The document discusses auditing in a computer information systems (CIS) environment and covers topics such as personal computer systems, on-line computer systems, internal controls, and risks associated with CIS environments. It provides questions and answers related to auditing a CIS environment.

Uploaded by

rodell pablo

CEBU CPAR CENTER

Mandaue City, Cebu


AUDITING THEORY
AUDITING IN A COMPUTER INFORMATION SYSTEMS (CIS) ENVIRONMENT
Related PSAs/PAPSs: PSA 401; PAPS 1001, 1002, 1003, 1008 and 1009

PSA 401 – Auditing in a Computer Information Systems (CIS) Environment
1. Which statement is incorrect when auditing in a CIS environment?
a. A CIS environment exists when a computer of any type or size is involved in the processing by the entity of financial information of significance to the audit, whether that computer is operated by the entity or by a third party.
b. The auditor should consider how a CIS environment affects the audit.
c. The use of a computer changes the processing, storage and communication of financial information and may affect the accounting and internal control systems employed by the entity.
d. A CIS environment changes the overall objective and scope of an audit.
2. Which of the following standards or group of standards is mostly affected by a computerized information system environment?
a. General standards
b. Second standard of field work
c. Reporting standards
d. Standards of fieldwork
3. Which of the following is least considered if the auditor has to determine whether specialized CIS skills are needed in an audit?
a. The auditor needs to obtain a sufficient understanding of the accounting and internal control system affected by the CIS environment.
b. The auditor needs to determine the effect of the CIS environment on the assessment of overall risk and of risk at the account balance and class of transactions level.
c. Design and perform appropriate tests of controls and substantive procedures.
d. The need of the auditor to make analytical procedures during the completion stage of audit.
4. It relates to materiality of the financial statement assertions affected by the computer processing.
a. Threshold
b. Relevance
c. Complexity
d. Significance
5. Which of the following least likely indicates a complexity of computer processing?
a. Transactions are exchanged electronically with other organizations without manual review of their propriety.
b. The volume of the transactions is such that users would find it difficult to identify and correct errors in processing.
c. The computer automatically generates material transactions or entries directly to another application.
d. The system generates a daily exception report.
6. The nature of the risks and the internal characteristics in CIS environment that the auditors are mostly concerned include the following except:
a. Lack of segregation of functions.
b. Dependence of other control over computer processing.
c. Lack of transaction trails.
d. Cost-benefit ratio.
7. Which of the following is least likely a risk characteristic associated with CIS environment?
a. Errors embedded in an application’s program logic may be difficult to manually detect on a timely basis.
b. Many control procedures that would ordinarily be performed by separate individuals in manual system may be concentrated in CIS.
c. The potential unauthorized access to data or to alter them without visible evidence may be greater.
d. Initiation of changes in the master file is exclusively handled by respective users.
8. Which of the following significance and complexity of the CIS activities should an auditor least understand?
a. The organizational structure of the client’s CIS activities.
b. Lack of transaction trails.
c. The significance and complexity of computer processing in each significant accounting application.
d. The use of software packages instead of customized software.

Page 2 of 15 
AT-030507
PAPS 1001 – CIS Environments – Stand-Alone Personal Computers
9. Which statement is correct regarding personal computer systems?
a. Personal computers or PCs are economical yet powerful self-contained general purpose computers consisting typically of a central processing unit (CPU), memory, monitor, disk drives, printer cables and modems.
b. Programs and data are stored only on non-removable storage media.
c. Personal computers cannot be used to process accounting transactions and produce reports that are essential to the preparation of financial statements.
d. Generally, CIS environments in which personal computers are used are the same with other CIS environments.
10. A personal computer can be used in various configurations, including
a. A stand-alone workstation operated by a single user or a number of users at different times.
b. A workstation which is part of a local area network of personal computers.
c. A workstation connected to a server.
d. All of the above.
11. Which statement is incorrect regarding personal computer configurations?
a. The stand-alone workstation can be operated by a single user or a number of users at different times accessing the same or different programs.
b. A stand-alone workstation may be referred to as a distributed system.
c. A local area network is an arrangement where two or more personal computers are linked together through the use of special software and communication lines.
d. Personal computers can be linked to servers and used as part of such systems, for example, as an intelligent on-line workstation or as part of a distributed accounting system.
12. Which of the following is the least likely characteristic of personal computers?
a. They are small enough to be transportable.
b. They are relatively expensive.
c. They can be placed in operation quickly.
d. The operating system software is less comprehensive than that found in larger computer environments.
13. Which of the following is an inherent characteristic of software package?
a. They are typically used without modifications of the programs.
b. The programs are tailored-made according to the specific needs of the user.
c. They are developed by software manufacturer according to a particular user’s specifications.
d. It takes a longer time of implementation.
