Information Technology

Question 1

When companies use information technology (IT) extensively, evidence may be available only in electronic form. What is an auditor’s best course of action in such situations?

A. Assess the control risk as high

B. Use audit software to perform analytical procedures

C. Use generalized audit software to extract evidence from client databases

D. Perform limited tests of controls over electronic data

Answer 1

C.

Generalized audit software (GAS) makes it possible for an auditor to access data in electronic form; typically GAS will analyze data and present results in a meaningful and convenient form. Assessing control risk as high may result in unnecessary additional audit procedures; an IT system may have strong internal control, and consequently, low control risk. Analytics cannot be performed if the information is available only in electronic form and there is no means to access it. If data is available only in electronic form, tests of controls over that data likely should be extensive, rather than limited.

Question 2

An auditor would most likely be concerned with which of the following controls in a distributed data processing system?

A. Hardware controls

B. Systems documentation controls

C. Access controls

D. Disaster recovery controls

Answer 2

C.

A distributed data processing system is one in which many different users have access to the main computer through various computer locations. Thus, access controls, which restrict access to the main computer, are necessary to maintain a strong internal control structure, because those with access to the computer are in a position to perform incompatible functions. Hardware controls, systems documentation controls, and disaster recovery controls would not be as important in assessing control risk and would not likely present unusual problems in a distributed system.

Question 3

Which of the following controls is a processing control designed to ensure the reliability and accuracy of data processing?

Limit test

Validity check test

Answer 3

Yes; Yes

Computers can be programmed to perform a wide range of edit tasks on records as they are being inputted into the system. If a particular record does not meet the test, it would not be processed. Edit tests include limit tests, validity check tests, check digit tests, etc. This is an example of a specific question you shouldn’t hang your head over if it appears on the exam. While all topics covered on the exam are important, a question like this that probably was covered in one or two sentences does not carry the amount of weight as some of the clearly more pressing topics do.

Question 4

Which of the following statements is correct concerning internal control in an electronic data interchange (EDI) system?

A. Preventive controls generally are more important than detective controls in EDI systems.

B. Control objectives for EDI systems generally are different from the objectives for other information systems.

C. Internal controls in EDI systems rarely permit control risk to be assessed at below the maximum.

D. Internal controls related to the segregation of duties generally are the most important controls in EDI systems.

Answer 4

A.

Preventive controls are generally more important than detective controls in EDI systems because of the speed with which goods and services are delivered. Objectives remain the same as for other information systems. Internal controls in EDI systems must be strong to minimize losses. Segregation of duties is not as important as protection of assets in an EDI system.

Question 5

Which of the following controls most likely would assure that an entity can reconstruct its financial records?

A. Hardware controls are built into the computer by the computer manufacturer.

B. Backup diskettes or tapes of files are stored away from originals.

C. Personnel who are independent of data input perform parallel simulations.

D. System flowcharts provide accurate descriptions of input and output operations.

Answer 5

B.

Backup files stored off-site are an effective means of preserving data in the event of a catastrophe or other loss of information requiring the reconstruction of the material. Hardware controls are built into the computer to detect and report hardware malfunctions. Parallel simulation refers to internal controls practiced within the company. System flowcharts that provide an accurate description of input and output operations refer to internal controls directed at the flow of processing information through the company.

Question 6

An auditor anticipates assessing control risk at a low level in a computerized environment. Under these circumstances, on which of the following procedures would the auditor initially focus?

A. Programmed control procedures

B. Application control procedures

C. Output control procedures

D. General control procedures

Answer 6

D.

When an auditor anticipates assessing control risk at a low level in a computerized environment, generally, the auditor would initially focus on general control procedures, which are those controls that relate to all or many computerized accounting activities and often include control over the development, modification, and maintenance of computer programs and control over the use of and changes to data maintained on computer files.

Question 7

To obtain evidence that online access controls are properly functioning, an auditor most likely would

A. Create checkpoints at periodic intervals after live data processing to test for unauthorized use of the system

B. Examine the transaction log to discover whether any transactions were lost or entered twice due to a system malfunction

C. Enter invalid identification numbers or passwords to ascertain whether the system rejects them

D. Vouch a random sample of processed transactions to assure proper authorization

Answer 7

C.

Password controls, used in restricting access to computers, are designed to preclude access capa­bilities of those employees whose regular functions are incompatible with computer use. To obtain evidence that user identification and password controls are functioning as designed, an auditor would most likely examine a sample of invalid passwords or numbers to determine whether the computer is recognizing the invalid passwords and rejecting access.

Answer (A) checks the level of authorization an employee has once within the system rather than access to the online system.

Answer (B) is a procedure for determining the completeness of transac­tion processing.

Answer (D) does not address whether the online access is being limited or circumvented.

Question 8

Which of the following statements most likely represents a disadvantage for an entity that keeps microcomputer-prepared data files rather than manually prepared files?

