Chapter 12

Multiple-Choice Questions

1. IT has several significant effects on an organization. Which

easy of the following would not be important from an auditing
perspective?
d a. Organizational changes.
b. The visibility of information.
c. The potential for material misstatement.
d. None of the above; i.e., they are all important.

2. The audit procedure which is least useful in gathering

easy evidence on significant computer processes is:
b a. documentation.
b. observation.
c. test decks.
d. generalized audit software.

3. Which of the following is not a benefit of using IT-based

controls?
easy a. Ability to process large volumes of transactions.
d b. Ability to replace manual controls with computer-based
controls.
c. Reduction in misstatements due to consistent
processing of transactions.
d. Over-reliance on computer-generated reports.

4. One significant risk related to an automated environment

easy is that auditors may ____ information provided by an
information system.
b a. not place enough reliance on
b. place too much reliance on
Arens/Elder/Beasley 
 c. reveal
d. not understand

5. Which of the following is not a risk specific to IT

environments?
easy a. Reliance on the functioning capabilities of hardware
and software.
b b. Increased human involvement.
c. Loss of data due to insufficient backup.
d. Reduced segregation of duties.

6. Which of the following is not an enhancement to internal

easy control that will occur as a consequence of increased
reliance on IT?
d a. Computer controls replace manual controls.
b. Higher quality information is available.
c. Computer-based controls provide opportunities to
enhance separation of duties.
d. Manual controls replace automated controls.

7. Which of the following is not a risk to IT systems?

easy a. Need for IT experienced staff
c b. Separation of IT duties from accounting functions
c. Improved audit trail
d. Hardware and data vulnerability

8. Which of the following is not a category of an application

control?
easy a. Processing controls.
c b. Output controls.
c. Hardware controls.
d. Input controls.

Arens/Elder/Beasley 
9. Old and new systems operating simultaneously in all
locations is a test approach known as:
easy a. pilot testing.
d b. horizontal testing.
c. integrative testing.
d. parallel testing.

10. When the client uses a computer but the auditor chooses
easy to use only the non-IT segment of internal control to assess
a control risk, it is referred to as auditing around the
computer. Which one of the following conditions need not
be present to audit around the computer?
a. Computer programs must be available in English.
b. The source documents must be available in a non-
machine language.
c. The documents must be filed in a manner that makes it
possible to locate them.
d. The output must be listed in sufficient detail to enable
the auditor to trace individual transactions.

11. Which of the following is a category of general controls?

easy a. Processing controls.
c b. Output controls.
c. Physical and online security.
d. Input controls.

12. Which of the following statements related to application

controls is correct?
easy a. Application controls relate to various aspects of the IT
d function including software acquisition and the processing
of transactions.
b. Application controls relate to various aspects of the IT
function including physical security and the processing
Arens/Elder/Beasley 
 of transactions in various cycles.
c. Application controls relate to all aspects of the IT
function.
d. Application controls relate to the processing of
individual transactions.

13. General controls include all of the following except:

easy a. systems development.
c b. online security.
c. processing controls.
d. hardware controls.

14. Predesigned formats, such as those used for audit

easy documentation, can be created and saved using electronic
spreadsheets and word processors. These are called:
b a. desktop publishing.
b. templates.
c. macros.
d. work files.

15. ______ involves implementing a new system in one part of

easy the organization, while other locations continue to use the
current system.
c a. Parallel testing
b. Online testing
c. Pilot testing
d. Control testing

16. To determine that user ID and password controls are

functioning, an auditor would most likely:
easy a. attempt to sign on to the system using invalid user
identifications and passwords.
a b. write a computer program that simulates the logic of
Arens/Elder/Beasley 
 the client’s access control software.
c. extract a random sample of processed transactions and
ensure that the transactions were appropriately
authorized.
d. examine statements signed by employees stating that
they have not divulged their user identifications and
passwords to any other person.