14. Which of the following is not normally a removable storage media?
a. Compact disk
b. Diskettes
c. Tapes
d. Hard disk
15. It is a computer program (a block of executable code) that attaches itself to a legitimate program or data file and uses it as a transport mechanism to reproduce itself without the knowledge of the user.
a. Virus
b. Utility program
c. System management program
d. Encryption
16. Which statement is incorrect regarding internal control in personal computer environment?
a. Generally, the CIS environment in which personal computers are used is less structured than a centrally-controlled CIS environment.
b. Controls over the system development process and operations may not be viewed by the developer, the user or management as being as important or cost-effective.
c. In almost all commercially available operating systems, the built-in security provided has gradually increased over the years.
d. In a typical personal computer environment, the distinction between general CIS controls and CIS application controls is easily ascertained.
17. Personal computers are susceptible to theft, physical damage, unauthorized access or misuse of equipment. Which of the following is least likely a physical security to restrict access to personal computers when not in use?
a. Using door locks or other security protection during non-business hours.
b. Fastening the personal computer to a table using security cables.
c. Locking the personal computer in a protective cabinet or shell.
d. Using anti-virus software programs.
18. Which of the following is not likely a control over removable storage media to prevent misplacement, alteration without authorization or destruction?
a. Using cryptography, which is the process of transforming programs and information into an unintelligible form.
b. Placing responsibility for such media under personnel whose responsibilities include duties of software custodians or librarians.
c. Using a program and data file check-in and check-out system and locking the designated storage locations.
d. Keeping current copies of diskettes, compact disks or back-up tapes and hard disks in a fireproof container, either on-site, off-site or both.
19. Which of the following least likely protects critical and sensitive information from unauthorized access in a personal computer environment?
a. Using secret file names and hiding the files.
b. Keeping of back up copies offsite.
c. Employing passwords.
d. Segregating data into files organized under separate file directories.
20. It refers to plans made by the entity to obtain access to comparable hardware, software and data in the event of their failure, loss or destruction.
a. Back-up
b. Encryption
c. Anti-virus
d. Wide Area Network (WAN)
21. The effect of personal computers on the accounting system and the associated risks will least likely depend on
a. The extent to which the personal computer is being used to process accounting applications.
b. The type and significance of financial transactions being processed.
c. The nature of files and programs utilized in the applications.
d. The cost of personal computers.
22. The auditor may often assume that control risk is high in personal computer systems since it may not be practicable or cost-effective for management to implement sufficient controls to reduce the risks of undetected errors to a minimum level. This least likely entails
a. More physical examination and confirmation of assets.
b. More analytical procedures than tests of details.
c. Larger sample sizes.
d. Greater use of computer-assisted audit techniques, where appropriate.

PAPS 1002 – CIS Environments – On-Line Computer Systems
23. Computer systems that enable users to access data and programs directly through workstations are referred to as
a. On-line computer systems
b. Database management systems (DBMS)
c. Personal computer systems
d. Database systems
24. On-line systems allow users to initiate various functions directly. Such functions include:
I. Entering transactions
II. Making inquiries
III. Requesting reports
IV. Updating master files
a. I, II, III and IV
b. I, II and III
c. I and II
d. I and IV
25. Many different types of workstations may be used in on-line computer systems. The functions performed by these workstations least likely depend on their
a. Logic
b. Transmission
c. Storage
d. Cost
26. Types of workstations include General Purpose Terminals and Special Purpose Terminals. Special Purpose Terminals include
a. Basic keyboard and monitor
b. Intelligent terminal
c. Point of sale devices
d. Personal computers
27. Special Purpose Terminal used to initiate, validate, record, transmit and complete various banking transactions
a. Automated teller machines
b. Point of sale devices
c. Intelligent terminal
d. Personal computers
28. Which statement is incorrect regarding workstations?
a. Workstations may be located either locally or at remote sites.
b. Local workstations are connected directly to the computer through cables.
c. Remote workstations require the use of telecommunications to link them to the computer.
d. Workstations cannot be used by many users, for different purposes, in different locations, all at the same time.
29. On-line computer systems may be classified according to
a. How information is entered into the system.
b. How it is processed.
c. When the results are available to the user.
d. All of the above.
30. In an on-line/real time processing system
a. Individual transactions are entered at workstations, validated and used to update related computer files immediately.
b. Individual transactions are entered at a workstation, subjected to certain validation checks and added to a transaction file that contains other transactions entered during the period.
c. Individual transactions immediately update a memo file containing information which has been extracted from the most recent version of the master file.
d. The master files are updated by other systems.
31. It combines on-line/real time processing and on-line/batch processing.
a. On-Line/Memo Update (and Subsequent Processing)
b. On-Line Downloading/Uploading Processing
c. On-Line/Inquiry
d. On-Line/Combined Processing
32. It is a communication system that enables computer users to share computer equipment, application software, data and voice and video transmissions.
a. Network
b. File server
c. Host
d. Client
33. A type of network that multiple buildings are close enough to create a campus, but the space between the buildings is not under the control of the company is
a. Local Area Network (LAN)
b. Wide Area Network (WAN)
c. Metropolitan Area Network (MAN)
d. World Wide Web (WWW)
34. Which of the following is least likely a characteristic of Wide Area Network (WAN)?
a. Created to connect two or more geographically separated LANs.
b. Typically involves one or more long-distance providers, such as a telephone company to provide the connections.
c. WAN connections tend to be faster than LAN.
d. Usually more expensive than LAN.
