Auditing in a CIS Environment Prelim
Directions: Encircle the letter of the correct answer. Avoid
any erasures. Use ballpen only.
1. Which one of the following represents a lack of
internal control in a computer-based information
system?
a. The design and implementation is
performed in accordance with
management’s specific authorization.
b. Any and all changes in application programs
have the authorization and approval of
management.
c. Provisions exist to protect data files from
unauthorized access, modification, or
destruction.
d. Both computer operators and programmers
have unlimited access to the programs and
data files.
2. In an automated payroll processing environment, a
department manager substituted the time card for a
terminated employee with a time card for a fictitious
employee. The fictitious employee had the same pay
rate and hours worked as the terminated employee.
The best control technique to detect this action
using employee identification numbers would be a
a. Batch total
b. Hash total
c. Record count
d. Subsequent check
3. An employee in the receiving department keyed in a
shipment from a remote terminal and inadvertently
omitted the purchase order number. The best
systems control to detect this error would be
a. Batch total
b. Sequence check
c. Completeness test
d. Reasonableness test
4. Which statement is incorrect when auditing in a CIS
environment?
a. A CIS environment exists when a computer
of any type or size is involved in the
processing by the entity of financial
information of significance to the audit,
whether that computer is operated by the
entity or by a third party.
b. The auditor should consider how a CIS
environment affects the audit.
c. The use of a computer changes the
processing, storage and communication of
AUDICIS WB CAYANONG.,CPA
financial information and may affect the
accounting and internal control systems
employed by the entity.
d. A CIS environment changes the overall
objective and scope of an audit
5. Which of the following significance and complexity
of the CIS activities should an auditor least
understand?
a. The organizational structure of the client’s
CIS activities.
b. Lack of transaction trails.
c. The significance and complexity of
computer processing in each significant
accounting application.
d. The use of software packages instead of
customized software
6. Which of the following is not normally a removable
storage media?
a. Compact disk
b. Tapes
c. Diskettes
d. Hard disk
7. Personal computers are susceptible to theft, physical
damage, unauthorized access or misuse of
equipment. Which of the following is least likely a
physical security to restrict access to personal
computers when not in use?
a. Using door locks or other security
protection during non-business hours.
b. Fastening the personal computer to a table
using security cables.
c. Locking the personal computer in a
protective cabinet or shell.
d. Using anti-virus software programs
8. It is a communication system that enables computer
users to share computer equipment, application
software, data and voice and video transmissions.
a. Network
b. File server
c. Host
d. Client
9. A type of network that multiple buildings are close
enough to create a campus, but the space between
the buildings is not under the control of the
company is
a. Local Area Network (LAN)
b. Metropolitan Area Network (MAN)
 Auditing in a CIS Environment Prelim
c. Wide Area Network (WAN) 15. The development of CIS will generally result in
d. World Wide Web (WWW) design and procedural characteristics that are
different from those found in manual systems. These
10. Gateway is different design and procedural aspectsof CIS
a. A hardware and software solution that include, except:
enables communications between two a. Consistency of performance.
dissimilar networking systems or protocols. b. Programmed control procedures.
b. A device that forwards frames based on c. Vulnerability of data and program storage
destination addresses. media
c. A device that connects and passes packets d. Multiple transaction update of multiple
between two network segments that use computer files or databases.
the same communication protocol.
d. A device that regenerates and retransmits 16. These require a database administrator to assign
the signal on a network. security attributes to data that cannot be changed by
database users.
11. A device that works to control the flow of data a. Discretionary access controls
between two or more network segments b. Name-dependent restrictions
a. Bridge c. Mandatory access controls
b. Router d. Content-dependent restrictions.
c. Repeater
d. Switch 17. A discretionary access control wherein users are
permitted or denied access to data resource
12. A collection of data that is shared and used by a depending on the time series of accesses to and
number of different users for different purposes. actions they have undertaken on data resources.
