
Auditing in A Cis Environment

The document discusses advantages and disadvantages of manual vs computerized accounting systems and processing. It provides examples of internal controls over computer systems and discusses audit challenges related to computerized systems. Some key points:
- It is easier for unauthorized access in computerized systems compared to manual files.
- Computer processing eliminates computational errors associated with manual processing.
- In computerized systems, data can be erased without visible evidence, posing an audit challenge.
- Controls over access to data files and change management help address risks in computerized systems.

Uploaded by

Peter Banjao

Which of the following statements most likely represents a disadvantage for an entity that
maintains data files on personal computers (PCs) rather than manually prepared files?

It is usually more difficult to compare recorded accountability with the physical count of
assets.

Random error associated with processing similar transactions in different ways is usually
greater.

Attention is focused on the accuracy of the programming process rather than errors in
individual transactions.

It is usually easier for unauthorized persons to access and alter the files.
Ans.
It is usually easier for unauthorized persons to access and alter the files.

A characteristic that distinguishes computer processing from manual processing is

The potential for systematic error is ordinarily greater in manual processing than in computerized
processing.

Errors or fraud in computer processing will be detected soon after their occurrences.

Most computer systems are designed so that transaction trails useful for audit purposes do not
exist.

Computer processing virtually eliminates the occurrence of computational errors normally
associated with manual processing.
Ans.
Computer processing virtually eliminates the occurrence of computational errors normally
associated with manual processing.

A common difficulty in auditing a computerized accounting system is

Data can be erased from the computer with no visible evidence.

Because of the lack of an audit trail, computer systems have weaker controls and more
substantive testing is required.

Because of the uniform nature of transaction processing, computer systems have strong controls
and less substantive testing is required.

The large dissemination of entry points into the computer system leads to weak overall reliance
on information generated by a computer.
Ans.
Data can be erased from the computer with no visible evidence.

Which of the following statements most likely represents a disadvantage for an entity that keeps
microcomputer-prepared data files rather than manually prepared files?

Random error associated with processing similar transactions in different ways is usually greater.

It is usually more difficult to compare recorded accountability with physical count of assets.

Attention is focused on the accuracy of the programming process rather than errors in individual
transactions.

It is usually easier for unauthorized persons to access and alter the files.
Ans.
It is usually easier for unauthorized persons to access and alter the files.

Computer systems are typically supported by a variety of utility software packages that are
important to an auditor because they

May enable unauthorized changes to data files if not properly controlled.


Are very versatile programs that can be used on hardware of many manufacturers.
May be significant components of a client’s application programs.
Are written specifically to enable auditors to extract and sort data.
Ans.
May enable unauthorized changes to data files if not properly controlled.

Which of the following activities would most likely be performed in the CIS department?

Initiation of changes to master records


Conversion of information to machine-readable form
Correction of transactional errors
Initiation of changes to existing applications
Ans.
Conversion of information to machine-readable form

Which would largely change in an audit of a CIS environment?

The overall objective and scope of an audit


The basic concept of evidence accumulation
Type of procedures for control
Specific methods in implementing the basic audit concepts
Ans.
Specific methods in implementing the basic audit concepts

The use of a computer changes the processing, storage, and communication of financial
information. A CIS environment may affect the following, except

The accounting and internal control systems of the entity.

The overall objective and scope of an audit.

The auditor’s design and performance of tests of control and substantive procedures to satisfy the
audit objectives.

The specific procedures to obtain knowledge of the entity’s accounting and internal control
systems.
Ans.
The overall objective and scope of an audit.

Which of the following is not an advantage of a computerized accounting system?

Computers process transactions uniformly


Computers help alleviate human errors
Computers can process many transactions quickly
Computers leave a thorough audit trail which can be easily followed
Ans.
Computers leave a thorough audit trail which can be easily followed

Which attribute below relates more to computer processing than manual processing?

There is always an assurance that complete transaction trails useful for audit purposes are
preserved for an indefinite period.

Control procedures as to segregation of functions may no longer be necessary.

The likelihood of clerical errors is increased.

Similar transactions are uniformly subjected to similar instructions.


Ans.
Similar transactions are uniformly subjected to similar instructions.

The characteristics that distinguish computer processing from manual processing include
the following:
1) Computer processing uniformly subjects like transactions to the same
instructions.
2) Computer systems always ensure that complete transaction trails useful for
audit purposes are preserved for an indefinite period.
3) Computer processing virtually eliminates the occurrence of clerical errors
normally associated with manual processing.
4) Control procedures as to segregation of functions may no longer be necessary
in a computer environment.