35. Gateway is
a. A hardware and software solution that enables communications between two dissimilar networking systems or protocols.
b. A device that forwards frames based on destination addresses.
c. A device that connects and passes packets between two network segments that use the same communication protocol.
d. A device that regenerates and retransmits the signal on a network.
36. A device that works to control the flow of data between two or more network segments
a. Bridge
b. Router
c. Repeater
d. Switch
37. The undesirable characteristics of on-line computer systems least likely include
a. Data are usually subjected to immediate validation checks.
b. Unlimited access of users to all of the functions in a particular application.
c. Possible lack of visible transaction trail.
d. Potential programmer access to the system.
38. Certain general CIS controls that are particularly important to on-line processing least likely include
a. Access controls.
b. System development and maintenance controls.
c. Edit, reasonableness and other validation tests.
d. Use of anti-virus software program.
39. Certain CIS application controls that are particularly important to on-line processing least likely include
a. Pre-processing authorization.
b. Cut-off procedures.
c. Transaction logs.
d. Balancing.
 

40. Risk of fraud or error in on-line systems may be reduced in the following circumstances, except
a. If on-line data entry is performed at or near the point where transactions originate, there is less risk that the transactions will not be recorded.
b. If invalid transactions are corrected and re-entered immediately, there is less risk that such transactions will not be corrected and re-submitted on a timely basis.
c. If data entry is performed on-line by individuals who understand the nature of the transactions involved, the data entry process may be less prone to errors than when it is performed by individuals unfamiliar with the nature of the transactions.
d. On-line access to data and programs through telecommunications may provide greater opportunity for access to data and programs by unauthorized persons.
41. Risk of fraud or error in on-line computer systems may be increased for the following reasons, except
a. If workstations are located throughout the entity, the opportunity for unauthorized use of a workstation and the entry of unauthorized transactions may increase.
b. Workstations may provide the opportunity for unauthorized uses such as modification of previously entered transactions or balances.
c. If on-line processing is interrupted for any reason, for example, due to faulty telecommunications, there may be a greater chance that transactions or files may be lost and that the recovery may not be accurate and complete.
d. If transactions are processed immediately on-line, there is less risk that they will be processed in the wrong accounting period.
42. The following matters are of particular importance to the auditor in an on-line computer system, except
a. Authorization, completeness and accuracy of on-line transactions.
b. Integrity of records and processing, due to on-line access to the system by many users and programmers.
c. Changes in the performance of audit procedures including the use of CAAT's.
d. Cost-benefit ratio of installing on-line computer system.

PAPS 1003 – CIS Environments – Database Systems
43. A collection of data that is shared and used by a number of different users for different purposes.
a. Database
b. Information file
c. Master file
d. Transaction file
44. Which of the following is least likely a characteristic of a database system?
a. Individual applications share the data in the database for different purposes.
b. Separate data files are maintained for each application and similar data used by several applications may be repeated on several different files.
c. A software facility is required to keep track of the location of the data in the database.
d. Coordination is usually performed by a group of individuals whose responsibility is typically referred to as "database administration."
45. Database administration tasks typically include
I. Defining the database structure.
II. Maintaining data integrity, security and completeness.
III. Coordinating computer operations related to the database.
IV. Monitoring system performance.
V. Providing administrative support.
a. All of the above
b. All except I
c. II and V only
d. II, III and V only
46. Due to data sharing, data independence and other characteristics of database systems
a. General CIS controls normally have a greater influence than CIS application controls on database systems.
b. CIS application controls normally have a greater influence than general CIS controls on database systems.
c. General CIS controls normally have an equal influence with CIS application controls on database systems.
d. CIS application controls normally have no influence on database systems.
47. Which statement is incorrect regarding the general CIS controls of particular importance in a database environment?
a. Since data are shared by many users, control may be enhanced when a standard approach is used for developing each new application program and for application program modification.
b. Several data owners should be assigned responsibility for defining access and security rules, such as who can use the data (access) and what functions they can perform (security).
c. User access to the database can be restricted through the use of passwords.
d. Responsibilities for performing the various activities required to design, implement and operate a database are divided among technical, design, administrative and user personnel.
48. These require a database administrator to assign security attributes to data that cannot be changed by database users.
a. Discretionary access controls
b. Mandatory access controls
c. Name-dependent restrictions
d. Content-dependent restrictions.
49. A discretionary access control wherein users are permitted or denied access to data resource depending on the time series of accesses to and actions they have undertaken on data resources.
a. Name-dependent restrictions
b. Content-dependent restriction
c. Context-dependent restriction
d. History-dependent restriction
50. The effect of a database system on the accounting system and the associated risks will least likely depend on:
a. The extent to which databases are being used by accounting applications.
b. The type and significance of financial transactions being processed.
c. The nature of the database, the DBMS, the database administration tasks and the applications.
d. The CIS application controls.
51. Audit procedures in a database environment will be affected principally by
a. The extent to which the data in the database are used by the accounting system.
b. The type and significance of financial transactions being processed.
c. The nature of the database, the DBMS, the database administration tasks and the applications.
d. The general CIS controls which are particularly important in a database environment.