a. Database a. Name-dependent restrictions
b. Information file b. Context-dependent restriction
c. Master file c. Content-dependent restriction
d. Transaction file d. History-dependent restriction

13. Database administration tasks typically include 18. Types of workstations include General Purpose
I. Defining the database structure. Terminals and Special Purpose Terminals. Special
II. Maintaining data integrity, security and Purpose Terminals include
completeness. a. Basic keyboard and monitor
III. Coordinating computer operations related b. Point of sale devices
to the database. c. Intelligent terminal
IV. Monitoring system performance. d. Personal computers
V. Providing administrative support.
19. Special Purpose Terminal used to initiate, validate,
a. All of the above record, transmit and complete various banking
b. All except I transactions
c. II and V only a. Automated teller machines
d. II, III and V only b. Intelligent terminal
c. Point of sale devices
14. System characteristics that may result from the d. Personal computers
nature of CIS processing include, except
a. Absence of input documents. 20. The nature of the risks and the internal
b. Lack of visible transaction trail. characteristics in CIS environment that the auditors
c. Lack of visible output. are mostly concerned include the following except:
d. Difficulty of access to data and computer a. Lack of segregation of functions.
programs. c. Lack of transaction trails
b. Dependence of other control over computer
processing.

AUDICIS WB CAYANONG.,CPA
 Auditing in a CIS Environment Prelim
d. Cost-benefit ratio.
21. Which of the following is least likely a risk
characteristic associated with CIS environment?
a. Errors embedded in an application’s program
logic maybe difficult to manually detect on
a timely basis.
b. Many control procedures that would
ordinarily be performed by separate
individuals in manual system maybe
concentrated in CIS.
c. The potential unauthorized access to data or
to alter them without visible evidence
maybe greater.
d. Initiation of changes in the master file is
exclusively handled by respective users
22. A collection of data that is shared and used by a
number of different users for different purposes.
a. Database
b. Information file
c. Master file
d. Transaction file
23.. Which of the following least likely indicates a
complexity of computer processing?
a. Transactions are exchanged electronically
with other organizations without manual
review of their propriety.
b. The volume of the transactions is such that
users would find it difficult to identify and
correct errors in processing.
c. The computer automatically generates
material transactions or entries directly to
another applications.
d. The system generates a daily exception report
24. The most critical aspect regarding separation of
duties within information systems is between
a. Project leaders and programmers
b. Programmers and systems analysts
c. Programmers and computer operators
d. Data control and file librarians
25. Which of the following controls is a processing
control designed to ensure the reliability and
accuracy of data processing?
Limit test Validity check test
a. Yes Yes
b. No No
c. No Yes
AUDICIS WB CAYANONG.,CPA
d. Yes No
26. Which of the following characteristics distinguishes
computer processing from manual processing?
a. Computer processing virtually eliminates
the occurrence of computational error
normally associated with manual
processing.
b. Errors or irregularities in computer
processing will be detected soon after their
occurrences.
c. The potential for systematic error is
ordinarily greater in manual processing than
in computerized processing.
d. Most computer systems are designed so
that transaction trails useful for audit do
not exist.
27. Which of the following most likely represents a
significant deficiency in the internal control
structure?
a. The systems analyst review applications of
data processing and maintains systems
documentation.
b. The systems programmer designs systems
for computerized applications and
maintains output controls.
c. The control clerk establishes control over
data received by the EDP department and
reconciles control totals after processing
d. The accounts payable clerk prepares data
for computer processing and enters the
data into the computer.
28. Which of the following activities would most likely
be performed in the EDP Department?
a. Initiation of changes to master records.
b. Conversion of information to machine-
readable form.
c. Correction of transactional errors.
d. Initiation of changes to existing
applications.
29. For control purposes, which of the following should
be organizationally segregated from the computer
operations function?
a. Data conversion
b. Systems development
c. Surveillance of CRT messages
d. Minor maintenance according to a schedule
 Auditing in a CIS Environment Prelim
30. Which of the following is not a major reason for
maintaining an audit trail for a computer system?
a. Deterrent to irregularities
b. Analytical procedures
c. Monitoring purposes
d. Query answering
31. An auditor anticipates assessing control risk at a low
level in a computerized environment. Under these
circumstances, on which of the following procedures
would the auditor initially focus?
a. Programmed control procedures
b. Output control procedures
c. Application control procedures
d. General control procedures
32. An auditor anticipates assessing control risk at a low
level in a computerized environment. Under these
circumstances, on which of the following procedures
would the auditor initially focus?
a. Programmed control procedures
b. Output control procedures
c. Application control procedures
d. General control procedures
33. The computer process whereby data processing is
performed concurrently with a particular activity and
the results are available soon enough to influence
the course of action being taken or the decision
being made is called:
a. Random access sampling
b. On-line, real-time system
c. Integrated data processing
d. Batch processing system
34. Internal control is ineffective when computer
department personnel
a. Participate in computer software
acquisition decisions.
b. Design documentation for computerized
systems.
c. Originate changes in master file.
d. Provide physical security for program files.