17. When IT programs or files can be accessed from terminals,

easy users should be required to enter a(n):
d a. echo check.
b. parity check.
c. self-diagnosis test.
d. authorized password.

18. An auditor’s flowchart of a client’s system is a graphical

representation that depicts the auditor’s:
easy a. program for tests of controls.
b b. understanding of the system.
c. understanding of the types of errors that are probable
given the present system.
d. documentation of the study and evaluation of the
system.

19. Which of the following is not a characteristic of an online

processing system?
medium a. Output of the data files is available on request.
d b. Master files are updated at the time the entry is made.
c. Display terminals are used for both input and output
purposes.
d. Programming is not allowed online and must be done
separately.

Arens/Elder/Beasley 
20. Typical controls developed for manual systems which are
still important in IT systems include:
medium a. proper authorization of transactions.
d b. competent and honest personnel.
c. careful and complete preparation of source documents.
d. all of the above.

21. ______ controls prevent and detect errors while

transaction data are processed.
medium a. Software
c b. Application
c. Processing
d. Transaction

22. A database management system:

medium a. physically stores each element of data only once.
a b. stores data on different files for different purposes, but
always knows where they are and how to retrieve
them.
c. allows quick retrieval of data but at a cost of inefficient
use of file space.
d. allows quick retrieval of data, but it needs to update
files continually.

23. Which of the following is not associated with converting

from a manual to an IT system?
medium a. It usually centralizes data.
d b. It permits higher quality and more consistent controls
over operations.
c. It may eliminate the control provided by division of
duties of independent persons who perform related
functions and compare results.
d. It may take the recordkeeping function and the
Arens/Elder/Beasley 
 document preparation function away from those who
have custody of assets and put those functions into the IT
center.

24. Which of the following statements about general controls

is not correct?
medium a. Disaster recovery plans should identify alternative
hardware to process company data.
d b. Successful IT development efforts require the
involvement of IT and non-IT personnel.
c. The chief information officer should report to senior
management and the board.
d. Programmers should have access to computer
operations to aid users in resolving problems.

25. Which of the following statements is correct?

medium a. Auditors should evaluate application controls before
evaluating general controls.
c b. Auditors should evaluate application controls and
general controls simultaneously.
c. Auditors should evaluate general controls before
evaluating application controls.
d. None of these statements is correct.

26. An important characteristic of IT is uniformity of

processing. Therefore, a risk exists that:
medium a. auditors will not be able to access data quickly.
c b. auditors will not be able to determine if data is
processed consistently.
c. erroneous processing can result in the accumulation of
a great number of misstatements in a short period of
time.
d. all of the above.
Arens/Elder/Beasley 
27. Auditors should evaluate the ________ before evaluating
medium application controls because of the potential for pervasive
effects.
d a. input controls
b. control environment
c. processing controls
d. general controls
28. A control that relates to all parts of the IT system is called
a(n):
medium a. general control.
a b. systems control.
c. universal control.
d. applications control.

29. Controls which apply to a specific element of the system

are called:
medium a. user controls.
d b. general controls.
c. systems controls.
d. applications controls.

30. Which of the following is not an example of an applications

control?
medium a. An equipment failure causes system downtime.
a b. There is a preprocessing authorization of the sales
transactions.
c. There are reasonableness tests for the unit selling price
of a sale.
d. After processing, all sales transactions are reviewed by
the sales department.

31. Which of the following is least likely to be used in obtaining

Arens/Elder/Beasley 
medium an understanding of client general controls?
c a. Examination of system documentation
b. Inquiry of client personnel (e.g., key users)
c. Observation of transaction processing
d. Reviews of questionnaires completed by client IT
personnel

32. Which of the following is not a general control?

medium a. Reasonableness test for unit selling price of a sale.
a b. Equipment failure causes error messages on monitor.
c. Separation of duties between programmer and
operators.
d. Adequate program run instructions for operating the
computer.

33. Controls which are built in by the manufacturer to detect

equipment failure are called:
medium a. input controls.
c b. fail-safe controls.
c. hardware controls.
d. manufacturer’s controls.