All of the above statements are true


Only statements (1) and (3) are true
Only statements (2) and (4) are true
All of the above statements are false
Ans.
Only statements (1) and (3) are true

Which of the following is least likely to be considered by an auditor considering engagement of
an information technology (IT) specialist on an audit?

Complexity of client’s systems and IT controls


Requirements to assess going concern status
Client’s use of emerging technologies
Extent of entity’s participation in electronic commerce
Ans.
Requirements to assess going concern status

Which of the following input controls describes a “self-checking digit”?

Data need to be entered twice to assure no commitment of error


Data need to be in a required field format field check
Data need to be complete before and after processing
Data need to be added with a mathematically calculated digit to detect transposition errors
Ans.
Data need to be added with a mathematically calculated digit to detect transposition errors

A customer intended to order 100 units of product Z96014, but incorrectly ordered non-existent
product Z96015. Which of the following controls most likely would detect this error?

Check digit verification


Record count
Hash total
Redundant data check
Ans.
Check digit verification

Which of the following statements is correct concerning internal control when a client is using
an electronic data interchange system for its sales?

Controls should be established over determining that all suppliers are included in the system.

Encryption controls may help to assure that messages are unreadable to unauthorized persons.

A value-added-network (VAN) must be used to assure proper control.

Attention must be paid to both the electronic and “paper” versions of transactions.
Ans.
Encryption controls may help to assure that messages are unreadable to unauthorized persons.

The internal controls over computer processing include both manual procedures and procedures
designed into computer programs (programmed control procedures). These manual and
programmed control procedures comprise the general CIS controls and CIS application controls.
The purpose of general CIS controls is to

Establish specific control procedures over the accounting applications in order to provide
reasonable assurance that all transactions are authorized and recorded and are processed
completely, accurately, and on a timely basis.

Establish a framework of overall controls over the CIS activities and to provide a reasonable
level of assurance that the overall objectives of internal control are achieved.

Provide reasonable assurance that systems are developed and maintained in an authorized and
efficient manner.

Provide reasonable assurance that access to data and computer programs is restricted to
authorized personnel.
Ans.
Establish a framework of overall controls over the CIS activities and to provide a reasonable
level of assurance that the overall objectives of internal control are achieved.

Computer personnel least likely

Participate in computer software acquisition


Design documentation for computerized systems
Originate changes in master files
Provide physical security for program files
Ans.
Originate changes in master files

In planning the portions of the audit which may be affected by the client’s CIS environment, the
auditor should obtain an understanding of the significance and complexity of the CIS activities
and the availability of data for use in the audit. The following relate to the complexity of CIS
activities except when

Transactions are exchanged electronically with other organizations (for example, in electronic
data interchange systems [EDI]).

Complicated computations of financial information are performed by the computer and/or
material transactions or entries are generated automatically without independent validation.

Material financial statement assertions are affected by the computer processing.

The volume of transactions is such that users would find it difficult to identify and correct errors
in processing.
Ans.
Material financial statement assertions are affected by the computer processing.

Which of the following is a computer test made to ascertain whether a given characteristic
belongs to the group?

Parity check
Validity check
Echo check
Limit check
Ans.
Validity check

An entity should plan the physical location of its computer facility. Which of the following is
the primary consideration for selecting a computer site?

It should be in the basement or on the ground floor.

It should maximize the visibility of the computer.

It should minimize the distance that data control personnel must travel to deliver data and reports
and be easily accessible by a majority of company personnel.

It should provide security.


Ans.
It should provide security.

An entity installed antivirus software on all its personal computers. The software was designed
to prevent initial infections, stop replication attempts, detect infections after their occurrence,
mark affected system components, and remove viruses from infected components. The major
risk in relying on antivirus software is that it may

Consume too many system resources.


Interfere with system operations.
Not detect certain viruses.
Make software installation too complex.
Ans.
Not detect certain viruses.

Which of the following is a risk that is higher when an electronic funds transfer (EFT)
system is used?

Improper change control procedures


Unauthorized access and activity
Insufficient online edit checks
Inadequate backups and disaster recovery procedures
Ans.
Unauthorized access and activity

A manufacturer is considering using bar-code identification for recording information on parts
used by the manufacturer. A reason to use bar codes rather than other means of identification is
to ensure that

The movement of all parts is recorded.


