Chapter 7 [Salosagcol] Flashcards
Which statement is incorrect when auditing in a CIS environment?
a. A CIS environment exists when a computer of any type or size is involved in the processing by the entity of financial information of significance to the audit, whether that computer is operated by the entity or by a third party
b. The auditor should consider how a CIS environment affects the audit
c. The use of a computer changes the processing, storage, and communication of financial information and may affect the accounting and internal control systems employed by the entity
d. A CIS environment changes the overall objective and scope of an audit
d
An important characteristic of CIS is uniformity of processing. Therefore, a risk exists that:
a. Auditors will not be able to access data quickly
b. Auditors will not be able to determine if data is processed consistently
c. Erroneous processing can result in the accumulation of a great number of misstatements in a short period of time
d. All of the above
c
Which of the following is not a benefit of using IT based controls?
a. Ability to process large volumes of transactions
b. Ability to replace manual controls with computer-based controls
c. Reduction in misstatements due to consistent processing of transactions
d. Over-reliance on computer generated reports
d
The characteristics that distinguish computer processing from manual processing include the following:
- Computer processing uniformly subjects like transactions to the same instructions
- Computer systems always ensure that complete transaction trails useful for audit purposes are preserved for indefinite periods
- Computer processing virtually eliminates the occurrence of clerical errors normally associated with manual processing
- Control procedures as to segregation of functions may no longer be necessary in computer environment
a. All of the above statements are true
b. Only statements (2) and (4) are true
c. Only statements (1) and (3) are true
d. All of the above statements are false
c
Which of the following is not risk specific to CIS environments?
a. Reliance on the functioning capabilities of hardware and software
b. Increased human involvement
c. Loss of data due to insufficient backup
d. Unauthorized access
b
Which of the following is not a risk specific to CIS environments?
a. Need for CIS experienced staff
b. Separation of CIS duties from accounting functions
c. Improved audit trail
d. Hardware and data vulnerability
c
Which of the following statements is not correct?
a. The overall objective and scope of an audit do not change in a CIS environment
b. When computer or CIS are introduced, the basic concept of evidence accumulation remains the same
c. Most CIS rely extensively on the same type of procedures for control that are used in manual processing system
d. The specific methods appropriate for implementing the basic auditing concepts do not change, as systems become more complex
d
The use of CIS will least likely affect the
a. The procedures followed by the auditor in obtaining a sufficient understanding of the accounting and internal control systems
b. The auditor’s specific audit objectives
c. The consideration of inherent risk and control risk through which the auditor arrives at the risk assessment
d. The auditor’s design and performance of tests of control and substantive procedures appropriate to meet the audit objective
b
Which of the following is unique to CIS?
a. Error listing
b. Flowchart
c. Questionnaires
d. Pre-numbered documents
a
CIS has several significant effects on an organization. Which of the following would not be important from an auditing perspective?
a. Organizational changes
b. The visibility of information
c. The potential for material misstatement
d. None of above; i.e., they are all important
d
Where computer processing is used in significant accounting applications, internal controls may be defined by classifying control procedures into two types: general and
a. Administrative
b. Specific
c. Application
d. Authorization
c
A control which relates to all parts of the CIS is called a(n)
a. Systems control
b. General control
c. Applications control
d. Universal control
b
Controls which apply to a specific use of the system are called
a. Systems controls
b. General controls
c. Applications controls
d. User controls
c
Application controls are applicable on specific use of system, which includes validity checks, input controls, identification, authentication, etc.
Some CIS control procedures relate to all CIS activities (general controls) and some relate to specific tasks (application controls). General controls include
a. Controls designed to ascertain that all data submitted to CIS for processing have been properly authorized
b. Controls that relate to the correction and resubmission of data that were initially incorrect
c. Controls for documenting and approving programs and changes to programs
d. Controls designed to assure the accuracy of the processing results
c
Which of the following statements is correct?
a. Auditors should evaluate application controls before evaluating general controls
b. Auditors should evaluate application controls and general controls simultaneously
c. Auditors should evaluate general controls before evaluating application controls
d. None of these statements is correct
c
Which of the following is a component of general controls?
a. Processing controls
b. Output controls
c. Back-up and contingency planning
d. Input controls
c
Which of the following is least likely to be a general control over computer activities?
a. Procedures for developing new programs and systems
b. Requirements for system documentation
c. An access control
d. A control total
d
Which of the following is an example of general control?
a. Input validation checks
b. Control total
c. Operations manual
d. Generalized audit software
c
Which of the following is not a general control?
a. The plan of organization and operation of CIS activity
b. Procedures for documenting, reviewing, and approving systems and procedures
c. Processing controls
d. Hardware controls
c
Which of the following activities would most likely be performed in the CIS department?