34. Auditors usually evaluate the effectiveness of:

medium a. hardware controls before general controls.
c b. sales-cycle controls before application controls.
c. general controls before applications controls.
d. applications controls before the control environment.

35. Controls which are designed to assure that the information

medium processed by the computer is authorized, complete, and
accurate are called:
a a. input controls.
b. processing controls.
Arens/Elder/Beasley 
 c. output controls.
d. general controls.

36. Programmers should be allowed access to:

medium a. user controls.
d b. general controls.
c. systems controls.
d. applications controls.

37. Programmers should do all but which of the following?

medium a. Test programs for proper performance.
b b. Evaluate legitimacy of transaction data input.
c. Develop flowcharts for new applications.
d. Programmers should perform each of the above.

38. ______ tests determines that every field in a record has

been completed.
medium a. Validation
c b. Sequence
c. Completeness
d. Programming

39. In an IT-intensive environment, most processing controls

are:
medium a. input controls.
c b. operator controls.
c. programmed controls.
d. documentation controls.

40. Which of the following is not a processing control?

medium a. Control totals.
c b. Logic tests.
c. Check digits.
Arens/Elder/Beasley 
 d. Computations tests.

41. Output controls are not designed to assure that data

generated by the computer are:
medium a. accurate.
d b. distributed only to authorized people.
c. complete.
d. used appropriately by employees in making decisions.

42. Auditors usually obtain information about general and

application controls through:
medium a. interviews with IT personnel.
d b. examination of systems documentation.
c. reading program change requests.
d. all of the above methods.

43. When auditors consider only non-IT controls in assessing

control risk, it is known as:
medium a. the single-stage audit.
c b. the test deck approach.
c. auditing around the computer.
d. generalized audit software (GAS).

44. The auditor’s objective to determine whether the client’s

medium computer programs can correctly handle valid and invalid
transactions as they arise is accomplished through the:
a a. test data approach.
b. generalized audit software approach.
c. microcomputer-aided auditing approach.
d. generally accepted auditing standards.

45. The audit approach in which the auditor runs his or her
medium own program on a controlled basis to verify the client’s
Arens/Elder/Beasley 
 data recorded in a machine language is:
c a. the test data approach.
b. called auditing around the computer.
c. the generalized audit software approach.
d. the microcomputer-aided auditing approach.

46. Which of the following is not one of the three categories of

medium testing strategies when auditing through the computer?
a a. Pilot simulation.
b. Test data approach.
c. Parallel simulation.
d. Embedded audit module.

47. Companies with non-complex IT environments often rely

medium on microcomputers to perform accounting system
d functions. Which of the following is not an audit
consideration in such an environment?
a. Limited reliance on automated controls.
b. Unauthorized access to master files.
c. Vulnerability to viruses and other risks.
d. Excess reliance on automated controls.

48. Internal control is ineffective when computer personnel:

medium a. participate in computer software acquisition decisions.
c b. design flowcharts and narratives for computerized
systems.
c. originate changes in customer master files.
d. provide physical security over program files.

49. When using the test data approach:

medium a. test data should include only exception conditions.
d b. application programs tested must be virtually identical
to those used by employees.
Arens/Elder/Beasley 
 c. select data may remain in the client system after
testing.
d. none of the above statements is correct.

50. Because general controls have a _____ effect on the

medium operating effectiveness of application controls, auditors
must consider general controls.
b a. nominal
b. pervasive
c. mitigating
d. worsening

51. Errors in data processed in a batch computer system may

not be detected immediately because:
medium a. transaction trails in a batch system are available only
for a limited period of time.
b b. there are time delays in processing transactions in a
batch system.
c. errors in some transactions cause rejection of other
transactions in the batch.
d. random errors are more likely in a batch system than in
an online system.