The movement of parts is easily and quickly recorded.
Vendors use the same part numbers.
Vendors use the same identification methods.
Ans.
The movement of parts is easily and quickly recorded.

End-user computing is an example of which of the following?

Client/server processing
A distributed system
Data mining
Decentralized processing
Ans.
Decentralized processing

End-user computing is most likely to occur on which of the following types of computers?

Mainframe
Minicomputers
Personal computers
Personal reference assistants
Ans.
Personal computers

Which of the following functions within the CIS department are incompatible?

Systems analyst and programming


Computer and data entry operator
Data input and data conversion
None of the above
Ans.
Data input and data conversion

Which of the following would not be an appropriate procedure for testing the general control
activities of an information system?

Inquiries of client personnel.


Inspecting computer logs.
Testing for the serial sequence of source documents.
Examination of the organizational chart to determine the segregation of duties.
Ans.
Testing for the serial sequence of source documents.

In entering the billing address for a new client in Emil Company’s computerized database, a clerk
erroneously entered a non-existent zip code. As a result, the first month’s bill mailed to the new
client was returned to Emil Company. Which one of the following would most likely have led to
discovery of the error at the time of entry into Emil Company’s computerized database?

Limit test
Validity test
Parity test
Record count test
Ans.
Validity test

A company often revises its production processes. The changes may entail revisions to
processing programs. Ensuring that changes have a minimal impact on processing and result in
minimal risk to the system is a function of

Security administration
Change control
Problem tracking
Problem-escalation procedures
Ans.
Change control

Management is concerned that data uploaded from a microcomputer to the company’s mainframe
system in batch processing may be erroneous. Which of the following controls would best
address this issue?

The mainframe computer should be backed up on a regular basis.

Two persons should be present at the microcomputer when it is uploading data.

The mainframe computer should subject the data to the same edits and validation routines that
online data entry would require.

The users should be required to review a random sample of processed data.


Ans.
The mainframe computer should subject the data to the same edits and validation routines that
online data entry would require.

Totals of amounts in computer-record data fields, which are not usually added but are used only
for data processing control purposes are called

Records total
Hash totals
Financial totals
Field totals
Ans.
Hash totals

Which of the following passwords would be most difficult to crack?

1stSMURF>?Vladz
Ambotsimu
12 HOUSE 24
pass56word
Ans.
12 HOUSE 24

Which of the following is correct about check digits?

They should be used for all data codes


They are always at the end of a data code.
They do not affect processing efficiency.
They are designed to detect transcription errors.
Ans.
They are designed to detect transcription errors.

Which of the following is not an example of an application control?

An equipment failure causes an error message on the monitor.


There is a preprocessing authorization of the sales transactions.
There are reasonableness tests for the unit-selling price of a sale.
After processing, all sales transactions are reviewed by the sales department.
Ans.
An equipment failure causes an error message on the monitor.

Internal control is ineffective when computer personnel

Participate in computer software acquisition


Design documentation for computerized systems
Originate changes in master files
Provide physical security for program files
Ans.
Originate changes in master files

Which of the following is correct concerning batch processing of transactions?


Transactions are processed in the order they occur, regardless of type.

It has largely been replaced by on-line real-time processing in all but legacy systems.

It is more likely to result in an easy-to-follow audit trail than is on-line transaction processing.

It is used only in non-database applications.


Ans.
It is more likely to result in an easy-to-follow audit trail than is on-line transaction processing.

The possibility of erasing a large amount of information stored on magnetic tape most likely
would be reduced by the use of

File protection rings


Check digits
Completeness tests
Conversion verification
Ans.
File protection rings

If a control total were to be computed on each of the following data items, which would best be
identified as a hash total for a payroll CIS application?

Net pay
Hours worked
Department numbers
Total debits and total credits
Ans.
Department numbers

Which of the following is unique to CIS?