PAPS 1008 – Risk Assessments and Internal Control – CIS Characteristics and Considerations
52. Which statement is incorrect regarding the characteristics of a CIS organizational structure?
a. Certain data processing personnel may be the only ones with a detailed knowledge of the interrelationship between the source of data, how it is processed and the distribution and use of the output.
b. Many conventional controls based on adequate segregation of incompatible functions may not exist, or in the absence of access and other controls, may be less effective.
c. Transaction and master file data are often concentrated, usually in machine-readable form, either in one computer installation located centrally or in a number of installations distributed throughout an entity.
d. Systems employing CIS methods do not include manual operations since the number of persons involved in the processing of financial information is significantly reduced.
53. System characteristics that may result from the nature of CIS processing include, except
a. Absence of input documents.
b. Lack of visible transaction trail.
c. Lack of visible output.
d. Difficulty of access to data and computer programs.
54. The development of CIS will generally result in design and procedural characteristics that are different from those found in manual systems. These different design and procedural aspects of CIS include, except:
a. Consistency of performance.
b. Programmed control procedures.
c. Vulnerability of data and program storage media
d. Multiple transaction update of multiple computer files or databases.
55. Which statement is incorrect regarding internal controls in a CIS environment?
a. Manual and computer control procedures comprise the overall controls affecting the CIS environment (general CIS controls) and the specific controls over the accounting applications (CIS application controls).
b. The purpose of general CIS controls is to establish a framework of overall control over the CIS activities and to provide a reasonable level of assurance that the overall objectives of internal control are achieved.
c. The purpose of CIS application controls is to establish specific control procedures over the application systems in order to provide reasonable assurance that all transactions are authorized and recorded, and are processed completely, accurately and on a timely basis.
d. The internal controls over computer processing, which help to achieve the overall objectives of internal control, include only the procedures designed into computer programs.
56. General CIS controls may include, except:
a. Organization and management controls.
b. Development and maintenance controls.
c. Delivery and support controls.
d. Controls over computer data files.
57. CIS application controls include, except
a. Controls over input.
b. Controls over processing and computer data files.
c. Controls over output.
d. Monitoring controls.
58. Which statement is incorrect regarding the review of general CIS controls and CIS application controls?
a. The auditor should consider how these general CIS controls affect the CIS applications significant to the audit.
b. General CIS controls that relate to some or all applications are typically interdependent controls in that their operation is often essential to the effectiveness of CIS application controls.
c. Control over input, processing, data files and output may be carried out by CIS personnel, by users of the system, by a separate control group, or may be programmed into application software.
d. It may be more efficient to review the design of the application controls before reviewing the general controls.
59. Which statement is incorrect regarding the evaluation of general CIS controls and CIS application controls?
a. The general CIS controls may have a pervasive effect on the processing of transactions in application systems.
b. If general CIS controls are not effective, there may be a risk that misstatements might occur and go undetected in the application systems.
c. Manual procedures exercised by users may provide effective control at the application level.
d. Weaknesses in general CIS controls cannot preclude testing certain CIS application controls.

PAPS 1009 – Computer-Assisted Audit Techniques (CAATs)
60. The applications of auditing procedures using the computer as an audit tool refer to
a. Integrated test facility
b. Data-based management system
c. Auditing through the computer
d. Computer assisted audit techniques
61. Which statement is incorrect regarding CAATs?
a. CAATs are often an efficient means of testing a large number of transactions or controls over large populations.
b. To ensure appropriate control procedures, the presence of the auditor is not necessarily required at the computer facility during the running of a CAAT.
c. The general principles outlined in PAPS 1009 apply in small entity IT environments.
d. Where smaller volumes of data are processed, the use of CAATs is more cost effective.
62. Consists of generalized computer programs designed to perform common audit tasks or standardized data processing functions.
a. Package or generalized audit software
b. Customized or purpose-written programs
c. Utility programs
d. System management programs
63. Audit automation least likely include
a. Expert systems.
b. Tools to evaluate a client’s risk management procedures.
c. Manual working papers.
d. Corporate and financial modeling programs for use as predictive audit tests.
QUIZZERS
1. An internal auditor noted the following points when conducting a preliminary survey in connection with the audit of an EDP department. Which of the following would be considered a safeguard in the control system on which the auditor might rely?
a. Programmers and computer operators correct daily processing problems as they arise.
b. The control group works with user organizations to correct rejected input.
c. New systems are documented as soon as possible after they begin processing live data.
d. The average tenure of employees working in the EDP department is ten months.
2. An on-line access control that checks whether the user’s code number is authorized to initiate a specific type of transaction or inquiry is referred to as
a. Password
b. Limit check
c. Compatibility test
d. Reasonableness test
3. A control procedure that could be used in an on-line system to provide an immediate check on whether an account number has been entered on a terminal accurately is a
a. Compatibility test
b. Hash total
c. Record count
d. Self-checking digit
4. A control designed to catch errors at the point of data entry is
a. Batch total
b. Record count
c. Self-checking digit
d. Checkpoints
5. Program documentation is a control designed primarily to ensure that
a. Programmers have access to the tape library or information on disk files.
b. Programs do not make mathematical errors.
c. Programs are kept up to date and perform as intended.
d. Data have been entered and processed.