52. ______ link equipment in large geographic regions.

medium a. Cosmopolitan area networks (CANs)
c b. Local area networks (LANs)
c. Wide area networks (WANs)
d. Virtual area networks (VANs)

53. Which of the following computer-assisted auditing

medium techniques allows fictitious and real transactions to be
c processed together without client operating personnel
being aware of the testing process?
Arens/Elder/Beasley 
 a. Parallel simulation.
b. Generalized audit software programming.
c. Integrated test facility.
d. Test data approach.

54. Firewalls are used to protect:

medium a. erroneous internal handling of data.
d b. against insufficient documentation of transactions.
c. illogical programming commands.
d. unauthorized use of system resources.

55. In an IT system, automated equipment controls or

hardware controls are designed to:
medium a. correct errors in the computer programs.
c b. monitor and detect errors in source documents.
c. detect and control errors arising from the use of
equipment.
d. arrange data in a logical sequential manner for
processing purposes.

56. If a control total were to be computed on each of the

medium following data items, which would best be identified as a
hash total for a payroll IT application?
b a. Gross wages earned.
b. Employee numbers.
c. Total hours worked.
d. Total debit amounts and total credit amounts.

57. What tools do companies use to limit access to sensitive

company data?
medium
a Encryption Digital Firewall
techniques signatures
Arens/Elder/Beasley 
 a. Yes Yes Yes
b. Yes No No
c. No Yes Yes
d. Yes Yes No

58. Rather than maintain an internal IT center, many

medium companies use ________ to perform many basic functions
such as payroll.
b a. external general service providers
b. external application service providers
c. internal control service providers
d. internal auditors

59. A company uses the account code 669 for maintenance

medium expense. However, one of the company clerks often codes
d maintenance expense as 996. The highest account code in
the system is 750. What internal control in the company’s
computer program would detect this error?
a. Pre-data input check.
b. Valid-character test.
c. Sequence check.
d. Valid-code test.

60. Which of the following is not an application control?

challengin a. Preprocessing authorization of sales transactions.
g
d b. Reasonableness test for unit selling price of sale.
c. Post-processing review of sales transactions by the
sales department.
d. Separation of duties between computer programmer
and operators.

61. It is common in IT systems to have certain types of

Arens/Elder/Beasley 
challengin transactions initiated automatically by the computer.
g Which of the following activities would not be an
d appropriate candidate for automatic computer
initialization?
a. In a bank, periodic calculation of interest on customer
accounts.
b. In a manufacturing facility ordering inventory at preset
order levels.
c. In a hospital, the ordering of oxygen when pre-specified
levels are achieved.
d. In an investment brokerage firm, the sale of
pharmaceutical stocks when the Dow-Jones Industrial
Average falls below a certain level.

62. Application controls vary across the IT system. To gain an

challengin understanding of internal control for a private company,
g the auditor must evaluate the application controls for
every:
d a. every audit area.
b. every material audit area.
c. every audit area in which the client uses the computer.
d. every audit area where the auditor plans to reduce
assessed control risk.

63. Many clients have outsourced the IT functions. The

challengin difficulty the independent auditor faces when a computer
g service center is used is to:
c a. gain the permission of the service center to review their
work.
b. find compatible programs that will analyze the service
center’s programs.
c. determine the adequacy of the service center’s internal
controls.
Arens/Elder/Beasley 
 d. try to abide by the Code of Professional Conduct to
maintain the security and confidentiality of client’s
data.

64. An auditor who is testing IT controls in a payroll system

challengin would most likely use test data that contain conditions
g such as:
a a. time tickets with invalid job numbers.
b. overtime not approved by supervisors.
c. deductions not authorized by employees.
d. payroll checks with unauthorized signatures.

65. Which of the following is not a general control?

challengin a. The plan of organization and operation of IT activity.
g
c b. Procedures for documenting, reviewing, and approving
systems and programs.
c. Processing controls.
d. Hardware controls.