Error listing
Flowchart
Questionnaires
Pre-numbered documents
Ans.
Error listing

ABC Co. updates its accounts receivable master file weekly and retains the master files and
corresponding update transactions for the most recent 2-week period. The purpose of this
practice is to

Verify run-to-run control totals for receivables


Match internal labels to avoid writing on the wrong volume
Permit reconstruction of the master file if needed
Validate groups of update transactions for each
Ans.
Permit reconstruction of the master file if needed

Able Co. uses an online sales order processing system to process its sales transactions.
Able’s sales data are electronically sorted and subjected to edit checks. A direct output of
the edit checks most likely would be a

Report of all missing sales invoices


File of all rejected sales transactions
Printout of all user code numbers and passwords
List of all voided shipping documents
Ans.
File of all rejected sales transactions

After the preliminary phase of the review of a client’s computer controls, an auditor may decide
not to perform tests of controls (compliance tests) related to the controls within the computer
portion of the client’s internal control. Which of the following would not be a valid reason for
choosing to omit such tests?

The controls duplicate operative controls existing elsewhere in the structure.

There appear to be major weaknesses that would preclude reliance on the stated procedure.

The time and dollar costs of testing exceed the time and peso savings in substantive testing if the
tests of controls show the controls to be operative.

The controls appear adequate.


Ans.
The controls appear adequate.

An auditor would be most likely to assess control risk at the maximum level in an electronic
environment with automated system-generated information when

Sales orders are initiated using predetermined, automated decision rules.


Payables are based on many transactions and large in peso amount.
Fixed asset transactions are few in number, but large in peso amount.
Accounts receivable records are based on many transactions and are large in peso amount.
Ans.
Fixed asset transactions are few in number, but large in peso amount.

A company using EDI (electronic data interchange) made it a practice to track the functional
acknowledgments from trading partners and to issue warning messages if acknowledgments did
not occur within a reasonable length of time. What risk was the company attempting to address
by this practice?

Transactions that have not originated from a legitimate trading partner may be inserted into the
EDI network.

Transmission of EDI transactions to trading partners may sometimes fail.

There may be disagreement between the parties as to whether the EDI transactions form a legal
contract.

EDI data may not be accurately and completely processed by the EDI software.
Ans.
Transmission of EDI transactions to trading partners may sometimes fail.

Which of the following is an example of how specific controls in a database environment may
differ from controls in a non-database environment?

Controls should exist to ensure that users have access to and can update only the data elements
that they have been authorized to access.

Controls over data sharing by diverse users within an entity should be the same for every user.

The employee who manages the computer hardware should also develop and debug the computer
programs.

Controls can provide assurance that all processed transactions are authorized, but cannot verify
that all authorized transactions are processed.
Ans.
Controls should exist to ensure that users have access to and can update only the data elements
that they have been authorized to access.

Adequate control over access to data processing may help deter improper use or alteration of data
files. The control can best be provided by

User and terminal identification controls, such as passwords


The use of back-up files or data recovery controls
An adequate librarianship function controlling access to files
Batch processing of all input through a centralized, well-guarded facility
Ans.
User and terminal identification controls, such as passwords

An auditor anticipates assessing control risk at a low level in a CIS environment. Under these
circumstances, on which of the following procedures would the auditor initially focus?

Programmed control procedures


Application control procedures
Output control procedures
General control procedures
Ans.
General control procedures

In traditional information systems, computer operators are generally responsible for backing up
software and data files on a regular basis. In distributed or cooperative systems, ensuring that
adequate backups are taken is the responsibility of

User management
Systems programmers
Data entry clerks
Tape librarians
Ans.
User management

The completeness test of computer-generated sales figures can be tested by comparing the
number of items listed on the daily sales report with the number of items billed on the actual
invoices. This process uses

Check digits
Control totals
Validity tests
Process tracing data
Ans.
Control totals

Which of the following controls most likely would assure that an entity can reconstruct its
financial records?

Hardware controls are built into the computer by the computer manufacturer.
Backup diskettes or tapes of files are stored away from originals.
Personnel who are independent of data input perform parallel simulations.
System flowcharts provide accurate descriptions of input and output operations.
Ans.
Backup diskettes or tapes of files are stored away from originals.

To obtain evidence that online access controls are properly functioning, an auditor most likely
would

Create checkpoints at periodic intervals after live data processing to test for unauthorized use of
the system.

Examine the transaction log to discover whether any transactions were lost or entered twice due
to a system malfunction.

Enter invalid identification numbers or passwords to ascertain whether the system rejects them.

Vouch a random sample of processed transactions to assure proper authorization.


Ans.
Enter invalid identification numbers or passwords to ascertain whether the system rejects them.

An auditor would most likely be concerned with which of the following controls in a distributed
data processing system?

