You are on page 1of 25

Accounting Information Systems, 13e (Romney/Steinbart)

Chapter 11 Auditing Computer-Based Information Systems

11.1 Describe the nature, scope and objective of audit work, and identify the major steps in the
audit process.

1) Auditing involves the


A) collection, review, and documentation of audit evidence.
B) planning and verification of economic events.
C) collection of audit evidence and approval of economic events.
D) testing, documentation, and certification of audit evidence.
Answer: A
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytic

2) What is not a typical responsibility of an internal auditor?


A) helping management to improve organizational effectiveness
B) assisting in the design and implementation of an AIS
C) preparation of the company's financial statements
D) implementing and monitoring of internal controls
Answer: C
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic

3) Which type of work listed below is not typical of internal auditors?


A) operational and management audits
B) information system audits
C) financial statement audit
D) financial audit of accounting records
Answer: C
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytic

4) The ________ audit examines the reliability and integrity of accounting records.
A) financial
B) informational
C) information systems
D) operational
Answer: A
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytic

1
Copyright © 2015 Pearson Education, Inc.
5) The ________ audit reviews the general and application controls of an AIS to assess its
compliance with internal control policies and procedures and its effectiveness in safeguarding
assets.
A) financial
B) information systems
C) management
D) internal control
Answer: B
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytic

6) A(n) ________ audit is concerned with the economical and efficient use of resources and the
accomplishment of established goals and objectives.
A) operational or management
B) financial
C) information systems
D) internal control
Answer: A
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic

7) The ________ audit is concerned with the economical and efficient use of resources and the
accomplishment of established goals and objectives.
A) financial
B) informational
C) information systems
D) operational
Answer: D
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytic

8) The purpose of ________ is to determine why, how, when, and who will perform the audit.
A) audit planning
B) the collection of audit evidence
C) the communication of audit results
D) the evaluation of audit evidence
Answer: A
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytic

2
Copyright © 2015 Pearson Education, Inc.
9) Organizing the audit team and the physical examination of assets are components of which
two separate audit stages?
A) planning; evaluating audit evidence
B) planning; collecting audit evidence
C) collecting audit evidence; communicating audit results
D) communicating audit results; evaluating audit evidence
Answer: B
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic

10) Consideration of risk factors and materiality is most associated with which audit stage?
A) collection of audit evidence
B) communication of audit results
C) audit planning
D) evaluation of audit evidence
Answer: C
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytic

11) A system that employs various types of advanced technology has more ________ risk than
traditional batch processing.
A) control
B) detection
C) inherent
D) investing
Answer: C
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytic

12) Control risk is defined as the


A) susceptibility to material risk in the absence of controls.
B) risk that a material misstatement will get through the internal control structure and into the
financial statements.
C) risk that auditors and their audit procedures will not detect a material error or misstatement.
D) risk auditors will not be given the appropriate documents and records by management who
wants to control audit activities and procedures.
Answer: B
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytic

3
Copyright © 2015 Pearson Education, Inc.
13) The possibility that a material error will occur even though auditors are following audit
procedures and using good judgment is referred to as
A) control risk.
B) detection risk.
C) inherent risk.
D) investigating risk.
Answer: B
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytic

14) The ________ stage of the auditing process involves (among other things) the auditors
observing the operating activities and having discussions with employees.
A) audit planning
B) collection of audit evidence
C) communication of audit results
D) evaluation of audit evidence
Answer: B
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytic

15) Verifying the accuracy of certain information, often through communication with third
parties, is known as
A) reperformance.
B) confirmation.
C) substantiation.
D) documentation.
Answer: B
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic

16) The evidence collection method that examines all supporting documents to determine the
validity of a transaction is called
A) review of documentation.
B) vouching.
C) physical examination.
D) analytical review.
Answer: B
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic

