Online system master Files Errors

terminals :
updating of
- =
immediate result T
-
manual It

systematic error
random error
-

main Frame -computational error-programming

error

derical error

manual batch
CPA REVIEW SCHOOL OF THE PHILIPPINES AT-9510
Manila
Input Out put
processing

• supercomputers
AUDITING THEORY • Personal computers/ desktop/ laptop
CPA Review
• PDA: personal digital assistant (phone) (handheld PC)

AUDITING IN AN IT ENVIRONMENT EDP / CIS / IT

Manual System: manual controls (operated by ppl)

IT system: manual controls & programmed controls

1. An IT environment exists when a computer of any type or size is involved in the processing
by the entity of financial information of significance to the audit, whether the computer is
operated by the entity or by a third party. significant >
- How IT controls are to

L service providers processing financial into for the entity

2. The overall objective and scope of an audit does not change in an IT environment.

3. An IT environment may affect:

a. The procedures followed in obtaining a sufficient understanding of the accounting and
internal control systems.
b. The consideration of the inherent and control risk.
c. The design and performance of tests of controls and substantive procedures.

4. The auditor should have sufficient knowledge of the IT to plan, direct, and review the work
performed.

5. If specialized skills are needed, the auditor would seek the assistance of a professional
possessing such skills, who may be either on the auditor’s staff or an outside professional.
If company is high sophisticated, may ask assistance in IT expert groups in the firm or externally

6. In planning the portions of the audit which may be affected by the client’s IT environment,
the auditor should obtain an understanding of the significance and complexity of the IT
activities and the availability of data for use in the audit.

7. When the IT activities are significant, the auditor should also obtain an understanding of
the IT environment and whether it may influence the assessment of inherent and control
risks.

8. The auditor should consider the IT environment in designing audit procedures to reduce
audit risk to an acceptably low level. The auditor can use either manual audit procedures,
computer-assisted audit techniques, or a combination of both to obtain sufficient evidential
matter.

RISK ASSESSMENTS AND INTERNAL CONTROL:

IT CHARACTERISTICS AND CONSIDERATIONS

Organizational Structure

Characteristics of an IT organizational structure includes:

a. Concentration of functions and knowledge Decrease human involvement
Although most systems employing IT methods will include certain manual operations,
generally the number of persons involved in the processing of financial information is
significantly reduced.

b. Concentration of programs and data

Transaction and master file data are often concentrated, usually in machine-readable form,
either in one computer installation located centrally or in a number of installations
distributed throughout the entity.

Page 1 of 12 Pages
CPAR - MANILA AT-9510

Nature of Processing
The use of computers may result in the design of systems that provide less visible evidence than
those using manual procedures. In addition, these systems may be accessible by a larger number
of persons.
System characteristics that may result from the nature of IT processing include:

a. Absence of input documents

• Data may be entered directly into the computer system without supporting document.
• In some on-line transaction systems, written evidence of individual data entry
authorization (e.g., approval for order entry) may be replaced by other procedures,
such as authorization controls contained in computer programs (e.g., credit limit
approval).

b. Lack of visible audit trail

The transaction trail may be partly in machine-readable form and may exist only for a limited
period of time (e.g., audit logs may be set to overwrite themselves after a period of time or
when the allocated disk space is consumed).

c. Lack of visible output

Certain transactions or results of processing may not be printed, or only summary data may
be printed.

d. Ease of access to data and computer programs

Data and computer programs may be accessed and altered at the computer or through the
use of computer equipment at remote locations. Therefore, in the absence of appropriate
controls, there is an increased potential for unauthorized access to, and alteration of, data
and programs by persons inside or outside the entity.

Design and Procedural Aspects

The development of IT will generally result in design and procedural characteristics that are
different from those found in manual systems. These different design and procedural aspects of
IT include:

a. Consistency of performance
IT systems perform functions exactly as programmed and are potentially more reliable than
manual systems, provided that all transaction types and conditions that could occur are
anticipated and incorporated into the system. On the other hand, a computer program that
is not correctly programmed and tested may consistently process transactions or other data
erroneously.

b. Programmed control procedures

The nature of computer processing allows the design of internal control procedures in
computer programs.

c. Single transaction update of multiple or data base computer files

A single input to the accounting system may automatically update all records associated
with the transaction.

d. Systems generated transactions

Certain transactions may be initiated by the IT system itself without the need for an input
document.

e. Vulnerability of data and program storage media

Large volumes of data and the computer programs used to process such data may be stored
on portable or fixed storage media, such as magnetic disks and tapes. These media are
vulnerable to theft, loss, or intentional or accidental destruction.