Hardware controls
Systems documentation controls
Access controls
Disaster recovery controls
Ans.
Access controls

A company is concerned that a power outage or disaster could impair the computer
hardware’s ability to function as designed. The company desires off-site backup
hardware facilities that are fully configured and ready to operate within several hours.
The company most likely should consider a

Cold site
Cool site
Warm site
Hot site
Ans.
Hot site

A “hot site” is most frequently associated with

Disaster recovery
Online relational database design
Source programs
Temperature control for computer
Ans.
Disaster recovery

Application controls do not include

Controls designed to ascertain that all data submitted to CIS for processing have been properly
authorized

Controls that relate to the correction and resubmission of data that were initially incorrect

Controls for documenting and approving programs and changes to programs

Controls designed to assure the accuracy of the processing results


Ans.
Controls for documenting and approving programs and changes to programs

To reduce security exposure when transmitting proprietary data over communication lines, a
company should use

Asynchronous modems
Authentic techniques
Call-back procedures
Cryptographic devices
Ans.
Cryptographic devices

Which of the following is an encryption feature that can be used to authenticate the
originator of a document and ensure that the message is intact and has not been tampered
with?

Heuristic terminal
Perimeter switch
Default settings
Digital signatures
Ans.
Digital signatures

Using microcomputers in auditing may affect the methods used to review the work of staff
assistants because

The audit fieldwork standards for supervision may differ.

Documenting the supervisory review may require assistance of consulting services personnel.

Supervisory personnel may not have an understanding of the capabilities and limitations of
microcomputers.

Working paper documentation may not contain readily observable details of calculations.
Ans.
Working paper documentation may not contain readily observable details of calculations.

Good planning will help an organization restore computer operations after a processing outage.
Good recovery planning should ensure that

Backup/restart procedures have been built into job streams and programs.
Change control procedures cannot be bypassed by operating personnel.
Planned changes in equipment capacities are compatible with projected workloads.
Service level agreements with owners of applications are documented.
Ans.
Backup/restart procedures have been built into job streams and programs.

A widely used disaster recovery approach includes

Encryption
Firewalls
Regular backups
Surge protectors
Ans.
Regular backups

Choose the incorrect statement about general IT controls.

They relate to all parts of the CIS environment or activities.

They are policies and procedures that relate to many applications and support the effective
functioning of application controls.

They apply to mainframe, mini-frame, and end-user environments.

They are manual or automated procedures that typically operate at a business process level and
apply to the processing of transactions by individual applications.
Ans.
They are manual or automated procedures that typically operate at a business process level and
apply to the processing of transactions by individual applications.

A corporation receives the majority of its revenue from top-secret military contracts with the
government. Which of the following would be of greatest concern to an auditor reviewing a
policy about selling the company’s used microcomputers to outside parties?

Whether deleted files on the hard disk drive have been completely erased
Whether the computer has viruses
Whether all software on the computer is properly licensed
Whether the computer has terminal emulation software on it
Ans.
Whether deleted files on the hard disk drive have been completely erased

If an auditor is using test data in a client's computer system to test the integrity of the systems
output, which of the following types of controls is the auditor testing?

General controls
Quantitative test controls
User controls
Application controls
Ans.
Application controls

Where disk files are used, the grandfather-father-son updating backup concept is relatively
difficult to implement because the

Location of information points on disks is an extremely time-consuming task.

Magnetic fields and other environmental factors cause off-site storage to be impractical.

Information must be dumped in the form of hard copy if it is to be reviewed before used in
updating.

Process of updating old records is destructive.


Ans.
Process of updating old records is destructive.

Which of the following is an example of a validity check?

The computer ensures that a numerical amount in a record does not exceed some predetermined
amount.

As the computer corrects errors and data are successfully resubmitted to the system, the causes of
the errors are printed out.

The computer flags any transmission for which the control field value did not match that of an
existing file record.

After data for a transaction are entered, the computer sends certain data back to the terminal for
comparison with data originally sent.
Ans.
The computer flags any transmission for which the control field value did not match that of an
existing file record.

The management of ABC Co. suspects that someone is tampering with pay rates by
entering changes through the Co.’s remote terminals located in the factory. The method
ABC Co. should implement to protect the system from these unauthorized alterations to
the system’s files is
Batch totals
Checkpoint recovery
Passwords
Record count
Ans.
Passwords

Which of the following is a password security problem?