6. Some of the more important controls that relate to automated accounting information systems are validity checks, limit checks, field checks, and sign tests. These are classified as
a. Control total validation routines
b. Hash totaling
c. Output controls
d. Input validation routines
7. Most of today’s computer systems have hardware controls that are built in by the computer manufacturer. Common hardware controls are
a. Duplicate circuitry, echo check, and internal header labels
b. Tape file protection, cryptographic protection, and limit checks
c. Duplicate circuitry, echo check, and dual reading
d. Duplicate circuitry, echo check, tape file protection, and internal header labels
8. Computer manufacturers are now installing software programs permanently inside the computer as part of its main memory to provide protection from erasure or loss if there is interrupted electrical power. This concept is known as
a. File integrity
b. Software control
c. Random access memory (RAM)
d. Firmware
9. Which one of the following represents a lack of internal control in a computer-based information system?
a. The design and implementation is performed in accordance with management’s specific authorization.
b. Any and all changes in application programs have the authorization and approval of management.
c. Provisions exist to protect data files from unauthorized access, modification, or destruction.
d. Both computer operators and programmers have unlimited access to the programs and data files.
10. In an automated payroll processing environment, a department manager substituted the time card for a terminated employee with a time card for a fictitious employee. The fictitious employee had the same pay rate and hours worked as the terminated employee. The best control technique to detect this action using employee identification numbers would be a
a. Batch total
b. Hash total
c. Record count
d. Subsequent check
11. An employee in the receiving department keyed in a shipment from a remote terminal and inadvertently omitted the purchase order number. The best systems control to detect this error would be
a. Batch total
b. Completeness test
c. Sequence check
d. Reasonableness test
 

12. The reporting of accounting information plays a central role in the regulation of business operations. Preventive controls are an integral part of virtually all accounting processing systems, and much of the information generated by the accounting system is used for preventive control purposes. Which one of the following is not an essential element of a sound preventive control system?
a. Separation of responsibilities for the recording, custodial, and authorization functions.
b. Sound personnel policies.
c. Documentation of policies and procedures.
d. Implementation of state-of-the-art software and hardware.
13. The most critical aspect regarding separation of duties within information systems is between
a. Project leaders and programmers
b. Programmers and computer operators
c. Programmers and systems analysts
d. Data control and file librarians
14. Whether or not a real time program contains adequate controls is most effectively determined by the use of
a. Audit software
b. An integrated test facility
c. A tracing routine
d. A traditional test deck
15. Compatibility tests are sometimes employed to determine whether an acceptable user is allowed to proceed. In order to perform compatibility tests, the system must maintain an access control matrix. The one item that is not part of an access control matrix is a
a. List of all authorized user code numbers and passwords.
b. List of all files maintained on the system.
c. Record of the type of access to which each user is entitled.
d. Limit on the number of transaction inquiries that can be made by each user in a specified time period.
16. Which one of the following input validation routines is not likely to be appropriate in a real time operation?
a. Field check
b. Sign check
c. Sequence check
d. Redundant data check
17. Which of the following controls is a processing control designed to ensure the reliability and accuracy of data processing?
a. Limit test: Yes; Validity check test: Yes
b. Limit test: No; Validity check test: No
c. Limit test: No; Validity check test: Yes
d. Limit test: Yes; Validity check test: No
18. Which of the following characteristics distinguishes computer processing from manual processing?
a. Computer processing virtually eliminates the occurrence of computational error normally associated with manual processing.
b. Errors or irregularities in computer processing will be detected soon after their occurrences.
c. The potential for systematic error is ordinarily greater in manual processing than in computerized processing.
d. Most computer systems are designed so that transaction trails useful for audit do not exist.
19. Which of the following most likely represents a significant deficiency in the internal control structure?
a. The systems analyst reviews applications of data processing and maintains systems documentation.
b. The systems programmer designs systems for computerized applications and maintains output controls.
c. The control clerk establishes control over data received by the EDP department and reconciles control totals after processing.
d. The accounts payable clerk prepares data for computer processing and enters the data into the computer.
20. Which of the following activities would most likely be performed in the EDP Department?
a. Initiation of changes to master records.
b. Conversion of information to machine-readable form.
c. Correction of transactional errors.
d. Initiation of changes to existing applications.
 

Page 10 of 15 
AT-030507
21. For control purposes, which of the following should be organizationally segregated from the computer operations function?
a. Data conversion
b. Surveillance of CRT messages
c. Systems development
d. Minor maintenance according to a schedule
22. Which of the following is not a major reason for maintaining an audit trail for a computer system?
a. Deterrent to irregularities
b. Monitoring purposes
c. Analytical procedures
d. Query answering
23. In an automated payroll system, all employees in the finishing department were paid the rate of P75 per hour when the authorized rate was P70 per hour. Which of the following controls would have been most effective in preventing such an error?
a. Access controls which would restrict the personnel department’s access to the payroll master file data.
b. A review of all authorized pay rate changes by the personnel department.
c. The use of batch control totals by department.
d. A limit test that compares the pay rates per department with the maximum rate for all employees.