A. Attention is focused on the accuracy of the programming process rather than errors in individual transactions.

B. It is usually easier for unauthorized persons to access and alter the files.

C. Random error associated with processing similar transactions in different ways is usually greater.

D. It is usually more difficult to compare recorded accountability with physical count of assets.

Answer 8

B.

Many internal control procedures once performed by separate individuals in manual systems may be concentrated in systems that use computer processing. Therefore, an individual who has access to the computer may be in a position to perform incompatible functions. Answers (a) and (c) are false statements. Detailed ledger accounts may be maintained as easily with microcomputer data files as with manually prepared files.

Question 9

Which of the following characteristics distinguishes computer processing from manual processing?

A. Computer processing virtually eliminates the occurrence of computational error normally associated with manual processing

B. The potential for systematic error is ordinarily greater in manual processing than in computerized processing

C. Errors or fraud in computer processing will be detected soon after their occurrences

D. Most computer systems are designed so that transaction trails useful for audit purposes do not exist

Answer 9

A.

An advantage of computer processing is that it virtually eliminates computational errors. Errors or fraud are not detected more quickly when computer processing is used. The potential for systematic errors is greater in computer processing than in manual processing. Transaction trails useful for audit purposes are created but the data may be available for only a short period of time.

Question 10

An auditor would least likely use computer software to

A. Construct parallel simulations

B. Access client data files

C. Prepare spreadsheets

D. Assess IT control risk

Answer 10

D.

After obtaining an understanding of the client’s IT controls, the auditor must assess control risk for the IT portion of the client’s internal control. Assessing control risk is the process of evaluating the effectiveness of an entity’s internal control policies and procedures in preventing or detecting material misstatements in the financial statements. Procedures to judge the effectiveness of internal control design would include inquiries, observations, and inspections. One would not need computer software to accomplish this task. Gaining access to client data files, preparing spreadsheets, and constructing parallel simulations would all make use of com­puter software.

Editor’s note: Remember the keyword in the question, least likely.

Question 11

An IT input control is designed to ensure that

A. Only authorized personnel have access to the computer area.

B. Machine processing is accurate.

C. Data received for processing are properly authorized and converted to machine readable form.

D. Electronic data processing has been performed as intended for the particular application.

Answer 11

C.

Input controls are designed to provide reasonable assurance that data received by IT have been properly authorized, converted into machine readable form and identified as well as that data has not been lost, added, duplicated, or otherwise improperly changed.

Answer (A) describes an access control.

Answer (B) describes an output control.

Answer (D) describes a processing control.

Question 12

Internal control is ineffective when computer department personnel

A. Design documentation for computerized systems

B. Participate in computer software acquisition decisions

C. Originate(开始，开创；起源，开端) changes in master files

D. Provide physical security for program files

Answer 12

C.

Internal control is considered ineffective when computer department personnel can: (1) originate or correct transactions, (2) authorize transactions, (3) prepare the initial data, (4) maintain custody or control over non-EDP assets, (5) authorize a change in controls, or (6) originate master file changes.

Question 13

Which of the following is a general control that would most likely assist an entity whose systems analyst left the entity in the middle of a major project?

A. Grandfather-father-son record retention

B. Input and output validation routines

C. Systems documentation

D. Check digit verification

Answer 13

C.

When an entity’s systems analyst leaves the entity in the middle of a major project, the greatest assistance in continuing the project could be obtained from systems documentation that adequately describes the systems operations and procedures up to that point in time. Given good documentation, a new systems analyst could immediately begin to understand the systems operations.

Question 14

Which of the following input controls is a numeric value computed to provide assurance that the original value has not been altered in construction or transmission?

A. Hash total

B. Parity check

C. Encryption

D. Check digit

Answer 14

D.

A check digit is a digit that is appended to a piece of numeric data following a pre-specified routine. A hash total is a numeric total with meaning only as a control. A parity check is an extra bit attached to the end of a string of bits to detect errors resulting from electronic interference when transmitting the string. Encryption is the conversion of a message into a coded message.

Question 15

In parallel simulation, actual client data are reprocessed using an auditor software program. An advantage of using parallel simulation, instead of performing tests of controls without a computer, is that

A. The test includes all types of transaction errors and exceptions that may be encountered.

B. The client’s computer personnel do not know when the data are being tested.

C. There is no risk of creating potentially material errors in the client’s data.

D. The size of the sample can be greatly expanded at relatively little additional cost.

Answer 15

D.

Compared to auditing without a computer, the size of the sample can be greatly expanded at little cost using a computer. Parallel simulation might not include all types of transaction errors and exceptions that may be encountered. Using parallel simulation is no guarantee that the client’s personnel are unaware that the data is being tested. As there is little risk of creating material errors in the client’s data with a non-computer audit procedure, this hardly can be said to be an advantage of parallel simulation using a computer over not using a computer at all.

Question 16

When an auditor tests the internal controls of a computerized accounting system, which of the following is true of the test data approach?

A. Test data are coded to a dummy subsidiary so they can be extracted from the system under actual operating conditions.

B. Test data programs need not be tailor-made by the auditor for each client’s computer applications.

C. Test data programs usually consist of all possible valid and invalid conditions regarding compliance with internal controls.