Users select passwords that are not listed in any online dictionary.
Users have accounts on several systems with different passwords.
Users copy their passwords on note paper, which is kept in their wallets.
Users are assigned passwords when accounts are created, but do not change them.
Ans.
Users are assigned passwords when accounts are created, but do not change them.

The employee entered “40” in the “hours worked per day” field. Which check would detect this
unintentional error?

Numeric/alphanumeric check
Sign check
Limit check
Missing data check
Ans.
Limit check

Which is most likely correct about “white box audit” or “auditing through the computer”?

It is more appropriate for a system that performs relatively uncomplicated processes and
produces detail output.

It does not detect program errors which do not show up in the output sampled.

It permits no direct assessment of actual processing.

The focus is more on the processing rather than the input and output components of the system.
Ans.
The focus is more on the processing rather than the input and output components of the system.

Smith Corporation has numerous customers. A customer file is kept on disk storage. Each
customer file contains name, address, credit limit, and account balance. The auditor wishes to
test this file to determine whether credit limits are being exceeded. The best procedure for the
auditor to follow would be to
Develop test data that would cause some account balances to exceed the credit limit and
determine if the system properly detects such situations.

Develop a program to compare credit limits with account balances and print out the details of any
account with a balance exceeding its credit limit.

Request a printout of all account balances so they can be manually checked against the credit
limits.

Request a printout of a sample of account balances so they can be individually checked against
the credit limits.
Ans.
Develop a program to compare credit limits with account balances and print out the details of any
account with a balance exceeding its credit limit.

A primary reason auditors are reluctant to use an ITF is that it requires them to

Reserve specific master file records and process them at regular intervals

Collect transactions and master file records in a separate file

Notify user personnel so they can make manual adjustments to output

Identify and reserve the fictitious entries to avoid contamination of master file
Ans.
Identify and reserve the fictitious entries to avoid contamination of master file

Auditors often make use of computer programs that perform routine processing functions such as
sorting and merging. These programs are made available by electronic data processing companies
and others and are specifically referred to as

Compiler programs
Supervisory programs
Utility programs
User programs
Ans.
Utility programs

In auditing through a computer, the test data method is used by the auditors to test the

Accuracy of input data
Validity of the output
Procedures contained within the program
Normalcy of distribution of test data
Ans.
Procedures contained within the program

An auditor who wishes to capture an entity’s data as transactions are processed and continuously
test the entity’s computerized information system most likely would use which of the following
techniques?

Snapshot application
Embedded audit module
Integrated data check
Test data generator
Ans.
Embedded audit module

An auditor is least likely to find that a client’s data is input through

Magnetic tape reader
Dynamic linking character reader
Point-of-sale recorders
Touch sensitive screens
Ans.
Dynamic linking character reader

Which of the following is an incorrect statement regarding testing strategies related to auditing
through the computer?

The test data approach involves processing the client's data on a test basis to determine the
integrity of the system.

The test data approach involves processing the auditor's test data on the client's computer system
to determine whether computer-performed controls are working properly.

Test data should include all relevant data conditions that the auditor is interested in testing.

When the auditor uses the embedded audit module approach, an audit module is inserted in the
client's system to capture transactions with certain characteristics.
Ans.
The test data approach involves processing the client's data on a test basis to determine the
integrity of the system.

It involves application of auditing procedures using the computer as an audit tool. This includes
computer programs and data the auditor uses as part of the audit procedures to process data of
audit significance contained in an entity’s information systems.

Test data approach
Computer-assisted audit techniques
Generalized audit software
Auditing around the computer
Ans.
Computer-assisted audit techniques

Which is most likely correct about “whitebox audit” or “auditing through the computer”?

It is more appropriate for a system that performs relatively uncomplicated processes and
produces detail output.

It does not detect program errors which do not show up in the output sampled.

It permits no direct assessment of actual processing.

The focus is more on the processing rather than the input and output components of the system.
Ans.
The focus is more on the processing rather than the input and output components of the system.

PAPS 1009 (Computer-Assisted Audit Techniques) states, “Customized or purpose-written
programs perform audit tasks in specific circumstances where package audit software is
deemed unsuitable usually because system constraints make it difficult or impossible to
use.” A purpose-written program may be developed by

1) The auditor
2) The entity being audited
3) An outside programmer hired by the auditor

1) No 2) Yes 3) Yes
1) Yes 2) Yes 3) Yes
1) Yes 2) No 3) No
1) No 2) No 3) No
Ans.
1) Yes 2) Yes 3) Yes

Parallel simulation is an audit technique employed to verify processing logic by making
use of audit test programs. These audit test programs "simulate" the processing logic of
an application program or programs under review. Which statement indicates the use of
parallel simulation audit technique?