24. Which of the following errors would be detected by batch controls?
a. A fictitious employee was added to the processing of the weekly time cards by the computer operator.
b. An employee who worked only 5 hours in the week was paid for 50 hours.
c. The time card for one employee was not processed because it was lost in transit between the payroll department and the data entry function.
d. All of the above.
25. The use of a header label in conjunction with magnetic tape is most likely to prevent errors by the
a. Computer operator
b. Keypunch operator
c. Computer programmer
d. Maintenance technician
26. For the accounting system of ACME Company, the amounts of cash disbursements entered into an EDP terminal are transmitted to the computer that immediately transmits the amounts back to the terminal for display on the terminal screen. This display enables the operator to
a. Establish the validity of the account number
b. Verify the amount was entered accurately
c. Verify the authorization of the disbursements
d. Prevent the overpayment of the account
27. When EDP programs or files can be accessed from terminals, users should be required to enter a(an)
a. Parity check
b. Personal identification code
c. Self-diagnostic test
d. Echo check
28. The possibility of erasing a large amount of information stored on magnetic tape most likely would be reduced by the use of
a. File protection ring
b. Check digits
c. Completeness tests
d. Conversion verification
29. Which of the following controls most likely would assure that an entity can reconstruct its financial records?
a. Hardware controls are built into the computer by the computer manufacturer.
b. Backup diskettes or tapes of files are stored away from originals.
c. Personnel who are independent of data input perform parallel simulations.
d. System flowcharts provide accurate descriptions of input and output operations.
30. Mill Co. uses a batch processing method to process its sales transactions. Data on Mill’s sales transaction tape are electronically sorted by customer number and are subject to programmed edit checks in preparing its invoices, sales journals, and updated customer account balances. One of the direct outputs of the creation of this tape most likely would be a
a. Report showing exceptions and control totals.
b. Printout of the updated inventory records.
c. Report showing overdue accounts receivable.
d. Printout of the sales price master file.
31. Using microcomputers in auditing may affect the methods used to review the work of staff assistants because
a. The audit field work standards for supervision may differ.
b. Documenting the supervisory review may require assistance of consulting services personnel.
c. Supervisory personnel may not have an understanding of the capabilities and limitations of microcomputers.
d. Working paper documentation may not contain readily observable details of calculations.
32. An auditor anticipates assessing control risk at a low level in a computerized environment. Under these circumstances, on which of the following procedures would the auditor initially focus?
a. Programmed control procedures
b. Application control procedures
c. Output control procedures
d. General control procedures
33. After the preliminary phase of the review of a client’s EDP controls, an auditor may decide not to perform tests of controls (compliance tests) related to the control procedures within the EDP portion of the client’s internal control structure. Which of the following would not be a valid reason for choosing to omit such tests?
a. The controls duplicate operative controls existing elsewhere in the structure.
b. There appear to be major weaknesses that would preclude reliance on the stated procedure.
c. The time and costs of testing exceed the time and costs in substantive testing if the tests of controls show the controls to be operative.
d. The controls appear adequate.
34. Which of the following client electronic data processing (EDP) systems generally can be audited without examining or directly testing the EDP computer programs of the system?
a. A system that performs relatively uncomplicated processes and produces detailed output.
b. A system that affects a number of essential master files and produces a limited output.
c. A system that updates a few essential master files and produces no printed output other than final balances.
d. A system that performs relatively complicated processing and produces very little detailed output.
35. Computer systems are typically supported by a variety of utility software packages that are important to an auditor because they
a. May enable unauthorized changes to data files if not properly controlled.
b. Are very versatile programs that can be used on hardware of many manufacturers.
c. May be significant components of a client’s application programs.
d. Are written specifically to enable auditors to extract and sort data.
36. To obtain evidence that online access controls are properly functioning, an auditor most likely would
a. Create checkpoints at periodic intervals after live data processing to test for unauthorized use of the system.
b. Examine the transaction log to discover whether any transactions were lost or entered twice due to a system malfunction.
c. Enter invalid identification numbers or passwords to ascertain whether the system rejects them.
d. Vouch a random sample of processed transactions to assure proper authorization.
37. Which of the following statements most likely represents a disadvantage for an entity that keeps microcomputer-prepared data files rather than manually prepared files?
a. Attention is focused on the accuracy of the programming process rather than errors in individual transactions.
b. It is usually easier for unauthorized persons to access and alter the files.
c. Random error associated with processing similar transactions in different ways is usually greater.
d. It is usually more difficult to compare recorded accountability with physical count of assets.
38. An auditor would least likely use computer software to
a. Access client data files
b. Prepare spreadsheets
c. Assess EDP controls
d. Construct parallel simulations
39. A primary advantage of using generalized audit software packages to audit the financial statements of a client that uses an EDP system is that the auditor may
a. Consider increasing the use of substantive tests of transactions in place of analytical procedures.
b. Substantiate the accuracy of data through self-checking digits and hash totals.
c. Reduce the level of required tests of controls to a relatively small amount.
d. Access information stored on computer files while having a limited understanding of the client’s hardware and software features.