D. Test data are processed with the client’s computer and the results are compared with the auditor’s predetermined results.

Answer 16

D.

In the test data approach to testing a computerized accounting system, test data are processed by the client’s computer programs under the auditor’s control. No dummy subsidiary is involved. Test data must be customized to each audit. The auditor need not include test data for all possible valid and invalid conditions.

Question 17

Which of the following methods of testing application controls utilizes a generalized audit software package prepared by the auditors?

A. Program code checking

B. Parallel simulation

C. Controlled reprocessing

D. Integrated testing facility

Answer 17

B.

Parallel simulation involves creating a model of the EDP system to be tested. The auditor reviews the application system to gain an understanding of its functioning and then utilizes a generalized audit software package to create a model or simulation of the application processing. In program code checking, the auditor reviews the client’s program documentation, including a narrative description and source code. In controlled reprocessing, the auditor maintains control over the reprocessing of previously processed results using a version of the program the auditor has tested, and compares the computer output of the original processing and reprocessing. An integrated test facility includes processing of dummy records with the client’s records using the client’s program.

Question 18

When an auditor tests a computerized accounting system, which of the following is true of the test data approach?

A. Several transactions of each type must be tested.

B. Test data are processed by the client’s computer programs under the auditor’s control.

C. Test data must consist of all possible valid and invalid conditions.

D. The program tested is different from the program used throughout the year by the client.

Answer 18

B.

In the test data approach to testing a computerized accounting system, test data are processed by the client’s computer programs under the auditor’s control. The auditor will determine how many transactions and what types of transactions to test which may or may not include several transactions of each type. The auditor need not include test data for all possible valid and invalid conditions. The object is to test the client’s program that is used throughout the year and the auditor must take steps to make sure that the program being tested is the one that is actually used in routine processing; thus, a different program would not be tested.

Question 19

Which of the following is usually a benefit of using electronic funds transfer for international cash transactions?

A. Improvement of the audit trail for cash receipts and disbursements

B. Creation of self-monitoring access controls

C. Reduction of the frequency of data entry errors

D. Off-site storage of source documents for cash transactions

Answer 19

C.

With EDI, information is entered into a system once and transmitted to other parties. These other parties do not have to re-enter the information into their systems, eliminating an opportunity for errors to occur. Using EDI, audit trails typically are less clear, if anything. Creation of self-monitoring access controls and off-site storage of source documents for cash transactions could occur with or without EDI.

Question 20

Which of the following is a computer-assisted audit technique that permits an auditor to insert the auditor’s version of a client’s program to process data and compare the output with the client’s output?

A. Test data module

B. Frame relay protocol

C. Remote node router

D. Parallel simulation

Answer 20

D.

A parallel simulation is a computer-assisted audit technique that permits an auditor to insert the auditor’s version of a client’s program to process data and compare the output with the client’s output.

Question 21

Which of the following would an auditor ordinarily consider the greatest risk regarding an entity’s use of electronic data interchange (EDI)?

A. Authorization of EDI transactions

B. Duplication of EDI transmissions

C. Improper distribution of EDI transactions

D. Elimination of paper documents

Answer 21

C.

Improper transactions or disclosure of transactions, regardless of the media, are usually the greatest risk. Appropriate authorization of EDI transactions doesn’t present a risk. Duplication of EDI transactions likely would be found by one of the involved parties upon reconciliation. Elimination of paper documents is a goal of EDI.

Question 22

Which of the following strategies would a CPA most likely consider in auditing an entity that processes most of its financial data only in electronic form, such as a paperless system?

A. Continuous monitoring and analysis of transaction processing with an embedded audit module

B. Increased reliance on internal control activities that emphasize the segregation of duties

C. Verification of encrypted digital certificates used to monitor the authorization of transactions

D. Extensive testing of firewall boundaries that restrict the recording of outside network traffic

Answer 22

A.

When a client processes financial data in electronic form without paper documentation, the auditor may audit on a more continuous basis than a traditional system, as a convenience, and may be required to audit on a more continuous basis to obtain sufficient, competent evidence as documentation for some transactions may be available only for a limited time. An embedded audit module can facilitate this ‘continuous’ auditing. If anything, an auditor may rely less on internal control activities that emphasize the segregation of duties. Digital certificate verification and testing of firewall boundaries are more concerned with security than internal control.

Question 23

Able Co. uses an online sales order processing system to process its sales transactions. Able’s sales data are electronically sorted and subjected to edit checks. A direct output of the edit checks most likely would be a

A. Report of all missing sales invoices

B. File of all rejected sales transactions

C. List of all voided shipping documents

D. Printout of all user code numbers and passwords

Answer 23

B.

The most likely output from an online sales order processing system is a file of all rejected sales transactions. An edit check occurs when information is entered into the system. A report of all missing sales invoices would be generated by the system, but not as a direct output from an edit check. Answers (c) and (d) are not relevant outputs from the online sales order processing system, but would be outputs of other applications.