4
Copyright © 2015 Pearson Education, Inc.
17) The evidence collection method that considers the relationships and trends among
information to detect items that should be investigated further is called
A) review of the documentation.
B) vouching.
C) physical examination.
D) analytical review.
Answer: D
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic

18) Assessing the quality of internal controls, the reliability of information, and operating
performance are all part of
A) audit planning.
B) collection of audit evidence.
C) communication of audit results.
D) evaluation of audit evidence.
Answer: D
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytic

19) The auditor's objective is to seek ________ that no material error exists in the information
audited.
A) absolute reliability
B) reasonable objectivity
C) reasonable evidence
D) reasonable assurance
Answer: D
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic

20) Which of the choices below best describes a risk-based audit approach?
A) a four-step approach to internal control evaluation.
B) a three-step approach to internal control evaluation.
C) a four-step approach to financial statement review and recommendations.
D) a three-step approach to financial statement review and recommendations.
Answer: A
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytic

5
Copyright © 2015 Pearson Education, Inc.
21) The first step in a risk-based audit approach is to
A) evaluate the control procedures.
B) determine the threats facing the AIS.
C) identify the control procedures that should be in place.
D) evaluate weaknesses to determine their effect on the audit procedures.
Answer: B
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytic

22) ________can determine whether the necessary control procedures are in place.
A) A systems review
B) A systems overhaul
C) Tests of controls
D) both B and C
Answer: A
Objective: Learning Objective 1
Difficulty: Difficult
AACSB: Analytic

23) When a control deficiency is identified, the auditor should inquire about
A) tests of controls.
B) compensating controls.
C) the feasibility of a systems review.
D) materiality and inherent risk factors.
Answer: B
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic

24) The ________ to auditing provides auditors with a clear understanding of possible errors and
irregularities and the related risks and exposures.
A) risk-based approach
B) risk-adjusted approach
C) financial audit approach
D) information systems approach
Answer: A
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytic

6
Copyright © 2015 Pearson Education, Inc.
25) Increasing the effectiveness of internal controls would have the greatest effect on
A) reducing inherent risk.
B) reducing control risk.
C) reducing detection risk.
D) reducing audit risk.
Answer: B
Objective: Learning Objective 1
Difficulty: Difficult
AACSB: Analytic

26) Expanding a firm's operations to include a manufacturing facility in Russia will


A) reduce inherent risk.
B) reduce control risk.
C) increase inherent risk.
D) increase control risk.
Answer: C
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytic

27) Increasing the effectiveness of auditing software will


A) reduce detection risk.
B) reduce control risk.
C) increase detection risk.
D) increase control risk.
Answer: A
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic

28) An auditor examines all documents related to the acquisition, repair history, and disposal of a
firm's delivery van. This is an example of collecting audit evidence by
A) confirmation.
B) reperformance.
C) vouching.
D) analytical review.
Answer: C
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic

7
Copyright © 2015 Pearson Education, Inc.
29) An auditor manually calculates accumulated depreciation on a delivery van and compares her
calculation with the accounting records. The auditor is performing
A) vouching.
B) confirmation.
C) reperformance.
D) analytical review.
Answer: C
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytic

30) An auditor finds that employee absentee rates are significantly higher on Mondays and
Fridays than on other work days. This is an example collecting audit evidence by
A) confirmation.
B) reperformance.
C) vouching.
D) analytical review.
Answer: D
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic

31) Which of the following is not one of the types of internal audits?
A) reviewing corporate organizational structure and reporting hierarchies
B) examining procedures for reporting and disposing of hazardous waste
C) reviewing source documents and general ledger accounts to determine integrity of recorded
transactions
D) comparing estimates and analysis made before purchase of a major capital asset to actual
numbers and results achieved
Answer: A
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Reflective Thinking

32) Explain the differences between each type of audit risk.