Page 2 of 12 Pages
 CPAR - MANILA AT-9510

INTERNAL CONTROLS IN AN IT ENVIRONMENT

Review first general controls before reviewing application controls

GENERAL IT CONTROLS—to establish a framework of overall control over the IT activities and
to provide a reasonable level of assurance that the overall objectives of internal control are
achieved. General controls: related to all applications
Application controls: computerized system
e.g. billing system, payroll system, inventory system: input > processing > output
General IT controls may include: * each application must have input, processing, and output controls

a. Organization and management controls—designed to define the strategic direction

and establish an organizational framework over IT activities, including: Segregation of incompatible functions
• Strategic information technology plan
• IT policies and procedures
• Segregation of incompatible functions
• Monitoring of IT activities performed by third party consultants

b. Development and maintenance controls—designed to provide reasonable assurance

that systems are developed or acquired, implemented and maintained in an authorized and
efficient manner. They also typically are designed to establish control over:
• Project initiation, requirements definition, systems design, testing, data conversion, go-
live decision, migration to production environment, documentation of new or revised
systems, and user training.
• Acquisition and implementation of off-the-shelf packages.
• Request for changes to the existing systems.
• Acquisition, implementation, and maintenance of system software.

c. Delivery and support controls—designed to control the delivery of IT services and

include:
common back-up
• Establishment of service level agreements against which IT services are measured.
>
-

3 generational Files
• Performance and capacity management controls.
"Grandfather-Father son'
• Event and problem management controls.
concept
• Disaster recovery/contingency planning, training, and file backup.
latest - son • Computer operations controls.
- -
b
Father • Systems security. Passwords and pins
-

Grandfather • Physical and environment controls.

d. Monitoring controls—designed to ensure that IT controls are working effectively as

planned. These include:
• Monitoring of key IT performance indicators.
• Internal/external IT audits.

Each function is one application

IT APPLICATION CONTROLS—to establish specific control procedures over the application

also serve as processing
systems in order to provide reasonable assurance that all transactions are authorized, recorded,
controls
and are processed completely, accurately and on a timely basis. IT application controls include:
· Can be manual: data controller ; Programmed: Validation of Programs

• key verification a. Controls over input—designed to provide reasonable assurance that:

• Field check / field
size check • Transactions are properly authorized before being processed by the computer.
• Validity check
• Missing data check
• Transactions are accurately converted into machine readable form and recorded in the
• Sequence check computer data files.
• Self checking digit/ • Transactions are not lost, added, duplicated or improperly changed.
check digit
• Incorrect transactions are rejected, corrected and, if necessary, resubmitted on a timely
-
transposition error

• Limit check /
Reasonable test basis. To provide reasonable assurance that data submitted for processing are complete, properly authorized, and
• Control totals (3) accurately translated into machine-readable form

Control totals test b. Controls over processing and computer data files—designed to provide reasonable
1. Batch total test
assurance that: To provide reasonable assurance that input data are processed accurately, not lost, added, excluded, duplicated, or improperly changed
2. Item count /
Record Count
3. Hash total
• Transactions, including system generated transactions, are properly processed by the
computer.
• Transactions are not lost, added duplicated or improperly changed.
Page 3 of 12 Pages
 CPAR - MANILA AT-9510

• Processing errors (i.e., rejected data and incorrect transactions) are identified and
corrected on a timely basis.

c. Controls over output—designed to provide reasonable assurance that:

To provide reasonable assurance that results of processing are complete, accurate, and that
• data controller’s
• Results of processing are accurate. these outputs are distributed only to authorized personnel
function
• Application • Access to output is restricted to authorized personnel.
controls • Output is provided to appropriate authorized personnel on a timely basis.