Question 24

Which of the following statements is correct concerning the security of messages in an electronic data interchange (EDI) system?

A. When the confidentiality of data is the primary risk, message authentication is the preferred control rather than encryption.

B. Encryption performed by physically secure hardware devices is more secure than encryption performed by software.

C. Message authentication in EDI systems performs the same function as segregation of duties in other information systems.

D. Security at the transaction phase in EDI systems is not necessary because problems at that level will usually be identified by the service provider.

Answer 24

B.

Physically secure hardware devices are less likely to be compromised than software. For example, having a password sent to your phone to authenticate that you are indeed Jane Doe is preferred in ensuring proper authentication and permission(s) to an EDI system. Message authentication provides assurance about messages’ sources. Encryption provides assurance about privacy. Message authentication performs similarly to control duties in non-IT systems, but not the segregation of duties aspect. Service providers usually do not provide security at the transaction level.

Question 25

An entity has the following invoices in a batch:

Invoice #Product QuantityUnit Price

201 F10 150$ 5.00

202 G15 200$10.00

203 H20 250$25.00

204 K35 300$30.00

Which of the following most likely represents a hash total?

A. FGHK80

B. 4

C. 204

D. 810

Answer 25

D.

Hash control is used to verify the completeness of the inputted data. Hash totals can be employee numbers, or invoice numbers. Thus, the hash total of invoice numbers is 810 (201 + 202 + 203 + 204).

B. 204 is a specific invoice number.

C. FGHK80 is not a hash total.

D. 4 is a record count.

Question 26

Which of the following is an example of how specific internal controls in a database environment may differ from controls in a nondatabase environment?

A. Controls should exist to ensure that users have access to and can update only the data elements that they have been authorized to access.

B. Controls over data sharing by diverse users within an entity should be the same for every user.

C. The employee who manages the computer hardware should also develop and debug the computer programs.

D. Controls can provide assurance that all processed transactions are authorized, but cannot verify that all authorized transactions are processed.

Answer 26

A.

Controls in a database environment can be very specific as to which elements of a record can be accessed or changed, resulting in a more detailed set of authorizations. Controls over data sharing should be appropriate for each user, usually resulting in diverse controls. Preferably, hardware management and software development are segregated. The relationship between authorization and processing usually is the same within a database and a non-database environment.

Question 27

An auditor will most likely use computer-assisted audit techniques, rather than manual techniques when it is necessary to

A. Examine all data in an accounts payable file.

B. Review approval of dividends.

C. Verify unrecorded legal liabilities.

D. Assess compliance with policies and procedures related to information security.

Answer 27

The correct answer is (A).

An auditor will most likely use computer-assisted audit techniques, rather than manual techniques when it is necessary to examine all data in an accounts payable file. This is extensive work that can only be done through computer-assisted audit techniques, as it would take too long to do it manually. Computer-assisted Audit Techniques (CAATs) are most useful in analyzing large volume accounts and transactions.

(B) is incorrect because dividends are approved by the board of directors. To verify approval of dividends, the auditor has to review minutes of the meetings of the board of directors

(C) is incorrect because unrecorded legal liability, also known as contingent liability is disclosed in the notes to accounts. There is no computer processing involved, as these liabilities are still unrecorded.

(D) is incorrect because assessing compliance with policies and procedures related to information security would come under the scope of information security audit

Question 28

Processing data through the use of simulated files provides an auditor with information about the operating effectiveness of control policies and procedures. One of the techniques involved in this approach makes use of

A. Controlled reprocessing

B. An integrated test facility

C. Input validation

D. Program code checking

Answer 28

B.

Processing data through the use of simulated files makes use of an integrated test facility. Using this method, the auditor creates a fictitious entity within the client’s actual data files. The auditor then processes fictitious data for the entity as part of the client’s regular data processing. Controlled reprocessing involves the processing of the client’s actual data through the auditor’s controlled copy of the client’s program. Input validation is concerned only that the inputted data is accurate. Program code checking involves analysis of the client’s actual program.

Question 29

An auditor who wishes to capture an entity’s data as transactions are processed and continuously test the entity’s computerized information system most likely would use which of the following techniques?

A. Snapshot application

B. Embedded audit module

C. Integrated data check

D. Test data generator

Answer 29

B.

Embedded audit modules are coded into a client’s application to collect data for the auditor. Integrated data checks and test data generators involve auditor-controlled fictitious data. Snapshot applications capture screen images

Question 30

Which of the following tasks can be achieved using generalized audit software?

A. Determining acceptable risk levels for substantive testing of account balances.

B. Filtering data based on accounts receivable data recording.

C. Detecting transactions that may be suspicious due to alteration of data input.

D. Assessing likelihood of fraud based on input of fraud risk factors.

Answer 30

The correct answer is (B).

