
CHAPTER 6
Auditing in a Computer Information Systems (CIS) or Information Technology (IT) Environment

1. IT has several significant effects on an entity. Which of the following would be important from an auditing perspective?
I. The potential for material misstatement.
II. The visibility of information.
III. Changes in the organizational structure.
A. I and II only
B. I and III only
C. II and III only
D. I, II, and III

2. The use of a computer changes the processing, storage, and communication of financial information. A CIS environment may affect the following, except
A. The accounting and internal control systems of the entity.
B. The overall objective and scope of an audit.
C. The auditor's design and performance of tests of control and substantive procedures to satisfy the audit objectives.
D. The specific procedures to obtain knowledge of the entity's accounting and internal control systems.

A CIS environment does not affect the overall objective and scope of an audit.

3. The following are benefits of using IT-based controls, except
A. Ability to process large volume of transactions.
B. Over-reliance on computer-generated reports.
C. Ability to replace manual controls with computer-based controls.
D. Reduction in misstatements due to consistent processing of transactions.

4. Which of the following statements concerning the Internet is incorrect?
A. The Internet is a shared public network that enables communication with other entities and individuals around the world.
B. The Internet is a private network that only allows access to authorized persons or entities.
366 CPA EXAMINATION REVIEWER: AUDITING THEORY

C. The Internet is interoperable, which means that any computer connected to the Internet can communicate with any other computer connected to the Internet.
D. The Internet is a worldwide network that allows entities to engage in e-commerce/e-business activities.

5. In planning the portions of the audit which may be affected by the client's CIS environment, the auditor should obtain an understanding of the significance and complexity of the CIS activities and the availability of data for use in the audit. The following relate to the complexity of CIS activities except when
A. Transactions are exchanged electronically with other organizations (for example, in electronic data interchange systems [EDI]).
B. Complicated computations of financial information are performed by the computer and/or material transactions or entries are generated automatically without independent validation.
C. Material financial statement assertions are affected by the computer processing.
D. The volume of transactions is such that users would find it difficult to identify and correct errors in processing.

The materiality of the financial statement assertions affected by the CIS relates to the significance, not the complexity, of computer processing.

6. The auditor shall consider the entity's CIS environment in designing audit procedures to reduce risk to an acceptably low level. Which of the following statements is incorrect?
A. The auditor's specific audit objectives do not change whether financial information is processed manually or by computer.
B. The methods of applying audit procedures to gather audit evidence are not influenced by the methods of computer processing.
C. The auditor may use either manual audit procedures, computer-assisted audit techniques (CAATs), or a combination of both to obtain sufficient appropriate audit evidence.
D. In some CIS environments, it may be difficult or impossible for the auditor to obtain certain data for inspection, inquiry, or confirmation without the aid of a computer.

The methods of applying audit procedures to gather audit evidence may be influenced by the methods of computer processing.

7. Regardless of the nature of an entity's information system, the auditor must consider internal control. In a CIS environment, the auditor must, at a minimum, have
A. A background in programming procedures.
B. An expertise in computer systems analysis.
C. A sufficient knowledge of the computer's operating system.
D. A sufficient knowledge of the computer information system.

The auditor should have a sufficient knowledge of the CIS to plan, direct, supervise, and review the work performed.

Answers A and B are incorrect because an auditor need not have expertise in programming and computer systems analysis. If specialized CIS skills are needed in the audit, the auditor may seek the assistance of an auditor's expert.

Answer C is incorrect because the auditor should have sufficient knowledge of the entire CIS, not only of the computer's operating system.

8. Who is ultimately responsible for the design and implementation of cost-effective controls in a CIS environment?
A. The internal audit manager
B. The entity's management
C. The CIS manager
D. The control group in the CIS department

An entity's management is ultimately responsible for designing and implementing systems that will provide reasonable assurance that the entity's objectives will be achieved.

9. Are the following risks greater in CIS than in manual systems?

                                        A     B     C     D
Erroneous data conversion              Yes   Yes   Yes   Yes
Erroneous source document preparation  Yes   Yes   Yes   No
Repetition of errors                   No    No    Yes   Yes
Concentration of data                  No    Yes   Yes   Yes

The preparation of source documents either precedes or is not done at all in a computer information system. Thus, the risk of erroneous source document preparation in a CIS environment may be equal to or less than the equivalent risk in a manual system.

In a CIS environment, the computer converts data to machine-readable form prior to processing of transactions. This will increase the risk of input error. In addition, the computer's ability to uniformly process like transactions with the same processing instructions will ordinarily result in all transactions being processed incorrectly if there are programming errors (or other systematic errors in hardware or software). Also, the concentration of data stored on magnetic disk increases the risk of loss of valuable financial information from damage or theft.

10. Which of the following is not a hardware element in an IT environment?
A. Scanners
B. CD-ROM drive
C. Application programs
D. Modems

An IT environment consists of hardware and software components. Computer hardware consists of the computer and all other physical equipment. The software component consists of computer programs that are either purchased from a software vendor or developed in-house by the entity.

Application software, a type of computer software, performs desired processing tasks such as payroll processing.

Answers A, B, and D are incorrect because optical scanners, CD-ROM drive, and modems are elements of computer hardware.

11. Which of the following computer hardware elements is not associated with data input?
A. Touch screen
B. Printer
C. Mouse
D. Optical scanner

A printer is an output device that produces a hard copy of computer processing results.

Answers A, C, and D are incorrect because a touch screen, a mouse, and an optical scanner can be used for data input.

12. A hardware element that takes the computer's digital information and transforms it into signals that can be sent over ordinary telephone lines is a/an
A. Intelligent terminal
B. Point-of-sale terminal
C. Terminal emulator
D. Modem

A modem converts data in digital form into analog or wave form (the process is called modulation) so that data can be sent to remote locations through the telephone system.

The modem at the receiving end of the transmission path converts the analog or wave form back to the digital form (the process is called demodulation) used by the terminal or CPU.

13. Uninterruptible power supplies are used in computer facilities to minimize the risk of
A. Crashing disk drive read-write heads.
B. Dropping bits in data transmission.
C. Failing to control concurrent access to data.
D. Losing data stored in main memory.

An uninterruptible power source such as a generator or battery backup used in a computer facility will reduce the likelihood of losing data stored in the computer's main memory in the event of an electrical failure such as a power outage or voltage fluctuation.

14. In a computer system, the parts of the operating system program and language translator program are stored in the
A. Read only memory (ROM).
B. Random access memory (RAM).
C. Magnetic tape drive.
D. Magnetic disk drive.

ROM consists of semiconductor chips that can be read from (but not written to) and are used as permanent storage of the operating system and language translator.

Answers B, C, and D are incorrect because RAM and magnetic tape and disk drives are temporary storage devices.

15. A characteristic that distinguishes computer processing from manual processing is
A. The potential for systematic error is ordinarily greater in manual processing than in computerized processing.
B. Errors or fraud in computer processing will be detected soon after their occurrences.
C. Most computer systems are designed so that transaction trails useful for audit purposes do not exist.
D. Computer processing virtually eliminates the occurrence of computational errors normally associated with manual processing.

Computational or clerical errors are virtually eliminated in computer processing because of the computer's capability to uniformly process like transactions with the same processing instructions.

Answer A is incorrect because the risk of systematic or programming error is greater in computer processing than in manual processing.

The computer's ability to subject like transactions to uniform processing will result in all transactions being processed incorrectly if there are errors embedded in the program logic.

Answer B is incorrect because errors or fraud in computer processing may remain undetected for long periods of time, or worse, may never be detected at all.

The potential for observing errors or fraud is reduced in computer processing because of decreased human involvement in handling transactions processed by CIS.

Answer C is incorrect because CIS are designed to include transaction trails. However, some transaction trails in computer processing may exist for only a short period of time or only in computer-readable form.

16. An affordable yet powerful self-contained general purpose computer which consists typically of a central processing unit (CPU), monitor, keyboard, disk drives, printer cables, and modems is a/an
A. Personal computer
B. Mainframe
C. On-line computer
D. Terminal

17. A CIS where two or more personal computers are linked together through the use of special software and communication lines and allows the sharing of application software, data files, and computer peripherals such as printers and optical scanners is a/an
A. Local area network (LAN)
B. On-line system
C. Batch processing system
D. Wide area network (WAN)

Each personal computer linked to a LAN is called a workstation that can access data, software, and other resources through a file server, a linked PC that manages the network.

A LAN is usually confined to a small geographic location such as a building or two or more adjacent buildings.

Two or more LANs can be linked together to form a wide area network (WAN).

18. A file server in a local area network (LAN) is
A. A workstation that is dedicated to a single user on the LAN.
B. A computer that stores programs and data files for users of the LAN.
C. The cabling that physically interconnects the nodes of the LAN.
D. A device that connects the LAN to other networks.

Common resources such as programs and data shared by LAN nodes are stored and managed by special-purpose computers called file servers.

Answer A is incorrect because a workstation or node in a LAN is called a client.

Answer C is incorrect because the cabling that physically interconnects the nodes of the LAN is the communications link.

Answer D is incorrect because bridges and gateways are used to link networks together. Bridges connect LANs of the same type while gateways connect LANs of different types.

19. Audit team members can use the same database and programs when their PCs share a hard disk and printer on a LAN. Which of the following communication devices enables a PC to connect to a LAN?
A. A network interface card (NIC) that plugs into the motherboard.
B. A fax modem that sends signals through telephone lines.
C. An internal modem that plugs into the motherboard.
D. An external modem with a cable connection to a serial port.

A workstation's physical connection to the LAN is achieved through a network interface card (NIC) which plugs into one of the expansion slots in the PC.

Answers B, C, and D are incorrect because modems connect PCs to ordinary telephone lines.

20. A computer information system that allows individual users to develop and execute application programs, enter and process data, and generate reports in a decentralized manner is called a/an
A. Online system
B. Batch processing system
C. End-user computing
D. Networking

In end-user computing, management empowers individual users to develop and execute application programs, enter and process data, and generate computer processing results. This system is an example of decentralized processing and usually involves the use of PCs.

21. Which of the following statements most likely represents a disadvantage for an entity that maintains data files on personal computers (PCs) rather than manually prepared files?
A. It is usually more difficult to compare recorded accountability with the physical count of assets.
B. Random error associated with processing similar transactions in different ways is usually greater.
C. Attention is focused on the accuracy of the programming process rather than errors in individual transactions.
D. It is usually easier for unauthorized persons to access and alter the files.

In a PC environment, unauthorized individuals can easily gain access to and change data files without visible evidence.

Answer A is incorrect because the ability to compare information in the file with the physical count of assets does not depend on the method used in maintaining the files.

Answer B is incorrect because an advantage of CIS is the computer's ability to process like transactions in the same way.

Answer C is incorrect because focusing on the accuracy of the programming process is an advantage of CIS.

22. The following are risks specific to IT environments, except
A. Reduced segregation of duties.
B. Loss of data due to insufficient backup.
C. Increased human involvement.
D. Reliance on the functioning capabilities of hardware and software.

23. Most personal computers have both a CD-ROM drive and a hard disk drive. The major difference between the two types of storage is that a hard disk
A. Is suitable for an online system, whereas a CD-ROM is not.
B. Provides an automatic audit trail, whereas a CD-ROM does not.
C. Has a much larger storage capacity than a CD-ROM.
D. Is a direct-access storage medium, whereas a CD-ROM is a sequential-access storage medium.

24. What type of online computer system is characterized by data that are assembled from more than one location and records that are updated immediately?
A. Online, batch processing system
B. Online, real-time processing system
C. Online, inquiry system
D. Online, downloading/uploading system

In an online processing system, individual transactions are entered through workstations or terminals that are connected to the mainframe.

A type of online system is the online, real-time processing system, which involves immediate validation and processing of data input to update related computer files and allows users to receive the output soon enough to affect a current decision to be made.

Answer A is incorrect because in an online, batch processing system, individual transactions are entered through remote terminals, subjected to certain validation routines and added to a transaction file containing other transactions entered during the period.

The transaction file is to be subjected to further validation checks and then used in updating the relevant master file in the subsequent processing cycle.

Answer C is incorrect because in an online, inquiry system, users are restricted to making inquiries of master files (for example, inquiry of a customer account balance).

Answer D is incorrect because an online, uploading/downloading system involves the transfer of data between the mainframe and workstations.

25. Misstatements in a batch computer system caused by incorrect programs or data may not be detected immediately because
A. The processing of transactions in a batch system is not uniform.
B. There are time delays in processing transactions in a batch system.
C. The identification of errors in input data typically is not part of the program.
D. Errors in some transactions may cause rejection of other transactions in the batch.

In a batch processing system, similar transactions are processed in groups or batches periodically, for example, daily, weekly, or even monthly. Hence, errors in a given batch may be detected only after the lapse of considerable time from the initiation of the transactions.

Answer A is incorrect because like transactions are processed uniformly in a batch system.

Answer C is incorrect because data validation routines may be embedded in the computer program.

Answer D is incorrect because although similar transactions are processed together in batches, individual transactions are not dependent upon one another.

26. Which of the following features is least likely to be found in an online, real-time processing system?
A. Turnaround documents
B. User manuals
C. Preformatted screens
D. Automatic error correction

A turnaround document is a source document generated by the computer system as output and then later used as input for subsequent processing. Turnaround documents are least likely to be found in an online, real-time processing system because it normally does not use source documents.

Answer B is incorrect because user manuals provide explanations on the proper use of the system, making them an important component of the real-time system.

Answer C is incorrect because users usually interact with the mainframe through preformatted screens of remote terminals.

Answer D is incorrect because automatic error correction is a principal advantage of real-time systems; that is, errors are immediately detected and corrected.

27. Which of the following is usually not a factor to consider in designing and implementing an online, real-time system?
A. Priority allocation
B. Queues
C. Interrupts
D. Hardware diagnostics

Computers are designed to include hardware diagnostic routines that allow identification of hardware problems such as a parity check to determine if the integrity of the bit structure of each character has been destroyed during the internal transmission of data within the system.

Hardware diagnostic routines are applicable to all systems, not only to online, real-time systems.

Answers A and B are incorrect because priority allocation and queues are important factors in real-time systems. Both of them relate to deciding which jobs should be given priority in processing.

Answer C is incorrect because interrupts allow high priority jobs to get immediate action. In a multiprogramming environment, work on one program is interrupted so the CPU may attend to another.

28. Workstations or terminals are an integral component of online computer systems. Which of the following statements concerning workstations is incorrect?
A. Workstations may be located either locally or at remote sites.
B. Both local and remote workstations require the use of telecommunications to link them to the main computer.
C. Local workstations are connected directly to the main computer through cables.
D. Workstations may be used by different users, for different purposes, in different locations, all at the same time.

Only remote workstations require the use of telecommunications to link them to the main computer. Local workstations are linked through cables.

29. Online computer systems use workstations or terminals that are located either locally or at remote sites. There are two types of workstations: general purpose terminals and special purpose terminals. General purpose terminals include the following, except
A. Basic keyboard and monitor
B. Point of sale devices
C. Intelligent terminal
D. Personal computers

General purpose terminals include:

• Basic keyboard and monitor - used for entering data without any validation checks; the monitor displays data from the computer system.

• Intelligent terminal - performs the functions of the basic keyboard and monitor with the additional functions of validating data within the terminal, maintaining transaction logs, and performing other local processing.

• Personal computers - perform all the functions of an intelligent terminal with additional local processing and storage capabilities.

Special purpose terminals include:

• Point of sale devices - used to record sales transactions as they occur and to transmit them to the main computer such as electronic cash registers and optical scanners.

• Automated teller machines (ATMs) - used to initiate, validate, record, transmit, and complete various banking transactions.

30. The "test data approach"
A. Involves reprocessing actual entity data using the entity's computer software.
B. Involves reprocessing actual entity data using the auditor's computer software.
C. Is where dummy transactions are prepared by the auditor and processed under the auditor's control using the entity's computer software.
D. Is where actual transactions are prepared by the auditor.

31. Which of the following is a primary example of source data automation?
A. A subsidiary ledger
B. A utility bill
C. Point-of-sale (POS) scanners in malls
D. A bill of lading

32. Express Padala, Inc. stated in one of its mission statements that "positive control of each package will be maintained by utilizing ... electronic tracking and tracing systems." Express Padala uses what type of IT system?
A. Batch processing which features immediate updating as to the location of packages.
B. Real-time processing which features updating at fixed time periods.
C. Batch processing which features updating at fixed time periods.
D. Real-time processing which features immediate updating as to the location of packages.

33. In a file-oriented approach to data and information, data is maintained in many separate files. This may create problems for organizations because of
A. Multiple users.
B. Multiple transaction files.
C. Multiple master files which may contain redundant data.
D. A lack of sophisticated file maintenance software.

34. ______ refers to the combination of the database, the Database Management System (DBMS), and the application programs that access the database through the DBMS.
A. Data warehouse
B. Database administrator
C. Database system
D. Database manager

35. Who is the individual responsible for the database?
A. Data coordinator
B. Database master
C. Database administrator
D. Database manager

36. Which feature of many database systems simplifies the creation of reports by allowing users to specify the data elements desired and the format of the output?
A. Report generator
B. Report writer
C. Report printer
D. Report creator

37. Which of the following is probably the most significant effect of database technology on accounting?
A. Quicker access to and greater use of accounting information in decision-making.
B. Replacement of the double-entry system.
C. Change in the nature of financial reporting.
D. Elimination of traditional records such as journals and ledgers.

38. An entity should have a disaster recovery plan to ensure that data processing capacity can be restored as smoothly and quickly as possible. The following would typically be part of an adequate disaster recovery plan, except
A. A system upgrade due to operating system software changes.
B. Backup computer and telecommunication facilities.
C. Scheduled electronic vaulting of files.
D. Uninterruptible power systems installed for key system components.

39. Which of the following statements concerning computer program modifications is incorrect?
A. After the amended program has received final approval, the change is implemented by replacing the production version with the developmental version.
B. During the modification process, the developmental version of the program must be kept separate from the production version.
C. When a program change is submitted for approval, a list of all required updates should be compiled and then approved by management and program users.
D. Only material program changes should be thoroughly tested and documented.

40. Old and new systems operating simultaneously in all locations is a test approach known as parallel testing.

Pilot testing involves implementing a new system in one part of the organization, while other locations continue to use the current system.

A. True; False
B. Both are True
C. False; True
D. Both are False

41. A collection of data that is shared and used by a number of different users for different purposes is a
A. Database
B. Memory
C. File
D. Record

The standard defines "database" as a collection of data that is shared and used by a number of different users for different purposes.

42. Which of the following computer software is used to create, maintain, and operate a database?
A. Application software
B. Systems software
C. Database management system (DBMS)
D. Database administrator

The DBMS is used to create, maintain, and operate a database. It facilitates the physical storage of the data, maintains the interrelationships among the data, and makes the data available to application programs.

43. The two important characteristics of a database system are
A. The database and the DBMS.
B. Data sharing and data independence.
C. The DBMS and data sharing.
D. The DBMS and data independence.

The two important characteristics of a database system are data sharing and data independence.

Data sharing can be achieved if the database contains data which are set up with defined relationships and are organized in a manner that permits several users to access and use the data in different application programs.

The need for data sharing creates the need for data independence from application programs. Through the DBMS, data are recorded only once, for use by different application programs. There will be true data independence if the structure of data can be changed without affecting the application programs, and vice versa.

44. To protect the integrity of the database, data sharing by different users requires organization, coordination, rules, and guidelines. The individual responsible for managing the database resource is the
A. Programmer
B. Database administrator
C. User
D. CIS manager

The database administrator is responsible generally for the definition, structure, security, operational control, and efficiency of databases, including the definition of the rules by which data are accessed and stored.

45. An auditor who wishes to trace data through several application programs should know what programs use the data, which files contain the data, and which printed reports display the data. In a database system, the information could be found in a
A. Decision table
B. Data dictionary
C. Database schema
D. Data encryptor

Software within the DBMS that keeps track of the location of the data in the database is called a data dictionary.

Answer A is incorrect because a decision table is a matrix presentation of the decision points and related actions included in a computer program.

Answer C is incorrect because the database schema describes the database structure.

Answer D is incorrect because an encryptor encodes messages.

46. Which of the following is the greatest advantage of a database system?
A. Data redundancy can be reduced.
B. Backup and recovery procedures are minimized.
C. Multiple occurrences of data items are useful for consistency checking.
D. Conversion to a database system is inexpensive and can be accomplished quickly.

In a database system, data redundancy is kept to a minimum because the DBMS records the data once, for use by various application programs. Storage structures are created that make the application programs independent of the location of the data.

Because each item in the database has a standard definition, name, and format, and related items are linked by a system of pointers, the application programs need only to specify the data name, not the location.

Answer B is incorrect because backup and recovery procedures in a database system are just as crucial as in a traditional flat-file system.

Answer C is incorrect because data redundancy (that is, multiple occurrences of data items) is substantially reduced in a database system.

Answer D is incorrect because converting a large amount of data to a database is costly and time consuming.

47. The following statements relate to a database management system (DBMS) application environment. Which is false?
A. Data definition is independent of any one program.
B. The physical structure of the data is independent of user needs.
C. Data are used concurrently by different users.
D. Data are shared by passing files between programs or systems.

In a database system, application programs share the data in the common database for different purposes. Thus, there is no need to pass files between applications.

48. Which of the following is an advantage of a database
management system (DBMS)?
A. A decreased vulnerability as the DBMS has numerous
security controls to prevent disasters.
B. Each organizational unit takes responsibility and control
for its own data.
C. Data independence from application programs.
D. The cost of the CIS department decreases because users
are now responsible for establishing their own data
handling techniques.

An important characteristic of a database system is that
applications are independent of the database structure. This
allows programs to be developed for the user's specific
needs without concern for data retrieval problems. Moreover,
changes to the physical or logical structure of the database
can be made without the need to modify any of the
application programs that use the database.

Answer A is incorrect because the DBMS is no safer than any
other computer information systems.

Answer B is incorrect because each organizational unit
develops its application programs that will use the data items
in the common database.

Answer D is incorrect because data handling techniques
remain the responsibility of the CIS department.

49. Which of the following is usually a benefit of transmitting
transactions in an electronic data interchange (EDI)
environment?
A. A reduced need to test computer controls related to
sales and collections transactions.
B. A compressed business cycle with lower year-end
receivables balances.
C. No need to rely on third-party service providers to
ensure security.
D. An increased opportunity to apply statistical sampling
techniques to account balances.

Because EDI transactions are transmitted and processed in
real time, delays are eliminated in receiving and processing
an order, shipping goods, and receiving payment. Thus, EDI
compresses an entity's business cycle and results in lower
year-end receivables balances.

Answer A is incorrect because the use of a complex
processing system increases the need to test computer controls.

Answer C is incorrect because an EDI system typically uses a
VAN (value added network) as a third-party service provider,
and reliance on VAN controls may be critical.

Answer D is incorrect because all transactions (not just a
sample) may be tested with the aid of computer technology.

50. The internal controls over computer processing include both
manual procedures and procedures designed into computer
programs (programmed control procedures). The manual
and programmed control procedures comprise the general
CIS controls and CIS application controls. The purpose of
general CIS controls is to
A. Establish specific control procedures over the accounting
applications in order to provide reasonable assurance
that all transactions are authorized and recorded and are
processed completely, accurately, and on a timely basis.
B. Establish a framework of overall controls over the CIS
activities and to provide a reasonable level of assurance
that the overall objectives of internal control are
achieved.
C. Provide reasonable assurance that systems are developed
and maintained in an authorized and efficient manner.
D. Provide reasonable assurance that access to data and
computer programs is restricted to authorized personnel.

The purpose of general CIS controls is to establish a
framework of overall controls over the CIS activities and to
provide a reasonable level of assurance that the overall
objectives of internal control are achieved.

General CIS controls may include:

• Organization and management controls.
• Application systems development and maintenance
controls.
• Computer operation controls.
• Systems software controls.
• Data entry and program controls.

Answer A is incorrect because the establishment of specific
control procedures over the accounting applications is the
purpose of CIS application controls.

Answer C is incorrect because controls designed to provide
reasonable assurance that systems are developed and maintained
in an authorized and efficient manner are application
systems development and maintenance controls.

Answer D is incorrect because controls designed to provide
reasonable assurance that access to data and programs is
restricted to authorized personnel are data entry and
program controls.

51. CIS application controls include the following, except
A. Controls over input.
B. Controls over processing and computer data files.
C. Controls over output.
D. Controls over access to systems software and
documentation.

Restricting access to systems software and documentation
to authorized personnel is a general CIS control.

CIS application controls include:

1. Controls over input - designed to provide reasonable
assurance that:
• Only authorized transactions are submitted for
processing.
• All authorized transactions are accurately converted
into machine-readable form.
• Incorrect transactions are rejected, corrected, and, if
necessary, resubmitted on a timely basis.

2. Controls over processing and computer data files -
designed to provide reasonable assurance that:
• All transactions are processed as authorized.
• No authorized transactions are omitted.
• No unauthorized transactions are processed.
• Processing errors are identified and corrected on a
timely basis.

3. Controls over output - designed to provide reasonable
assurance that:
• The results of processing are accurate.
• Output is distributed only to authorized users.

52. The auditor is required to consider how an entity's general
CIS controls affect the CIS applications significant to the
audit. Accordingly, the auditor should
A. Review the design of the general CIS controls only.
B. Review the design of the CIS application controls only.
C. Review the design of the general CIS controls before
reviewing the CIS application controls.
D. Review the design of the CIS application controls before
reviewing the design of the general CIS controls.

General CIS controls that relate to some or all applications
are typically interdependent controls in that their operation
is often essential to the effectiveness of CIS application
controls. A more efficient approach is to review the design of
the general CIS controls before reviewing the CIS
application controls.

53. The two broad categories of IT controls are general controls
and application controls. General controls include controls
A. For developing, maintaining, and modifying computer
programs.
B. That relate to the correction and resubmission of
erroneous data.
C. Designed to provide reasonable assurance that only
authorized users receive output from processing.
D. Designed to provide reasonable assurance that all data
submitted for processing have been properly authorized.

General controls relate to all or many IT activities and often
include organization and management controls, application
systems development and maintenance controls, computer
operation controls, systems software controls, and data
entry and program controls.

Answers B, C, and D are incorrect because controls over
correction of erroneous input data, output distribution, and
authorization of input data are IT application controls.

54. Which of the following statements concerning application
controls is correct?
A. Application controls relate to all aspects of the IT
function.
B. Application controls relate to the processing of individual
transactions.
C. Application controls relate to various aspects of the IT
function including software and hardware acquisitions.
D. Application controls relate to various aspects of the IT
function including physical security and the processing of
transactions in various cycles.

55. The significance of hardware controls is that they
A. Ensure that run-to-run totals in application systems are
consistent.
B. Reduce the incidence of user input errors in online
systems.
C. Ensure correct programming of operating system
functions.
D. Assure that machine instructions are executed correctly.

To detect and control errors arising from the use of computer
equipment, hardware controls are built into the equipment
by the manufacturer, such as parity checks, read-after-write
checks, and echo checks.

Answer A is incorrect because run-to-run totals are used to
determine the completeness of update in an online system.
Separate totals are accumulated for all transactions processed
throughout a period and compared with the total of
items submitted for computer processing.

Answer B is incorrect because input controls such as the use
of limit checks, self-checking digits, and input screens can
reduce the incidence of user input errors in online systems.

Answer C is incorrect because computer programmers
and/or systems analysts are responsible for correcting
program errors.

56. The following statements relate to internal control in an
electronic data interchange (EDI) environment. Which is true?
A. In EDI systems, preventive controls are generally more
important than detective controls.
B. Control objectives for EDI systems generally are different
from the objectives for other computer information
systems.
C. Internal controls that relate to the segregation of duties
generally are the most important controls in EDI
systems.
D. Internal controls in EDI systems rarely permit control risk
at below the maximum.

In all information systems, manual and computerized,
preventive controls are more important than detective
controls because typically, the benefits exceed the costs. In an
EDI environment, it may be difficult to apply detective
controls once a transaction enters the computer system.

Answer B is incorrect because the basic objectives of
internal control are the same regardless of the nature of data
processing.

Answer C is incorrect because adequate segregation of
incompatible functions in a CIS environment may not be
feasible.

Answer D is incorrect because control risk in an EDI system
may be assessed at below the maximum level if relevant
controls exist and tests of controls provide evidence that
those controls are functioning effectively.

57. An entity has recently converted its revenue/receipt cycle
from a manual processing to an online, real-time processing
system. Which is the most probable result associated with
conversion to the new computerized processing system?
A. Less segregation of traditional duties.
B. Significant increase in processing time.
C. Reduction in the entity's risk exposures.
D. Increase in processing errors.

The basic segregation of functions (authorization,
recordkeeping, and asset custody) in a manual system is not
usually feasible in a computerized system because of decreased
human involvement in processing financial information.

Answer B is incorrect because processing time is decreased
in a computerized system.

Answer C is incorrect because computer processing does
not necessarily reduce the number of risk exposures.

Answer D is incorrect because processing errors will decrease
as a result of the conversion to a new computerized
system.

58. The most important segregation of duties in the organization
of the information systems function is
A. Using different programming personnel to maintain utility
programs from those who maintain the application
programs.
B. Having a separate information officer at the top level of
the organization outside of the accounting function.
C. Assuring that those responsible for programming the
system do not have access to data processing
operations.
D. Not allowing the data librarian to assist in data
processing operations.

An important general CIS control is segregation of duties.
Although some separation of duties common in a manual
system may not be feasible in a CIS environment, some
functions should not be combined.

The functions of systems analysts and programmers should
not be combined with the functions of computer operators.
Programmers and systems analysts may be able to effect
changes in programs, files, and controls and should therefore
have no access to computer equipment.

Computer operators should have no opportunity to modify
programs and data files, and should not have programming
duties or responsibility for installing new or modifying
existing systems.

Answer A is incorrect because computer programmers
handle all types of computer software.

Answer B is incorrect because having a separate information
officer at the top level of the organization outside of
the accounting function would be less critical than separation
of duties between programmers and computer operators.

Answer D is incorrect because computer librarians may assist
in data processing operations. However, because they
maintain control over system and program documentation
and data files, they should not have access to computer
equipment.

59. A systems analyst should have access to each of the
following, except
A. Edit criteria
B. Source code
C. Password identification tables
D. User procedures

Unauthorized changes to application programs and data
files can be made by the analyst if he/she has access to
password identification tables.

Answers A, B, and D are incorrect because the systems
analyst needs access to edit criteria, source code, and user
procedures.

60. Which of the following would represent an internal control
weakness in an IT environment?
A. The computer librarian maintains custody of computer
application programs and files.
B. The data control group is solely responsible for
distributing computer-generated reports.
C. Computer operators have access to operator instructions
and have the authority to modify application programs.
D. Computer programmers write and modify programs
designed by systems analysts.

Computer operators should have access to operator
instructions so they can perform their duties. However, they
should not have the authority to modify application
programs.

Answer A is incorrect because the computer librarian is
responsible for maintaining custody and recordkeeping for
computer application programs and data files.

Answer B is incorrect because an appropriate function of
the data control group is distribution of computer output
and other reports.

Answer D is incorrect because computer programmers are
responsible for writing and revising programs designed by
systems analysts.

61. The manager of computer operations prepares a weekly
schedule of planned computer processing and sends a copy
to the computer librarian. The control objective this
procedure serves is to
A. Authorize the release of data files to computer operators.
B. Specify the distribution of computer results.
C. Specify file retention and disaster recovery policies.
D. Keep improper and unauthorized transactions from
entering the computer facility.

A computer librarian has in his/her custody data files,
programs, and documentation, all of which are his/her
accountability. The weekly schedule of planned computer
processing provides authorization for release of files to
computer operators and a consequent transfer of
accountability.

Answers B and D are incorrect because the data control
group keeps unauthorized and improper transactions from
entering the computer facility and specifies the distribution
of computer results.

Answer C is incorrect because file retention and disaster
recovery policies are specified in the entity's backup and
recovery plan.

62. One of the major problems in a CIS environment is that
incompatible duties may be performed by the same individual.
One compensating control is the use of
A. Computer-generated hash totals
B. A computer log
C. A self-checking digit system
D. Echo checks

Computer and software usage is recorded in a computer
(console) log, including operator interventions during
computer processing. A compensating control for the lack of
adequate segregation of duties is proper monitoring of the
computer log. For example, a computer log may include a
list of operator interventions during computer processing.

Answer A is incorrect because hash totals are control totals
calculated using nonfinancial data (for example, the sum of
sales order numbers) to keep track of the records in a batch.

Answer C is incorrect because a self-checking digit system is
an input control to detect data coding errors. It involves
adding a control digit to a code (for example, a bank account
number) when it is originally designed to allow the code's
integrity to be established during subsequent processing.

Answer D is incorrect because echo check is a hardware
control that involves the receiver of the message returning
the message to the sender to determine if the correct
message was received.

63. In the organization of the information systems function, the
most important separation of duties is
A. Using different programming personnel to maintain utility
programs from those who maintain the application
programs.
B. Assuring that those responsible for programming the
system do not have access to data processing
operations.
C. Not allowing the data librarian to assist in data
processing operations.
D. Having a separate information officer at the top level of
the organization outside of the accounting function.

64. An entity has recently converted its purchasing cycle from a
manual process to an online computer system. Which of the
following is a probable result associated with conversion to
the new IT system?
A. Traditional duties are less separated.
B. Increased processing time.
C. Reduction in the entity's risk exposure.
D. Increased processing errors.

65. An entity should plan the physical location of its computer
facility. Which of the following is the primary consideration
for selecting a computer site?
A. It should be in the basement or on the ground floor.
B. It should maximize the visibility of the computer.
C. It should minimize the distance that data control
personnel must travel to deliver data and reports and be easily
accessible by a majority of company personnel.
D. It should provide security.

The computer and other peripheral pieces of hardware
should be protected from disasters such as fire, flood,
sabotage, and theft. Thus, the primary consideration for
selecting a computer site should be the security of the computer
facility.

Answer A is incorrect because the basement or the ground
floor is not always a secured place. For example, installing a
computer facility on the ground floor or in the basement of
an old office building in Malabon City could be disastrous
because of frequent flooding.

Answer B is incorrect because maximizing the visibility of
the computer would be an invitation to burglars and other
computer criminals.

Answer C is incorrect because a majority of entity personnel
need not have easy access to the computer site since only
authorized personnel should be allowed in the computer
facility.

66. Which of the following statements regarding security
concerns for notebook computers is false?
A. The primary methods of control usually involve
application controls.
B. Centralized control over the selection and acquisition of
hardware and software is a major concern.
C. Some conventional controls such as segregation of duties
may not be feasible.
D. As their use becomes more sophisticated, the degree of
concern regarding physical security increases.

General controls apply to all CIS activities. Given the nature
of notebook computers, general controls to prevent theft of
equipment and data and restrict access to the use of
equipment and data must be the primary concerns.

67. The following are a database administrator's responsibilities,
except
A. Develop application programs to access the database.
B. Design the content and organization of the database.
C. Protect the database and its software.
D. Monitor and improve the efficiency of the database.

Systems analysts and programmers, not a database
administrator, have the responsibility of developing application
programs to access the database.

Answers B, C, and D are incorrect because designing the
content and organization of the database; protecting the
database and its software; and monitoring and improving the
efficiency of the database are appropriate responsibilities of a
database administrator.

68. Which of the following groups should have the operational
responsibility for the accuracy and completeness of
computer-based information?
A. External auditors
B. Internal auditors
C. Users
D. Top management

Users are in the best position to review the accuracy and
completeness of computer output in relation to the input
provided. Thus, the operational responsibility for the
accuracy and completeness of computer-based information
should be placed on users.

Answer A is incorrect because the primary purpose of
external auditing is the expression of an opinion on an entity's
financial statements.

Answer B is incorrect because internal auditing is an
independent appraisal activity within an organization. Therefore,
internal auditors should not have operational
responsibility.

Answer D is incorrect because top management is
responsible for the overall control of the CIS.

69. An inexperienced computer operator mounted an incorrect
version of the accounts receivable master file on a tape drive
during processing. Consequently, the entire processing run
had to be repeated at a prohibitive cost. Which of the
following software controls would be most effective in
preventing this type of operator error from affecting the processing
of files?
A. File header and label check
B. Data transmission check
C. Memory isolation protection
D. Unauthorized access protection

An effective control to reduce the risk of mounting an
incorrect version of a master file is the use of external, header,
and trailer labels. An external label is a human-readable
label written on a gummed paper to be attached to the file.
A header label is a machine-readable label at the beginning
of a file that identifies it. A trailer label is also a
machine-readable label at the end of a file containing control totals
and record counts.

Answer B is incorrect because only the accuracy of the
communication is verified by a data transmission check.

Answer C is incorrect because memory isolation protection
(also called boundary protection) ensures that while multiple
jobs are running simultaneously, the memory partition
allocated to each job is not changed.

Answer D is incorrect because access controls (for example,
the use of personal identification codes such as passwords
and PINs) ensure that unauthorized access to programs and
files is prevented.

70. Which of the following is the best method to prevent
unauthorized alteration of online records?
A. Computer sequence checks
B. Computer matching
C. Database access controls
D. Key verification

Unauthorized access to online records can be prevented by
establishing and implementing access controls to ensure
that only authorized personnel have access to the company's
database.

71. Which of the following would least likely ensure the
development of an effective application system?
A. Involvement of management in the development stage.
B. Active participation by user departments in the
development stage.
C. Post-implementation reviews.
D. Prioritization of application systems to be developed.

An effective application system is one that meets the
organization's objectives. The order in which the applications are
implemented does not necessarily influence a system's
effectiveness.

Answer A is incorrect because the involvement of management
assures that proper resources will be made available
during development.

Answer B is incorrect because active participation by users
will assure that their information needs (i.e., the system's
objectives) will be satisfied.

Answer C is incorrect because post-implementation reviews
are necessary to ensure that a newly developed application
system includes appropriate controls and meets management
directives.

72. Which of the following would most likely cause a problem in
the computer program development process?
A. User specifications are inadvertently misunderstood.
B. Programmers use specialized application tools to simulate
the system being developed.
C. Programmers take a longer amount of time to develop
the computer program than expected.
D. Written user specifications are used to develop detail
program code.

Program development involves coding programs in accordance
with user specifications. Thus, a misunderstanding
about user specifications can have fundamental and pervasive
repercussions.

Answer B is incorrect because using specialized application
simulation tools should prevent problems.

Answer C is incorrect because although taking a longer
amount of time to develop the computer program than
expected is undesirable, it does not necessarily preclude the
achievement of objectives.

Answer D is incorrect because the system design should
incorporate user specifications.

73. Which of the following controls would most likely provide
protection against unauthorized changes in production
programs?
A. Restricting programmer access to the computer room.
B. Requiring two operators to be present during equipment
operation.
C. Limiting program access solely to operators.
D. Implementing management review of daily run logs.

The risk of unauthorized changes will be reduced if systems
analysts, programmers, and others are denied access to the
resident production programs. However, computer operators
should have access to the production programs in order
to run the programs.

Answers A and B are incorrect because unauthorized changes
to production programs can be made by programmers at
terminals regardless of whether they are denied access to
the computer room and regardless of whether two operators
are present during equipment operation.

Answer D is incorrect because management review of
computer (console) logs, not run logs, would be an effective
control.

74. Which of the following would most likely indicate that a
computer virus is present?
A. Numerous copyright violations due to unauthorized use
of purchased software.
B. Unexplained losses of or changes to data.
C. Frequent power surges that harm computer equipment.
D. Inadequate backup, recovery, and contingency plans.

A virus is a program that attaches itself to a legitimate
program to penetrate the operating system and cause destruction
to the operating system, application programs, and data
files. For example, a virus can simply copy itself a number of
times within the main memory to destroy resident programs
and data.

Answers A, C, and D are incorrect because copyright
violations, frequent power surges, and inadequate backup,
recovery, and contingency plans are not indicators of a
computer virus.

75. Which of the following operating procedures would most
likely increase an entity's exposure to computer viruses?
A. Downloading public-domain software from electronic
bulletin boards.
B. Installing original copies of purchased software on hard
disk drives.
C. Frequent backup of files.
D. Encryption of data files.

Personal computers are a major source of virus penetration.
Downloading public-domain software carries a risk that
virus-infected data may enter the system.

Answer B is incorrect because original copies of purchased
software should be virus-free.

Answers C and D are incorrect because viruses are spread
through distribution of infected files, not through encryption
or frequent backup of files.

76. An entity installed antivirus software on all its personal
computers. The software was designed to prevent initial
infections, stop replication attempts, detect infections after their
occurrence, mark affected system components, and remove
viruses from infected components. The major risk in relying
on antivirus software is that it may
A. Consume too many system resources.
B. Interfere with system operations.
C. Not detect certain viruses.
D. Make software installation too complex.

Antiviral programs (also called vaccines) are used to
examine application and operating system programs for the
presence of viruses and remove them from the affected
program. However, a vaccine works only on known viruses and
there is no guarantee that it will work if a virus has been
mutated.

Answers A and B are incorrect because antiviral software
can be set to execute at startup so as not to consume too
many system resources.

Answer D is incorrect because installation of antiviral
software is not an overly complex process.

77. The accountant who prepared a spreadsheet model for
workload forecasting left the company, and his successor
was unable to understand how to use the spreadsheet. The
best control to permit new employees to understand
internally developed programs is
A. Adequate backups are made for spreadsheet models.
B. Use of end-user computing resources is monitored.
C. End-user computing efforts are consistent with strategic
plans.
D. Documentation standards exist and are followed.

Because of inadequate program documentation, the
accountant's successor could not use the spreadsheet model.
New employees will be able to understand internally developed
programs if documentation standards exist and are being
followed.

Answer A is incorrect because the accountant's successor
could not use the spreadsheet model due to inadequate
documentation, not inadequate backups.

Answer B is incorrect because monitoring means controlling
the use of resources.


Answer C is incorrect because ensuring consistency with
strategic plans relates to the system's effectiveness.

78. What is the appropriate term for the process of monitoring,
evaluating, and modifying a system?
A. Feasibility study
B. Maintenance
C. Implementation
D. Analysis

Systems maintenance means keeping a new system that has
been designed and implemented current with user needs.
This basically involves revising the system and application
programs to meet new user needs and to correct design
errors. The responsibility for systems maintenance is
assumed by systems analysts and programmers.

Answer A is incorrect because a feasibility study is made ~o


determine the technical, legal, operational, and sche·d~. e
(i.e., the company's ability to implement the project wit in
an acceptable time) feasibility of a proposed system.
tiOO in·
Answer C is incorrect because system implementa . 05 .
. r at10 ·
volves data c?nversion; cod ing a nd test1~~ app icm loY-
purchase and mstallation of equipment; trammg of e P5ys·
ees; system documentation; and installation of the new
tern.
. ·nvoJves a
Answer D is incorrect because systems analysis 1 , needs,
5
survey of the current system, an analysis of the user
and gathering and evaluation of facts.

79. Program documentation is a control designed primarily to
provide reasonable assurance that
A. Programs are kept up to date and perform as intended.
B. No one uses the computer hardware for personal
reasons.
C. Programs are free of syntax and logic errors.
D. Programmers have access to operational materials.

Program documentation provides detailed information
about each application program including the source
program, file formats and record layouts, program flowcharts,
written authorizations for all program changes, and
operating instructions. For a computer system to operate
efficiently, adequate and up-to-date program documentation is
necessary.

Answer B is incorrect because program documentation
cannot ensure security of computer hardware.

Answer C is incorrect because debugging should uncover
errors in programs.

Answer D is incorrect because programmers should not
have access to operational materials such as the tape library
or information on disk files.

80. An entity updates its accounts receivable master file weekly
and retains the master files and corresponding update
transactions for the most recent two-week period. The purpose
of this periodic retention of master files and transaction data
is to
A. Validate groups of update transactions for each version.
B. Permit reconstruction of the master file if needed.
C. Verify run-to-run control totals for receivables.
D. Match internal labels to avoid writing on the wrong
volume.

The grandparent-parent-child approach (also called
grandfather-father-son approach) is used in sequential file
batch systems. This backup technique begins when the
current master file (the parent) is processed against a
transaction file to create a new updated master file (the child).
When a new batch of transactions is processed, the child
becomes the parent (the current master file), and the parent
(the original master file) becomes the grandparent or
backup file.

As described, the grandparent-parent-child backup
technique involves the creation and retention of three
generations of master files to enable reconstruction of a
destroyed or corrupted master file.

The systems designer is responsible for determining the
number of backup files needed for each application. The
designer should consider the degree of file activity and the
financial relevance of the system in making such a decision.

Answers A and D are incorrect because validation routines
and internal labels may prevent data from being destroyed
but do not allow recovery of lost or destroyed data.

Answer C is incorrect because verification of run-to-run
totals ensures completeness of processing, not data recovery.
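
The reconstruction that three retained generations make possible, as an added sketch that is not part of the reviewer. The class and function names, the SHA-256 digest used to tell an intact generation from a damaged one, and the account balances are assumptions constructed for illustration.

```python
import hashlib
import json
from decimal import Decimal


def apply_batch(master, transactions):
    """Process a master file against a transaction file; return the new master."""
    updated = dict(master)
    for account, amount in transactions:
        updated[account] = updated.get(account, Decimal("0.00")) + Decimal(amount)
    return updated


def digest(master):
    """SHA-256 over a canonical rendering, recorded when a generation is written."""
    canonical = json.dumps(sorted((k, str(v)) for k, v in master.items()))
    return hashlib.sha256(canonical.encode()).hexdigest()


class GenerationStore:
    """Retains three master-file generations and the batches that link them."""

    KEEP = 3  # grandparent, parent, child

    def __init__(self, master):
        self.masters = [dict(master)]   # oldest generation first
        self.digests = [digest(master)]
        self.batches = []               # batches[i] turns masters[i] into masters[i + 1]

    def weekly_update(self, transactions):
        """Parent + transaction file -> child; the oldest generation ages out."""
        child = apply_batch(self.masters[-1], transactions)
        self.masters.append(child)
        self.digests.append(digest(child))
        self.batches.append(list(transactions))
        if len(self.masters) > self.KEEP:
            self.masters.pop(0)
            self.digests.pop(0)
            self.batches.pop(0)
        return child

    def reconstruct_current(self):
        """Rebuild the current master from the newest intact older generation."""
        for start in range(len(self.masters) - 2, -1, -1):
            if digest(self.masters[start]) != self.digests[start]:
                continue                # this backup is damaged too, go one back
            rebuilt = self.masters[start]
            for batch in self.batches[start:]:
                rebuilt = apply_batch(rebuilt, batch)
            if digest(rebuilt) == self.digests[-1]:
                self.masters[-1] = rebuilt
                return rebuilt
        raise RuntimeError("no intact generation to rebuild from")


def demo():
    """Constructed receivables balances, two weekly batches, two failures."""
    store = GenerationStore({"C001": Decimal("100.00"), "C002": Decimal("250.00")})
    store.weekly_update([("C001", "50.00"), ("C003", "75.00")])
    expected = dict(store.weekly_update([("C002", "-250.00"), ("C001", "10.00")]))

    store.masters[-1]["C001"] = Decimal("9999.00")   # current master corrupted
    from_parent = store.reconstruct_current()

    store.masters[-1] = {}                           # current master destroyed
    store.masters[-2]["C003"] = Decimal("0.00")      # parent damaged as well
    from_grandparent = store.reconstruct_current()
    return expected, from_parent, from_grandparent


if __name__ == "__main__":
    expected, from_parent, from_grandparent = demo()
    print("rebuilt from parent:     ", from_parent == expected)
    print("rebuilt from grandparent:", from_grandparent == expected)
```

Rebuilding from the grandparent only works because the intervening transaction files were retained along with the master files.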

81. An entity's contingency plans for computer information
systems should include appropriate backup arrangements.
Which of the following arrangements would be considered
too vendor-dependent when vital operations require almost
immediate availability of computer resources?
A. A "cold site" arrangement.
B. A "hot site" arrangement.
C. A "cold and hot site" arrangement.
D. Using excess capacity at another data center within the
entity.

A "cold site" is a backup facility that has all the needed
computer resources in place except the computer
equipment. This backup arrangement is too vendor-dependent
because it relies on the vendor's timely delivery of the
needed computer equipment.

Answer B is incorrect because a "hot site" backup facility
has all the needed resources in place, including the
computer equipment, and is therefore not vendor-dependent.

Answer C is incorrect because a "cold and hot site" backup
facility has a "hot site" component that is fully configured
and available for immediate use while the "cold site" is
being configured, making it not too vendor-dependent.

Answer D is incorrect because having excess capacity at
another data center within an entity means that there are
available resources that can be used.

82. Which of the following is the primary objective of security
software?
A. To detect the presence of computer viruses.
B. To monitor the segregation of functional responsibilities
within applications.
C. To prevent installation of unauthorized utility software.
D. To control access to information system resources.

The primary objective of security software is to keep
unauthorized intruders from accessing information system
resources and data files.

Answer A is incorrect because antiviral software, not
security software, detects the presence of computer viruses.

Answer B is incorrect because security software can be used
to establish, not monitor, separation of duties.

Answer C is incorrect because security software can be used
to control the use of utility software, not to prevent
installation of unauthorized utility software.

83. All administrative and professional staff in an entity's legal
department prepare documents on terminals connected to a
host LAN file server. Which of the following is the best
control over unauthorized access to sensitive documents in the
system?
A. Required entry of passwords for access to the system.
B. Required entry of passwords for access to individual
documents.
C. Physical security for all disks containing document files.
D. Periodic server backup and storage in a secure area.

Effective access controls normally require different
passwords to access the system to read certain data files, and
other information system resources. The control over
unauthorized access to sensitive documents is required
password entry for access to individual documents.

Answer A is incorrect because required entry of passwords
for access to the system allows all departmental personnel
to gain access to all documents in the system.

Answer C is incorrect because a LAN may not use floppy
disks.

Answer D is incorrect because although periodic server
backup and storage in a secure area is a good
security/backup control procedure, it would not prevent
intruders from accessing sensitive documents online.

84. An internal auditor has just concluded a physical security
audit of a data center which is primarily engaged in
top-secret defense contract work. The auditor has
recommended biometric authentication for workers entering the
building. The recommendation might include devices that verify
all of the following, except
A. Fingerprints
B. Password patterns
C. Speech patterns
D. Retina patterns

The use of biometric devices is considered the ultimate in
user authentication procedures. These devices are used to
establish an individual's identity by measuring various
personal characteristics, such as fingerprints, voiceprints,
retina prints, or signature characteristics.

85. Which of the following best describes the process called au-
thentication?
A. The system verifies the identity of the user.
B. The user identifies himself/herself to the system.
C. The user indicates to the system that the transaction
was processed correctly.
D. The system verifies that the user is entitled to enter the
transactions requested.

Authentication is the process of verifying the identity of
the user. Biometric devices are used to authenticate an
individual's identity using physiological or behavioral traits
such as retina patterns, fingerprints, and speech patterns.

Answer B is incorrect because when a user identifies
himself/herself to the system, it does not necessarily mean that
the system verifies his/her identity.

Answer C is incorrect because this is an application control
that relates to the accuracy of processing transactions.

Answer D is incorrect because authentication does not
necessarily include determining the functions of a user whose
identity has been verified.

86. Which of the following assurances is not provided by an
application control?
A. Review and approval procedures for new systems are set
by policy and adhered to.
B. Authorized transactions are completely processed once
and only once.
C. Transaction data are complete and accurate.
D. Processing results are received by the intended user.

Review and approval procedures for new systems are
controls over systems development and maintenance, which is
one of the general controls.

Answers B, C, and D are incorrect because these are the
objectives of application controls.

87. Data processing activities may be classified in terms of three
stages or processes: input, processing, and output. Which of
the following activities is not normally associated with the
input stage?
A. Recording
B. Batching
C. Reporting
D. Verifying

Reporting is normally associated with the output stage.
Output is the result of computer processing, for example, a
hard copy printout of a report, magnetic files, or invoices.

Answers A, B, and D are incorrect because recording,
batching, and verifying are normally associated with the input
stage.

88. Which of the following is the purpose of input controls?
A. To ensure the authorization of access to data files.
B. To ensure the completeness, accuracy, and validity of
updating.
C. To ensure the completeness, accuracy, and validity of
input.
D. To ensure the authorization of access to program files.

Input controls are designed to provide reasonable
assurance that data received for computer processing are
complete, accurate, and valid.

Answers A and D are incorrect because ensuring the
authorization of access to data and program files is the
objective of access controls.

Answer B is incorrect because ensuring the completeness,
accuracy, and validity of updating is the objective of
processing controls.

89. If a control total were to be computed on each of the
following data items, which would best be identified as a hash
total for a payroll IT application?
A. Employee numbers.
B. Total debit and credit amounts.
C. Gross wages earned by employees.
D. Total hours worked.

90. An entity uses the account code 699 for depreciation ex-
pense. However, one of the company data input clerks of-
ten codes depreciation expense as 996. The highest ac-
count code in the company's system is 700. What pro-
grammed control procedure would detect this error?
A. Pre-data input check.
B. Sequence check.
C. Valid-code test.
D. Valid-character test.

91. Which of the following provides the most valuable
information for detecting unauthorized input from a terminal?
A. User error report
B. Transaction log
C. Error file
D. Console log printout

A transaction log is a permanent record of all completely
validated transactions received for computer processing.
Subsequent comparison of the transaction log with
authorized transactions such as authorized source documents will
detect unauthorized input from a terminal.

Answer A is incorrect because a user error report only lists
input that fails the validation tests.

Answer C is incorrect because an error file is used to store
and correct error records detected during validation.

Answer D is incorrect because a console log is a record of
computer and software usage. It does not record individual
transactions transmitted from a terminal.

92. Many customers, managers, employees, and suppliers have
blamed the computer for making errors. In reality,
computers make very few mechanical errors. Which of the
following is the most likely source of errors in a fully operational
computer-based system?
A. Systems analysis and programming
B. Operator error
C. Processing
D. Input

It is garbage-in, garbage-out in computer processing:
erroneous input results in erroneous output.

Answer A is incorrect because proper design and
implementation of computer programs would eliminate most syntax
and logic errors or bugs.

Answer B is incorrect because operator (run) manuals,
which describe how to run the system, decrease the chance
of operator error.

Answer C is incorrect because, once a program has been
thoroughly tested (for example, by creating hypothetical
master files and transaction files to be processed by the
program being tested), the processing of appropriate data
does not result in errors.

93. Data conversion is the transcription of transaction data from
source documents to magnetic tape or disk suitable for
computer processing. Which of the following data
conversion methods is most difficult to audit?
A. Keying data to disk for online processing.
B. Keying data to disk for batch processing.
C. Reading source data using optical character recognition.
D. Keying data to source documents for magnetic ink
character recognition.

Data conversion in online systems is difficult to audit
because there is usually no visible audit trail. Transactions are
transmitted directly from terminals and hard copy source
documents are often lacking.

Answer B is incorrect because keying data to disk for batch
processing creates records that can be readily tested.

Answer C is incorrect because hard copy source documents
are retained in optical character recognition. Moreover, this
method reduces the risks of conversion error.

Answer D is incorrect because magnetic ink character
recognition provides hard copy source documents that can
be used for audit purposes.

94. Which of the following best describes the online data
processing control called preformatting?
A. The display of a document with blanks for data items to
be entered by the terminal operator.
B. A program initiated prior to regular input to discover
errors in data before entry so that the errors can be
corrected.
C. A series of requests for required input data that requires
an acceptable response to each request before a
subsequent request is made.
D. A check to determine if all data items for a transaction
have been entered by the terminal operator.

A preformatted screen approach may be used in online
systems to avoid data entry errors. Under this approach,
blanks for specified data items will be displayed on the
monitor. This is most appropriate when data entry is from a
source document. Moreover, the screen format may even be
in the form of a transaction document.

Answer B is incorrect because an edit/validation routine
is a program initiated prior to regular input to discover
errors in data before entry so that errors can be corrected.

Answer C is incorrect because the dialogue approach is
another screen prompting method that is most appropriate
for data received orally, e.g., by phone.

Answer D is incorrect because a check to determine if all
data items for a transaction have been entered by the terminal
operator is called a completeness check.

95. When erroneous data are detected by computer program
controls, such data may be excluded from processing and
printed on an error report. Who should review and follow up
this error report?
A. Systems analyst
B. Data control group
C. Computer operator
D. Computer programmer

Many entities have a data control group (independent of the
computer processing operation) that acts as liaison between
the end user and data processing.

The data control group is responsible for receiving
transaction documents from users for processing and for controlling
the distribution of computer output such as documents and
reports. It is responsible for following up error reports to
ensure that erroneous records are corrected by users and
reprocessed by the computer center.

Answers A, C, and D are incorrect because systems analysts,
computer operators, and computer programmers are not
independent of computer operations.

96. If a payroll system continues to pay employees who have
been terminated, control weaknesses most likely exist
because
A. Input file label checking routines built into the program
were ignored by the operator.
B. Programmed controls such as limit checks should have
been built into the system.
C. Procedures were not implemented to verify and control
the receipt by the computer processing department of all
transactions prior to processing.
D. There were inadequate manual controls maintained
outside the computer system.

In a payroll system, the authorization to pay employees
should come from the personnel department, which is
external to the computer processing department. Hence,
inadequate controls maintained outside the computer system
are likely to allow the payments to terminated employees to
continue without being detected.

Answers A, B, and C are incorrect because the use of input
file labels, limit checks, and batch totals will not detect
unauthorized transactions.

97. In the accounting system of Samantha Company, the
amounts of cash disbursements entered at a computer
terminal are transmitted to the computer, which immediately
transmits the amounts back to the terminal for display on
the terminal screen. This display enables the operator to
A. Establish the validity of the account number.
B. Prevent the overpayment of the account.
C. Verify the accuracy of the amount entered.
D. Verify the authorization of the disbursement.

Displaying the amounts entered on the terminal screen
allows the terminal operator to visually verify the accuracy of
the amounts entered.

98. Which of the following input validation checks is least likely
to be appropriate in an online, real-time system?
A. Sign check
B. Sequence check
C. Reasonableness check
D. Redundant data check

The sequence check control is appropriate only in systems
that use sequential master files. This control determines if
the records are in proper order by comparing the sequence
of each record in the batch with the previous record.
Because records are not processed sequentially in an online,
real-time system, this control is not likely to be appropriate.

Answers A, C, and D are appropriate in an online, real-time
system.

A sign check tests data to determine if they have the
appropriate arithmetic sign.

A reasonableness check determines if an amount falls
within predefined limits. For example, the number of hours
worked in a single day should be neither less than zero nor
more than 12.

A redundancy check assures that an application processes
each record only once.

99. A receiving clerk keyed in a shipment from a remote
terminal and inadvertently omitted the purchase order number.
Which of the following controls would most likely detect this
error?
A. Completeness check
B. Compatibility check
C. Sequence check
D. Reasonableness test

A completeness test identifies missing data within a single
transaction record (for example, missing purchase order
number on the shipping document) or records within a
batch of transaction data.

Answer B is incorrect because a compatibility check (also
called field test) determines whether a field contains proper
characters.

Answer C is incorrect because a sequence check determines
if records have been properly sorted.

Answer D is incorrect because a reasonableness test
determines if the value is within predetermined limits.

100. A wholesaler of automotive parts has a computerized billing
system. Because of a clerical error while entering
information from the sales order, one of its customers was billed
for only three of the five items ordered and received. Which
of the following controls could have prevented or promptly
detected this clerical error?
A. Periodic comparison of total accounts receivable per
accounts receivable master file with total accounts
receivable per accounts receivable control account.
B. A completeness check that does not allow a sales invoice
to be processed if key fields are blank.
C. Prenumbered shipping documents together with a
procedure for follow up anytime there is not a one-to-one
relationship between shipping documents and sales
invoices.
D. Matching line control counts produced by the computer
with predetermined line control counts.

A line control count could have prevented or promptly
detected the clerical error. This control technique involves a
count of individual line items on a document. Missing lines
can be detected by simply comparing these counts with
predetermined line control counts for each document.

Answer A is incorrect because the three-item sales invoice
would be the basis for updating both the accounts
receivable master file and control account. Hence, no discrepancy
would be disclosed by the comparison.

Answer B is incorrect because a completeness check would
not detect the billing error because other sales invoices may
properly contain three or fewer lines.

Answer C is incorrect because although the sales invoice has
missing lines, it exists and can be matched with the shipping
document.

101. Which of the following computerized control procedures
would most likely provide reasonable assurance that data
uploaded from personal computers to a mainframe are
complete and that no additional data are added?
A. Field-level edit controls that test each field for
alphanumerical integrity.
B. Self-checking digits to ensure that only authorized part
numbers are added to the database.
C. Batch control totals, including financial totals and hash
totals.
D. Passwords that effectively limit access to only those
authorized to upload the data to the mainframe.

Batch totals, which consist of record counts, financial or
control totals, and hash totals, can be used to ensure the
accuracy and completeness of data uploaded from personal
computers to a mainframe. After the uploading process,
these totals are reconciled with predetermined totals to test
if the data have been completely transferred.

A record count (also called item count) is the total number
of records in a batch.

A financial or control total is the total peso value of a
financial field, for example, the total sales invoice amounts.

A hash total is the total of a unique nonfinancial field, for
example, the total of purchase order numbers in a batch.

Answers A, B, and D are incorrect because they do not
provide assurance about the completeness of data uploaded.
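
The reconciliation of batch totals after an upload, as an added example that is not part of the reviewer. The record layout (purchase order number, amount), the function names and the sample batch are assumptions constructed for illustration.

```python
from decimal import Decimal

TOTAL_NAMES = ("record_count", "financial_total", "hash_total")


def batch_totals(records):
    """Compute the three batch control totals for (po_number, amount) records."""
    return {
        # Record count: number of records in the batch.
        "record_count": len(records),
        # Financial total: sum of a money field, kept exact with Decimal.
        "financial_total": sum((Decimal(amount) for _, amount in records),
                               Decimal("0.00")),
        # Hash total: sum of a nonfinancial field; meaningless as a number,
        # useful only for comparison.
        "hash_total": sum(po_number for po_number, _ in records),
    }


def reconcile(header, received):
    """Return the names of the control totals that disagree after the upload."""
    actual = batch_totals(received)
    return [name for name in TOTAL_NAMES if header[name] != actual[name]]


# Constructed batch prepared on the personal computer before uploading.
SENT = [
    (41021, "1500.00"),
    (41022, "320.50"),
    (41025, "89.99"),
    (41030, "2750.00"),
]


def upload_scenarios():
    """Reconcile the predetermined totals against several received batches."""
    header = batch_totals(SENT)          # predetermined totals sent with the batch
    received = {
        "complete upload": list(SENT),
        "record dropped": SENT[:-1],
        "record added": SENT + [(41031, "10.00")],
        "amount altered": [SENT[0], (41022, "3205.00")] + SENT[2:],
        # Same count and same amount, different purchase order number:
        # only the hash total notices.
        "wrong purchase order": SENT[:2] + [(41026, "89.99")] + SENT[3:],
    }
    return {name: reconcile(header, batch) for name, batch in received.items()}


if __name__ == "__main__":
    for name, mismatches in upload_scenarios().items():
        print(f"{name:22s} -> {mismatches or 'all totals agree'}")
```

The last scenario is why a hash total is kept alongside the record count and financial total: each total covers a kind of change the others cannot see.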

102. An entity's labor distribution report requires extensive
corrections each month because of labor hours charged to
inactive jobs. Which of the following data processing input
controls appears to be missing?
A. Validity check
B. Limit check
C. Missing data check
D. Control total

Validity checks compare actual values in a field (for
example, a transaction code) against acceptable (valid) values in
the master file. If the value in the field does not match one
of the acceptable values, the record is considered to be in
error. If the computer checks first for validity of the jobs,
labor hours would not be erroneously assigned to inactive
jobs.

Answer B is incorrect because a limit check determines if
the value in the field exceeds a predetermined limit.

Answer C is incorrect because missing data checks are
used to determine if a field contains blank spaces. The
computer considers a record in error if blanks are detected
where data values are expected.

Answer D is incorrect because control totals are used to
reconcile computer input with processing results.

103. If, in reviewing an application system, it is noted that batch
controls are not used, which of the following statements by
the user of the system is acceptable as a compensating
control?
A. "The volume of transactions prohibits batching."
B. "We do a 100% physical review of the input document to
the output document."
C. "We do a 100% key verification of all data input."
D. "The supervisor must approve all inputs."

A 100% physical review of the input document to the output
document will provide evidence that all records are
completely and accurately processed. Thus, this procedure will
compensate for the lack of batch control totals.

Answer A is incorrect because the use of batch control totals
is most appropriate in managing high volumes of
transaction data.

Answer C is incorrect because a 100% key verification does
not assure that all records submitted for processing were
keypunched.

Answer D is incorrect because the supervisor's approval of
all inputs does not assure that all approved inputs were
processed.

104. A mail-order retailer of low-cost novelty items is receiving an
increasing number of complaints from customers about the
wrong merchandise being shipped. The order code for items
has the format WWXXYYZZ which has the following
meaning:
WW major category
XX minor category
YY identifies the item
ZZ identifies the catalog

In many cases, the wrong merchandise was sent because
adjacent characters in the order code had been transposed.
The most effective control to prevent this erroneous input is
to
A. Use a master file reference for order codes to verify
the existence of items.
B. Separate the parts of the order code with hyphens to
make the characters easier to read.
C. Add check digits to the order codes and verify them for
each order.
D. Require customers to specify the name for each item
they order.

Transposition errors can corrupt data codes and cause
serious data processing problems if they go undetected.

An effective control to detect data coding errors is to add
a check digit (or digits) to a data code.

The check digit is the result of the mathematical calculation
done based on the original data code (the simplest form is to
add all the digits in the code). During the input process, the
system recalculates the check digit for each input and
compares the result with the check digit attached to the data
code entered.

Answer A is incorrect because order codes containing
transposed characters may match other items in the file.
Thus, the use of a master file reference code would not
detect erroneous order codes.

Answer B is incorrect because the use of hyphens would
make the order code easier to read, but would not detect
order codes with transposed characters.

Answer D is incorrect because requiring customers to
specify the name for each item they order would generally not
allow detection of erroneous codes.
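
The check-digit recalculation described above, as an added example that is not part of the reviewer. A plain sum of the digits does not change when two adjacent digits swap places, so catching transpositions takes a position-weighted calculation; the modulus-11 weighting, the function names and the sample order codes here are assumptions constructed for illustration.

```python
"""Check digits for 8-digit WWXXYYZZ order codes (constructed example)."""


def digit_sum_check(code):
    """Simplest form: add all the digits, keep the last digit of the sum."""
    return str(sum(int(ch) for ch in code) % 10)


def weighted_mod11_check(code):
    """Position-weighted form: weights 2, 3, 4... from the right, modulus 11."""
    total = sum(weight * int(ch)
                for weight, ch in enumerate(reversed(code), start=2))
    return "0123456789X"[total % 11]       # X stands for a remainder of 10


def is_valid(keyed, scheme):
    """Recalculate the check character for a keyed code and compare."""
    body, check = keyed[:-1], keyed[-1:]
    return len(body) == 8 and body.isdigit() and scheme(body) == check


def adjacent_transpositions(code):
    """Every code obtainable by swapping two unequal neighbouring digits."""
    return [code[:i] + code[i + 1] + code[i] + code[i + 2:]
            for i in range(len(code) - 1) if code[i] != code[i + 1]]


def undetected_transpositions(codes, scheme):
    """Keying errors, as (correct code, keyed code), that still pass validation."""
    missed = []
    for code in codes:
        check = scheme(code)               # printed in the catalog with the code
        for wrong in adjacent_transpositions(code):
            if is_valid(wrong + check, scheme):
                missed.append((code, wrong))
    return missed


# Constructed master file: 12435678 is itself a real item, one swap away
# from 12345678, so an existence lookup accepts the mistyped code.
MASTER_FILE = ["07153490", "12345678", "12435678", "40170923"]


def exists_in_master_file(code):
    """Master file reference: true if the keyed code is some item's code."""
    return code in MASTER_FILE


if __name__ == "__main__":
    for scheme in (digit_sum_check, weighted_mod11_check):
        missed = undetected_transpositions(MASTER_FILE, scheme)
        print(scheme.__name__, "misses", len(missed), "of 28 transpositions")
    print("master file accepts 12435678:", exists_in_master_file("12435678"))
```

With weights that differ by one between neighbouring positions, swapping digits a and b shifts the weighted sum by their difference, which is never a multiple of 11 for two different digits.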

105. Which of the following is the major purpose of the auditor's
study and evaluation of the company's computer processing
operations?
A. Ensure the exercise of due professional care.
B. Evaluate the reliability and integrity of financial
information.
C. Become familiar with the company's means of
identifying, measuring, classifying, and reporting information.
D. Evaluate the competence of computer processing
operating personnel.

The auditor studies and evaluates information systems
primarily to ascertain whether financial data are accurate,
reliable, timely, and complete.

Answer A is incorrect because auditors are required to
exercise due professional care in all audits.

Answer C is incorrect because becoming familiar with the
company's information system is a means to achieve the
auditor's principal objective.

Answer D is incorrect because evaluating the competence of
computer processing operating personnel is not the
auditor's primary purpose of evaluating the company's
information system.

106. When the auditor chooses to use only the non-IT segment of
a client's control to assess control risk, it is referred to as
auditing around the computer. Which one of the following
conditions need not be present to apply this audit
approach?
A. The output must be listed in sufficient detail to enable
the auditor to trace individual transactions.
B. The source documents must be filed in a manner that
makes it possible to locate them.
C. The source documents must be available in a
non-machine language.
D. Computer programs must be available in English.

107. The following statements relate to the auditor's assessment
of control risk in an entity's computer environment. Which is
correct?
A. The auditor usually can ignore the computer system if
he/she can obtain an understanding of the controls
outside the computer information system.
B. If the general controls are ineffective, the auditor
ordinarily can assess control risk at a low level if the
application controls are effective.
C. The auditor's objectives with respect to the assessment
of control risk are the same as in a manual system.
D. The auditor must obtain an understanding of the internal
control and test controls in computer environments.

The overall objective and scope of an audit does not change
in a CIS environment. Regardless of the information system
used by the entity, manual or computerized, the auditor is
required to obtain an understanding of internal control and
assess control risk to plan the audit.

Answer A is incorrect because, when an entity's computer
information system is significant (i.e., it has a material effect
on financial statement assertions), the auditor is required to
obtain an understanding of the CIS environment and
determine whether it may influence the assessment of inherent
and control risks.

Answer B is incorrect because, if general controls are
ineffective, the auditor is unlikely to assess control risk at a low
level, regardless of whether application controls have been
designed and implemented for each significant accounting
application.

Answer D is incorrect because tests of controls should be
performed only when the auditor's risk assessment includes
an expectation of the operating effectiveness of controls
(i.e., control risk is assessed at below the maximum), or
when substantive procedures alone do not provide
sufficient appropriate audit evidence at the assertion level.

108. Computer programs and data that the auditor may use as
part of the audit procedures to process data of audit
significance contained in an entity's information system are called
A. CAATs
B. DOOGs
C. BIIKs
D. BIIRDs

Computer-assisted audit techniques (CAATs) are
computer programs and data that the auditor may use in
performing various audit procedures, including the following:
• tests of details of transactions and balances
• analytical review procedures
• tests of general and application controls
• sampling programs to extract data for audit testing
• reperformance of calculations performed by the
entity's accounting system

Answers B, C, and D are incorrect because DOOGs, BIIKs, and
BIIRDs are not used in information technology (IT).
. ftWare to
109. One common type of CAAT is the use of audit software to
process data of audit significance from the entity's
information system. An audit software that has widespread
popularity because it is easy to use and requires little computer
background on the part of the auditor; it can be used on
both mainframe and PC systems; it allows the auditor to
perform his/her tests independent of the entity's computer
processing personnel; and it can be used to audit the data in
most file formats and structures is called a
A. Customized program.
B. Purpose-written program.
C. Utility program.
D. Package or generalized audit software (GAS).
0

The ease of use and flexibility of generalized audit
software (GAS) make it very popular with auditors in the audit
of information technology (IT) environments. This audit
software is designed to perform common audit tasks or
standardized data processing functions, such as the following:
• reading data files
• selecting and analyzing information
• summarizing and totaling files
• performing or verifying calculations
• creating data files
• providing totals of unusual items
• reporting in an auditor-specified format

Answers A and B are incorrect because customized or
purpose-written programs are designed to perform audit tasks
in specific circumstances. These programs are used when
an entity's computer information system is so unique or
complex that any GAS is deemed unsuitable.

Answer C is incorrect because utility programs are part of
the operating system and security software packages that
are provided by computer manufacturers and software
vendors. This software performs routine data processing
functions, such as sorting, copying, creating, merging, erasing,
and printing files. It is not generally designed for audit
purposes and may not contain audit features, such as record
counts or control totals.

110. Customized or purpose-written programs perform audit tasks
in specific circumstances where package audit software is
deemed unsuitable, usually because system constraints make
it difficult or impossible to use. A purpose-written program
may be developed by

                                  A.    B.    C.    D.
The auditor                       No    Yes   Yes   No
The entity being audited          Yes   Yes   No    No
An outside programmer
hired by the auditor              Yes   Yes   No    No

111. These computer programs are enhanced productivity tools
that are typically part of a sophisticated operating systems
environment, for example, data retrieval software or code
comparison software.
A. Purpose-written programs
B. System management programs
C. Utility programs
D. Generalized audit software

112. Embedded audit routines are sometimes built into an entity's
computer information system to provide data for later use by
the auditor. One technique involves embedding audit software
modules within an application system to provide continuous
monitoring of the entity's transactions. These audit
modules are used to create logs that collect transaction
information for subsequent review by the auditor. These logs
are called
A. Systems control audit review files (SCARFs)
B. Console logs
C. Computer logs
D. IT logs


113. When an accounting application is processed by computer,
an auditor cannot verify the reliable operation of
programmed controls by
A. Periodically submitting auditor-prepared test data to the
   same computer process and evaluating the results.
B. Constructing a processing system for accounting applications
   and processing actual data from throughout the period
   through both the client's program and the auditor's
   program.
C. Manually comparing detail transaction files used by an
   edit program with the program's generated error listings
   to determine that errors were properly identified by the
   edit program.
D. Manually reperforming, as of a moment in time, the
   processing of input data and comparing the simulated
   results with the actual results.

The effectiveness of programmed controls may not be tested
if auditing around the computer (also called the black
box approach) is to be applied. This involves manual
comparison of the input data with the computer output.

Because programmed controls are built into the computer
program, the auditor should instead apply the white box
approach. This means that the auditor should have an
in-depth understanding of how the programmed controls
function and should consider using CAATs in testing their
effectiveness.

Answer A is incorrect because the use of the test data
approach is an effective method of evaluating the reliability of
programmed control procedures.

Answer B is incorrect because parallel simulation is also
an effective method of evaluating the reliability of
programmed controls.

Answer C is incorrect because manually comparing the
output of an auditor's edit program with the error listings
generated by the client's program would provide evidence
about the reliability of programmed controls.

114. Auditing through the computer must be used when
A. Generalized audit software is not available.
B. Processing is primarily online and updating is real-time.
C. Input transactions are batched and system logic is
   straightforward.
D. Processing primarily consists of sorting the input data
   and updating the master file sequentially.

Auditing through the computer involves an in-depth
understanding of the computer program's logic. This approach
is appropriate when a complex and significant application is
involved and evidence external to the computer system is
unlikely to be available, for example, in an online, real-time
system.

Answer A is incorrect because, in deciding on what audit
approach is appropriate (auditing through or around the
computer), the auditor determines whether evidence external
to the computer is available, not whether generalized
audit software is available.

Answer C is incorrect because, in a simple batch system,
auditing around the computer (the black box approach) is
appropriate because evidence external to the computer, such
as printouts and source documents, can be directly examined
by the auditor.

Answer D is incorrect because, when processing is simple
(for example, when files are stored and processed
sequentially), evidence outside the computer is likely to be
available.

115. When an auditor tests a computer information system, which
of the following is true of the test data approach?
A. Test data are processed by the client's computer
   programs under the auditor's control.
B. Several transactions of each type must be tested.
C. Test data must consist of all possible valid and invalid
   conditions.
D. The program tested is different from the program used
   throughout the year by the entity.

Under the test data approach, the auditor processes a
specially prepared set of input data containing possible valid
and invalid conditions using the client's application
program.

The results of each test are compared with predetermined
results, based on the auditor's understanding of the
programmed controls. This approach will allow the auditor to
make an objective evaluation of the program logic and the
effectiveness of programmed controls.

Answer B is incorrect because only one of each transaction
type needs to be tested and evaluated.

Answer C is incorrect because the auditor tests only those
controls that are relevant to the financial statement audit.

Answer D is incorrect because, if the program to be used for
testing is different from the program used throughout the
year by the client, no assurance can be obtained about the
effectiveness of programmed controls.

116. An auditor who is testing IT controls in a payroll system
would most likely use test data that contain conditions such
as
A. Payroll checks with unauthorized signatures.
B. Deductions not authorized by employees.
C. Time tickets with invalid job numbers.
D. Overtime not approved by supervisors.

117. Auditors have learned that increased computerization has
created more opportunities for computer fraud but has also
led to the development of computer audit techniques to
detect frauds. A type of fraud that has occurred in the banking
industry is a programming fraud in which the programmer
designs a program to calculate daily interest on savings
accounts to four decimal points. The programmer then
truncates the last two digits and adds it to his account balance.
Which of the following CAATs would be most effective in
detecting this type of fraud?
A. Generalized audit software that selects account balances
   for confirmation with the depositor.
B. Snapshot.
C. Parallel simulation.
D. SCARF (Systems Control and Audit Review File).

In parallel simulation, the auditor uses a specially
prepared computer program that simulates key features or
processes of the application program to be tested.

Program logic and controls are evaluated by comparing the
results of processing actual data using the simulation
program with the results of processing the same actual data
using the client's application program.

Parallel simulation is the most effective CAAT application
because the amounts credited to the depositors' accounts
can be compared with amounts calculated by the auditor's
simulation program.

Answer A is incorrect because confirmation of a depositor's
account balance may fail to detect errors involving a very
insignificant amount (i.e., less than one centavo daily).

Answers B and D are incorrect because SCARFs and
snapshots will not detect the computer fraud described.
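
The comparison described above, as an added example that is not part of the reviewer: an auditor-written program recomputes one day's interest from the master file and compares it, account by account, with the amounts the client's program posted. The account records, the posted amounts, the 365-day basis, and the round-half-up-to-the-centavo policy are constructed assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

CENTAVO = Decimal("0.01")

def simulate_daily_interest(balance, annual_rate):
    """Auditor's independent recomputation of one day's interest.

    Assumed policy (not from the reviewer): balance * rate / 365,
    rounded half-up to the nearest centavo.
    """
    raw = Decimal(balance) * Decimal(annual_rate) / Decimal(365)
    return raw.quantize(CENTAVO, rounding=ROUND_HALF_UP)

def parallel_simulation(master_file, client_postings):
    """Compare client-posted interest with the simulated amounts.

    Returns (exceptions, total_shortfall, systematic), where
    systematic is True when every difference is in the same
    direction (depositors under-credited), which random rounding
    differences would not produce.
    """
    exceptions = []
    total = Decimal("0.00")
    for acct in master_file:
        expected = simulate_daily_interest(acct["balance"], acct["rate"])
        posted = Decimal(client_postings[acct["id"]])
        diff = expected - posted
        if diff != 0:
            exceptions.append((acct["id"], expected, posted, diff))
            total += diff
    systematic = bool(exceptions) and all(e[3] > 0 for e in exceptions)
    return exceptions, total, systematic

# Constructed sample data: actual master-file records and the interest
# the client's application program credited to each depositor that day.
MASTER_FILE = [
    {"id": "SA-001", "balance": "125000.00", "rate": "0.0200"},
    {"id": "SA-002", "balance": "73000.00", "rate": "0.0200"},
    {"id": "SA-003", "balance": "48250.50", "rate": "0.0200"},
    {"id": "SA-004", "balance": "912345.67", "rate": "0.0250"},
]
CLIENT_POSTINGS = {
    "SA-001": "6.84",   # simulation expects 6.85
    "SA-002": "4.00",
    "SA-003": "2.64",
    "SA-004": "62.48",  # simulation expects 62.49
}

if __name__ == "__main__":
    found, shortfall, systematic = parallel_simulation(MASTER_FILE, CLIENT_POSTINGS)
    for acct_id, expected, posted, diff in found:
        print(f"{acct_id}: expected {expected}, posted {posted}, diff {diff}")
    print(f"total shortfall {shortfall}, one-directional: {systematic}")
```

Each exception is a single centavo, which is why confirming balances with depositors would miss it, while the one-directional pattern across accounts is what the simulation surfaces.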

118. To obtain evidence that online access controls are properly
functioning, an auditor is most likely to
A. Vouch a random sample of processed transactions to
   assure proper authorization.
B. Create checkpoints at periodic intervals after live data
   processing to test for unauthorized use of the system.
C. Enter invalid identification numbers or passwords to
   ascertain whether the system rejects them.
D. Examine the transaction log to discover whether any
   transactions were lost or entered twice because of a
   system malfunction.

The auditor can directly test whether online access controls
are properly functioning by attempting to gain access to the
system by using invalid identification numbers or
passwords.

Answer A is incorrect because unauthorized transactions
may be entered by any intruder who knows valid
identification numbers or passwords.

Answer B is incorrect because, in batch computer systems,
checkpoints are used as a recovery procedure.

Answer D is incorrect because examining the transaction log
to discover whether any transactions were lost or
duplicated would not determine if online access controls are
functioning effectively.

119. Which of the following CAATs allows fictitious and real trans-
actions to be processed together without the knowledge of
client operating personnel?
A. Data entry monitor
B. Integrated test facility (ITF)
C. Parallel simulation
D. Input control matrix

The integrated test facility (ITF) approach enables the
auditor to test a computer program's logic and controls during
its normal operation. Under this approach, fictitious
records for dummy units (for example, a division, a
department, or a dummy entity) are integrated with legitimate
records in the database.

During normal computer processing, test transactions are
merged with actual transactions and processed against the
dummy records in the master file.

Because computer applications with ITF can be tested
without intervention of operating personnel, ITF enhances audit
efficiency and increases the reliability of the audit evidence.

Answers A and D are incorrect because a data entry monitor
and input control matrix are not used by the auditor in
testing an entity's computer information system.

Answer C is incorrect because, in parallel simulation, real
(not fictitious) transactions are reprocessed.

120. In auditing an online perpetual inventory system, an auditor
selected certain file-updating transactions for detailed
testing. The audit technique that will provide a computer trail of
all relevant processing steps applied to a specific transaction
is called
A. Snapshot
B. Simulation
C. Tagging and tracing
D. Code comparison

Tagging and tracing involves selection of specific
transactions to be tagged (by attaching an indicator at input) and
traced through critical control points in the computer
information system.

The computer trail can be printed or stored in a computer
file for the auditor's evaluation.

Answers A, B, and D are incorrect because snapshot,
simulation, and code comparison do not provide a trail of all
relevant processing steps.

TRUE OR FALSE

1. A hash total is a numeric value computed to provide
assurance that the original value has not been altered in
construction or transmission.

2. General controls include data validation controls.

3. A limit or reasonableness test is a test to ensure that a
numerical value does not exceed some predetermined value.

4. The control environment component of internal controls
includes access to computer programs.

5. As opposed to a manual control, an automated control
should function consistently in the absence of program
changes.

6. The display monitor is a software component of a computer
system.

7. The systems analyst should not be allowed access to
program listings of application programs.

8. The posting of a transaction, as it occurs, to several files,
without intermediate printouts, is a characteristic of a batch
processed computer system.

9. Controls which are built in by the manufacturer to detect
equipment failure are called input controls.

10. Echo checks, data encryption, and parity checks are data
transmission controls.

11. When applying the test data approach, auditors use
auditor-controlled software to do the same operations that the
client's software does, using the same data files.

12. A problem for a CPA associated with advanced IT systems is
that the audit trail is sometimes generated only in
machine-readable form.


13. Controls which are designed to assure that the information
processed by the computer is authorized, complete, and
accurate are called input controls.

14. A system in which the end user is responsible for the
development and execution of the computer application that he or
she uses is called decentralized computing.

15. In an IT-intensive environment, most processing controls are
programmed controls.

16. An example of an access control is a check digit.

17. Output controls are designed to assure that data generated
by the computer are used appropriately by management.

18. An internal control deficiency occurs when computer
personnel originate changes in customer master files.

19. Auditing through the computer is generally used when
processing is primarily online and updating is real-time.

20. General controls have a pervasive effect on the operating
effectiveness of application controls.

21. Random errors are more likely in a batch system than in an
online system.

22. Auditing by testing the input and output of a computer
system instead of the computer program itself will detect all
program errors, regardless of the nature of the output.

23. In an IT system, automated equipment controls or hardware
controls are designed to detect and control errors arising
from the use of equipment.

24. Logging in to the company's information systems via a
password is an application control.

25. Controls that relate to a specific use of the IT system, such
as the processing of sales or cash receipts, are called
general controls.

ANSWER KEY

 1. D    25. B    49. B    73. C     97. C
 2. B    26. A    50. B    74. B     98. B
 3. B    27. D    51. D    75. A     99. A
 4. B    28. B    52. C    76. C    100. D
 5. C    29. B    53. A    77. D    101. C
 6. B    30. C    54. B    78. B    102. A
 7. D    31. C    55. D    79. A    103. B
 8. B    32. D    56. A    80. B    104. C
 9. D    33. C    57. A    81. A    105. B
10. C    34. C    58. C    82. D    106. D
11. B    35. C    59. C    83. B    107. C
12. D    36. B    60. C    84. B    108. A
13. D    37. A    61. A    85. A    109. D
14. A    38. A    62. B    86. A    110. B
15. D    39. D    63. B    87. C    111. B
16. A    40. B    64. A    88. C    112. A
17. A    41. A    65. D    89. A    113. D
18. B    42. C    66. A    90. C    114. B
19. A    43. B    67. A    91. B    115. A
20. C    44. B    68. C    92. D    116. C
21. D    45. B    69. A    93. A    117. C
22. C    46. A    70. C    94. A    118. C
23. C    47. D    71. D    95. B    119. B
24. B    48. C    72. A    96. D    120. C

TRUE OR FALSE

1. False     6. False    11. False    16. False    21. False
2. False     7. False    12. True     17. False    22. False
3. True      8. False    13. True     18. True     23. True
4. False     9. False    14. False    19. True     24. False
5. True     10. True     15. True     20. True     25. False