40. Auditors often make use of computer programs that perform routine processing functions such as sorting and merging. These programs are made available by electronic data processing companies and others and are specifically referred to as
a. Compiler programs
b. Supervisory programs
c. Utility programs
d. User programs
41. Smith Corporation has numerous customers. A customer file is kept on disk storage. Each customer file contains name, address, credit limit, and account balance. The auditor wishes to test this file to determine whether the credit limits are being exceeded. The best procedure for the auditor to follow would be to
a. Develop test data that would cause some account balances to exceed the credit limit and determine if the system properly detects such situations.
b. Develop a program to compare credit limits with account balances and print out the details of any account with a balance exceeding its credit limit.
c. Request a printout of all account balances so they can be manually checked against the credit limits.
d. Request a printout of a sample of account balances so they can be individually checked against the credit limits.
42. The use of a generalized audit software package
a. Relieves an auditor of the typical tasks of investigating exceptions, verifying sources of information, and evaluating reports.
b. Is a major aid in retrieving information from computerized files.
c. Overcomes the need for an auditor to learn much about computers.
d. Is a form of auditing around the computer.
43. An auditor used test data to verify the existence of controls in a certain computer program. Even though the program performed well on the test, the auditor may still have a concern that
a. The program tested is the same one used in the regular production runs.
b. Generalized audit software may have been a better tool to use.
c. Data entry procedures may change and render the test useless.
d. The test data will not be relevant in subsequent audit periods.
44. An auditor most likely would introduce test data into a computerized payroll system to test internal controls related to the
a. Existence of unclaimed payroll checks held by supervisors.
b. Early cashing of payroll checks by employees.
c. Discovery of invalid employee I.D. numbers.
d. Proper approval of overtime by supervisors.
45. When an auditor tests a computerized accounting system, which of the following is true of the test data approach?
a. Test data must consist of all possible valid and invalid conditions.
b. The program tested is different from the program used throughout the year by the client.
c. Several transactions of each type must be tested.
d. Test data are processed by the client’s computer programs under the auditor’s control.
46. Which of the following statements is not true of the test data approach when testing a computerized accounting system?
a. The test need consist of only those valid and invalid conditions which interest the auditor.
b. Only one transaction of each type need be tested.
c. The test data must consist of all possible valid and invalid conditions.
d. Test data are processed by the client’s computer programs under the auditor’s control.
47. Which of the following is not among the errors that an auditor might include in the test data when auditing a client’s EDP system?
a. Numeric characters in alphanumeric fields.
b. Authorized code.
c. Differences in description of units of measure.
d. Illogical entries in fields whose logic is tested by programmed consistency checks.
48. An auditor who is testing EDP controls in a payroll system would most likely use test data that contain conditions such as
a. Deductions not authorized by employees.
b. Overtime not approved by supervisors.
c. Time tickets with invalid job numbers.
d. Payroll checks with unauthorized signatures.
49. Auditing by testing the input and output of an EDP system instead of the computer program itself will
a. Not detect program errors which do not show up in the output sampled.
b. Detect all program errors, regardless of the nature of the output.
c. Provide the auditor with the same type of evidence.
d. Not provide the auditor with confidence in the results of the auditing procedures.
50. Which of the following computer-assisted auditing techniques allows fictitious and real transactions to be processed together without client operating personnel being aware of the testing process?
a. Integrated test facility
b. Input controls matrix
c. Parallel simulation
d. Data entry monitor
51. Which of the following methods of testing application controls utilizes a generalized audit software package prepared by the auditors?
a. Parallel simulation
b. Integrated testing facility approach
c. Test data approach
d. Exception report tests
52. Misstatements in a batch computer system caused by incorrect programs or data may not be detected immediately because
a. Errors in some transactions may cause rejection of other transactions in the batch.
b. The identification of errors in input data typically is not part of the program.
c. There are time delays in processing transactions in a batch system.
d. The processing of transactions in a batch system is not uniform.
53. Which of the following is not a characteristic of a batch processed computer system?
a. The collection of like transactions which are sorted and processed sequentially against a master file.
b. Keypunching of transactions, followed by machine processing.
c. The production of numerous printouts.
d. The posting of a transaction, as it occurs, to several files, without immediate printouts.
54. Where disk files are used, the grandfather-father-son updating backup concept is relatively difficult to implement because the
a. Location of information points on disks is an extremely time consuming task.
b. Magnetic fields and other environmental factors cause off-site storage to be impractical.
c. Information must be dumped in the form of hard copy if it is to be reviewed before used in updating.
d. Process of updating old records is destructive.
55. An auditor would most likely be concerned with which of the following controls in a distributed data processing system?
a. Hardware controls
b. Systems documentation controls
c. Access controls
d. Disaster recovery controls
56. If a control total were computed on each of the following data items, which would best be identified as a hash total for a payroll EDP application?
a. Total debits and total credits
b. Net pay
c. Department numbers
d. Hours worked
57. Which of the following is a computer test made to ascertain whether a given characteristic belongs to the group?
a. Parity check
b. Validity check
c. Echo check
d. Limit check
58. A control feature in an electronic data processing system requires the central processing unit (CPU) to send signals to the printer to activate the print mechanism for each character. The print mechanism, just prior to printing, sends a signal back to the CPU verifying that the proper print position has been activated. This type of hardware control is referred to as
a. Echo check
b. Validity control
c. Signal control
d. Check digit control
59. Which of the following is an example of a check digit?
a. An agreement of the total number of employees to the total number of checks printed by the computer.
b. An algebraically determined number produced by the other digits of the employee number.
c. A logic test that ensures all employee numbers are nine digits.
d. A limit check that an employee’s hours do not exceed 50 hours per work week.