Review of general IT controls

General IT controls that relate to some or all applications are typically interdependent controls in
that their operation is often essential to the effectiveness of IT application controls. Accordingly,
it may be more efficient to review the design of the general controls before reviewing the
application controls. Analyst/programmer
- Operators must not be

>
controllers -

only function

Review of IT application controls <

user departments

Lall other functions not applicable to IT

is done here

IT application controls which the auditor may wish to test include:

IT Department: conversion and processing of data
1. Manager / CIS Director: exercise control over CIS operation
a. Manual controls exercised by the user 2. Systems analyst: designs new systems, prepares specs for programmer
b. Controls over system output separate
3. Computer programmer: preps computer operating instructions
c. Programmed control procedures 4. Computer Operator: operates computer to process transactions
5. Data encoders / Data Entry Operator: preps and verifies input data for processing
6. Data controllers / Control group: reviews and monitors input, distributes output to authorized
7. IT Librarian: custody of systems documentation, programs, and files

IT ENVIRONMENTS – STAND-ALONE PERSONAL COMPUTERS

1. A personal computer (PC) can be used in various configurations. These include:

a. a stand-alone workstation operated by a single user or a number of users at different
times;
b. a workstation which is a part of a Local Area Network (LAN) of PCs; and
c. a workstation connected to a server.

2. In a stand-alone PC environment, it may not be practicable or cost-effective for

management to implement sufficient controls to reduce the risks of undetected error to a
minimum level.

3. After obtaining the understanding of the accounting system and control environment, the
auditor may find it more cost-effective not to make a further review of general controls or
application controls, but to concentrate audit efforts on substantive procedures.

IT ENVIRONMENTS – ON-LINE COMPUTER SYSTEMS

1. On-line computer systems are computer systems that enable users to access data and
programs directly through terminal devices.

2. On-line systems allow users to directly initiate various functions such as:
a. entering transactions d. updating master files
b. making inquiries e. electronic commerce activities
c. requesting reports

3. Types of terminals used in on-line systems:

A. General purpose terminals
1. Basic keyboard and screen 3. PCs
2. Intelligent terminal
B. Special purpose terminals
1. Point-of-sale devices 2. Automated Teller Machines (ATM)

Page 4 of 12 Pages
CPAR - MANILA AT-9510

4. Types of on-line computer systems:

a. On-line/Real Time Processing Transaction > updates immediately: master file

Individual transactions are entered at terminal devices, validated, and used to update
related computer files immediately. Transaction File

b. On-line/Batch Processing Transaction > update: stored temporary file > updated at end of period: master-file

Individual transactions are entered at a terminal device, subjected to certain validation

checks, and added to a transaction file that contains other transactions entered during
the period. Later, during a subsequent processing cycle, the transaction file may be
validated further and then used to update relevant master file.
File (memo File

temporary
c. On-line/Memo Update (and Subsequent Processing) Transaction > memo file > transaction file > master file

- Combines on-line/real-time and on-line/batch processing. ATM is a combination of Real Time and Batch System
- Individual transactions immediately update a memo file containing information that
has been extracted from the most recent version of the master file. Inquiries are
made from this memo file.
- These same transactions are added to a transaction file for subsequent validation and
updating of the master file on a batch basis.

d. On-line/Inquiry
- Restricts users at terminal devices to making inquiries of master file.
- Master files are updated by other systems, usually on a batch basis.

e. On-line Downloading/Uploading Processing Transfer of files only

- On-line downloading refers to the transfer of data from a master file to an intelligent
terminal device for further processing by a user.

NETWORK ENVIRONMENT
1. A network environment is a communication system that enables computer users to share
computer equipment, application software, data, and voice and video transmissions.

2. A file server is a computer with an operating system that allows multiple users in a network
to access software applications and data files.

3. Basic types of networks

a. Local Area Network (LAN) c. Metropolitan Area Network (MAN)
b. Wide Area Network (WAN)

IT ENVIRONMENTS - DATABASE SYSTEMS

1. Database – A collection of data that is shared and used by many different users for
different purposes.

2. Two components of database systems:

a. Database
b. Database Management System (DBMS) – software that creates, maintains, and operates
the database.

3. Characteristics of database systems

a. Data sharing b. Data independence

ELECTRONIC DATA INTERCHANGE (EDI) – the electronic exchange of transactions, from

one entity’s computer to another entity’s computer through an electronic communications
network. In Electronic Fund Transfer (EFT) Systems, for example, electronic transactions replace
checks as a means of payment.
Page 5 of 12 Pages
 CPAR - MANILA AT-9510

EDI controls include:

a. Authentication – controls must exist over the origin, proper submission, and proper
delivery of EDI communications to ensure that the EDI messages are accurately sent
and received to and from authorized customers and suppliers.
b. Encryption – involves conversion of plain text data to cipher text data to make EDI
messages unreadable to unauthorized persons.
c. VAN controls – A value added network (VAN) is a computer service organization that
provides network, storage, and forwarding (mailbox) services for EDI messages.

