages in the audit of an advanced computer system
is that it enables the auditor to
a) Substantiate the accuracy of data through self-checking digit and hash totals.
b) Utilize the speed and accuracy of the computer.
c) Verify the performance of machine operations which leave visible evidence of occurrence.
d) Gather and store large quantities of supportive evidential matter in machine readable form.
Answer A is incorrect because audit packages do not substantiate data through self-checking digits and hash
totals. While this may be feasible through generalized audit packages, these controls are usually present in
only the client software.
Answer B is correct because generalized audit packages provide a means of converting machine readable
data into auditor readable data with added data manipulation routines including various sort and arithmetic
functions. Thus, generalized audit packages utilize the speed and accuracy of the computer.
Answer C is incorrect because the performance of machine operations which leaves visible evidence of
occurrence can be checked manually by the auditor. The use of a generalized audit package would not be
needed in this situation.
Answer D is incorrect because generalized audit packages convert machine readable data into auditor
readable form rather than gather and store data in machine readable form.
50. Which of the following is an advantage of generalized computer audit packages?
a) They are all written in one identical computer language.
b) They can be used for audit of clients that use differing computer equipment and file formats.
c) They have reduced the need for the auditor to study input controls for computer-related procedures.
d) Their use can be substituted for a relatively large part of the required tests of controls.
Answer A is incorrect because generalized computer audit packages are written in many computer
languages. In fact, they must be written in the same language or a compatible language to the computer
language used in the client's system.
Answer B is correct because as the term "generalized" implies, generalized computer audit packages can be
used for audits of clients that use different computer equipment and file formats. They are simply a very
generalized input-output program.
Answer C is incorrect because generalized computer audit packages may be used to assist the auditor in
studying input controls, but they will not reduce the need to study the controls.
Answer D is incorrect because generalized computer audit packages may be used to assist the auditor in
related tests of controls, but they cannot be used as a substitute for the testing.
Auditing Theory - Auditing in EDP (Technology) 2
1. A primary advantage of using generalized audit software packages to audit the financial statements of a
client that uses a computer system is that the auditor may
a) Consider increasing the use of substantive tests of transactions in place of analytical procedures.
b) Substantiate the accuracy of data through self-checking digits and hash totals.
c) Reduce the level of required tests of controls to a relatively small amount.
d) Access information stored on computer files while having a limited understanding of the client's
hardware and software features.
Answer A is incorrect because the use of generalized audit software may lead to either an increase or a
decrease in the use of either substantive tests of transactions or analytical procedures.
Answer B is incorrect because self-checking digits and hash totals are controls within the client's computer
system to substantiate the accuracy of the data.
Answer C is incorrect because the use of generalized audit software will not necessarily reduce the level of
tests of controls.
Answer D is correct because generalized audit software allows an auditor to test the client's data, not the
software or hardware. As the software is generalized, it can manipulate data from various types of
information systems.

2. In auditing through a computer, the test data method is used by auditors to test the
a) Accuracy of input data.
b) Validity of the output.
c) Procedures contained within the program.
d) Normalcy of distribution of test data.
Answer A is incorrect because the controls, not the accuracy of input data, are being directly tested--the
auditor is the one preparing the input data.
Answer B is incorrect because overall output (e.g., a payroll
journal) is not directly tested; only the controls in effect are tested. Note that the parallel simulation method
tests validity of output more directly.
Answer C is correct because the auditor, when using test data, prepares a set of dummy transactions to
determine if the controls purported to be in effect in a program are functioning as intended.
Answer D is incorrect and a nonsense reply because there is certainly no reason to expect the auditor's test
data to be normally distributed on any meaningful measure.
3. An audit technique which involves actual analysis of the logic of a computer program's processing
routines is referred to as
a) Code review.
b) Comparison program.
c) Extended records.
d) Test data.
Answer A is correct because code review involves the actual analysis of the logic of a computer program's
processing routines. The primary advantage is that the auditor obtains a detailed understanding of the
program.
Answer B is incorrect because a code comparison program is used to compare source and/or object codes of
a controlled copy of a program currently being used to process data.
Answer C is incorrect because extended records attaches additional audit data which would not otherwise be
saved to regular historic records and thereby helps to provide a more complete audit trail.
Answer D is incorrect because a set of dummy transactions is developed by the auditor and processed by the
client's computer programs to determine whether the controls which the auditor intends to test to restrict
control risk are operating effectively using the test data techniques.
4. When testing a computerized accounting system, which of the following is not true of the test data
approach?
a) The test data need consist of only those valid and invalid conditions in which the auditor is
interested.
b) Only one transaction of each type need be tested.
c) Test data are processed by the client's computer programs under the auditor's control.
d) The test data must consist of all possible valid and invalid conditions.
Answer A is incorrect because the auditor should test those valid and invalid conditions in which s/he is
interested.
Answer B is incorrect because only one transaction of each type need be tested in a computer control system
in which the control either works or does not work.
Answer C is incorrect because test data is run using the client's computer programs under the auditor's
control.
Answer D is correct (not true) because it is impossible or not cost beneficial to test all possible valid and
invalid conditions. The number of possibilities is too large.
5. Which of the following is not a technique to continuously test controls within a computer system?
a) Controlled reprocessing.
b) Extended records.
c) Systems control audit review files.
d) Transactions tagging.
Answer A is correct because controlled reprocessing does not ordinarily continuously test controls within a
computer system. Controlled reprocessing, a variation of parallel simulation, processes actual client data
through a copy of the client's application program.
Answer B is incorrect because extended records attaches additional audit data which would not otherwise be
saved to regular historic records and thereby helps to provide a more complete audit trail. Extended records
is considered a technique for continuous (or concurrent) testing.
Answer C is incorrect because systems control audit review files (SCARF) is a log, usually created by an
embedded audit module, used to collect information for subsequent review and analysis. SCARF is
considered a technique for continuous (or concurrent) testing.
Answer D is incorrect because transaction tagging is a technique in which an identifier providing a
transaction with a special designation is added to the transaction record. Transaction tagging is considered a
technique for continuous (or concurrent) testing.