Answer: Inherent risk is the threat faced just by conducting business in a chosen way. For
example, a business with multiple locations in several foreign countries faces more threats than a
business with a single location. Control risk is the threat that a company has inadequate,
nonexistent or unenforced policies and procedures to prevent errors and fraud from getting into
the system and being reflected in the financial statements. Detection risk is the threat that errors
or fraud get into the system and audit procedures do not identify the errors or fraud.
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic

8
Copyright © 2015 Pearson Education, Inc.
33) How and to whom does an auditor communicate the audit results?
Answer: The auditor prepares a written report summarizing the findings and recommendations,
with references to supporting evidence in working papers. The report is presented to
management, the audit committee, the board of directors, and other appropriate parties. The
auditor then follows up later to determine if recommendations were implemented.
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytic

34) How is a financial audit different from an information systems audit?


Answer: Financial audits examine the reliability and integrity of accounting records in terms of
financial and operating information. An information systems (IS) audit reviews the general and
application controls of an AIS to assess its compliance with internal control policies and
procedures and its effectiveness in safeguarding assets. Although the AIS may generate
accounting records and financial information, it is important that the AIS itself be audited to
verify compliance with internal controls and procedures.
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic

35) Why do all audits follow a sequence of events that can be divided into four stages, and what
are the four stages?
Answer: The auditor's function generally remains the same no matter what type of audit is being
conducted. The process of auditing can be broken down into the four stages of planning,
collecting evidence, evaluating evidence, and communicating audit results. These stages form a
working template for any type of financial, information systems, or operational or management
audits.
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytic

36) Name and describe the different types of audits.


Answer:
The financial audit — this audit examines the reliability and integrity of accounting records (both
financial and operating information).
The information systems audit — this audit reviews the general and application controls of an
AIS and assesses its compliance with internal control policies and procedures and effectiveness
in safeguarding assets.
The operational or management audit — this audit conducts an evaluation of the efficient and
effective use of resources, as well as an evaluation of the accomplishment of established goals
and objectives.
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic

9
Copyright © 2015 Pearson Education, Inc.
37) Describe the risk-based audit approach.
Answer: The risk-based audit approach has four steps that evaluate internal controls. This
approach provides a logical framework for conducting an audit of the internal control structure of
a system. The first step is to determine the threats facing the AIS. Threats here can be defined as
errors and irregularities in the AIS. Once the threat risk has been established, the auditor should
identify the control procedures that should be in place to minimize each threat. The control
procedures identified should either be able to prevent or detect errors and irregularities within the
AIS. The next step is to evaluate the control procedures. This step includes a systems review of
documentation and also interviewing the appropriate personnel to determine whether the needed
procedures are in place within the system. The auditor can then use tests of controls to determine
if the procedures are being satisfactorily followed. The fourth step is to evaluate weaknesses
found in the AIS. Weaknesses here means errors and irregularities not covered by the AIS control
procedures. When such deficiencies are identified, the auditor should see if there are
compensating controls that may counterbalance the deficiency. A deficiency in one area may be
neutralized given control strengths in other areas. The ultimate goal of the risk-based approach is
to provide the auditor with a clear understanding of errors and irregularities that may be in the
system along with the related risks and exposures. Once an understanding has been obtained, the
auditor may provide recommendations to management as to how the AIS control system can be
improved.
Objective: Learning Objective 1
Difficulty: Difficult
AACSB: Analytic

38) Describe how audit evidence can be collected.


Answer: Since the audit effort revolves around the identification, collection, and evaluation of
evidence, most audit effort is spent in the collection process. To identify, collect, and evaluate
evidence, several methods have been developed to assist in the effort. These methods include: 1)
the observation of the activities being audited; 2) a review of documentation to gain a better
understanding of the AIS; 3) discussions with employees about their jobs and how procedures are
carried out; 4) the creation and administration of questionnaires to gather data about the system;
examination of tangible assets; 6) confirmation of the accuracy of certain information;
of selected calculations; 8) vouching for the validity of a transaction by
examination of all supporting documentation; and, 9) analytical review of relationships and
trends among information to detect items that should be further investigated. It is important to
remember that only a sample of evidence is collected for audit purposes, as it is not feasible to
perform audit procedures on the entire set of activities, records, assets, or documents that are
under the review process in an audit.
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic

10
Copyright © 2015 Pearson Education, Inc.
11.2 Identify the six objectives of an information system audit, and describe how the risk-based
audit approach can be used to accomplish these objectives.