AUDIT APPROACHES
Black box approach 1. Auditing around the computer – the auditor ignores or bypasses the computer processing
function of an entity’s EDP system. Simple, easy to follow audit trail Input vs Output (ignores processing part) Errors not in the output will
not be detected
2. Auditing with the computer – the computer is used as an audit tool.
White box approach 3. Auditing through the computer – the auditor enters the client’s system and examines directly
the computer and its system and application software. Audits the processing itself

COMPUTER ASSISTED AUDIT TECHNIQUES FOR TESTS OF CONTROLS

I. Program analysis – techniques that allow the auditor to gain an understanding of the client’s
Test Data Audit Software

X
program.
1. Code review – involves actual analysis of the logic of the program’s processing routines.
Generalized Purpose -

Driven

Audit software software

I

highly sophisticated
It systems

2. Comparison programs – programs that allow the auditor to compare computerized files.

3. Flowcharting software – used to produce a flowchart of a program’s logic and may be

used both in mainframe and microcomputer environments.

4. Program tracing and mapping – Program tracing is a technique in which instruction

executed is listed along with control information affecting that instruction. Program
mapping identifies sections of code which may be a potential source of abuse.

5. Snapshot – This technique “takes a picture” of the status of program execution,

intermediate results, or transaction data at specified processing points in the program
processing.

II. Program testing – involves the use of auditor-controlled actual or simulated data.

1. Historical audit techniques – test the audit computer controls at a point in time.

a. TEST DATA
• A set of dummy transactions specifically designed to test the control activities that
- Valide invalid
Auditor's test Data
conditions are planted

management claims to have incorporated into the processing programs.

processed using
-

• Shifts control over processing to the auditor by using the client’s software to
ram

Output compare

manu ally
Auditor's
output
expected
process auditor-prepared test data that includes both valid and invalid conditions.
• If embedded controls are functioning properly, the client’s software should detect
all the exceptions planted in the auditor’s test data.
• Ineffective if the client does not use the software tested.

b. BASE CASE SYSTEM EVALUATION (BCSE)

• Develops test data that purports to test every possible condition that an auditor
expects a client’s software will confront.
• Provides an auditor with much more assurance than test data alone, but expensive
to develop and therefore cost-effective only in large computer systems.

Page 6 of 12 Pages
 CPAR - MANILA AT-9510

Provided assurance that program tested by auditor is the same program

c. INTEGRATED TEST FACILITY (ITF) used by client in processing transactions
Auditor's test Data Client's Data
• A variation of test data whereby simulated data and actual data are run
processed using simultaneously with the client’s program and computer results are compared with
auditor’s predetermined results.
Client's program

Output comp are

manually
Auditor's
output
expected
• It provides assurance that the software tested is actually used to prepare financial
reports.

d. PARALLEL SIMULATION
Client's Data Client's Data
• It involves processing of client’s live (actual) data utilizing an auditor’s generalized
Client'sP rogram Auditor's program
audit software.
output compare
• If an entity’s controls have been operating effectively, the client’s software should
generate the same exceptions as the auditor’s software.
Output
manually

• It should be performed on a surprise basis, if possible.

e. CONTROLLED REPROCESSING
• A variation of parallel simulation, it involves processing of actual client data
through a copy of the client’s application program.

2. Continuous audit techniques – test the audit computer controls throughout a period.

a. AUDIT MODULES – programmed audit routines incorporated into an application

program that are designed to perform an audit function such as a calculation, or
logging activity.

b. SYSTEMS CONTROL AUDIT REVIEW FILES (SCARFs) – logs that collect transaction
information for subsequent review and analysis by the auditor.

c. AUDIT HOOKS – “exits” in an entity’s computer program that allows an auditor to

insert commands for audit processing.

d. TRANSACTION TAGGING – a transaction record is “tagged” and then traced through

critical control points in the information system.

e. EXTENDED RECORDS – this technique attaches additional audit data which would not
otherwise be saved to regular historic records and thereby helps to provide a more
complete audit trail.