66. In comparing (1) the adequacy of the hardware controls in

challengin the system with (2) the organization’s methods of handling
g the errors that the computer identifies, the independent
auditor is:
c a. unconcerned with both (1) and (2).
b. equally concerned with (1) and (2).
c. less concerned with (1) than with (2).
d. more concerned with (1) than with (2).

Arens/Elder/Beasley 
67. Service auditors do not issue which of the following types
of reports?
challengin a. Report on implemented controls
g
b b. Report on controls that have been implemented and
tested for design effectiveness
c. Report on controls that have been implemented and
tested for operating effectiveness
d. Each of the above is issued.

68. The most important output control is:

challengin a. distribution control, which assures that only authorized
g personnel receive the reports generated by the system.
b
b. review of data for reasonableness by someone who
knows what the output should look like.
c. control totals, which are used to verify that the
computer’s results are correct.
d. logic tests, which verify that no mistakes were made in
processing.

Essay Questions

69. Briefly define general controls and application controls.

easy
Answer:
General controls are those that relate to all aspects of
the IT function. They include controls related to
administration, software acquisition and maintenance,
physical and on-line security, backup and disaster
recovery planning, and hardware controls. Application
Arens/Elder/Beasley 
 controls relate to the processing of individual
transactions. Application controls are specific to certain
software applications and typically do not affect all IT
functions.

70. What are three specific risks to IT systems?

easy
Answer:
Three specific risks to IT systems include risks to
hardware and data, a reduced audit trail, and the need
for IT experience and separation of IT duties.

71. Discuss how the integration of IT into accounting systems

medium enhances internal control.

Answer:
Enhancements to internal control resulting from the
integration of IT into accounting systems include:
 Computer controls replace manual controls.
Replacing manual procedures with programmed
controls that apply checks and balances to each
processed transaction and that process information
consistently can reduce human error that is likely to
occur in traditional manual environments.
 Higher quality information is available. IT systems
typically provide management with more and higher
quality information faster than most manual
systems.

Arens/Elder/Beasley 
72 Identify the three categories of application controls, and
medium give one example of each.

Answer:
Application controls fall into three categories:
 Input controls. Key verification and check digits are
examples of input controls.
 Processing controls. One example is a
reasonableness test for the unit selling price of a
sale.
 Output controls. One example is post-processing
review of sales transactions by the sales department.

73. Discuss what is meant by the term “auditing around the

medium computer.”

Answer:
“Auditing around the computer” occurs when the
auditor considers only the non-IT controls when
assessing control risk. Under this approach, the auditor
obtains an understanding of internal control and
performs tests of controls, substantive tests of
transactions, and account balance verification
procedures in the same manner as in manual systems.
However, there is no attempt to test, or rely on, the
client’s IT controls.

74. Discuss the circumstances that must exist for the auditor
medium to “audit around the computer.”

Arens/Elder/Beasley 
 Answer:
To “audit around the computer,” the following
conditions must exist:
 The source documents must be available in a form
readable by a human.
 The documents must be maintained in a manner that
makes it possible to locate them for auditing
purposes.
 The output must be listed in sufficient detail to
enable the auditor to trace individual transactions
from the source documents to the output and vice
versa.
If any of these conditions does not exist, the auditor
will have to rely on computer-oriented controls.

75. Describe three computer auditing techniques available to

medium the auditor.

Answer:
Computer auditing techniques available to the auditor
are:
 Test data approach. Using this approach, the auditor
develops different types of transactions that are
processed under his or her own control using the
client’s computer programs on the client’s IT
equipment.
 Parallel simulation. Using parallel simulation, the
auditor writes a computer program that replicates
some part of the client’s application system. The
client’s data is then processed using the auditor’s
computer program. The auditor then compares the
output generated by his or her program with that
Arens/Elder/Beasley 
 generated by the client’s program to test the
correctness of the client’s program. Generalized
audit software may be used.
 Embedded audit module. Using this approach, the
auditor inserts an audit module in the client’s
application system to capture transactions with
characteristics that are of interest to the auditor.