1) What is the purpose of an information systems audit?


A) to determine the inherent risk factors found in the system
B) to review and evaluate the internal controls that protect the system
C) to examine the reliability and integrity of accounting records
D) to examine whether resources have been used in an economical and efficient manner in
keeping with organization goals and objectives
Answer: B
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic

2) The information systems audit objective that pertains to source data being processed into some
form of output is known as
A) overall security.
B) program development.
C) program modifications.
D) processing.
Answer: D
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytic

3) Which of the following is not one of the six objectives of an information systems audit?
A) Security provisions exist to protect data from unauthorized access, modification, or
destruction.
B) Obtaining evidence to provide reasonable assurance the financial statements are not
materially misstated
C) Programs have been developed and acquired in accordance with management's authorization.
D) Program modifications have received management's authorization and approval.
Answer: B
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic

4) Which of the following is not an information systems audit test of controls?


A) Observe computer-site access procedures.
B) Investigate how unauthorized access attempts are handled.
C) Review logical access policies and procedures.
D) Examine the results of disaster recovery plan simulations.
Answer: C
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic

11
Copyright © 2015 Pearson Education, Inc.
5) Which of the following is an information systems audit review procedure?
A) Verify the extent and effectiveness of encryption.
B) Inspect computer sites.
C) Test assignment procedures for user IDs.
D) Observe the preparation of backup files.
Answer: B
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic

6) Which of the following is not a control procedure for preventing inadvertent programming
errors?
A) Review software license agreements.
B) Test new programs, including user acceptance testing.
C) Purchase hardware only from management approved vendors.
D) Require management approval of programming specifications.
Answer: C
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic

7) You are the head of the IT department at Panther Designs, Inc. A systems review reveals that
your firm has poor control procedures for preventing inadvertent programming errors. However,
you are not concerned because you feel Panther Designs has strong compensating controls. What
control likely exists to give you this confidence?
A) The internal audit department processes test data at Panther Designs.
B) Panther Designs pays its employees well, decreasing the likelihood of errors.
C) Panther Designs only hires competent programmers, decreasing the likelihood of errors.
D) All of Panther Design's IT applications are less than 2 years old.
Answer: A
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic

8) You are an internal auditor for Ron Burgandy Suits. The CEO has asked you to perform an
audit of the program modifications process. Identify one procedure you might use to test controls
surrounding the program modification process.
A) Review logical access control policies.
B) Discuss modification policies with management, users, and systems personnel.
C) Verify logical access controls are in effect for program changes.
D) Separate development, test, and production versions of programs.
Answer: C
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic

12
Copyright © 2015 Pearson Education, Inc.
9) What is a test data generator?
A) an application that records how well systems personnel have performed on company
competency examinations
B) an application that prepares data that can be used for auditing the effectiveness of computer
processing
C) an application that records which professional examinations systems personnel have obtained
D) a backup generator application that can be used to generate data if the original storage device
fails
Answer: B
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic

10) True or False: Embedded audit molecules can be used to continually monitor the system and
collect audit evidence.
Answer: TRUE
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytic

11.3 Describe the different tools and techniques auditors use to test software programs and
program logic.

1) Identify the activity below that the external auditor should not be involved.
A) examining system access logs
B) developing the information system
C) examining logical access policies and procedures
D) making recommendations to management for improvement of existing internal controls
Answer: B
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic

2) What role should an auditor play in system development?