a. Initiation of changes to master records
b. Conversion of information to machine-readable form
c. Correction of transactional errors
d. Initiation of changes to existing applications
b
Which of the following IT duties should be separated from the others
a. Systems development
b. Operations
c. IT management
d. All of the above should be separated
d
For control purposes, which of the following should be organizationally segregated from the computer operations functions?
a. Data conversion
b. Systems development
c. Minor maintenance according to a schedule
d. Processing of data
b
Which of the following computer-related employees should not be allowed access to the program listings of application programs?
a. The systems analyst
b. The programmer
c. The operator
d. The librarian
c
Which of the following statements about general controls is not correct?
a. Backup and disaster recovery plans should identify alternative hardware to process company data
b. Successful IT development efforts should require the involvement of IT and non-IT personnel
c. The chief information officer should report to senior management and the board
d. Programmers should have access to computer operations to aid users in resolving problems
d
Where computers are used, the effectiveness of internal control depends, in part, upon whether the organizational structure includes any incompatible combinations. Such a combination would exist when there is no separation of duties between
a. Documentarian librarian and manager of programming
b. Programming and computer operator
c. Systems analyst and programmer
d. Processing control clerk and keypunch supervisor
b
Which of the following is a general control that would most likely assist an entity whose system analyst left the entity in the middle of a major project?
a. Grandfather-father-son record retention
b. Data encryption
c. Systems documentation
d. Check digit verification
c
Internal control is ineffective when computer department personnel
a. Participate in computer software acquisition decision
b. Design documentation for computerized systems
c. Originate changes in master files
d. Provide physical security for program files
c
An example of an access control is a
a. Check digit
b. Password
c. Test facility
d. Read-only memory
b
Access control in an on-line CIS can best be provided in most circumstances by
a. An adequate librarianship function controlling access to files
b. A label affixed to the outside of a file medium holder that identifies the contents
c. Batch processing of all input through a centralized, well-guided facility
d. User and terminal identification controls, such as passwords
d
Controls which are built in by the manufacturer to detect equipment failure are called
a. Input controls
b. Data integrity controls
c. Hardware controls
d. Manufacturer’s controls
c
In a CIS environment, automated equipment controls or hardware controls are designed to
a. Correct errors in the computer programs
b. Monitor and detect errors in source documents
c. Detect and control errors arising from the use of equipment
d. Arrange data in a logical sequential manner for processing purposes
c
To determine that user ID and password controls are functioning, an auditor would most likely
a. Test the system by attempting to sign on using invalid user identifications and passwords
b. Write a computer program that simulates the logic of the client’s access control software
c. Extract a random sample of processed transactions and ensure that the transactions were appropriately authorized
d. Examine statements signed by employees stating that they have not divulged their user identifications and passwords to any other person
a
Adequate control over access to data processing is required to
a. Deter improper use or manipulation of data files and programs
b. Ensure that only console operators have access to program documentation
c. Minimize the need for backup data files
d. Ensure that hardware controls are operating effectively and as designed by the computer manufacturer
a
The management of ZNVS Co. suspects that someone is tampering with pay rates by entering changes through the Co.’s remote terminals located in the factory. The method ZNVS Co. should implement to protect the system from these unauthorized alterations to the system’s files is
a. Batch totals
b. Checkpoint recovery
c. Passwords
d. Record count
c
Passwords for microcomputer software programs are designed to prevent
a. Inaccurate processing of data
b. Unauthorized access to the computer
c. Incomplete updating of data files
d. Unauthorized access to the software
d
The possibility of losing a large amount of information stored in computer files most likely would be reduced by the use of
a. Back-up files
b. Check digits
c. Completeness tests
d. Conversion verification
a
Which of the following controls most likely would assume that an entity can reconstruct its financial records?
a. Hardware controls are built into the computer by the computer manufacturer
b. Backup diskettes or tapes of files are stored away from originals
c. Personnel who are independent of data input perform parallel simulations
d. System flowcharts provide accurate descriptions of input and output operations
b
Unauthorized alteration of on-line records can be prevented by employing
a. Key verification
b. Computer sequence checks
c. Computer matching
d. Data base access controls
d
XYZ Company updates its accounts receivable master file weekly and retains the master files and corresponding transactions for the most recent two-week period. The purpose of this practice is to
a. Verify run-to-run control totals for receivables
b. Match internal labels to avoid writing on the wrong volume
c. Permit reconstruction of the master file if needed
d. Validate groups of update transactions for each
c
Which of the following is not a general control?
a. Separation of duties
b. Systems development
c. Output controls
d. Hardware controls
c
General controls include all of the following except:
a. Systems development
b. Online security
c. Check digit
d. Hardware controls
c
Which of the following is not a general control?
a. Computer performed validation tests of input accuracy
b. Equipment failure causes error messages on monitor
c. Separation of duties between programmer and operator
d. Adequate program run instructions for operating the computer
a