CIS Lecture and Multiple Choice Handout

This document provides an overview of computerized information systems used in management advisory services. It defines key terms like hardware, software, data, and information. It describes common types of computer systems like mainframes, servers, and microcomputers. It also outlines the basic components of computer hardware, including the central processing unit and various storage devices. Finally, it discusses database structures and different approaches to data file organization.

Uploaded by Yana Dela Cerna
Copyright © All Rights Reserved

Since 1977

Computer Information System M. D. RICAFRENTE


For MAS and AUD OCTOBER 2022

LECTURE NOTES
COMPUTERIZED INFORMATION SYSTEMS (CIS) IN MANAGEMENT ADVISORY SERVICES

Information Technology in Business
Information Technology is the application of computers to store, study, retrieve, transmit and manipulate data and information, often in the context of a business or other enterprise.

Computers have a pervasive impact on today’s businesses because they have become the primary tool to process much of the financial and accounting information of business entities.

Accordingly, if auditors seek to understand the business of their clients, they must be able to use information technology and understand current trends in information technology (IT) to conduct an effective and efficient audit.

General Types of IT Systems
1. Accounting information system. Records and processes financial and nonfinancial transactions that affect processing of financial information. (transaction processing system, general ledger or financial reporting system, management reporting system)

2. Management information system. Processes nonfinancial transactions not normally processed by traditional accounting information system. Designed to provide past, present and future information needed by management to plan, organize and control the operations of the organization. (e.g. sales management system, inventory control system, budgeting system, personnel system).

3. Expert systems. Computer systems that apply reasoning methods to data in a specific relatively structured area to render advice or recommendations. (Rules based machine learning).

Fundamentals of Computerized Information System
The Information System is the set of formal procedures by which data and transactions are collected and processed into information and distributed to users who need to plan, control and operate an organization.

Data vs. Information. Data are facts, which may or may not be processed and have no direct effect on the user. Information is data processed, interpreted, organized and structured to make it meaningful and useful to the user.

Computer Information System is a system that is composed of people and computers that processes or interprets information.

Characteristics of IT System
1. Types of Computer, Hardware and Software

a. Computers
• Supercomputers - Extremely powerful, high-speed computers used for extremely high-volume and/or complex processing needs. (key: calculation speed)
• Mainframe computers - Large, powerful, high-speed computers. Less powerful than supercomputers and fit for high-volume transaction processing. (key: volume)
• Servers - High-powered microcomputers that serve applications and data to clients that are connected through a network. Servers have greater capacity than their client computers and often act as central repository for organizational data.
• Microcomputers - Also called personal computers. Examples include desktop computers, laptop computers. Designed to be used by one person at a time.

b. Hardware – Physical equipment

• Central Processing Unit (CPU)
Carries out the instructions of a computer program by performing the basic arithmetic, logical, control and input/output (IO) operations specified by the instructions. The “brain” of the computer.
- Arithmetic/logic unit - performs mathematical operations and logical comparisons.
- Primary memory/storage – active data and program steps processed by the CPU. Includes RAM (random-access memory) and ROM (read-only memory).
- Control unit – interprets program instructions and coordinates input, output and storage devices.

• Secondary storage
- Magnetic tape – Data are stored sequentially in a magnetic tape. Slowest type of data storage. Mainly used for archiving purposes.
- Magnetic disks (also known as “hard disks” or “hard disk drives”/ HDD) – Most common storage medium in use today. Data are accessed directly.
- Compact Discs (CD) – Use optical technology to read and write data to the disc.
- Solid State Drives (SSD) – Use microchips to store data and require no moving parts for read/write operations. SSDs are faster but more expensive than HDDs. Commonly used for auxiliary storage like those in pluggable or thumb drives (e.g. flash drives/USB drives)
- RAID (redundant array of independent (or inexpensive) disks) - stores same data redundantly on multiple magnetic discs to decrease risk of loss of data.
- Cloud-based storage – Also known as Storage as a Service (SAAS). Hosted offsite by third parties, accessible via the Internet

Page 1 of 15 www.prtc.com.ph CIS


EXCEL PROFESSIONAL SERVICES, INC.

• Information in Computers
- Digital – series of binary digits (0s and 1s).
- Analog – produced by fluctuations of continuous signal (speech, temperature, weight, speed)

• Input Devices
- Keyboard
- Mouse, joystick, light pens
- Touch screen
- Magnetic tape reader
- Magnetic ink character reader (MICR)
- Scanner
- Automatic Teller Machine (ATM)
- Radio Frequency Identification (RFID)
- Point-of-sale (POS) recorders
- Microphone/voice recognition

• Output Devices
- Monitors
- Printers
- Speakers

c. Software – Programs that control hardware

• Systems software
- Operating system (OS)
- Utility programs
- Communications software

• Applications software
- Programs designed for specific uses or applications (e.g. word processing, graphics, spreadsheets, email, database systems, accounting)
- Accounting software includes low-end (all in one package designed for small enterprises), high-end (usually in modules like general ledger modules) and ERP (Enterprise Resource Planning), a complete information system suite for large and medium size organizations.

2. Methods of processing

a. Batch Processing
• Processing groups of like transactions (batches)
• Example: all sales information during the day is aggregated and updated to the system as a group/batch.

b. Online Real-Time
• Transactions are processed as they occur.
• Online transaction processing (OLTP) – databases supporting day-to-day operations (e.g. bank automatic teller systems, online sales/reservation systems).
• Online analytical processing (OLAP) – software technology enabling the user to query the system and conduct analysis

c. Online/memo update
• Also known as shadow update, combines on-line/real time processing and on-line/batch processing.

3. Location

• Centralized - processing occurs at one location.
• Decentralized - processing (and data) are stored on computers at multiple locations.
• Distributed - Transactions for a single database are processed at various sites.

4. Data file structure

a. Traditional file processing (legacy) systems
• Focus on data processing needs of individual departments.
• Each application/program is developed to meet the needs of the requesting department or user group.
• Advantage: cost effective for simple applications
• Disadvantage: Data are fragmented/redundant among different departments

b. Database systems
• Database system – computer hardware and software that enables the database to be implemented.
• Database – a collection of interrelated files, ordinarily most of which are stored online.
• Database management system – software that provides a facility for communications between various application programs and database.
• Advantage: Data are kept up to date and redundancy is reduced.
• Disadvantage: Costly to set up and maintain.

5. Database structures

• Hierarchical - Data elements at one level own the data elements at the next lower level.
• Networked - Each data element can have several owners and can own several other elements
• Relational - A database with the logical structure of a group of related spreadsheets. Each row represents a record, which is an accumulation of all the fields related to the same identifier or key; each column represents a field common to all the records.
• Object-oriented - Information (attributes and methods) is included in structures called object classes.
• Object-relational - Includes both relational and object-oriented features.
• Distributed - A single database that is spread physically across computers in multiple locations that are connected by a data communications link.

6. Network

a. Scope
• Personal Area Network (PAN) – network centered around an individual and the personal communication devices he/she uses.
• Local Area Network (LAN) – Privately owned networks within a single location.
• Metropolitan Area Network (MAN) – larger version of LAN.
• Wide Area Network (WAN) – networks spanning large geographical area


b. Network Topologies
• Point-to-point – consists of two nodes connected by the internet & is usually delivered on a dedicated leased line.
• Bus Topology – The nodes are all connected to a common cable – the bus. It is generally less costly to install than a ring topology.
• Ring Topology – This configuration eliminates the central site. All nodes in this configuration are of equal status (peers). Responsibility for managing communications is distributed among the nodes. Common resources that are shared by all nodes can be centralized and managed by a file server that is also a node.
• Star Topology – A network of computers with a large central computer (the host). The host computer has direct connections to smaller computers, typically desktop or laptop PCs.
• Hierarchical (Tree) Topology – A host computer is connected to several levels of subordinate smaller computers in a master-slave relationship.
• Mesh or Double Star Topology – Similar to star topology but with greater redundancy. Offers the greatest resiliency but is the most expensive to implement
• Hybrid Topology – Any computer network that uses more than one type of connecting technology or topology.
• Client-Server Architecture – This configuration distributes the processing between the user’s (client’s) computer and the central file server.
• Cloud Computing – Cloud Computing is Internet-based computing, whereby shared resources, software, and information are provided to computers and other devices on demand, like the electricity grid. In general, Cloud computing customers do not own the physical infrastructure, instead avoiding capital expenditure by renting usage from a third-party provider. They consume resources as a service and pay only for resources that they use.

c. Network Devices and Peripherals
• Network Interface Cards (NICs) – NICs are circuit boards used to transmit and receive commands and messages between a PC and a LAN.
• Modems – A modem is a device that modulates and demodulates signals. Modems are primarily used for converting digital signals into quasi-analog signals for transmission over analog communication channels and for reconverting the quasi-analog signals into digital signals.
• Repeaters – Repeaters offer the simplest form of interconnectivity. They merely generate or repeat data packets or electrical signals between cable segments.
• Hubs – Hubs concentrate connections. In other words, they take a group of hosts and allow the network to see them as a single unit.
• Bridges – A bridge is a device that connects similar or dissimilar LANs together to form an extended LAN.
• Switches - Workgroup switches add more intelligence to data transfer management. They can determine if data should remain on a LAN and transfer data only to the connection that needs it.
• Routers - Routers are the backbone devices of large intranets and of the Internet. The two main functions of a router are the selection of best path and the switching of packets to the proper interface.
• Gateways – Gateways are used to connect LANs to host computers. Gateways act as translators between networks using incompatible transport protocols. A gateway is used to interconnect networks that may have different architectures.

Electronic Commerce (E-commerce)
E-commerce involves individuals and organizations engaging in various electronic transactions with computers and telecommunication networks.

Electronic Funds Transfer (EFTs) – making cash payments electronically between two (2) or more organizations or individuals rather than physically by cash or checks.

Electronic Data Interchange (EDI) – electronic exchange of business transactions in a standard format from one entity’s computer to another through an electronic communications network

Systems Design & Business Process Improvement
Designing a system fit for the organization is critical in achieving organizational goals. Well-designed systems increase business performance through streamlining operations and reduction of non-value-added activities.

Traditionally, the process by which organizations acquire or improve their information systems is known as the Systems Development Life Cycle (SDLC). This is characterized by different phases and processes through which an organization develops and/or purchases information systems.

Medium to large organizations with specific information needs tend to develop their information systems in-house. The advantages of in-house developed systems include meeting specific needs or requirements, while the disadvantage is high costs of development and maintenance. On the other hand, smaller organizations or large organizations with standard information needs may decide to purchase information systems from available vendors. These packaged applications from vendors are cheaper compared to in-house developed systems but the capabilities are limited. Regardless of approach, designing and developing a system poses significant financial and operational risks.

Typical SDLC phases include planning, analysis, design, development, testing, implementation and maintenance.

Planning Phase
• Identify problems to be solved
• Define the system to be developed based on organization’s strategic goals
• Determine scope of the project
• Develop project plan
• Evaluate initial feasibility of the project

Analysis Phase
• Understand the requirements of the proposed system
• Includes end users, IT specialists, systems analysts, accountants
• Gap analysis between proposed system and existing system
• Signoff by users after the requirements are specified


Design Phase
• Building the technical blueprint of the proposed system (database, user interface, reports, programs, hardware, controls)

Development Phase
• Documents from the design phase are transformed into actual system
• The platform on which the system is to operate is built or purchased
• Databases are developed

Testing Phase
• Verify that the system works and meets business requirements set forth in analysis phase
• Involve unit testing, system testing, integration testing, user acceptance testing (UAT)

Implementation Phase
• Putting the system in operation by the users
• Methods include:
1. Parallel implementation. Both systems are used until it is determined that the new system is operating properly. This has the advantage of less risk of system disaster. The disadvantage is the additional cost and work during the period in which both systems are operating.
2. Plunge or Turnkey. Stops the use of the old system and starts the use of the new system immediately. This method is less costly than parallel implementation, but it has higher risk of system breakdown.
3. Pilot implementation. Having a small group of individuals using the new system until it is seen to be working properly.
4. Phased implementation. Installing the system in a series of phases.

Maintenance Phase
• Monitoring and supporting the new system.
• Activities include ongoing training, setting up help desk resources and a system for making authorized changes to the system.

Controls over IT System

Segregation controls
Segregate functions between information systems department and user department.
Information systems department shall not initiate or authorize transactions.
Within information systems department, at a minimum, segregate programming, data entry, operations, and the library function

General Control Activities
General control activities control program development, program changes, computer operations, and access to programs and data. These controls increase the assurance that programmed control activities operate effectively during the period.
Examples include (a) logical access, (b) manage change, (c) segregation of duties and (d) backup procedures.

Application Controls

a. Input validation controls - must ensure that every transaction to be processed is entered, processed and recorded accurately and completely. These controls should ensure that only valid and authorized information is input and these transactions are processed only once.

• Preprinted forms – Information is preassigned a place and a format on the input form.
• Check digit – An extra digit added to an identification number to detect certain types of data transmission errors.
• Control, batch, or proof total – A total of one numerical field for all the records of a batch that normally would be added. (e.g. total sales)
• Hash total – A control total where the total is meaningless for financial purposes. (e.g. total employee number)
• Record count – A control total of the total records processed.
• Limit (reasonableness) test – A test of the reasonableness of a field of data, given a predetermined upper and/or lower limit.
• Field check – A control that limits the types of characters accepted into a specific data field.
• Validity check – A control that allows only “valid” transactions or data to be entered into the system.

b. Processing controls – many of the input validation controls also serve as processing controls. For example, processed information should include limit tests, record counts, and control totals. In addition, external labels should be used on removable media, with internal header and trailer labels used to determine that all information on a file has been read.

c. Output controls – essentially user control activities. These controls involve employee (operator and/or control group) follow-up of items listed on computer exception reports. (a) Checks of computer output against source documents, control totals, or other input to provide assurance that programmed aspects of the financial reporting system and control activities have operated effectively. (b) Reviewing computer processing logs to determine that all of the correct computer jobs executed properly. (c) Maintaining proper procedures and communications specifying authorized recipients of output.

Disaster Recovery and Business Continuity
A plan should allow the organization to (1) Minimize the extent of disruption, damage, and loss. (2) Establish an alternate (temporary) method for processing information. (3) Resume normal operations as quickly as possible. (4) Train and familiarize personnel to perform emergency operations

A plan should include priorities, insurance, backup approaches, specific assignments, periodic testing and updating, and documentation.

Type of backup approaches:

Batch systems
The most common approach is the Grandfather-Father-Son method. A master file (e.g., accounts receivable) is updated with the day’s transaction files (e.g., files of cash receipts and credit sales).


After the update, the new master file is the son. The file from which the father was developed with the transaction files of the appropriate day is the grandfather. The grandfather and son files are stored in different locations. If the son were destroyed, for example, it could be reconstructed by rerunning the father file and the related transaction files.

Online databases and master files
Checkpoint – Similar to grandfather-father-son, but at certain points, “checkpoints,” the system makes a copy of the database and this “checkpoint” file is stored on a separate disk or tape. If a problem occurs the system is restarted at the last checkpoint and updated with subsequent transactions.
Rollback – as part of recovery, to undo changes made to a database to a point at which it was functioning properly.
Backup facilities
a. Hot site—A commercial disaster recovery service that allows a business to continue computer operations in the event of computer disaster. For example, if a company’s data processing center becomes inoperable, that enterprise can move all processing to a hot site that has all the equipment needed to continue operation. This is also referred to as a recovery operations center (ROC) approach.
b. Cold site—Similar to a hot site, but the customer provides and installs the equipment needed to continue operations. A cold site is less expensive, but takes longer to get in full operation after a disaster. This is sometimes referred to as an “empty shell” in that the “shell” is available and ready to receive whatever hardware the temporary user needs.
c. Reciprocal agreement—An agreement between two or more organizations (with compatible computer facilities) to aid each other with their data processing needs in the event of a disaster. This is sometimes referred to as a mutual aid pact.

Telecommunications

• The electronic transmission of information by radio, wire, fiber optic, coaxial cable, microwave, laser, or other electromagnetic system.
• Transmitted information – voice, data, video, fax, other
• Components involved: (1) computers for communications control & switching, (2) transmission facilities like copper wires, fiber optic cables, microwave stations & communications satellite, (3) modems
• Software controls and monitors the hardware, formats information, adds appropriate control information, performs switching operations, provides security, and supports the management of communications.
• Telecommunication enables: (1) Electronic data interchange (2) Electronic funds transfer (3) Point of sale systems (4) Commercial databases (5) Airline reservation systems
• Controls: (1) System integrity at remote sites (2) Data entry (3) Central computer security (4) Dial-in security (5) Transmission accuracy and completeness (6) Physical security over telecommunications facilities

AUDITING COMPUTERIZED INFORMATION SYSTEMS (CIS)
An information systems (IS) audit is associated with auditors who use technical skills and knowledge to audit through the computer system, or provide audit services where processes or data, or both, are embedded in technologies. These auditors usually are Certified Information Systems Auditors (CISA). IS auditors work in internal audit departments, in external audit firms, and even in fraud audits.

The auditor should consider how a CIS environment affects the audit. The auditors must be able to use information technology and understand current trends in information technology (IT) to understand the business of their clients and to conduct an effective and efficient audit.

The overall objective and scope of an audit do not change in a CIS environment. However, the use of a computer changes the processing, storage and communication of financial information and may affect the accounting and internal control systems employed by the entity. Accordingly, a CIS environment may affect:

• The procedures followed by the auditor in obtaining a sufficient understanding of the accounting and internal control systems.
• The consideration of inherent risk and control risk through which the auditor arrives at the risk assessment.
• The auditor’s design and performance of tests of control and substantive procedures appropriate to meet the audit objective.

Audit Approach in a CIS Environment
Black Box Approach (Auditing around the computer) - the auditor develops the procedures to review input documents and output reports only, without knowing the computer technology, programming and other techniques used in electronic data processing previously.

White Box Approach (Auditing through the computer) - an audit approach used when auditors become more knowledgeable in computer operations and auditing procedures change. Transactions are tested through the computer. Programming codes can also be reviewed to understand better the logic in processing transactions.

Use of Computer-Assisted Audit Tools (CAATs)
CAATs are computer programs and data the auditor uses as part of the audit procedures to process data of audit significance contained in an entity’s information systems. The data may be transaction data, on which the auditor wishes to perform tests of controls or substantive procedures, or they may be other types of data.

CAATs may be used in performing various auditing procedures, including the following:

• tests of details of transactions and balances, for example, the use of audit software for recalculating interest or the extraction of invoices over a certain value from computer records;
• analytical procedures, for example, identifying inconsistencies or significant fluctuations;
• tests of general controls;
• sampling programs to extract data for audit testing;
• tests of application controls, for example, testing the functioning of a programmed control; and
• reperforming calculations performed by the entity’s accounting systems.
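
An added example, not part of the original handout: a small audit routine of the kind the CAAT uses above describe (reperforming totals, extracting invoices over a certain value), applied to the batch controls defined under input validation controls (record count, control total, hash total). The record layout, function names and sample batch are constructed for illustration.

```python
"""Auditor-side reperformance of batch controls over a processed file."""
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Invoice:
    invoice_no: int
    employee_no: int   # non-financial field, summed only for the hash total
    amount: Decimal


@dataclass(frozen=True)
class BatchTotals:
    record_count: int        # number of records in the batch
    control_total: Decimal   # financially meaningful total (total sales)
    hash_total: int          # financially meaningless total (employee numbers)


def batch_totals(records):
    """Recompute the three batch controls from the records themselves."""
    return BatchTotals(
        record_count=len(records),
        control_total=sum((r.amount for r in records), Decimal("0")),
        hash_total=sum(r.employee_no for r in records),
    )


def reconcile(header, records):
    """Names of the batch controls that disagree with the batch header."""
    actual = batch_totals(records)
    return [name for name in ("record_count", "control_total", "hash_total")
            if getattr(header, name) != getattr(actual, name)]


def extract_over(records, limit):
    """Record extraction: invoices whose amount exceeds `limit`."""
    return [r for r in records if r.amount > limit]


def sequence_exceptions(records):
    """(missing, duplicated) invoice numbers between the lowest and highest seen."""
    counts = Counter(r.invoice_no for r in records)
    if not counts:
        return [], []
    missing = [n for n in range(min(counts), max(counts) + 1) if n not in counts]
    duplicated = sorted(n for n, seen in counts.items() if seen > 1)
    return missing, duplicated


# Constructed sample data. The header was prepared from six source documents
# (invoices 1001-1006); the processed file lost 1004 and posted 1003 twice.
HEADER = BatchTotals(record_count=6, control_total=Decimal("103435.75"), hash_total=149)
PROCESSED = [
    Invoice(1001, 17, Decimal("1200.00")),
    Invoice(1002, 22, Decimal("450.50")),
    Invoice(1003, 17, Decimal("98000.00")),
    Invoice(1003, 17, Decimal("98000.00")),
    Invoice(1005, 22, Decimal("3100.00")),
    Invoice(1006, 40, Decimal("610.00")),
]


def audit_report(header, records, limit):
    """Collect the exceptions an auditor would follow up on."""
    missing, duplicated = sequence_exceptions(records)
    return {
        "failed_controls": reconcile(header, records),
        "missing_invoices": missing,
        "duplicate_invoices": duplicated,
        "over_limit": [r.invoice_no for r in extract_over(records, limit)],
    }


if __name__ == "__main__":
    for key, value in audit_report(HEADER, PROCESSED, Decimal("50000")).items():
        print(f"{key}: {value}")
```

In the sample batch the record count still agrees with the header although one record is missing and another is posted twice; the control total and hash total are the controls that expose the error.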


Types of CAATs:
• Program Analysis - understanding the client’s programs. Relatively time-consuming and requires a high level of computer expertise; thus, these techniques are infrequently used in financial statement audits
• General Control Activities - involves the use of auditor-controlled actual or simulated data. The approach provides direct evidence about the operation of programs and programmed controls. Examples include
a. Test data: A set of dummy transactions is developed by the auditor and processed by the client’s computer programs to determine whether the controls which the auditor intends to test (not necessarily all controls) to restrict control risk are operating effectively.
b. Integrated test facility (ITF): This method introduces dummy transactions into a system in the midst of live transactions and is usually built into the system during the original design.
c. Parallel simulation: Parallel simulation processes actual client data through an auditor’s generalized audit software program and frequently, although not necessarily, the auditor’s computer. After processing the data, the auditor compares the output obtained with output obtained from the client.
• Continuous/concurrent testing - audit procedures that are able to identify and capture audit data as transactions occur. Advanced computer systems, particularly those using EDI, sometimes do not retain permanent audit trails, thus requiring capture of audit data as transactions are processed. Examples include:
a. Embedded audit modules and audit hooks - programmed routines incorporated into an application program that are designed to perform an audit function such as a calculation, or logging activity.
b. Systems control audit review files (SCARF) – A SCARF is a log, usually created by an embedded audit module, used to collect information for subsequent review and analysis. The auditor determines the appropriate criteria for review and the SCARF selects that type of transaction, peso limit, or other characteristic.
• Review of operating systems and other systems software - Systems software may perform controls for computer systems. Related audit techniques range from user-written programs to the use of purchasing operating systems monitoring software.
• Generalized Audit Software (GAS) - Various types of software that may include customized programs, utility software, and generalized audit software for performing tests of controls and substantive tests. Customized programs are written specifically for a client. Commercially produced utility software is used for sorting, merging, and other file maintenance tasks. Generalized audit software also performs such file maintenance tasks but generally requires a more limited understanding of the client’s hardware and software features. Functions that GAS may do include:
a. Record extraction – Extract (copy) records that meet certain criteria, such as (1) accounts receivable balances over the credit limit (2) Inventory items with negative quantities or unreasonably large quantities (3) Uncosted inventory items and (4) transactions with related parties.
b. Sorting (e.g., ascending or descending order)
c. Summarization, such as (1) by customer account number (2) inventory turnover statistics and (3) Duplicate sales invoices.
d. Field statistics, such as (1) net value, (2) total of all debt (credit values), (3) number of records, (4) average value, (5) maximum (minimum) value and (6) standard deviation
e. File comparisons such as (1) compare payroll details with personnel records and (2) compare current and prior period inventory files
f. Gap detection/duplicate detection—Find missing or duplicate records
g. Sampling
h. Calculation
i. Exportation – Select an application that has been performed using GAS and export to another file format (for additional analysis)
• Electronic Spreadsheets - often included in generalized audit software, may be used for applications such as analytical procedures and performing mathematical procedures; Microsoft’s Excel and Mac’s Sheets are examples of electronic spreadsheets. Also, auditors often use electronic spreadsheets to prepare working trial balances, lead, and other schedules. Such spreadsheets may significantly simplify the computational aspects of tasks such as incorporating adjustments and reclassifications on a worksheet and are relatively easy to use, inexpensive, and can be saved and easily modified in the future. Disadvantages include the need for auditor training, and the fact that original spreadsheet development takes a significant amount of time.
• Automated Workpaper Software – originally used to generate trial balances, lead schedules, and other workpapers; advances in computer technology (e.g., improvements in scanning) make possible an electronic workpaper environment. Ordinarily, this type of software is easy to use and inexpensive. The primary disadvantage is the time required to enter the data for the first year being audited.

Risks in CIS Environment
IS poses specific risks to internal control including:
• Systems or programs may inaccurately process information
• Unauthorized access to data may lead to destruction of data or inappropriate changes to data
• Unauthorized changes to data in master files
• Unauthorized changes to systems or programs
• Failure to make necessary changes to systems or programs
• Inappropriate manual intervention
• Potential loss of data

Auditor’s Procedures in CIS Environment
In a CIS environment, the auditor’s consideration of internal control includes an assessment of computerized as well as manual controls. Also, audit procedures may include computerized and manual procedures for considering internal control and for performing substantive tests.

• Use of an IT specialist
In determining whether specialized IT skills are needed to design and perform the audit, the auditor considers factors such as (1) complexity of entity’s systems and IT controls, (2) significance of changes made to existing systems, or implementation of new systems, (3) extent to which data is shared among systems, (4) extent of entity’s participation in electronic commerce, (5) entity’s use of emerging technologies, (6) significance of audit evidence available only in electronic form.

• Procedures an auditor may assign to a professional possessing IT skills


a. Inquiring of entity’s IT personnel on how data and transactions are initiated, recorded, processed, and reported, and how IT controls are designed
b. Inspecting systems documentation
c. Observing operation of IT controls
d. Planning and performing of tests of IT controls

• Documenting the understanding of internal control
a. For an information system with a large volume of transactions that are electronically initiated, recorded, processed, or reported, may include flowcharts, questionnaires, or decision tables
b. For an information system with limited or no use of IT, or for which few transactions are processed (e.g., long-term debt), a memorandum may be sufficient
c. When an auditor is performing only substantive tests to restrict detection risk to an acceptable level, the auditor should obtain evidence about the accuracy and completeness of the information

• Effects of IT on assessment of control risk
In determining whether to assess control risk at the maximum level or at a lower level, the auditor should consider (1) Nature of the assertion, (2) Volume of transactions, (3) Nature and complexity of systems, including use of IT and (4) Nature of available audit evidence, including evidence in electronic form.

• In designing tests of automated controls
a. The inherent consistency of IT processing may allow the auditor to reduce the extent of testing (e.g., use a smaller sample)
b. Computer-assisted audit techniques may be needed for automated controls

• Effects of IT on restriction of detection risk
a. An auditor may assess control risk at the maximum and perform substantive tests to restrict detection risk when he or she believes that the substantive tests by themselves would be more efficient than performing tests of controls (for example, the client has only a limited number of transactions related to fixed assets and long-term debt and the auditor can readily obtain corroborating evidence in the form of documents and confirmations).
b. When evidence is entirely or almost entirely electronic, the auditor in some circumstances may need to perform tests of controls. This is because it may be impossible to design effective substantive tests that by themselves provide sufficient evidence in circumstances such as when the client
- Uses IT to initiate orders using predetermined decision rules and to pay related payables based on system-generated information, and no other documentation is produced
- Provides electronic service to customers (e.g., Internet service provider or telephone company) and uses IT to log service provided, initiate bills, process billing, and automatically record amounts in accounting records.

Data Analytics

It encompasses the quantitative and qualitative procedures and methodologies to retrieve data out of data sources and then inspect the identified and required data based on data type to assist the decision-making process.

Businesses utilize data analytics to evaluate operational, financial, and other data to identify any departures from the norm (e.g., anomaly detection, potential risks) and opportunities as well for enhancement or advancement.

It has five (5) stages:
a. Define question – involves the identification of goals and objectives that the business is trying to achieve. Key Performance Indicators (KPIs) must be identified (i.e., financial ratios, variances).
b. Obtain relevant data (information discovery) – it allows valuable analysis, more precise correlations, and construction of meaningful analysis models and forecasts.
c. Clean or normalize data – it consists of getting rid of useless information and identifying missing data to strengthen data integrity.
d. Analyze data – this is to determine whether the data are the exact data needed. It also involves collecting new and different data, revising the original question and formulating new questions.

The following are application types of different data analytics methods:
1. Descriptive analysis – most basic and used method, it concentrates on reporting actual results.
2. Diagnostic analysis – provides the insights into the reason certain results occurred.
3. Predictive analysis – applying assumptions to data and predicting future results.
4. Prescriptive analysis – concentrates on what the business needs to do for the predicted future results to occur.
5. Anomaly detection – identifies unusual patterns or deviations from the norm or expected results.
6. Network analysis – analyzing network data and statistics to find patterns.
7. Text analysis – involves the utilization of text mining and natural language algorithms to find patterns in unstructured text.

e. Communicate results - this is to ensure the accuracy of information used, conclusions, and recommendations with the appropriate management.

Common Terms for Data Analytics:
Big Data – describes any voluminous amount of structured, semi-structured, or unstructured data that has the potential to be mined for information to reveal relationships and dependencies or to predict outcomes and behaviors.
4 Vs of Big Data – volume, variety, velocity and veracity
Volume - describes the large amount of data captured over time.
Variety - data exist in a wide variety of file types.
Velocity - data exist in a wide variety of file types.
Veracity - data exist in a wide variety of file types.
Value (the 5th V in Big Data) – it is only as valuable as the business outcomes it makes possible
Data mining - the search for unexpected relationships among data. It combines information technology and statistics with a goal of analyzing data from different perspectives and summarizing it into useful information. It is an iterative process by means of continuous review and rethinking (i.e., enhancements of previous analysis) while working to obtain the desired results.
Simple regression - process of deriving a linear equation that describes the relationship between two variables (y = a + bx).


Multiple regression - it is used when there is more than one independent variable
Standard error - measures how well the linear equation represents the data
Goodness-of-fit test - assists with determining whether the sample is representative of the population (validates assumptions).
Confidence level - the percentage of times that a sample is expected to be representative of the population (i.e., a confidence level of 95% should result in representative samples 95% of the time).
Confidence interval - for a given confidence level is the range around a sample value that is expected to contain the true population value.
Sensitivity analysis - uses trial-and-error to determine the effects of changes in variables or assumptions on results. It is useful in deciding whether expending additional resources to obtain better forecasts is justified.
Simulation - is a sophisticated refinement of probability theory and sensitivity analysis
Monte Carlo Simulation - method often is used in simulation to generate the individual values for a random variable. The performance of a quantitative model under uncertainty may be investigated by randomly selecting values for each of the variables in the model (based on the probability distribution of each variable) and then calculating the value of the solution.
Delphi Approach - solicits opinions from experts, summarizes the opinions, and feeds the summaries back to the experts (without revealing participants to each other).
Time Series Analysis (also called trend analysis) - the process of projecting future trends based on experience. It is a regression model in which the independent variable is time.
Predictive Analytics - is technology that uses data (historical, current, and predicted), statistical algorithms, and machine learning techniques to draw insights on such trends as consumer or industry behavior patterns.
Exploratory Data Analysis (EDA) - is an approach to data analysis that differs from traditional modeling and analytic techniques by encouraging the data itself to reveal its underlying structure rather than prematurely applying a hypothesis or statistical method. It is often used as a first step or pre-step in the data analysis process.
What-if Analysis - process of determining the effects on outcomes in a model through changes in scenarios.
Goal-seeking - occurs when the decision maker has a specific outcome in mind and needs to determine how it can be achieved.
Hadoop - is an open-source, Java-based software framework that stores large amounts of data and runs applications on clusters of commodity hardware
In-memory analytics - analyzes data from system memory instead of secondary storage. This approach

Data Visualization

This refers to any effort to help readers or other users understand the significance of data by placing it in a visual context, such as a graph or chart such as the following:

a. Statistical Control Charts - graphic aids for monitoring the status of any process subject to acceptable or unacceptable variations during repeated operations.
b. Pareto Diagrams - a bar chart that assists managers in quality control analysis.
c. Histograms - similar to a Pareto diagram but the major distinction is that histograms display a continuum for the independent variable.
d. Fishbone Diagrams (also called Cause-and-Effect Diagram) - is a total quality management process improvement method that is useful in studying causation (why the actual and desired situations differ).
e. Boxplots - provides a visual to illustrate how tight or spread-out data is and whether any outliers exist by displaying the data distribution in quartiles
f. Tables - illustrates data in rows and columns.
g. Dot Plots (similar to a histogram) - a graph that illustrates the distribution for each factor using dots.
h. Line Charts - illustrates information as a series of data points (commonly known as markers) connected by a straight line. It is effective for identifying patterns.
i. Scatter Plots (similar to a line chart) - utilizes the horizontal (variable x) and vertical (variable y) axes to illustrate the correlation among two variables.
j. Bubble Charts – similar to a scatter plot; however, a bubble chart incorporates a third variable consisting of a grouping of data points represented by the size of the bubble.
k. Pie Charts - a graph in the shape of a circle with each “pie slice” representing relative sections of a whole population size.
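The record extraction, sorting and summarization functions that these notes list for generalized audit software can be pictured with the following added example, which is not part of the handout and does not reproduce any commercial GAS product. The file layouts, field names, sample records and the 100,000-unit "unreasonably large" threshold are constructed assumptions.

```python
"""GAS-style audit tests run over constructed client extracts (illustrative only)."""
import csv
import io
from collections import Counter, defaultdict
from decimal import Decimal

# Constructed sample data, standing in for files copied from a client system.
AR_CSV = """customer_no,balance,credit_limit
C001,12500.00,10000.00
C002,4300.50,5000.00
C003,0.00,2000.00
C004,25000.00,25000.00
C005,7800.25,7500.00
"""

INVENTORY_CSV = """item_no,quantity,unit_cost
I100,40,12.50
I101,-6,8.00
I102,250000,0.75
I103,15,0.00
I104,0,3.20
"""

SALES_CSV = """invoice_no,customer_no,amount
S9001,C001,5000.00
S9002,C002,4300.50
S9003,C001,7500.00
S9002,C002,4300.50
S9004,C005,7800.25
S9003,C001,7500.00
"""


def load(text):
    """Read a CSV extract into a list of dict records."""
    return list(csv.DictReader(io.StringIO(text)))


def extract(records, predicate):
    """Record extraction: copy (never modify) the records that meet a criterion."""
    return [dict(r) for r in records if predicate(r)]


def ar_over_limit(ar):
    """Accounts receivable balances over the credit limit (equal is not over)."""
    return extract(ar, lambda r: Decimal(r["balance"]) > Decimal(r["credit_limit"]))


def inventory_exceptions(inv, max_qty=100000):
    """Negative or unreasonably large quantities, and uncosted items.

    max_qty is an assumed auditor-set threshold, not a value from the handout.
    """
    return {
        "negative_qty": extract(inv, lambda r: int(r["quantity"]) < 0),
        "large_qty": extract(inv, lambda r: int(r["quantity"]) > max_qty),
        "uncosted": extract(inv, lambda r: Decimal(r["unit_cost"]) == 0),
    }


def sort_by(records, field, descending=True):
    """Sorting: order records by a numeric field, ascending or descending."""
    return sorted(records, key=lambda r: Decimal(r[field]), reverse=descending)


def total_by_customer(sales):
    """Summarization by customer account number."""
    totals = defaultdict(Decimal)
    for r in sales:
        totals[r["customer_no"]] += Decimal(r["amount"])
    return dict(totals)


def duplicate_invoices(sales):
    """Summarization: invoice numbers that appear more than once."""
    counts = Counter(r["invoice_no"] for r in sales)
    return sorted(number for number, seen in counts.items() if seen > 1)


def run_audit():
    """Run every test and return the exceptions for the auditor's follow-up."""
    ar, inv, sales = load(AR_CSV), load(INVENTORY_CSV), load(SALES_CSV)
    return {
        "ar_over_limit": sort_by(ar_over_limit(ar), "balance"),
        "inventory": inventory_exceptions(inv),
        "sales_by_customer": total_by_customer(sales),
        "duplicate_invoices": duplicate_invoices(sales),
    }


if __name__ == "__main__":
    for name, result in run_audit().items():
        print(name, result)
```

The customer totals are computed on the file as received, so the duplicated invoices inflate them; comparing the totals with the duplicate list shows the auditor which balances to re-examine.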

MULTIPLE CHOICE

COMPUTER INFORMATION SYSTEMS (CIS) ENVIRONMENT

1. Which statement is incorrect when auditing in a CIS environment?
a. A CIS environment exists when a computer of any type or size is involved in the processing by the entity of financial information of significance to the audit, whether that computer is operated by the entity or by a third party.
b. The auditor should consider how a CIS environment affects the audit.
c. The use of a computer changes the processing, storage and communication of financial information and may affect the accounting and internal control systems employed by the entity.
d. A CIS environment changes the overall objective and scope of an audit.

2. Which of the following is least likely a risk characteristic associated with CIS environment?
a. Errors embedded in an application’s program logic may be difficult to manually detect on a timely basis.
b. Many control procedures that would ordinarily be performed by separate individuals in manual system may be concentrated in CIS.
c. The potential unauthorized access to data or to alter them without visible evidence may be greater.
d. Initiation of changes in the master file is exclusively handled by respective users.

3. Corrections to transaction data in which errors have been detected should be made by the:
a. computer operator.
b. data control clerk.
c. user departments.
d. programmer.
e. information systems director.

4. In order to maintain good internal control:
a. computer operators need to be good programmers.
b. programmers should have control over day-to-day production runs.
c. computer operators should be allowed to make changes in programs as needed in order to keep the computer running.
d. programmers and computer operators should be in separate organizational units of the information systems function.
e. the data librarian should be able to operate the computer.

5. Which of the following responsibilities should not be assigned to members of the information systems function?
a. Designing new information systems
b. Preparing documentation for new information systems
c. Maintaining a data and program library
d. Initiating changes to the files maintained in the database
e. Processing transaction data

6. Which is the most objectionable assignment of responsibilities within the information systems function?
a. Programmers maintain the processing and output controls for applications.
b. Systems analysts maintain systems documentation.
c. Data processing supervisors schedule the processing times for applications.
d. Data control clerks establish controls over batches of transactions received from user departments.
e. Data librarians maintain custody over data files.

7. Which of the following is an inherent characteristic of a software package?
a. They are typically used without modifications of the programs.
b. The programs are tailor-made according to the specific needs of the user.
c. They are developed by a software manufacturer according to a particular user’s specifications.
d. It takes a longer time of implementation.

8. It is a computer program (a block of executable code) that attaches itself to a legitimate program or data file and uses it as a transport mechanism to reproduce itself without the knowledge of the user.
a. Virus
b. Utility program
c. System management program
d. Encryption

9. A warehouse employee of a retail firm concealed the theft of merchandise inventory items by entering adjustments to the computer-based inventory records indicating that the items had been damaged or lost. Which control would be most suitable for preventing this fraud?
a. Check digits in inventory item numbers
b. Validity checks on inventory item numbers
c. Passwords allowing changes to inventory records that are assigned only to authorized employees
d. Removal of computer terminals from the warehouse

10. Which of the following least likely protects critical and sensitive information from unauthorized access in a personal computer environment?
a. Using secret file names and hiding the files.
b. Keeping of back up copies offsite.
c. Employing passwords.
d. Segregating data into files organized under separate file directories.

11. It refers to plans made by the entity to obtain access to comparable hardware, software and data in the event of their failure, loss or destruction.
a. Back-up
b. Encryption
c. Anti-virus
d. Wide Area Network (WAN)

12. Operating documentation is of primary interest to:
a. computer operators.
b. computer programmers.
c. systems analysts.
d. users.
e. operations management.

13. Computer systems that enable users to access data and programs directly through workstations are referred to as
a. Online computer systems
b. Database management systems (DBMS)
c. Personal computer systems
d. Database systems

14. Which of the following employees in a firm's information systems function should be responsible for designing new or improved transaction processing procedures?
a. Flowchart editor
b. Programmer
c. Systems analyst
d. Control-group supervisor
e. Database administrator

15. In an online/real time processing system
a. Individual transactions are entered at workstations, validated and used to update related computer files immediately.
b. Individual transactions are entered at a workstation, subjected to certain validation checks and added to a transaction file that contains other transactions entered during the period.
c. Individual transactions immediately update a memo file containing information which has been extracted from the most recent version of the master file.
d. The master files are updated by other systems.


16. It is a communication system that enables computer users to share computer equipment, application software, data and voice and video transmissions.
a. Network
b. File server
c. Host
d. Client

17. The following matters are of particular importance to the auditor in an online computer system, except
a. Authorization, completeness and accuracy of online transactions.
b. Integrity of records and processing, due to online access to the system by many users and programmers.
c. Changes in the performance of audit procedures including the use of CAATs.
d. Cost-benefit ratio of installing online computer system.

18. Which of the following is least likely a characteristic of a database system?
a. Individual applications share the data in the database for different purposes.
b. Separate data files are maintained for each application and similar data used by several applications may be repeated on several different files.
c. A software facility is required to keep track of the location of the data in the database.
d. Coordination is usually performed by a group of individuals whose responsibility is typically referred to as "database administration."

19. The applications of auditing procedures using the computer as an audit tool refer to
a. Integrated test facility
b. Data-based management system
c. Auditing through the computer
d. Computer-assisted audit techniques

20. Consists of generalized computer programs designed to perform common audit tasks or standardized data processing functions.
a. Package or generalized audit software
b. Customized or purpose-written programs
c. Utility programs
d. System management programs

21. An internal auditor noted the following points when conducting a preliminary survey in connection with the audit of an EDP department. Which of the following would be considered a safeguard in the control system on which the auditor might rely?
a. Programmers and computer operators correct daily processing problems as they arise.
b. The control group works with user organizations to correct rejected input.
c. New systems are documented as soon as possible after they begin processing live data.
d. The average tenure of employees working in the EDP department is ten months.

22. Some of the more important controls that relate to automated accounting information systems are validity checks, limit checks, field checks, and sign tests. These are classified as
a. Control total validation routines
b. Hash totaling
c. Output controls
d. Input validation routines

23. Which one of the following represents a lack of internal control in a computer-based information system?
a. The design and implementation is performed in accordance with management’s specific authorization.
b. Any and all changes in application programs have the authorization and approval of management.
c. Provisions exist to protect data files from unauthorized access, modification, or destruction.
d. Both computer operators and programmers have unlimited access to the programs and data files.

24. The reporting of accounting information plays a central role in the regulation of business operations. Preventive controls are an integral part of virtually all accounting processing systems, and much of the information generated by the accounting system is used for preventive control purposes. Which one of the following is not an essential element of a sound preventive control system?
a. Separation of responsibilities for the recording, custodial, and authorization functions.
b. Sound personnel policies.
c. Documentation of policies and procedures.
d. Implementation of state-of-the-art software and hardware.

25. Which of the following most likely represents a significant deficiency in the internal control structure?
a. The systems analyst reviews applications of data processing and maintains systems documentation.
b. The systems programmer designs systems for computerized applications and maintains output controls.
c. The control clerk establishes control over data received by the EDP department and reconciles control totals after processing.
d. The accounts payable clerk prepares data for computer processing and enters the data into the computer.

26. An auditor most likely would introduce test data into a computerized payroll system to test internal controls related to the
a. Existence of unclaimed payroll checks held by supervisors.
b. Early cashing of payroll checks by employees.
c. Discovery of invalid employee ID numbers.
d. Proper approval of overtime by supervisors.

27. Which of the following controls most likely would assure that an entity can reconstruct its financial records?
a. Hardware controls are built into the computer by the computer manufacturer.
b. Backup diskettes or tapes of files are stored away from originals.
c. Personnel who are independent of data input perform parallel simulations.
d. System flowcharts provide accurate descriptions of input and output operations.

28. When an auditor tests a computerized accounting system, which of the following is true of the test data approach?
a. Test data must consist of all possible valid and invalid conditions.
b. The program tested is different from the program used throughout the year by the client.
c. Several transactions of each type must be tested.
d. Test data are processed by the client’s computer programs under the auditor’s control.

29. Which of the following methods of testing application controls utilizes a generalized audit software package prepared by the auditors?
a. Parallel simulation
b. Integrated testing facility approach
c. Test data approach
d. Exception report tests


30. Where disk files are used, the grandfather-father-son updating backup concept is relatively difficult to implement because the
a. Location of information points on disks is an extremely time consuming task.
b. Magnetic fields and other environmental factors cause off-site storage to be impractical.
c. Information must be dumped in the form of hard copy if it is to be reviewed before used in updating.
d. Process of updating old records is destructive.

31. Which of the following is an example of a check digit?
a. An agreement of the total number of employees to the total number of checks printed by the computer.
b. An algebraically determined number produced by the other digits of the employee number.
c. A logic test that ensures all employee numbers are nine digits.
d. A limit check that an employee’s hours do not exceed 50 hours per work week.

32. In a computerized system, procedure or problem-oriented language is converted to machine language through a(an)
a. Interpreter
b. Verifier
c. Compiler
d. Converter

33. Test data, integrated test data and parallel simulation each require an auditor to prepare data and computer programs. CPAs who lack either the technical expertise or time to prepare programs should request from the manufacturers or EDP consultants for
a. The program code
b. Flowchart checks
c. Generalized audit software
d. Application controls

34. Which of the following should be a responsibility of the information systems function?
a. Initiating transactions
b. Initiating changes to programs
c. Maintaining custody over cash assets
d. Processing transactions
e. Correcting errors in transaction data

35. Which one of the following represents a weakness in internal control in computer-based AIS?
a. Any and all changes in application programs have the authorization and approval of management.
b. Provisions exist to ensure the accuracy and integrity of computer processing of all files and reports.
c. Provisions exist to protect files from unauthorized access, modification, or destruction.
d. Both computer operators and programmers have unlimited access to the programs and data files.

36. To obtain evidence that user identification and password control procedures are functioning as designed, an auditor would most likely
a. Attempt to sign on to the system using invalid user identifications and passwords.
b. Write a computer program that simulates the logic of the client’s access control software.
c. Extract a random sample of processed transactions and ensure that the transactions were appropriately authorized.
d. Examine statements signed by employees stating that they have not divulged their user identifications and passwords to any other person.

37. General controls include controls:
a. designed to ascertain that all transaction data are accurate.
b. that relate to the correction and resubmission of data that were initially incorrect.
c. for documenting and approving programs and changes to programs.
d. designed to assure the accuracy of the processing steps.

38. The use of a programmed check or edit test with respect to transaction data is an example of a:
a. preventive control
b. detective control
c. corrective control
d. check control

39. Which of the following represents a sound organizational control with respect to information system activities?
a. Allowing the user departments to specify data processing standards
b. Allowing requests for system changes to be initiated by the computer operator
c. Allowing the user departments to submit data for processing directly to the computer operators
d. Allowing the user departments to prepare input data

40. Which of the following policies or practices is most likely to represent a weakness in internal control pertaining to a computer-based system?
a. Employees in the data processing department are prohibited from initiating requests for changes to master files.
b. Computer programmers are not permitted to operate the computer for regular processing runs, which involve programs that they have written.
c. Computer operators who run the programs pertaining to inventory are prohibited from reconciling batch totals after computer runs.
d. All corrections of errors in the master file are reviewed and approved by a supervisory level employee who is a member of the data processing department.

41. In performing a risk-based audit, which risk assessment is completed initially by the IS auditor?
a. Detection risk assessment
b. Control risk assessment
c. Inherent risk assessment
d. Fraud risk assessment

42. The FIRST step in planning an audit is to:
a. define audit deliverables.
b. finalize the audit scope and audit objectives.
c. gain an understanding of the business’s objectives.
d. develop the audit approach or audit strategy.

43. A company performs a daily backup of critical data and software files and stores the backup tapes at an offsite location. The backup tapes are used to restore the files in case of a disruption. This is a:
a. preventive control.
b. management control.
c. corrective control.
d. detective control.

44. What is considered the MOST critical element for the successful implementation of an information security (IS) program?
a. An effective enterprise risk management (ERM) framework
b. Senior management commitment
c. An adequate budgeting process
d. Meticulous program planning

45. Which of the following tasks may be performed by the same person in a well-controlled information processing computer center?
a. Security administration and change management
b. Computer operations and system development


c. System development and change management
d. System development and systems maintenance

46. When a complete segregation of duties cannot be achieved in an online system environment, which of the following functions should be separated from the others?
a. Origination
b. Authorization
c. Recording
d. Correction

47. An IS auditor is verifying the IT policies and found that some of the policies have not been approved by management (as required by policy), but the employees strictly follow the policies. What should the IS auditor do first?
a. Ignore the absence of management approval because employees follow the policies
b. Recommend the immediate management approval of the policies.
c. Emphasize the importance of approval to management
d. Report the absence of documented approval

48. An IS auditor is reviewing changes to a company’s disaster recovery (DR) strategy. The IS auditor notices that the recovery point objective (RPO) has been shortened for the company’s mission-critical application. What is the MOST significant risk of this change?
a. The existing DR plan is not updated to achieve the new RPO
b. The DR team has not been trained on the new RPO
c. Backups are not done frequently enough to achieve the new RPO
d. The plan has not been tested with the new RPO

49. A poor choice of passwords and transmission over unprotected communications lines are examples of:
a. Vulnerabilities
b. Threats
c. Probabilities
d. Impacts

50. An IS auditor is planning an audit of a bank wire transfer system in the context of a regulation that requires banks to accurately report transactions. Which of the following represents the PRIMARY focus of the audit scope?
a. Data availability
b. Data confidentiality
c. Currency of data
d. Data integrity

51. Online systems allow users to initiate various functions directly. Such functions include:
I. Entering transactions
II. Making inquiries
III. Requesting reports
IV. Updating master files
a. I, II, III and IV
b. I, II and III
c. I and II
d. I and IV

52. Which of the following is the deliverable from the analysis phase of systems development?
a. Approved project proposal
b. Requirements
c. Specifications
d. Selected hardware and software
e. Installed physical system

53. Which of the following is the deliverable from the design phase of systems development?
a. Approved project proposal
b. Requirements
c. Specifications
d. Selected hardware and software
e. Installed physical system

54. It combines online/real time processing and online/batch processing.
a. Online/Memo Update
b. Online Downloading/Uploading Processing
c. Online/inquiry
d. Online/combined processing

55. A type of network in which multiple buildings are close enough to create a campus, but the space between the buildings is not under the control of the company, is
a. Local Area Network (LAN)
b. Wide Area Network (WAN)
c. Metropolitan Area Network (MAN)
d. World Wide Web (WWW)

56. Which of the following is least likely a characteristic of Wide Area Network (WAN)?
a. Created to connect two or more geographically separated LANs.
b. Typically involves one or more long-distance providers, such as a telephone company to provide the connections.
c. WAN connections tend to be faster than LAN.
d. Usually more expensive than LAN.

57. A collection of data that is shared and used by a number of different users for different purposes.
a. Database
b. Information file
c. Master file
d. Transaction file

58. Database administration tasks typically include
I. Defining the database structure.
II. Maintaining data integrity, security and completeness.
III. Coordinating computer operations related to the database.
IV. Monitoring system performance.
V. Providing administrative support.
a. All of the above
b. All except I
c. II and V only
d. II, III and V only

59. General CIS controls may include, except:
a. Organization and management controls.
b. Development and maintenance controls.
c. Delivery and support controls.
d. Controls over computer data files.

60. CIS application controls include, except
a. Controls over input.
b. Controls over processing and computer data files.
c. Controls over output.
d. Monitoring controls.

61. Which statement is incorrect regarding CAATs?
a. CAATs are often an efficient means of testing a large number of transactions or controls over large populations.
b. To ensure appropriate control procedures, the presence of the auditor is not necessarily required at the computer facility during the running of a CAAT.
c. The general principles outlined in PAPS 1009 apply in small entity IT environments.
d. Where smaller volumes of data are processed, the use of CAATs is more cost effective.

62. Audit automation least likely includes
a. Expert systems.
b. Tools to evaluate a client’s risk management procedures.
c. Manual working papers.


d. Corporate and financial modeling programs for use as predictive audit tests.

63. A control procedure that could be used in an online system to provide an immediate check on whether an account number has been entered on a terminal accurately is a
a. Compatibility test
b. Hash total
c. Record count
d. Self-checking digit

64. A control designed to catch errors at the point of data entry is
a. Batch total
b. Record count
c. Self-checking digit
d. Checkpoints

65. Program documentation is a control designed primarily to ensure that
a. Programmers have access to the tape library or information on disk files.
b. Programs do not make mathematical errors.
c. Programs are kept up to date and perform as intended.
d. Data have been entered and processed.

66. In an automated payroll processing environment, a department manager substituted the time card for a terminated employee with a time card for a fictitious employee. The fictitious employee had the same pay rate and hours worked as the terminated employee. The best control technique to detect this action using employee identification numbers would be a
a. Batch total
b. Hash total
c. Record count
d. Subsequent check

67. An employee in the receiving department keyed in a shipment from a remote terminal and inadvertently omitted the purchase order number. The best systems control to detect this error would be
a. Batch total
b. Completeness test
c. Sequence check
d. Reasonableness test

68. The most critical aspect regarding separation of duties within information systems is between
a. Project leaders and programmers
b. Programmers and computer operators
c. Programmers and systems analysts
d. Data control and file librarians

69. Which of the following characteristics distinguishes computer processing from manual processing?
a. Computer processing virtually eliminates the occurrence of computational error normally associated with manual processing.
b. Errors or irregularities in computer processing will be detected soon after their occurrences.
c. The potential for systematic error is ordinarily greater in manual processing than in computerized processing.
d. Most computer systems are designed so that transaction trails useful for audit do not exist.

70. Which of the following activities would most likely be performed in the EDP Department?
a. Initiation of changes to master records.
b. Conversion of information to machine-readable form.
c. Correction of transactional errors.
d. Initiation of changes to existing applications.

71. For control purposes, which of the following should be organizationally segregated from the computer operations function?
a. Data conversion
b. Surveillance of CRT messages
c. Systems development
d. Minor maintenance according to a schedule

72. In an automated payroll system, all employees in the finishing department were paid the rate of P75 per hour when the authorized rate was P70 per hour. Which of the following controls would have been most effective in preventing such an error?
b. Access controls which would restrict the personnel department’s access to the payroll master file data.
c. A review of all authorized pay rate changes by the personnel department.
d. The use of batch control totals by department.
e. A limit test that compares the pay rates per department with the maximum rate for all employees.

73. For the accounting system of ACME Company, the amounts of cash disbursements entered into an EDP terminal are transmitted to the computer that immediately transmits the amounts back to the terminal for display on the terminal screen. This display enables the operator to
a. Establish the validity of the account number
b. Verify the amount was entered accurately
c. Verify the authorization of the disbursements
d. Prevent the overpayment of the account

74. An auditor anticipates assessing control risk at a low level in a computerized environment. Under these circumstances, on which of the following procedures would the auditor initially focus?
a. Programmed control procedures
b. Application control procedures
c. Output control procedures
d. General control procedures

75. To obtain evidence that online access controls are properly functioning, an auditor most likely would
a. Create checkpoints at periodic intervals after live data processing to test for unauthorized use of the system.
b. Examine the transaction log to discover whether any transactions were lost or entered twice due to a system malfunction
c. Enter invalid identification numbers or passwords to ascertain whether the system rejects them.
d. Vouch a random sample of processed transactions to assure proper authorization

76. An auditor would least likely use computer software to
a. Access client data files
b. Prepare spreadsheets
c. Assess EDP controls
d. Construct parallel simulations

77. A primary advantage of using generalized audit software packages to audit the financial statements of a client that uses an EDP system is that the auditor may
a. Consider increasing the use of substantive tests of transactions in place of analytical procedures.
b. Substantiate the accuracy of data through self-checking digits and hash totals.
c. Reduce the level of required tests of controls to a relatively small amount.
d. Access information stored on computer files while having a limited understanding of the client’s hardware and software features.

78. The use of a generalized audit software package
a. Relieves an auditor of the typical tasks of investigating exceptions, verifying sources of information, and evaluating reports.


b. Is a major aid in retrieving information from computerized files.
c. Overcomes the need for an auditor to learn much about computers.
d. Is a form of auditing around the computer.

79. Which of the following computer-assisted auditing techniques allows fictitious and real transactions to be processed together without client operating personnel being aware of the testing process?
a. Integrated test facility
b. Input controls matrix
c. Parallel simulation
d. Data entry monitor

80. If a control total were computed on each of the following data items, which would best be identified as a hash total for a payroll EDP application?
a. Total debits and total credits
b. Net pay
c. Department numbers
d. Hours worked

81. A customer erroneously ordered Item No. 86321 rather than item No. 83621. When this order is processed, the vendor’s EDP department would identify the error with what type of control?
a. Key verifying
b. Self-checking digit
c. Batch total
d. Item inspection

82. The computer process whereby data processing is performed concurrently with a particular activity and the results are available soon enough to influence the course of action being taken or the decision being made is called:
a. Random access sampling
b. Integrated data processing
c. Online, real-time system
d. Batch processing system

83. Internal control is ineffective when computer department personnel
a. Participate in computer software acquisition decisions.
b. Design documentation for computerized systems.
c. Originate changes in master file.
d. Provide physical security for program files.

84. Which of the following tasks could not be performed when using a generalized audit software package?
a. Selecting inventory items for observations.
b. Physical count of inventories.
c. Comparison of inventory test counts with perpetual records.
d. Summarizing inventory turnover statistics for obsolescence analysis.

85. The output of a parallel simulation should always be
a. Printed on a report.
b. Compared with actual results manually.
c. Compared with actual results using a comparison program.
d. Reconciled to actual processing output.

86. Generalized audit software is a computer-assisted audit technique. It is one of the widely used techniques for auditing computer application systems. Generalized audit software is most often used to
a. Verify computer processing.
b. Process data fields under the control of the operation manager.
c. Independently analyze data files.
d. Both a and b.

87. Which of the following is least affected by the presence of computer-based processing?
a. Security measures
b. Control objectives
c. General controls
d. Application controls

88. The primary responsibility for establishing an adequate internal control structure within a computerized information system rests with the:
a. auditors.
b. audit committee.
c. information systems director.
d. higher-level management.

89. Which of the following generally enter transaction data in online processing applications?
a. User departments
b. Computer operations
c. Data control unit
d. Database administration

90. Which of the following is a violation of internal control in a computer-based system?
a. The data librarian maintains custody of computer programs.
b. Computer operators are provided program documentation.
c. The data control unit is solely responsible for the distribution of all computer output.
d. Computer programmers write programs based on specifications developed by the systems analyst.

91. Which of the following BEST describes the early stages of an IS audit?
a. Observing key organizational facilities
b. Assessing the IS environment
c. Understanding the business process and environment applicable to the review
d. Reviewing prior IS audit reports

92. While developing a risk-based audit program, on which of the following would the IS auditor MOST likely focus?
a. Business processes
b. Critical IT applications
c. Operational controls
d. Business strategies

93. Which of the following types of audit risk assumes an absence of compensating controls in the area being reviewed?
a. Control risk
b. Detection risk
c. Inherent risk
d. Sampling risk

94. The PRIMARY use of generalized audit software (GAS) is to:
b. test controls embedded in programs.
c. test unauthorized access to data.
d. extract data of relevance to the audit
e. reduce the need for transaction vouching

95. The approach an IS auditor should use to plan IS audit coverage should be based on:
a. risk.
b. materiality.
c. professional skepticism.
d. detective control.

96. Which of the following would be included in an IS strategic plan?
a. Specifications for planned hardware purchases
b. Analysis of future business objectives
c. Target dates for development projects
d. Annual budgetary targets for the IS department

97. Which of the following is the MOST critical control over database administration?
a. Approval of DBA activities
b. Segregation of duties
c. Review of access logs and activities
d. Review of the use of database tools

98. In a small organization, where segregation of duties is not practical, an employee performs the function of computer operator and application programmer. Which of the following controls should an IS auditor recommend?
a. Automated logging of changes to development libraries
b. Additional staff to provide segregation of duties
c. Procedures that verify that only approved program changes are implemented
d. Access controls to prevent the operator from making program modifications

99. In a risk-based audit approach, the IS auditor must consider the inherent risk as well as considering:
a. How to eliminate the risk through the application of controls.
b. The balance of loss potential vs. the cost to implement controls.
c. Whether the risk is material, regardless of management’s tolerance for risk.
d. Whether the residual risk is higher than the insurance coverage purchased

100. The IS auditor is reviewing a recently completed conversion to a new enterprise resource planning (ERP) system. As the final stage of the conversion process, the organization ran the old and new systems in parallel for 30 days before allowing the new system to run on its own. What is the MOST significant advantage to the organization by using this strategy?
a. Significant cost savings over other testing approaches
b. Assurance that new, faster hardware is compatible with the new system
c. Assurance that the new system meets functional requirements
d. Increased resiliency during the parallel processing time

101. Which of the following are key technologies of big data?
I. In-memory analytics
II. Data mining
III. Text mining
a. I only.
b. II only.
c. I and III only.
d. I, II, and III.

102. Which of the following can be discovered using a data-mining process?
a. Data structure
b. Previously unknown information
c. Artificial intelligence
d. Standard query reporting

103. Which of the following best describes a characteristic of big data?
a. Collected data often provides straightforward answers to users.
b. Data collected are free from useless information or incorrect variables.
c. Big data is in a visual context, such as a graph or chart, rather than a text format.
d. Data of untapped markets is often not collected.

104. Which of the following best represents the application of predictive analytics?
a. The human resource manager prepares an analysis to show which departments have the highest employee turnover.
b. The website recommends pet toys and bedding after the customer purchases pet food.
c. A consultant organizes an analysis of causation for dissatisfied workers and possible interactions among causes.
d. A cost accountant monitors whether direct materials used are within the acceptable variations for the last 6 months.

105. Which is the correct order of the steps in the data mining process?
I. Perform regression analysis to generate an equation that models the data.
II. Identify anomalies and unusual data records.
III. Prepare visual presentations and reports.
IV. Generalize the relationships among data.
V. Find relationships between variables and group the relationships.
a. I, V, IV, II, III.
b. II, V, IV, I, III.
c. II, I, IV, V, III.
d. II, IV, V, III, I.