Live transactions are processed using live programs.
Live transactions are processed using test master file.
Test transactions are processed using test programs.
Live transactions are processed using test programs.
Ans.
Live transactions are processed using test programs.

Which of the following combinations is correct?

1) Integrated test facility
2) Test data
3) Parallel simulation

(1) Test data, live program; (2) Test data, test program; (3) Live data, test program

(1) Live data, live program; (2) Live data, test program; (3) Test data, test program

(1) Live data, test program; (2) Test data, test program; (3) Test data, test program

(1) Test data, live program; (2) Test data, live program; (3) Live data, test program
Ans.
(1) Test data, live program; (2) Test data, live program; (3) Live data, test program

Which of the following is not among the errors that an auditor might include in the test data
when auditing a client’s computer system?

Numeric characters in alphanumeric fields
Authorized code
Differences in description of units of measure
Illogical entries in fields whose logic is tested by programmed consistency checks
Ans.
Numeric characters in alphanumeric fields

A retail entity uses electronic data interchange (EDI) in executing and recording most of its
purchase transactions. The entity’s auditor recognized that the documentation of the transactions
will be retained for only a short period of time. To compensate for this limitation, the auditor
most likely would

Increase the sample of EDI transactions to be selected for cutoff tests.
Perform tests several times during the year, rather than only at year-end.
Plan to make a 100% count of the entity’s inventory at or near the year-end.
Decrease the assessed level of control risk for the existence or occurrence assertion.
Ans.
Perform tests several times during the year, rather than only at year-end.

In a highly automated information processing system, tests of control

Must be performed in all circumstances
Are never required
May be required in some circumstances
Are required in first year audits
Ans.
May be required in some circumstances

Which of the following computer-assisted auditing techniques allows fictitious and real
transactions to be processed together without client operating personnel being aware of
the testing process?

Parallel simulation
Integrated test facility approach
Test data approach
Exception report tests
Ans.
Integrated test facility approach

An auditor estimates that 10,000 checks were issued during the accounting period. If a computer
application control which performs a limit check for each request is to be subjected to the
auditor’s test data approach, the sample should include

Approximately 1,000 items

A number of test items determined by the auditor to be sufficient under the circumstances

A number of test items determined by the auditor’s reference to the appropriate sampling tables

One transaction
Ans.
One transaction

The following are benefits of using IT-based controls, except

Ability to process large volume of transactions.
Over-reliance on computer-generated reports.
Ability to replace manual controls with computer-based controls.
Reduction in misstatements due to consistent processing of transactions.
Ans.
Over-reliance on computer-generated reports.

Which of the following strategies would a CPA most likely consider in auditing an entity
that processes most of its financial data only in electronic form, such as a paperless system?

Continuous monitoring and analysis of transaction processing with an embedded audit module

Increased reliance on internal control activities that emphasize the segregation of duties

Verification of encrypted digital certificates used to monitor the authorization of transactions

Extensive testing of firewall boundaries that restrict the recording of outside network traffic
Ans.
Continuous monitoring and analysis of transaction processing with an embedded audit module

Parallel simulation is an audit technique employed to verify processing by making use of audit
test programs. These audit test programs “simulate” the processing logic of an application
program or programs under review. Which statement indicates the use of parallel simulation?

Live transactions are processed using live programs
Live transactions are processed with test master file
Test transactions are processed using test programs
Live transactions are processed using test programs
Ans.
Live transactions are processed using test programs

An auditor most likely would introduce test data into a computerized payroll system to test
controls related to the

Existence of unclaimed payroll checks held by supervisors
Early cashing of payroll checks by employees
Discovery of invalid employee I.D. numbers
Proper approval of overtime by supervisors
Ans.
Discovery of invalid employee I.D. numbers

Which of the following methods of testing application controls utilizes a generalized audit
software package prepared by the auditors?

Parallel simulation
Exception report tests
Integrated test facility
Test data approach
Ans.
Parallel simulation

Auditing by testing the input and output of a computer system instead of the computer program
itself will

Not detect program errors which do not show up in the output sampled
Detect all program errors, regardless of the nature of the output
Provide the auditor with the same type of evidence as tests of application controls
Not provide the auditor with confidence in the results of the auditing procedures
Ans.
Not detect program errors which do not show up in the output sampled

When an auditor tests a computerized accounting system, which of the following is true of the
test data approach?