Arens/Elder/Beasley 
76. What are the two software testing strategies that
medium companies typically use? Which strategy is more
expensive?

Answer:
Companies may use pilot testing and parallel testing to
test new software. Pilot testing involves operating the
new software at a limited number of facilities, while
continuing to operate the old software at all other
locations. Parallel testing involves operating the new
and old software simultaneously. Parallel testing is
more expensive than pilot testing.

77. Discuss the advantages and benefits of using generalized

medium audit software.

Answer:
Advantages and benefits of using generalized audit
software include:
 they are developed in such a manner that most of the
audit staff can be trained to use the program even if
they have little formal IT education.
 a single program can be applied to a wide range of
tasks without having to incur the cost or
inconvenience of developing individualized programs.
 generalize audit software can perform tests much
faster and in more detail than using traditional
manual procedures.

78. Why do businesses use networks? Describe a local area

Arens/Elder/Beasley 
medium network and a wide area network.

Answer:
Networks are used to link equipment such as
microcomputers, midrange computers, mainframes,
work stations, servers, and printers. A local area
network links equipment within a single or small cluster
of buildings and is used only within a company. A wide
area network links equipment in larger geographic
regions, including global operations.

79. Discuss the four areas of responsibility under the IT

medium function that should be segregated in large companies.

Answer:
The responsibilities for IT management, systems
development, operations, and data control should be
separated:
 IT Management. Oversight of the IT function should
be segregated from the systems development,
operations, and data control functions. Oversight of
IT should be the responsibility of the Chief
Information Officer or IT manager.
 Systems development. Systems analysts are
responsible for the overall design of each application
system. Programmers develop, test, and document
applications software. Programmers and analysts
should not have access to input data or computer
operations.
 Operations. Computer operators are responsible for
the day-to-day operations of the computer.
 Data control. Data control personnel independently
Arens/Elder/Beasley 
 verify the quality of input and the reasonableness of
output.

Arens/Elder/Beasley 
80. What types of reports may be issued by a service
challengin organization auditor? Which of these is likely to be used by
g an auditor performing an audit of a public company?

Answer:
Service organization auditors may issue two types of
reports:
 reports on controls that have been implemented,
and
 reports on controls that have been implemented and
tested for operating effectiveness.

Auditors of a public company would likely use the latter

type of report because they have to provide a report
on the internal control over financial reporting.

81. Identify the six categories of general controls and give one
challengin example of each.
g
Answer:
General controls fall into the following six categories:
 Administration of the IT function. For example, the
chief information officer (CIO) should report to
senior management and board of directors.
 Segregation of IT duties. For example, there should
be separation of duties between the computer
programmers, operators, and the data control group.
 Systems development. Users, analysts, and
programmers develop and test software.
 Physical and online security. For example, passwords

Arens/Elder/Beasley 
 should be required for access to computer systems.
 Backup and contingency planning. Written backup
plans should be prepared and tested on a regular
basis throughout the year.
 Hardware controls. For example, uninterruptible
power supplies should be used to avoid loss of data
in the event of a power blackout.

Other Objective Answer Format Questions

82. Match eight of the terms (a-n) with the definitions

medium provided below (1-8):

a. Application controls
b. Auditing around the computer
c. Auditing through the computer
d. Error listing
e. General controls
f. Generalized audit software
g. Hardware controls
h. Input controls
i. Output controls
j. Parallel simulation
k. Parallel testing
l. Pilot testing
m. Processing controls
n. Test data approach

k 1. The new and old systems operate

simultaneously in all locations.

Arens/Elder/Beasley 
e 2. Controls that relate to all parts of the IT system.

Arens/Elder/Beasley 
j 3. Involves the use of a computer program written
by the auditor that replicates some part of a
client’s application system.

n 4. A method of auditing IT systems which uses

data created by the auditor to determine
whether the client’s computer program can
correctly process valid and invalid transactions.

i 5. Controls such as review of data for

reasonableness, designed to assure that data
generated by the computer is valid, accurate,
complete, and distributed only to authorized
people.

a 6. Controls that apply to processing of

transactions.

l 7. A new system is implemented in one part of the

organization while other locations continue to
rely on the old system.

h 8. Controls such as proper authorization of

documents, check digits, and adequate
documentation, designed to assure that the
information to be processed by the computer is
authorized, complete, and accurate.