III. Review of operating system and other systems software

1. JOB ACCOUNTING DATA/OPERATING SYTEMS LOGS – these logs that track particular
functions, include reports of the resources used by the computer system. The auditor
may be able to use them to review the work processed, to determine whether
unauthorized applications were processed and to determine that authorized applications
were processed properly.

2. LIBRARY MANAGEMENT SOFTWARE – this logs changes in programs, program modules,

job control language, and other processing activities.

3. ACCESS CONTROL AND SECURITY SOFTWARE – this restricts access to computers to

authorized personnel through techniques such as only allowing certain users with “read-
only” access or through use of encryption.

COMPUTERIZED AUDIT TOOLS

1. Audit software – computer programs used to process data of audit significance from the
client’s accounting system.
a. Package programs (also called generalized audit software) – programs that can be used
in numerous clients. They can be designed to perform different audit tasks such as:
Page 7 of 12 Pages
CPAR - MANILA AT-9510

1. reading computer files 4. creating data files

2. selecting samples 5. Printing reports in an auditor-specified format
3. performing calculations
b. Purpose-written programs (also called special-purpose or custom-designed programs) –
computer programs designed for specific audit tasks.
c. Utility programs – part of the systems software that perform routine CIS tasks. They are
generally NOT designed for audit purposes.

2. Electronic spreadsheets – contain a variety of predefined mathematical operations and

functions that can be applied to data entered into the cells of a spreadsheet.

3. Automated workpaper software – designed to generate a trial balance, lead schedules,

and other reports useful for the audit. The schedules and reports can be created once the
auditor has either manually entered or electronically imported through using the client’s
account balance information into the system.

4. Text retrieval software - allow the user to view any text that is available in an electronic
format. The software program allows the user to browse through text files much as a user
would browse through books.

5. Database management systems – manage the creation, maintenance, and processing of

information. The data are organized in the form of predefined records, and the database
software is used to select, update, sort, display, or print the records.

6. Public databases – may be used to obtain accounting information related to particular

companies and industries.

7. Word processing software

FACTORS TO CONSIDER IN USING CAAT

1. Degree of technical competence in IT.

2. Availability of CAAT and appropriate computer facilities.
3. Impracticability of manual tests.
4. Effectiveness and efficiency.
5. Timing of tests – The auditor should make arrangements with the client for the retention of
the needed data or to time the work when such data are available.

Controlling the CAAT application

Procedures to control the use of AUDIT SOFTWARE may include:
1. Participating in the design and testing of computer programs.
2. Checking the coding of the program.
3. Requesting the client’s IT personnel to review the operating system instructions.
4. Running the audit software on small test files before running them on main data files.
5. Ensuring that the correct files were used.
6. Obtaining evidence that the audit software functioned as planned.
7. Establishing appropriate security measures to safeguard against manipulation of the entity’s
data files.

Procedures to control the use of TEST DATA may include:

1. Controlling the sequence of submission of test data where it spans several processing cycles.
2. Performing test runs.
3. Predicting the results of test data.
4. Confirming that the current version of the program was used.
5. Obtaining reasonable assurance that the programs used to process the test data were used
by the entity throughout the applicable audit period.

Page 8 of 12 Pages
 CPAR - MANILA AT-9510

MULTIPLE CHOICE QUESTIONS

1. Which of the following characteristics distinguishes computer processing from manual

processing?
Errors
A. Computer processing virtually eliminates the occurrence of computational error normally
associated with manual processing.
*
manual It
B. Errors or fraud in computer processing will be detected soon after their occurrences.
-
random error

-computational
-

systematic

error-programming
C. The potential for systematic error is ordinarily greater in manual processing than in
error

error

derical error
computerized processing. baliktad computerized

D. Most computer systems are designed so that transaction trails useful for audit purposes
do not exist. there is audit trail not visible mostly
an ,

2. Which of the following is correct concerning batch processing of transactions? by batch &
by type

A. Transactions are processed in the order they occur, regardless of type. by type
B. It has largely been replaced by on-line real-time processing in all but legacy systems.
C. It is more likely to result in an easy-to-follow audit trail than is on-line transaction
processing. can be non-online
D. It is used only in nondatabase applications.

common back-up 3. Which of the following procedures would an entity most likely include in its computer disaster
-
>
recovery plan?
3 generational Files