60. In a computerized system, procedure or problem-oriented language is converted to machine language through a(an)
a. Interpreter
b. Verifier
c. Compiler
d. Converter
61. A customer erroneously ordered Item No. 86321 rather than item No. 83621. When this order is processed, the vendor’s EDP department would identify the error with what type of control?
a. Key verifying
b. Self-checking digit
c. Batch total
d. Item inspection
62. The computer process whereby data processing is performed concurrently with a particular activity and the results are available soon enough to influence the course of action being taken or the decision being made is called:
a. Random access sampling
b. Integrated data processing
c. On-line, real-time system
d. Batch processing system
63. Internal control is ineffective when computer department personnel
a. Participate in computer software acquisition decisions.
b. Design documentation for computerized systems.
c. Originate changes in master file.
d. Provide physical security for program files.
64. Test data, integrated test data and parallel simulation each require an auditor to prepare data and computer programs. CPAs who lack either the technical expertise or time to prepare programs should request from the manufacturers or EDP consultants for
a. The program code
b. Flowchart checks
c. Generalized audit software
d. Application controls
65. Which of the following best describes a fundamental control weakness often associated with electronic data processing systems?
a. EDP equipment is more subject to system error than manual processing is subject to human error.
b. Monitoring is not an adequate substitute for the use of test data.
c. EDP equipment processes and records similar transactions in a similar manner.
d. Functions that would normally be separated in a manual system are combined in the EDP system like the function of programmers and operators.
66. Which of the following tasks could not be performed when using a generalized audit software package?
a. Selecting inventory items for observations.
b. Physical count of inventories.
c. Comparison of inventory test counts with perpetual records.
d. Summarizing inventory turnover statistics for obsolescence analysis.
67. All of the following are “auditing through the computer” techniques except
a. Reviewing source code
b. Test-decking
c. Automated tracking and mapping
d. Integrated test facility
68. The output of a parallel simulation should always be
a. Printed on a report.
b. Compared with actual results manually.
c. Compared with actual results using a comparison program.
d. Reconciled to actual processing output.
69. Generalized audit software is a computer-assisted audit technique. It is one of the widely used techniques for auditing computer application systems. Generalized audit software is most often used to
a. Verify computer processing.
b. Process data fields under the control of the operation manager.
c. Independently analyze data files.
d. Both a and b.
70. From an audit viewpoint, which of the following represents a potential disadvantage associated with the widespread use of microcomputers?
a. Their portability.
b. Their ease of access by novice users.
c. Their easily developed programs using spreadsheets which do not have to be documented.
d. All of the above.
71. Which of the following functions would have the least effect on an audit if it was not properly segregated?
a. The systems analyst and the programmer functions.
b. The computer operator and programmer functions.
c. The computer operator and the user functions.
d. The applications programmer and the systems programmer.
72. To obtain evidence that user identification and password control procedures are functioning as designed, an auditor would most likely
a. Attempt to sign on to the system using invalid user identifications and passwords.
b. Write a computer program that simulates the logic of the client’s access control software.
c. Extract a random sample of processed transactions and ensure that the transactions were appropriately authorized.
d. Examine statements signed by employees stating that they have not divulged their user identifications and passwords to any other person.
SUGGESTED ANSWERS
1. D   2. D   3. D   4. D   5. D   6. D   7. D   8. D   9. A   10. D
11. B  12. B  13. A  14. D  15. A  16. D  17. D  18. A  19. B  20. A
21. D  22. B  23. A  24. A  25. D  26. C  27. A  28. D  29. D  30. A
31. A  32. A  33. C  34. C  35. A  36. B  37. A  38. C  39. C  40. D
41. D  42. D  43. A  44. B  45. A  46. A  47. B  48. B  49. D  50. D
51. A  52. D  53. D  54. D  55. D  56. D  57. D  58. D  59. D  60. D
61. D  62. A  63. C
QUIZZERS
1. B   2. C   3. D   4. C   5. C   6. D   7. C   8. D   9. D   10. B
11. B  12. D  13. B  14. B  15. D  16. C  17. A  18. A  19. B  20. B
21. C  22. C  23. D  24. D  25. A  26. B  27. B  28. A  29. B  30. A
31. D  32. D  33. D  34. A  35. A  36. C  37. B  38. C  39. D  40. C
41. B  42. B  43. A  44. C  45. D  46. C  47. A  48. C  49. A  50. A
51. A  52. C  53. D  54. D  55. C  56. C  57. B  58. A  59. B  60. C
61. B  62. C  63. C  64. C  65. D  66. B  67. A  68. B  69. C  70. B
71. D  72. A
- end of AT-5916 -