A) an independent reviewer only
B) a developer of internal controls
C) an advisor and developer of internal control specifications
D) A and B above
Answer: A
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic

13
Copyright © 2015 Pearson Education, Inc.
3) Which statement below is incorrect regarding program modifications?
A) Only material program changes should be thoroughly tested and documented.
B) During the change process, the developmental version of the program must be kept separate
from the production version.
C) After the modified program has received final approval, the change is implemented by
replacing the developmental version with the production version.
D) When a program change is submitted for approval, a list of all required updates should be
compiled and then approved by management and program users.
Answer: A
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytic

4) How could auditors determine if unauthorized program changes have been made?
A) by interviewing and making inquiries of the programming staff
B) by examining the systems design and programming documentation
C) by using a source code comparison program
D) by interviewing and making inquiries of recently terminated programming staff
Answer: C
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic

5) Which auditing technique will not assist in determining if unauthorized programming changes
have been made?
A) use of a source code comparison program
B) use of the reprocessing technique to compare program output
C) interviewing and making inquiries of the programming staff
D) use of parallel simulation to compare program output
Answer: C
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytic

6) Strong ________ controls can partially compensate for inadequate ________ controls.
A) development; processing
B) processing; development
C) operational; internal
D) internal; operational
Answer: B
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic

14
Copyright © 2015 Pearson Education, Inc.
7) The ________ procedure for auditing computer process controls uses a hypothetical series of
valid and invalid transactions.
A) concurrent audit techniques
B) test data processing
C) integrated test facility
D) dual process
Answer: B
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic

8) The auditor uses ________ to continuously monitor the system and collect audit evidence
while live data are processed.
A) test data processing
B) parallel simulation
C) concurrent audit techniques
D) analysis of program logic
Answer: C
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic

9) Auditors have several techniques available to them to test computer-processing controls. An


audit technique that immediately alerts auditors of suspicious transactions is known as
A) a SCARF.
B) reperformance.
C) the snapshot technique.
D) an audit hook.
Answer: D
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic

10) A type of software that auditors can use to analyze program logic and detect unexecuted
program code is
A) an audit log.
B) a mapping program.
C) a scanning routine.
D) program tracing.
Answer: B
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic

15
Copyright © 2015 Pearson Education, Inc.
11) ________ is one tool used to document source data controls.
A) An input control matrix
B) A flowchart generator program
C) A program algorithm matrix
D) A mapping program
Answer: A
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic

12) The use of a secure file library and restrictions on physical access to data files are control
procedures used together to prevent
A) an employee or outsider obtaining data about an important client.
B) a data entry clerk from introducing data entry errors into the system.
C) a computer operator from losing or corrupting files or data during transaction processing.
D) programmers making unauthorized modifications to programs.
Answer: A
Objective: Learning Objective 3
Difficulty: Difficult
AACSB: Analytic

13) An auditor creates a fictitious customer in the system and then creates several fictitious sales
to the customer. The records are then tracked as they are processed by the system. The auditor is
using
A) an integrated test facility.
B) the snapshot technique.
C) a system control audit review file.
D) continuous and intermittent simulation.
Answer: A
Objective: Learning Objective 3
Difficulty: Difficult
AACSB: Analytic

14) An auditor sets an embedded audit module to flag all credit transactions in excess of $3,000.
The flag causes the system state to be recorded before and after each transaction is processed.
The auditor is using
A) audit hooks.
B) an integrated test facility.
C) the snapshot technique.
D) a system control audit review file.
Answer: C
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic

16
Copyright © 2015 Pearson Education, Inc.
15) An auditor sets an embedded audit module to record all credit transactions in excess of
$4,000 and stores the data in an audit log. The auditor is using
A) audit hooks.
B) the snapshot technique.
C) a system control audit review file.
D) continuous and intermittent simulation.
Answer: C
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic

16) An auditor sets an embedded audit module to flag questionable online transactions, display
information about the transaction on the auditor's computer, and send a text message to the
auditor's cell phone. The auditor is using
A) the snapshot technique.
B) a system control audit review file.
C) audit hooks.
D) continuous and intermittent simulation.
Answer: C
Objective: Learning Objective 3
Difficulty: Difficult
AACSB: Analytic

