CHAPTER 7

1.​ What is the auditor’s responsibility in a CIS (Computer Information Systems)

environment?​
A. Designing the control system​
B. Operating the client’s software​
C. Obtaining an understanding of internal control to assess control risk​
D. Preparing financial statements​

2.​ Which of the following is a unique characteristic of a CIS environment?​

A. Frequent manual entry errors​
B. Lack of visible transaction trails​
C. Decentralized data storage​
D. External reconciliation​

3.​ A consistent performance of tasks in a CIS environment means:​

A. Clerical errors occur frequently​
B. Computer processes transactions in exactly the same way​
C. Manual review is still necessary​
D. Adjustments must be made regularly​

4.​ In a computerized system, what increases the risk of unauthorized data manipulation?​
A. Limited system access​
B. Strong internal controls​
C. Ease of access to data and programs​
D. Lack of segregation of duties​

5.​ A situational example: One employee is responsible for input, processing, and output
review. What risk does this pose?​
A. Lack of segregation of duties​
B. Overdocumentation​
C. System crash​
D. Duplicate reports​

6.​ What is a system-generated transaction?​

A. Transaction recorded by hand​
B. Transaction based on manual processing​
C. A transaction initiated automatically by the computer system​
D. Error report generation​

7.​ In CIS, data and program storage media are considered vulnerable because:​
A. They are heavy​
B. They are too secure​
C. Data can be easily lost or altered without trace​
D. They are on paper​

8.​ Which control procedure type ensures the accuracy of an entire information system?​
A. Input control​
B. General control​
C. Output control​
D. Application control​

9.​ Segregation between CIS and user departments ensures:​

A. Flexibility in programming​
B. User authority​
C. System independence and control integrity​
D. Budget efficiency​
10.​In a CIS environment, who prepares and verifies input data?​
A. Programmer​
B. Systems analyst​
C. Data entry operator​
D. Librarian​

11.​What is the role of a systems analyst?​

A. Design and evaluate systems and prepare specifications for programs​
B. Operate the computer​
C. Enter employee data​
D. Secure backup files​

12.​Who is responsible for operating the computer and processing transactions?​

A. Programmer​
B. Computer operator​
C. Systems analyst​
D. Auditor​

13.​What is the function of a librarian in a CIS department?​

A. Maintain custody of programs, documentation, and files​
B. Write reports​
C. Audit security access​
D. Backup server maintenance​

14.​Why is segregation of duties within CIS crucial?​

A. To increase staff morale​
B. To prevent computer-related frauds and unauthorized access​
C. To reduce hardware costs​
D. To comply with tax laws​

15.​What is the minimum segregation of duties required in small CIS environments?​

A. Programmer and operator must work together​
B. Systems development and computer operations must be separated​
C. Operators may also develop programs​
D. All roles can be combined​

16.​What is the main purpose of systems development controls?​

A. Ensure programs are approved, tested, and documented properly​
B. Monitor payroll​
C. Manage inventory​
D. Process taxes​

17.​What is a basic access control in computer systems?​

A. Barcode scanning​
B. Passwords and restricted login access​
C. Batch numbering​
D. Sales authorization​

18.​A data recovery control includes:​

A. Employee training​
B. Off-site backup and file storage​
C. System redundancy​
D. Voucher control​

19.​The “grandfather-father-son” approach is related to:​

A. Payment authorization​
B. File retention for data recovery​
C. Staff promotion​
 D. Inventory tracking​

20.​What is the goal of monitoring controls?​

A. Approve budgets​
B. Evaluate effectiveness of CIS operations​
C. Measure profitability​
D. Record expenses​

21.​Application controls are applied during:​

A. Equipment maintenance​
B. Input, processing, and output stages​
C. Audit reporting​
D. Payroll computation​

22.​A situational example: An employee mistypes an SSS number. Which control will detect
it?​
A. Limit check​
B. Field check​
C. Output validation​
D. File access review​

23.​What does a validity check do?​

A. Adds header codes​
B. Verifies input against predefined acceptable values​
C. Analyzes revenue​
D. Tests file structures​

24.​A self-checking digit control is used to:​

A. Increase report length​
B. Alter system codes​
C. Detect transposition errors​
D. Adjust salaries​

25.​What is a limit check designed to do?​

A. Ensure input data does not exceed predefined maximums​
B. Summarize data​
C. Authorize budget requests​
D. Print output files​