35. An organizational control over CBIS operations is
a. Run-to-run balancing of control totals
b. Check digit verification of unique identifiers
c. Separation of operating and programming
functions
d. Maintenance of output distribution logs
AUDICIS WB CAYANONG.,CPA
36. The primary reason for an audit by an independent,
external audit firm is:
a. To satisfy governmental regulatory to
requirements
b. To guarantee that there are no
misstatements in the financial
statements.
c. To provide increased assurance to
users as to the fairness of the financial
statements.
d. To ensure that ay fraud will be
discovered.
37. Which of the following factors most likely would
cause a CPA to not accept a new audit engagement?
a. The prospective client has already
completed its physical inventory count.
b. The CPA lacks an understanding of the
prospective client’s operation and
industry.
c. The CPA is unable to review the
predecessor’s auditor working papers.
d. The prospective client is unwilling to
make all financial records available to
the CPA.
38. When the Auditing Standards uses the word ‘’shall’’
relating to a requirement, it means, that the auditor:
a. Must fulfill the responsibilities under all
circumstances
b. Must comply with requirements unless
the auditor demonstrates and
documents that alternative actions
were sufficient to achieve the
objectives of the standards.
c. Should consider whether to follow the
advice based on the excercise of
professional judgement in the
circumstances.
d. May choose to change responsibilities
relating to various professional
standards that remain under
consideration.
 Auditing in a CIS Environment Prelim
39. When the auditor of a parent entity is also the
auditor of its component. Which of the following
factors may influence the auditors descision whether
to send a separate engagement letter to the entity’s
component.
a. Whether a separate auditor’s report is
to issued on the component.
b. The components management does not
accept its responsibilities that are
fundamental to the conduct of an
audit.
c. The financial reporting framework used
by the component is unaaceptable.
d. The preconditions for an audit of the
components financial statements are
not present.
40. Which of the following activities should be
performed by the auditor at the beginning of the
current audit engagement ?
a. Perform procedures regarding the
continuance of the client relationship
and the specific audit engagement.
b. Evaluate compliance with relevant
ethical requirements, including
independence.
c. Establish an understanding of the terms
of the engagement.
a. A,B
b. B,C
c. A,C
d. A,B,C.
41. In financial statement audits, the audit process
should conform with
a. PSA
b. FRS
c. Audit Program
d. Auditor’s judgement
42. Philippine Standards on Auditing should be looked
upon practitioners as:
a. Ideals strive for, but which are not
achievable.
b. Maximum standards which denote excellent
work.
AUDICIS WB CAYANONG.,CPA
c. Minimum standards of performance which
must be achieved on each engagement.
d. Benchmark to be used on all audits.
43. As the acceptable level of detection risk decreases
an auditor may.
a. Reduce substantive test by relying on the
assessments of inherent and control risk.
b. Postpone the planned timing of substantive
tests from interim dates to the year-end.
c. Eliminate the assessed level of inherent risk
from consideration as planning factor,
d. Lower the assessed level of control risk
from the maximum level to below the
maximum.
44. Inherent risk and control risk differ from the
detection risk in that they.
a. Arise from the misapplication of auditing
procedures.
b. May be assessed in either quantitative or
non-quantitative terms.
c. Exist independently of the financial
statement audit.
d. Can be changed at the auditors’ discretion.
45. Which of the following would an auditor most likely
use in determining the auditors’ preliminary
judgement about materiality?
a. The anticipated sample size of the planned
substantive test.
b. The entity’s annualized interim financial
statements.
c. The results of internal control
questionnaire.
d. The contents of the management
representation letter.