Several transactions of each type must be tested.
Test data are processed by the client’s computer programs under the auditor’s control.
Test data must consist of all possible valid and invalid conditions.
The program tested is different from the program used throughout the year by the client.
Ans.
Test data are processed by the client’s computer programs under the auditor’s control.

Which of the following does not support the “test data” approach?

Simulated transactions are processed through a system to generate results that are compared with
predetermined results.

The test data are processed by client’s computer programs under the auditor’s control.

The objective is to test whether the client’s programs can correctly handle valid and invalid
transactions. It does not, however, test all possible valid and invalid conditions.

It allows fictitious and real transactions to be processed together without the client operating
personnel being aware of the testing process.
Ans.
It allows fictitious and real transactions to be processed together without the client operating
personnel being aware of the testing process.

Which of the following statements is not true about test data?

Test data should consist only of conditions that interest the auditor.
Only one transaction of each type need be tested.
Test data must consist of all possible valid and invalid conditions.
Test data are processed by the client's software under the auditor's control.
Ans.
Test data must consist of all possible valid and invalid conditions.

Output controls ensure that the results of computer processing are accurate, complete, and
properly distributed. Which of the following is not a typical output control?

Reviewing the computer processing logs to determine that all of the correct computer jobs
executed properly

Matching input data with information on master files and placing unmatched items in a suspense
file

Periodically reconciling output reports to make sure that totals, formats, and critical details are
correct and agree with input

Maintaining formal procedures and documentation specifying authorized recipients of output
reports, checks, or other critical documents
Ans.
Matching input data with information on master files and placing unmatched items in a suspense
file

Which of the following is an example of auditing “around” the computer?

The auditor traces adding machine tapes of sales order batch totals to a computer printout of the
sales journal.

The auditor develops a set of hypothetical sales transactions and, using the client’s computer
program, enters the transactions into the system and observes the processing flow.

The auditor enters hypothetical transactions into the client’s processing system during client’s
processing of live data.

The auditor observes client personnel as they process the biweekly payroll. The auditor is
primarily concerned with computer rejection of data that fails to meet reasonableness limits.
Ans.
The auditor traces adding machine tapes of sales order batch totals to a computer printout of the
sales journal.

An ITF would be appropriate when the auditor needs to

Trace a complex logic path through an application system
Verify processing accuracy concurrently with processing
Monitor transactions in an application system continuously
Verify load module integrity for production programs
Ans.
Verify processing accuracy concurrently with processing

Which of the following computer-assisted auditing techniques processes client input data
on a controlled program under the auditor’s control to test controls in the computer
system?

Test data
Review of program logic
Integrated test facility
Parallel simulation
Ans.
Parallel simulation

A clerk inadvertently entered an account number 12368 rather than account number 12638. In
processing this transaction, the errors would be detected with which of the following controls?

Batch total
Key verifying
Self-checking digit
An internal consistency check
Ans.
Self-checking digit

General IT-controls do not include

Data center, network operations and hardware controls

Application system acquisition, development, and maintenance

Program changes and access security

Controls on procedures used to initiate, record, process and report transactions or other financial
data
Ans.
Controls on procedures used to initiate, record, process and report transactions or other financial
data

The auditor shall consider the entity’s CIS environment in designing audit procedures to reduce
risk to an acceptably low level. Which of the following statements is incorrect?

The auditor’s specific audit objectives do not change whether financial information is processed
manually or by computer.

The methods of applying audit procedures to gather audit evidence are not influenced by the
methods of computer processing.

The auditor may use either manual audit procedures, computer-assisted audit techniques
(CAATs), or a combination of both to obtain sufficient appropriate audit evidence.

In some CIS environments, it may be difficult or impossible for the auditor to obtain certain data
for inspection, inquiry, or confirmation without the aid of a computer.
Ans.
The methods of applying audit procedures to gather audit evidence are not influenced by the
methods of computer processing.

A critical aspect of a disaster recovery plan is to be able to regain operational capability as soon
as possible. In order to accomplish this, an organization can have an arrangement with its
computer hardware vendor to have a fully operational facility available that is configured to the
user's specific needs. This is best known as a(n)

Uninterruptible power system
Parallel system
Cold site
Hot site
Ans.
Hot site