Generalized Audit Software Packages (GASPs) refer to a series of programs that allow the auditor to perform tests of controls and substantive tests directly on the client’s system or duplicate the client’s system for the auditor to perform a parallel simulation. GASPs may include programs to access client files for purposes of testing, e.g., analytical procedures may be performed on accounts receivable data like calculating ratios or filtering the data according to parameters set by the auditor.

(A), (C) and (D) are incorrect because automated software cannot determine acceptable risk levels, nor can it detect transactions that may be suspicious due to alteration. Automated software also cannot assess the likelihood of fraud. These are human tasks.

Question 31

An auditor most likely would test for the presence of unauthorized IT program changes by running

A. A program with test data

B. A check digit verification program

C. A source code comparison program

D. A program that computes control totals

Answer 31

C.

A source code comparison program could be used to compare the original code written for a spe­cific program to the current code in use for that program. Thus, it would make note of any differences in the pro­gram from the time it was originally written. Test data would generally be used to test the output of the program but would provide no evidence as to whether the program code had been changed. A check digit program involves the use of a digit that is added to the end of a piece of numeric data to permit the data to be checked for accuracy during input, processing, or output. Control totals are totals computed at different times in the com­puter process and are used as input, processing, and output controls. They would not provide evidence as to whether any changes were made to the original program code.

Question 32

In which of the following circumstances would an auditor expect to find that an entity implemented automated controls to reduce risks of misstatement?

A. When errors are difficult to predict

B. When misstatements are difficult to define

C. When large, unusual, or nonrecurring transactions require judgment

D. When transactions are high-volume and recurring

Answer 32

D.

An auditor would expect to find that an entity implemented automated controls to reduce risks of misstatement when transactions are high-volume and recurring; in situations where errors can be anticipated or predicted; or for control activities where the specific ways to perform the control can be adequately designed and automated. The other answer alternatives describe circumstances where judgment and discretion are required and thus manual controls of systems may be more suitable.

Question 33

Which of the following would most likely be a weakness in internal control of a client that utilizes microcomputers rather than a larger computer system?

A. Employee collusion possibilities are increased because microcomputers from one vendor can process the programs of a system from a different vendor.

B. The microcomputer operators may be able to remove hardware and software components and modify them at home.

C. Programming errors result in all similar transactions being processed incorrectly when those transactions are processed under the same conditions.

D. Certain transactions may be automatically initiated by the microcomputers and management’s authorization of these transactions may be implicit in its acceptance of the system design.

Answer 33

B.

Both large computer systems and microcomputers are vulnerable to employee collusion and programming errors. Microcomputer hardware and software could more readily be removed from a place of business than large computer systems.

Question 34

Matthews Corp. has changed from a system of recording time worked on clock cards to a computerized payroll system in which employees record time in and out with magnetic cards. The IT system automatically updates all payroll records. Because of this change

A. A generalized computer audit program must be used.

B. Part of the audit trail is altered.

C. Transactions must be processed in batches.

D. The potential for payroll related fraud is diminished.

Answer 34

B.

When time clock cards are used, they constitute a form of physical evidence that can be examined in determining the proper amount of wage expense. By changing to an IT system, part of the audit trail is altered–although not necessarily destroyed. The IT system can be audited in numerous ways that do not require the use of a generalized audit program. The system automatically updates the payroll records whenever anyone punches in or out. Batch processing is eliminated in this system. The potential for payroll fraud may or may not change depending on the internal controls incorporated into the new payroll system.

Question 35

Which of the following is not a major reason for maintaining an audit trail for a computer system?

A. Deterrent to fraud

B. Monitoring purposes

C. Analytical procedures

D. Query answering

Answer 35

C.

Analytical procedures involve the analysis of plausible relationships among both financial and nonfinancial data. A lack of an accounting audit trail for a computer system would not preclude the auditor from performing analytical procedures. Deterring fraud, monitoring the system, and answering queries are all major reasons for maintaining an audit trail.

Question 36

Which of the following control procedures most likely could prevent IT personnel from modifying programs to bypass programmed controls?

A. Periodic management review of computer utilization reports and systems documentation

B. Segregation of duties within IT for computer programming and computer operations

C. Participation of user department personnel in designing and approving new systems

D. Physical security of IT facilities in limiting access to IT equipment

Answer 36

B.

A control procedure for preventing employees from modifying programs to bypass programmed controls is to segregate the functions of programming and computer operations. Answers (A), (C), and (D) are all appropriate IT controls, but by themselves would not prevent IT employees from modifying programs.

Question 37

In auditing an entity’s computerized payroll transactions, an auditor would be least likely to use test data to test controls concerning

A. Overpayment of employees for hours not worked

B. Control and distribution of unclaimed checks

C. Withholding of taxes and Social Security contributions

D. Missing employee identification numbers

Answer 37

B.

In auditing an entity’s computerized payroll transactions, an auditor would be least likely to use test data to test controls concerning control and distribution of unclaimed checks. The other answer alternatives are examples of data that can be accessed and tested via computer applications while controls over unclaimed checks are more likely to be manual.