6. Which of the following is not a problem associated with the use of test data for computer-audit
purposes?
a) Auditing through the computer is more difficult than auditing around the computer.
b) It is difficult to design test data that incorporate all potential variations in transactions.
c) Test data may be commingled with live data causing operating problems for the client.
d) The program with which the test data are processed may differ from the one used in actual operations.
Answer A is correct. It is not a problem relative to the use of test data, because once the auditor is at the
test stage, the computer system is probably so sophisticated that it is much more difficult or even impossible
to audit around the computer.
Answer B is incorrect. It does represent a problem with using the test data approach to computer audits.
Answer C is incorrect. It does represent a problem with using the test data approach to computer audits.
Answer D is incorrect. It does represent a problem with using the test data approach to computer audits.
7. When an auditor tests a computerized accounting system, which of the following is true of the test data
approach?
a) The test data must consist of all possible valid and invalid conditions.
b) The program tested is different from the program used throughout the year by the client.
c) Several transactions of each type must be tested.
d) Test data are processed by the client's computer programs under the auditor's control.
Answer A is incorrect because it is not possible to include all possible valid and invalid conditions.
Answer B is incorrect because the program that should be tested is the client's program which is used
throughout the year.
Answer C is incorrect because only one transaction of each type need be tested in a computer control system
in which the control either works or does not work.
Answer D is correct because the test data approach consists of processing a set of dummy transactions on
the client's computer system. The test data approach is used to test the operating effectiveness of controls
the auditor intends to rely upon to assess control risk at a level lower than the maximum.
8. The machine language for a specific computer
a) May be changed by the programmer.
b) Is the same as all the other computer languages.
c) Is determined by the engineers who designed the computer.
d) Is always alphabetic.
Answer A is incorrect because a programmer will not be able to write a program which will change the
computer's machine language.
Answer B is incorrect because machine languages differ among different computers. Also, machine
languages differ from user programs (e.g., written in BASIC, COBOL).
Answer C is correct because the machine language must be designed for the specific computer and,
therefore, is determined by the engineers who design the computer.
Answer D is incorrect because the machine language is never alphabetic; it is of a binary form.
9. An auditor should be familiar with a client's electronic data processing hardware and software. An
important element of the client's software is the program. Another element of software is the
a) Cathode ray tube (CRT).
b) Central processing unit (CPU).
c) Magnetic tape drive.
d) Compiler.
Answer A is incorrect because a cathode ray tube is a television-like device (hardware) to display input or
output data.
Answer B is incorrect because the CPU (central processing unit) is the principal hardware component of a
computer containing the mathematic unit, primary storage, and a control unit.
Answer C is incorrect because a magnetic tape drive is a hardware unit which reads and writes on magnetic
tape (i.e., a storage device), as well as an input and output device.
Answer D is correct because software consists of the instructions which tell the computer hardware how to
perform the desired processing. A compiler is software because it translates a source program (written in
FORTRAN, COBOL, etc.) into an object program which is machine-readable (i.e., instructions to be followed by
the CPU).

10. A computer service center processes, for an auditor's client, financial data that has a material effect on
that client's financial statements. The independent auditor need not consider a review of the service center
controls if
a) The service center controls have already been reviewed by the internal audit team of the client.
b) The service center processes data exclusively for the audit client and its subsidiaries.
c) The user controls relied upon, which are external to the service center, are adequate to provide
assurance that errors and irregularities may be discovered with reasonable promptness.
d) The service center is a partially owned subsidiary of the client company, whose financial statements are
examined by another CPA.
Answer A is incorrect because the auditor would have to review the service center controls, even though the
internal audit team of the client reviewed the controls. The work of internal auditors cannot be substituted
for the work of the independent auditor.
Answer B is incorrect because a service center serving only the client would be the same as an in-house
system and would require full review of the controls.
Answer C is correct because if the user controls relied upon are adequate to detect errors or irregularities, a
review of the service center controls would not be necessary.
Answer D is incorrect because only the financial statements of the service center were reviewed by another
CPA, not the controls. Thus, the independent auditor still must consider a review of the service center's
controls.
11. Which of the following is not a characteristic of a batch processed computer system?
a) The collection of like transactions which are sorted and processed sequentially against a master file.
b) Keypunching of transactions, followed by machine processing.
c) The production of numerous printouts.
d) The posting of a transaction, as it occurs, to several files, without intermediate printouts.
Answer A is incorrect since a batch system may process sequentially against a master file.
Answer B is incorrect because keypunching is followed by machine processing in a batch system.
Answer C is incorrect because processed batches ordinarily result in numerous printouts.
Answer D is correct because simultaneous posting to several files is most frequently related to an on-line
real-time system, not a batch system.
12. What is the computer process called when data processing is performed concurrently with a particular
activity and the results are available soon enough to influence the particular course of action being taken or
the decision being made?
a) Batch processing.
b) Real-time processing.
c) Integrated data processing.
d) Random access processing.
Answer A is incorrect because integrated batch processing systems collect data into groups (batches) prior to
processing. Then, the entire group of records is processed at regular intervals.
Answer B is correct because on-line real-time systems are those for which processing is performed as data
are input and the results are available immediately.
Answer C is incorrect because integrated data processing refers to a system (batch or real-time) for which
duplicate records and duplicate operations are minimized.
Answer D is incorrect because random access processing is a method of data access (random versus
sequential access), not a method of data processing.