17) An auditor sets an embedded audit module to selectively monitor transactions. Selected
transactions are then reprocessed independently, and the results are compared with those
obtained by the normal system processing. The auditor is using
A) an integrated test facility.
B) the snapshot technique.
C) a system control audit review file.
D) continuous and intermittent simulation.
Answer: D
Objective: Learning Objective 3
Difficulty: Difficult
AACSB: Analytic

18) When programmers are working with program code, they often employ utilities that are also
used in auditing. For example, as program code evolves, it is often the case that blocks of code
are superseded by other blocks of code. Blocks of code that are not executed by the program can
be identified by
A) embedded audit modules.
B) scanning routines.
C) mapping programs.
D) automated flow charting programs.
Answer: C
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic

17
Copyright © 2015 Pearson Education, Inc.
19) When programmers are working with program code, they often employ utilities that are also
used in auditing. For example, as program code evolves, it is often the case that variables defined
during the early part of development become irrelevant. The occurrences of variables that are not
used by the program can be found using
A) program tracing.
B) scanning routines.
C) mapping programs.
D) embedded audit modules.
Answer: B
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic

20) Explain why the auditor's role in program development and acquisition should be limited.
Answer: The auditor's role in any organization systems development should be limited only to
an independent review of systems development activities. The key to the auditor's role is
independence; the only way auditors can maintain the objectivity necessary for performing an
independent evaluation function is by avoiding any and all involvement in the development of
the system itself. If auditor independence is impaired, the audit itself may be of little value and
its results could easily be called into question. The auditors could be basically reviewing their
own work.
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic

21) Audit tests and procedures traditionally have been performed on a sample basis. Do options
exist for auditors to test significantly more (or all) transactions?
Answer: Computer assisted audit techniques (CAATS) allow auditors to automate and simplify
the audit process. Large amounts of data can be examined by software, created from auditor-
supplied specifications. Two popular CAATS packages are Audit Control Language (ACL) and
Interactive Data Extraction and Analysis (IDEA). Auditors can also use concurrent audit
techniques to identify and collect information about certain types of transactions in real-time.
Examples of concurrent audit techniques are embedded audit modules, integrated test facility,
system control audit review file (SCARF), snapshot technique, audit hooks and continuous and
intermittent simulation (CIS).
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic

18
Copyright © 2015 Pearson Education, Inc.
22) When doing an information systems audit, auditors must review and evaluate the program
development process. What errors or fraud could occur during the program development
process?
Answer: There can be unintentional errors due to misunderstood systems specifications,
incomplete specifications, or poor programming. Developers could insert unauthorized code
instructions into the program for fraudulent purposes.
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic

23) Briefly describe tests that can be used to detect unauthorized program modifications.
Answer: Review procedures for requesting, approving, programming, and testing changes.
Review or observe specific testing and implementation procedures. Compare source code from
the approved and tested program with the program code currently in use. Randomly and without
notice, use the source code from the approved and tested program to reprocess transactions,
and compare the results with the operational system results. Write new code designed to replicate
the approved and tested code and use parallel simulation to reprocess transactions, and compare
the results with the operational system results.
Objective: Learning Objective 3
Difficulty: Difficult
AACSB: Analytic

24) Define and give examples of embedded audit modules.