Question 38

When using a computer to gather evidence, the auditor need not have working knowledge of the client’s programming language. However, it is necessary that the auditor understand the

A. Audit specifications

B. Database retrieval system

C. Programming techniques

D. Manual testing techniques

Answer 38

A.

Independent of the type of system used (manual or IT), an auditor must understand the audit specifications applicable to any given area of field work in order to be able to collect and analyze supporting evidence. An auditor who uses a computer to gather evidence does not have to understand programming techniques, the database retrieval system, or manual testing techniques.

Question 39

One of the major problems in an IT system is that incompatible functions may be performed by the same individual. One compensating control for this is the use of

A. Echo checks

B. A self-checking digit system

C. Computer-generated hash totals

D. A computer log

Answer 39

D.

A computer log provides evidence as to which employees used the computer system and the operations performed by them. As a result, the computer log will protect against unauthorized use of the IT system, and it will provide an audit trail with respect to incompatible operations performed by the same individual. Incompatible functions are the concern of general controls, i.e., controls that relate to all IT activities. An echo check is a hardware control aimed at determining whether the computer is operating properly. It has no effect on the control over incompatible functions. A self-checking digit system and computergenerated hash totals are input controls, i.e., they relate to application controls.

Question 40

Which of the following is an essential element of the audit trail in an electronic data interchange (EDI) system?

A. Disaster recovery plans that ensure proper back-up of files

B. Encrypted hash totals that authenticate messages

C. Activity logs that indicate failed transactions

D. Hardware security modules that store sensitive data

Answer 40

C.

Logs with failed transactions are examined to determine whether the corrected transactions were eventually executed and to detect attempts of unauthorized system use. Proper file backup is a recovery issue. Message authentication and hardware security modules are security issues.

Question 41

Which of the following outcomes is a likely benefit of information technology used for internal control?

A. Processing of unusual or nonrecurring transactions

B. Enhanced timeliness of information

C. Potential loss of data

D. Recording of unauthorized transactions

Answer 41

B.

A likely benefit of IT used for internal control is enhanced timeliness, availability, and accuracy of information. Processing of large, unusual, or nonrecurring transactions is an example of a circumstance where manual controls of systems may be more suitable. Potential loss of data or inability to access data as required as well as recording of unauthorized or nonexistent transactions or inaccurate recording of transactions are examples of specific risks that IT poses to an entity’s internal control.

Question 42

When an accounting application is processed by computer, an auditor cannot verify the reliable operation of programmed control procedures by

A. Constructing a processing system for accounting applications and processing actual data from throughout the period through both the client’s program and the auditor’s program

B. Manually comparing detail transaction files used by an edit program to the program’s generated error listings to determine that errors were properly identified by the edit program

C. Manually reperforming, as of a point in time, the processing of input data and comparing the simulated results to the actual results

D. Periodically submitting auditor-prepared test data to the same computer process and evaluating the results

Answer 42

C.

The auditor would not be able to verify the reliable operation of programmed control procedures by the reperformance of the processing of the client’s input data through the client’s computer program as it would produce the same output as that created by the client. The auditor would be able to verify the reliable operation of control procedures when he or she is submitting auditorprepared test data to the client’s computer process, submitting actual data to the auditor’s computer program, or utilizing an edit program, as these would allow the auditor to make comparisons between the client’s expected output, using the client’s data and computer program, and the auditor’s expected results using auditor-prepared data, the auditor’s computer program, and the auditor’s edit program.

Question 43

Which of the following is the primary reason that many auditors hesitate to use embedded audit modules?

A. Embedded audit modules cannot be protected from computer viruses.

B. Auditors are required to monitor embedded audit modules continuously to obtain valid results.

C. Embedded audit modules can easily be modified through management tampering.

D. Auditors are required to be involved in the system design of the application to be monitored.

Answer 43

D.

Embedded audit modules can be difficult to install once the application program is operational, but efficiently included during system design. Embedded audit modules can be protected from viruses as well as other applications. Sporadic or occasional monitoring of embedded audit modules can produce valid results. Management tampering can modify other applications as easily as embedded audit modules.

Question 44

When conducting fieldwork for a physical inventory, an auditor cannot perform which of the following steps using a generalized audit software package?

A. Observing inventory

B. Selecting sample items of inventory

C. Analyzing data resulting from inventory

D. Recalculating balances in inventory reports

Answer 44

A.

Observation of inventory cannot be done exclusively by computer. While the exact procedures performed will vary among software packages, generalized audit software is used to accomplish six basic types of audit tasks: (1) examining records for quality, completeness, consistency and correctness; (2) testing calculations and making computations; (3) comparing data on separate files; (4) selecting, printing and analyzing audit samples; (5) summarizing or resequencing data and performing analyses; and (6) comparing data obtained through other audit procedures with company records.

Question 45

Which of the following computer-assisted auditing techniques processes client input data on a controlled program under the auditor’s control to test controls in the computer system?

A. Test data

B. Review of program logic

C. Integrated test facility

D. Parallel simulation

Answer 45

D.