"Grandfather-Father son' A. Develop an auxiliary power supply to provide uninterrupted electricity. UPS - Disaster Prevention
concept B. Store duplicate copies of critical files in a location away from the computer center. Physical backup
latest - C. Maintain a listing of entity passwords with the network manager.
son
Security of files
- -
Father D. Translate data for storage purposes with a cryptographic secret code.
-

Grandfather

4. What technology is needed in order to convert a paper document into a computer file?
A. Optical character recognition C. Bar-coding scanning
B. Electronic data interchange D. Joining and merging

5. A manufacturer of complex electronic equipment such as oscilloscopes and microscopes has

been shipping its products with thick paper manuals but wants to reduce the cost of producing
and shipping this documentation. Of the following, the best medium for the manufacturer to
use to accomplish this is directed website
or to

A. Write-once-read-many. C. Compact disc/read-only memory.

B. Digital audio tape. D. Computer-output-to-microform.

6. Misstatements in a batch computer system caused by incorrect programs or data may not be
detected immediately because
A. Errors in some transactions may cause rejection of other transactions in the batch.
B. The identification of errors in input data typically is not a part of the program.
C. There are time delays in processing transactions in a batch system.
D. The processing of transactions in a batch system is not uniform.

7. A client is concerned that a power outage or disaster could impair the computer hardware’s
ability to function as designed. The client desires off-site back-up hardware facilities that are
fully configured and ready to operate within several hours. The client most likely should
consider a
A. Cold site. -
I-incomplete
-

too dependent
vendor
period
longer
configured
complete but not yet

prepare
to
C. Warm site.
B. Cool site. D. Hot site. T Fullyconfiguare
-

8. What type of computer system is characterized by data that are assembled from more than
online
- one location and records that are updated immediately?
A. Microcomputer system L
real-time
C. Batch processing system
B. Minicomputer system D. On-line, real-time system

9. End-user computing is most likely to occur on which of the following types of computers?
A. Mainframe C. Personal computers segregationno

Of duties
: extensive
ST

B. Minicomputers D. Personal reference assistants

Page 9 of 12 Pages
CPAR - MANILA AT-9510
PC, flash disks, hard disks

10. Which of the following statements most likely represents a disadvantage for an entity that
keeps microcomputer-prepared data files rather than manually prepared files? -
Folder

A. Random error associated with processing similar transactions in different ways is usually
greater.
B. It is usually more difficult to compare recorded accountability with physical count of
assets.
C. Attention is focused on the accuracy of the programming process rather than errors in
individual transactions.
D. It is usually easier for unauthorized persons to access and alter the files. control control : access

Another disadvantage: virus

11. To avoid invalid data input, a bank added an extra number at the end of each account number
and subjected the new number to an algorithm. This technique is known as
A. Optical character recognition C. A dependency check
B. A check digit Self check digit D. A format check

12. Preventing someone with sufficient technical skill from circumventing security procedures and
making changes to production programs is best accomplished by
A. Reviewing reports of jobs completed.
B. Comparing production programs with independently controlled copies.
C. Running test data periodically.
D. Providing suitable segregation of duties.

13. An entity has the following invoices in a batch:

Invoice No. Product Quantity Unit Price
201 F10 150 P 5.00
202 G15 200 10.00
203 H20 250 25.00
204 K35 300 30.00
Hash
total
810

Which of the following most likely represents a hash total?

A. FGHK80 C. 204
B. 4 D. 810

14. Which of the following controls is a processing control designed to ensure the reliability and
accuracy of data processing?

Validity
Limit test check test
A. Yes Yes
B. Yes No
C. No Yes
D. No No

15. Which of the following activities would most likely be performed in the information systems
department?
A. Initiation of changes to master records.
B. Conversion of information to machine-readable form. Processing and conversion
C. Correction of transactional errors.
D. Initiation of changes to existing applications.
Online = access controls

16. When computer programs or files can be accessed from terminals, users should be required
to enter a(n)
A. Parity check C. Self-diagnosis test
B. Personal identification code D. Echo check

17. Which of the following is an example of a validity check?

A. The computer ensures that a numerical amount in a record does not exceed some
predetermined amount. Limit check
B. As a computer corrects errors and data are successfully resubmitted to the system, the
causes of the errors are printed out.

Page 10 of 12 Pages
CPAR - MANILA AT-9510

C. The computer flags any transmission for which the control field value did not match that
of an existing file record.
D. After data for a transaction are entered, the computer sends certain data back to the
terminal for comparison with data originally sent.