Answer: Embedded audit modules are segments of program code that perform audit functions,
report test results and store collected evidence for later review. An Integrated Test Facility
(ITF) processes fictitious records through the operational system in real-time. The snapshot
technique records master file records immediately before and immediately after processing
specifically selected transactions. A System Control Audit Review File (SCARF) continuously
monitors transactions and collects transaction data that meet, or fall outside, predetermined
criteria. Audit Hooks immediately notify auditors of suspicious transactions being processed, or
submitted for processing. Continuous and Intermittent Simulation (CIS) identifies specific
transactions with audit significance and processes the transactions parallel to the operational
system. If discrepancies result, the CIS can store the evidence for later review or can prevent
transaction processing.
Objective: Learning Objective 3
Difficulty: Difficult
AACSB: Analytic

19
Copyright © 2015 Pearson Education, Inc.
25) a) What is test data processing? b) How is it done? c) What are the sources that an auditor
can use to generate test data?
Answer: a) Test data processing is a technique used to examine the integrity of the computer
processing controls. b) Test data processing involves the creation of a series of hypothetical valid
and invalid transactions and the introduction of those transactions into the system. The invalid
data may include records with missing data, fields containing unreasonably large amounts,
invalid account numbers, etc. If the program controls are working, then all invalid transactions
should be rejected. Valid transactions should all be properly processed. c) The various ways test
data can be generated are: A listing of actual transactions. The initial transactions used by the
programmer to test the system. A test data generator program that generates data using program
specifications.
Objective: Learning Objective 3
Difficulty: Difficult
AACSB: Analytic

26) Describe the disadvantages of test data processing.


Answer: The auditor must spend considerable time developing an understanding of the system
and preparing an adequate set of test transactions. Care must be taken to ensure that test data
does not affect the company's files and databases. The auditor can reverse the effects of the test
transactions or process the transactions in a separate run using a copy of the file or database.
However, a separate run removes some of the authenticity obtained from processing test data
with regular transactions. Also, since the reversal procedures may reveal the existence and nature
of the auditor's test to key personnel, it can be less effective than a concealed test.
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic

11.4 Describe computer audit software, and explain how it is used in the audit of an AIS.

1) An audit software program that generates programs that perform certain audit functions, based
on auditor specifications, is referred to as a(n)
A) input controls matrix.
B) CAATS.
C) embedded audit module.
D) mapping program.
Answer: B
Objective: Learning Objective 4
Difficulty: Moderate
AACSB: Analytic

20
Copyright © 2015 Pearson Education, Inc.
2) An auditor might use ________ to convert data from several sources into a single common
format.
A) Windows Media Converter
B) concurrent audit technique
C) computer assisted audit techniques software
D) Adobe Professional
Answer: C
Objective: Learning Objective 4
Difficulty: Easy
AACSB: Analytic

3) What is the primary purpose of computer audit software?


A) eliminate auditor judgment errors
B) assist the auditor in retrieving and reviewing information
C) detect unauthorized modifications to system program code
D) recheck all mathematical calculations, cross-foot, reprocess financial statements and compare
to originals
Answer: B
Objective: Learning Objective 4
Difficulty: Easy
AACSB: Analytic

4) How has the U.S. government deployed computer-assisted audit techniques to reduce the
budget?
A) to identify fraudulent Medicare claims
B) to perform random audits of government spending
C) to replace human auditors with computerized auditors
D) to develop a more balanced government budget
Answer: A
Objective: Learning Objective 4
Difficulty: Moderate
AACSB: Analytic

5) True or False: One of the advantages of CAATS software is that it can replace the auditor's
judgment in specific areas of an audit.
Answer: FALSE
Objective: Learning Objective 4
Difficulty: Easy
AACSB: Analytic

21
Copyright © 2015 Pearson Education, Inc.
6) Identify the company below that CAATS would likely provide the most value.
A) a local car dealership
B) a mom and pop grocery store
C) a large lumber mill that uses an ERP system
D) a medium-sized shoe retailer with outlets in many cities
Answer: D
Objective: Learning Objective 4
Difficulty: Moderate
AACSB: Analytic

7) Which of the following is not one way CAATS could be used?


A) to merge files
B) to test files for specific risks
C) to process electronic transactions
D) to query data files to retrieve records meeting specified criteria
Answer: C
Objective: Learning Objective 4
Difficulty: Moderate
AACSB: Analytic

8) What type of data does CAATS use to produce an auditing program?