Test data is fictitious data run through the client’s programs under the auditor’s control; the purpose is to test controls in the computer system. A review of program logic does not test any data. Integrated test facilities are programs run with the client’s programs. Parallel simulation processes actual client data through an auditor-controlled program.

Question 46

Which of the following computer documentations would an auditor most likely utilize in obtaining an understanding of internal control?

A. Systems flowcharts

B. Record counts

C. Program listings

D. Record layouts

Answer 46

A.

An auditor is likely to use systems flowcharts in obtaining an understanding of internal control. Systems flowcharts show the flow of data through the system and the interrelationships between the processing steps and computer runs. A record count is an input control technique. Program listings are the source state­ments or language of the client’s programs. Record layouts are the input and output formats.

Question 47

A system that provides vendor and customer access to each other’s internal computer data to facilitate service, deliveries, and payment is called

A. Distributed processing

B. Electronic data interchange

C. Electronic mail

D. Timesharing

Answer 47

B.

Electronic data interchange is a method of conducting routine business transactions, such as inventory purchases. It relies on standardized guidelines that everyone can use. Distributed processing is an allocation of various processing tasks to various business divisions, with some tasks centralized and some decentralized. Electronic mail (email) refers to the electronic transmission of messages, including attached files from programs unrelated to the email software. A time-sharing center rents time on a central computer to several entities, with each entity having remote input and output devices. To each entity, it seems as if it is the only one using the system.

Question 48

Which of the following activities most likely would detect whether payroll data were altered during processing?

A. Monitor authorized distribution of data control sheets

B. Use test data to verify the performance of edit routines

C. Examine source documents for approval by supervisors

D. Segregate duties between approval of hardware and software specifications

Answer 48

B.

With test data, the auditor can readily compare actual results to anticipated results. Monitoring dis­tribution wouldn’t detect data alteration. Source documents could be correctly approved and data could be later altered in processing without impact on the source documents. Segregation of duties discourages fraud, but not unintentional mistakes. Further, approval of hardware and software specifications are not necessarily the most critical functions to segregate in the IT area.

Question 49

In an environment that is highly automated, an auditor determines that it is not possible to reduce detec­tion risk solely by substantive tests of transactions. Under these circumstances, the auditor most likely would

A. Perform tests of controls to support a lower level of assessed control risk

B. Increase the sample size to reduce sampling risk and detection risk

C. Adjust the materiality level and consider the effect on inherent risk

D. Apply analytical procedures and consider the effect on control risk

Answer 49

A.

When the auditor has determined that it is not possible or practicable to reduce the detection risks at the relevant assertion level to an acceptably low level with audit evidence obtained only from substantive procedures, s/he should perform tests of controls to obtain audit evidence about their operating effectiveness. The auditor may find it impossible to design effective substantive procedures that by themselves provide sufficient appropriate audit evidence at the relevant assertion level when an entity conducts its business using information technology (IT) and no documentation of transactions is produced or maintained, other than through the IT system. Increasing the sample size for substantive tests in this circumstance would be ineffective as the question states that it is not possible to reduce detection risk solely by substantive tests of transactions. Changing the materiality level would be inappropriate. Further, changing the materiality level does not have an effect on inherent risk, which is the susceptibility of an assertion to misstatement without any internal controls. Analytics performed by the auditor do not have an effect on control risk, which is the risk that the entity’s internal controls will not detect material misstatements in the financial statements.

Question 50

Which of the following is an engagement attribute for an audit of an entity that processes most of its financial data in electronic form without any paper documentation?

A. Discrete phases of planning, interim, and year-end fieldwork

B. Increased effort to search for evidence of management fraud

C. Performance of audit tests on a continuous basis

D. Increased emphasis on the completeness assertion

Answer 50

C.

When a client processes financial data in electronic form without paper documentation, the auditor may audit on a more continuous basis than a traditional system, as a convenience, and may be required to audit on a more continuous basis to obtain sufficient, competent evidence as documentation for some transactions may only be available for a limited time. This is the opposite of discreet phases of planning, interim, and year-end fieldwork. The level of effort to search for management fraud and emphasis on the completeness assertion likely would not be affected significantly.

Question 51

Which of the following activities would most likely be performed in the IT department?

A. Initiation of changes to master records

B. Initiation of changes to existing applications

C. Correction of transactional errors

D. Conversion of information to machine-readable form

Answer 51

D.

The IT department normally converts data (which is initially prepared elsewhere) into machine-readable form. The following duties are considered incompatible in the case of IT personnel: (1) transaction origination or correction, (2) transaction authorization, (3) initial data preparation, (4) custody or control over non-IT assets, (5) authorization or change of controls, and (6) origination of master file changes.

Question 52

Mill Co. uses a batch processing method to process its sales transactions. Data on Mill’s sales transaction tape are electronically sorted by customer number and are subjected to programmed edit checks in preparing its invoices, sales journals, and updated customer account balances. One of the direct outputs of the creation of this tape most likely would be a

A. Report showing exceptions and control totals

B. Printout of the updated inventory records

C. Report showing overdue accounts receivable

D. Printout of the sales price master file

Answer 52

The correct answer is (A).