Arens/Elder/Beasley 
83. Inherent risk is often reduced in complex IT systems
easy relative to less complex IT systems.
b a. True
b. False

84. Parallel testing is used when old and new systems are
easy operated simultaneously in all locations.
a a. True
b. False

85. Firewalls can protect company data and software

easy programs.
a a. True
b. False

86. Programmers should not have access to transaction data.

easy a. True
a b. False

87. One potential disadvantage of IT systems is the reduction

easy or elimination of source documents, which reduces the
a visibility of the audit trail.
a. True
b. False

88. LANs link equipment within a single or small cluster of

easy buildings and are used only for intracompany purposes.
a a. True
b. False

89. In IT systems, if general controls are effective, it increases

medium the auditor’s ability to rely on application controls to
Arens/Elder/Beasley 
a reduce control risk.
a. True
b. False

90. Parallel testing is more expensive than pilot testing.

medium a. True
a b. False

91. The effectiveness of manual controls depends solely on the

medium competence of the personnel performing the controls.
b a. True
b. False

92. The test data approach requires the auditor to insert an

medium audit module in the client’s application system to test
b transaction data specifically identified by the auditor as
unusual.
a. True
b. False

93. General controls in smaller companies are usually less

medium effective than in more complex IT environments.
a a. True
b. False

94. Knowledge of both general and application controls is not

(Public) particularly crucial for auditors of public companies.
medium a. True
b b. False

95. Logic tests and completeness tests are examples of general

medium controls.
b a. True
Arens/Elder/Beasley 
 b. False

96. When the auditor decides to “audit around the computer,”

medium there is no need to test the client’s IT controls or obtain an
b understanding of the client’s internal controls related to
the IT system.
a. True
b. False

97. Auditors normally link controls and deficiencies in general

medium controls to specific transaction-related audit objectives.
b a. True
b. False

98. Output controls focus on detecting errors after processing

medium is completed rather than preventing errors prior to
a processing.
a. True
b. False

99. The objective of the computer audit technique known as

medium the test data approach is to determine whether the client’s
a computer programs can correctly process valid and invalid
transactions.
a. True
b. False

100. Parallel simulation is used primarily to test internal

medium controls over the client’s IT systems, whereas the test data
b approach is used primarily for substantive testing.
a. True
b. False

Arens/Elder/Beasley 
101. Processing controls is a category of application controls.
medium a. True
a b. False

102. Controls that relate to a specific use of the IT system, such

medium as the processing of sales or cash receipts, are called
a application controls.
a. True
b. False

103. “Auditing around the computer” is acceptable only if the

medium auditor has access to the client’s data in a machine-
b readable language.
a. True
b. False

104. IT controls are classified as either input controls or output

medium controls.
b a. True
b. False

105. One common use of generalized audit software is to help

medium the auditor identify weaknesses in the client’s IT control
b procedures.
a. True
b. False

106. Tests of controls are normally performed only if the

medium auditor believes the client’s internal control may be
a effective.
a. True
b. False

Arens/Elder/Beasley 
107. “Auditing around the computer” is most appropriate when
medium the client has not maintained detailed output or source
b documents in a form readable by humans.
a. True
b. False

108. When auditing a client whose information is processed by

medium an outside service provider, it is not acceptable for the
b auditor to rely on the audit report of another independent
auditor who has previously tested the internal controls of
the service provider, rather than testing the service
provider’s controls himself or herself.
a. True
b. False

109. When a client uses microcomputers for the accounting

medium functions, the auditor should normally rely only on non-IT
a controls or take a substantive approach to the audit.
a. True
b. False

Arens/Elder/Beasley