A) archived data
B) backup data
C) live data
D) a copy of live data
Answer: D
Objective: Learning Objective 4
Difficulty: Moderate
AACSB: Analytic

11.5 Describe the nature and scope of an operational audit.

1) The scope of a(n) ________ audit encompasses all aspects of systems management.
A) operational
B) information systems
C) financial
D) internal control
Answer: A
Objective: Learning Objective 5
Difficulty: Moderate
AACSB: Analytic

22
Copyright © 2015 Pearson Education, Inc.
2) Evaluating effectiveness, efficiency, and goal achievement are objectives of ________ audits.
A) financial
B) operational
C) information systems
D) all of the above
Answer: B
Objective: Learning Objective 5
Difficulty: Easy
AACSB: Analytic

3) In the ________ stage of an operational audit, the auditor measures the actual system against
an ideal standard.
A) evidence collection
B) evidence evaluation
C) testing
D) internal control
Answer: B
Objective: Learning Objective 5
Difficulty: Easy
AACSB: Analytic

4) The evidence collection stage of an operational audit includes all the following activities
except
A) reviewing operational policies.
B) establishing audit objectives.
C) testing the accuracy of operating information.
D) testing controls.
Answer: B
Objective: Learning Objective 5
Difficulty: Easy
AACSB: Analytic

5) True or False: During the evidence evaluation stage of an operational audit, the auditor
measures the system against generally accepted accounting principles (GAAP).
Answer: FALSE
Objective: Learning Objective 5
Difficulty: Easy
AACSB: Analytic

23
Copyright © 2015 Pearson Education, Inc.
6) You are the head of the internal audit department for Apple Computer. You want to hire a
person to serve as one of Apple's operational auditors. Identify the candidate below that is likely
to be the most qualified person for the job.
A) Jane, a CPA who has 10 years of audit experience
B) Kasheena, an MBA who has 10 years of management experience
C) Joe, a CISA who has 10 years of IT audit experience
D) Vahlia, a CPA who has 7 years of audit experience and 3 years of management experience
Answer: D
Objective: Learning Objective 5
Difficulty: Difficult
AACSB: Analytic

7) Who generally receives the findings and conclusions of an operational audit?


A) the board of directors
B) management
C) the external auditor
D) the IRS
Answer: B
Objective: Learning Objective 5
Difficulty: Moderate
AACSB: Analytic

8) Andile Uzoma is the CEO of Chibuzo Incorporated. The board of directors has recently
demanded that they receive independent assurance regarding the financial statements, which are
generated using an accounting information system. Which type of audit would best suit the
demands of the board of directors?
A) financial audit
B) information system audit
C) operational audit
D) sustainability audit
Answer: A
Objective: Learning Objective 5
Difficulty: Moderate
AACSB: Analytic

9) Andile Uzoma is the CEO of Chibuzo Incorporated. The board of directors has recently
demanded that they receive more assurance that internal controls surrounding the company's
information system are effective. Which type of audit would best suit the demands of the board
of directors?
A) financial audit
B) information system audit
C) operational audit
D) sustainability audit
Answer: B
Objective: Learning Objective 5
Difficulty: Moderate
AACSB: Analytic

24
Copyright © 2015 Pearson Education, Inc.
10) Andile Uzoma is the CEO of Chibuzo Incorporated. The board of directors has recently
demanded that they receive more assurance that Chibuzo Incorporated is operating in an
efficient, effective manner. Which type of audit would best suit the demands of the board of
directors?
A) financial audit
B) information system audit
C) operational audit
D) sustainability audit
Answer: C
Objective: Learning Objective 5
Difficulty: Moderate
AACSB: Analytic

11) With regards to an accounting information system, a financial audit is most concerned with
A) the system's output.
B) the system's input.
C) the system's processing.
D) the system's storage.
Answer: A
Objective: Learning Objective 5
Difficulty: Difficult
AACSB: Analytic

25
Copyright © 2015 Pearson Education, Inc.