26.​What is the purpose of control totals in input controls?​

A. Identify employee errors​
B. Count the number of forms​
C. Ensure completeness and accuracy of input data before and after processing​
D. Increase processing speed​

27.​Which of the following is NOT an input control?​

A. Key verification​
B. Field check​
C. Parallel simulation​
D. Limit check​

28.​What do processing controls ensure?​

A. Authorization of new accounts​
B. Hiring of system analysts​
C. Accurate and complete processing of data​
D. Compliance with payroll policies​
29.​What is the primary goal of output controls?​
A. Test input errors​
B. Ensure output is complete, accurate, and distributed only to authorized
personnel​
C. Prevent file duplication​
D. Monitor power supply​

30.​Who should review CIS output for reasonableness?​

A. Programmer​
B. Authorized person who understands the expected output​
C. System operator​
D. Payroll staff​

31.​Why must the effectiveness of general controls be evaluated before application controls?​
A. General controls are optional​
B. Application controls depend on the effectiveness of general controls​
C. General controls are part of payroll​
D. To assess tax policies​

32.​What does a test of control in a CIS environment aim to assess?​

A. Whether internal controls are functioning as intended​
B. Tax compliance​
C. Employee satisfaction​
D. User access logs​

33.​Which of the following is a method of testing application controls?​

A. Cash flow analysis​
B. Audit around the computer​
C. Sales revenue forecast​
D. Manual ledger tracing​

34.​A situational example: The auditor only reviews inputs and outputs without checking the
process. What audit method is used?​
A. Auditing around the computer (black box approach)​
B. CAATs​
C. Analytical review​
D. Data simulation​

35.​What is a limitation of auditing around the computer?​

A. It’s very costly​
B. It requires high-level programming​
C. It assumes the program processed transactions accurately without verifying
the logic​
D. It delays reporting​

36.​What method involves directly testing the client's system with fictitious transactions?​
A. Parallel simulation​
B. Test data technique​
C. Analytical review​
D. File recovery method​

37.​A situational example: The auditor inputs test transactions and compares the output to
expected results. What technique is this?​
A. Audit around the computer​
B. Test data​
C. System evaluation​
D. Output control​
38.​What is the key limitation of the test data method?​
A. Too expensive​
B. Program tested might not be the one used throughout the period​
C. Too complex​
D. Lacks documentation​

39.​What technique addresses the limitation of test data by integrating testing into the actual
system?​
A. Black box testing​
B. Integrated test facility (ITF)​
C. Analytical procedure​
D. External observation​

40.​How does an integrated test facility work?​

A. By modifying user reports​
B. By creating dummy accounts for continuous test processing​
C. By reviewing system logs​
D. By performing backup processes​

41.​What is a risk when using ITF?​

A. Incorrect output​
B. Contaminating actual client files​
C. Weak output control​
D. Data duplication​

42.​What is parallel simulation?​

A. Client tests the system​
B. Auditor reprocesses actual transactions using an auditor-created program​
C. Internal control review​
D. Duplicate transaction posting​

43.​What software is often used in parallel simulation?​

A. Payroll system​
B. Generalized audit software​
C. File tracking software​
D. Management dashboards​

44.​Purpose-written programs are designed for:​

A. Internal training​
B. Performing audit tasks in specific situations​
C. Managing taxes​
D. CIS staff scheduling​

45.​What does the snapshot technique do?​

A. Captures transaction flow through the system for review​
B. Detects payroll errors​
C. Verifies backups​
D. Tests user access​

46.​What is SCARF in a computerized audit environment?​

A. A report template​
B. Embedded audit software for continuous transaction monitoring​
C. A data input tool​
D. A system for backups​
47.​A situational example: The auditor needs to monitor high-risk transactions continuously.
What technique should be used?​
A. Parallel simulation​
B. Test data​
C. SCARF​
D. Reperformance​

48.​Which of the following best describes CAATs?​

A. Audit plan framework​
B. Computer programs used by auditors to test client's systems and controls​
C. Internal reports​
D. Manual audit records​

49.​When is CAAT most appropriate?​

A. When control testing is complete​
B. When output is available​
C. When no visible evidence exists of transactions or processing​
D. When audit is delayed​

50.​A situational example: The auditor observes that a client's CIS has no audit trail. What
should be used?​
A. Audit around the computer​
B. CAATs like snapshot or SCARF​
C. Internal memo​
D. Fieldwork checklist​