The computer process has built-in edit checks to generate exceptions and control totals.

Edit checks performed on batch processed data verify if each individual entry is appropriate and generates a list of rejected transactions for review by control clerk.

Edit checks ordinarily create an output file of rejected transactions.

The most likely output of edit checks is the creation of a report showing exceptions and control totals.

(B) is incorrect because a printout of the updated inventory records is generated from programs that utilize the information from the sales batch processing system, but is not directly produced from the sales system.
(C) is incorrect because a report showing overdue accounts receivable is obtained by preparing an accounts receivable aging schedule.
(D) is incorrect because a printout of the sales price master file represents information that is input into the computer system as a basis for the edit checks.

Question 53

Which of the following computer-assisted auditing techniques allows fictitious and real transactions to be processed together without client operating personnel being aware of the testing process?

A. Integrated test facility

B. Input controls matrix

C. Parallel simulation

D. Data entry monitor

Answer 53

A.

An integrated test facility (ITF) processes fictitious data with real data in order to test computer con­trols; client personnel are unaware of the testing. An input control matrix documents controls and their presence. Parallel simulation processes client input data on an auditor-controlled program to test controls; test data is not utilized. The term “data entry monitor” is not commonly used.

Question 54

The completeness of IT-generated sales figures can be tested by comparing the number of items listed on the daily sales report with the number of items billed on the actual invoices. This process uses

A. Check digits

B. Control totals

C. Process tracing data

D. Validity tests

Answer 54

B.

Control totals are an IT control technique whereby a total is computed at a given stage in the processing cycle and recomputed at a later point. The totals are then compared to ensure that no data was dropped, added, or misprocessed. A check digit is a number that is added within a numerical entry to check its accuracy. Process tracing data apparently refers to ‘tagging’ of data, a technique used by auditors to follow a transaction through the processing cycle. A validity test is designed to ensure that only data meeting specific criteria are allowed.

Question 55

In a computerized payroll system environment, an auditor would be least likely to use test data to test controls related to

A. Missing employee numbers

B. Proper approval of overtime by supervisors

C. Time tickets with invalid job numbers

D. Agreement of hours per clock cards with hours on time tickets

Answer 55

B

Proper approval of overtime most likely would be made by inspection of the related documents and reports to assess whether the authorization policy was applied. The computerized system would be unable to make such a judgment. The computerized payroll system could be utilized to test controls related to missing employee numbers, time tickets with invalid job numbers, and agreement of hours per clock cards with hours on time tickets.

Question 56

When evaluating internal control of an entity that processes sales transactions on the Internet, an auditor would be most concerned about the

A. Lack of sales invoice documents as an audit trail

B. Potential for computer disruptions in recording sales

C. Inability to establish an integrated test facility

D. Frequency of archiving and data retention

Answer 56

B

Computer disruptions could destroy the only record of an online transaction. Integrated test facilities, archiving, and data retention are issues that arise whether sales are on the Internet or entered into a computer system by the entity. By their nature, sales transactions processed on the Internet don’t involve sales invoice documents.

Question 57

Which of the following most likely represents a significant deficiency in internal control?

A. The systems programmer designs systems for computerized applications and maintains output controls.

B. The systems analyst reviews applications of data processing and maintains systems documentation.

C. The control clerk establishes control over data received by the IT department and reconciles control totals after processing.

D. The accounts payable clerk prepares data for computer processing and enters the data into the computer.

Answer 57

A.

A weakness in internal control exists where an individual is in a position to both perpetrate and conceal an error or fraud. Hence, a systems programmer should not be given any control over the review or distribution of the output of the IT system. It is part of the systems analyst’s job to review applications of data processing and to maintain systems documentation. It is part of the control clerk’s job to establish control over data received by the IT department and to reconcile control totals after processing. It is part of the accounts payable clerk’s normal duties to prepare data for computer processing and to enter the data into the computer.

Question 58

A primary advantage of using generalized audit software packages to audit the financial statements of a client is that the auditor may

A. Access information stored on computer files while having a limited understanding of the client’s hardware and software features

B. Consider increasing the use of substantive tests of transactions in place of analytical procedures

C. Substantiate the accuracy of data through self-checking digits and hash totals

D. Reduce the level of required tests of controls to a relatively small amount

Answer 58

A.

One of the reasons for using generalized audit software (GAS) is that it enables the auditor to gain access and test information stored in the client’s files without having to acquire a complete understanding of the client’s IT system. Although the use of GAS enables the auditor to deal more effectively with large quantities of data and produces economies in the audit while increasing the quality of the audit, it cannot replace analytical procedures. Self-checking digits and hash totals are controls in the client system. Reducing the level of required tests of controls to a relatively small amount is the result of assessing control risk and applying preliminary tests of controls, not a result of using a GAS package.