18. A control feature in an electronic data processing system requires the central processing unit
(CPU) to send signals to the printer to activate the print mechanism for each character. The
print mechanism, just prior to printing, sends a signal back to the CPU verifying that the
proper print position has been activated. This type of hardware control is referred to as
A. Echo control. C. Signal control.
B. Validity control. D. Check digit control.

19. Which of the following most likely represents a significant deficiency in internal control?
A. The systems analyst reviews applications of data processing and maintains systems
documentation.
B. The systems programmer designs systems for computerized applications and maintains
output controls.
C. The control clerk establishes control over data received by the information systems
department and reconciles control totals after processing.
D. The accounts payable clerk prepares data for computer processing and enters the data
into the computer.

20. Internal control is ineffective when computer department personnel

A. Participate in computer software acquisition decisions.
B. Design documentation for computerized systems.
C. Originate changes in master files. Authorization
D. Provide physical security for program files.

21. An auditor would most likely be concerned with which of the following controls in a distributed
data processing system?
A. Hardware controls C. Access controls
B. Systems documentation controls D. Disaster recovery controls

22. An auditor anticipates assessing control risk at a low level in a computerized environment.
Under these circumstances, on which of the following activities would the auditor initially
focus?
A. Programmed control activities C. Output control activities
B. Application control activities D. General control activities

23. Auditing by testing the input and output of a computer system instead of the computer
program itself will
A. Not detect program errors which do not show up in the output sampled.
B. Detect all program errors, regardless of the nature of the output.
C. Provide the auditor with the same type of evidence.
D. Not provide the auditor with confidence in the results of the auditing procedures.

24. Which of the following client electronic data processing (EDP) systems generally can be
audited without examining or directly testing the EDP computer programs of the system?
A. A system that performs relatively uncomplicated processes and produces detailed output.
B. A system that affects a number of essential master files and produces a limited output.
C. A system that updates a few essential master files and produces no printed output other
than final balances.
D. A system that performs relatively complicated processing and produces very little detailed
output.

25. To obtain evidence that on-line access controls are properly functioning, an auditor most likely
would
A. Create checkpoints at periodic intervals after live data processing to test for unauthorized
use of the system.

Page 11 of 12 Pages
CPAR - MANILA AT-9510

B. Examine the transaction log to discover whether any transactions were lost or entered
twice due to a system malfunction.
C. Enter invalid identification numbers or passwords to ascertain whether the system rejects
them. Online: access control (pins and passwords)
D. Vouch a random sample of processed transactions to assure proper authorization.

26. An auditor most likely would introduce test data into a computerized payroll system to test
controls related to the
A. Existence of unclaimed payroll checks held by supervisors.
B. Early cashing of payroll checks by employees.
C. Discovery of invalid employee I.D. numbers. Test data: valid and invalid transactions
D. Proper approval of overtime by supervisors.

27. When an auditor tests a computerized accounting system, which of the following is true of
the test data approach?
A. Several transactions of each type must be tested.
B. Test data are processed by the client’s computer programs under the auditor’s control.
C. Test data must consist of all possible valid and invalid conditions. Base case system evaluation
D. The program tested is different from the program used throughout the year by the client. Not necessarily

28. Which of the following computer-assisted auditing techniques allows fictitious and real
transactions to be processed together without client operating personnel being aware of the
testing process?
A. Integrated test facility C. Parallel simulation
B. Input controls matrix D. Data entry monitor

29. Which of the following methods of testing application controls utilizes a generalized audit
software package prepared by the auditors?
A. Parallel simulation
B. Integrated testing facility approach
C. Test data approach
D. Exception report tests
Audit with computer Top Schedules :
per book ,
adjustments per audit
,

30. In creating lead schedules for an audit engagement, a CPA often uses automated work paper
software. What client information is needed to begin this process?
A. Interim financial information such as third quarter sales, net income, and inventory and
receivable balances.
B. Specialized journal information such as the invoice and purchase order numbers of the
last few sales and purchases of the year.
C. General ledger information such as account numbers, prior year account balances, and
current year unadjusted information. per books accounts & amounts
D. Adjusting entry information such as deferrals and accruals, and reclassification journal
entries.

--- END ---

Page 12 of 12 Pages