Roque Quick Auditing Theory Chapter 6.pdf

  • Uploaded by: Sherene Faith Carampatan
  • January 2021

CHAPTER 6

Auditing in a Computer Information Systems (CIS) or Information Technology (IT) Environment

1. IT has several significant effects on an entity. Which of the following would be important from an auditing perspective?

I. The potential for material misstatement.
II. The visibility of information.
III. Changes in the organizational structure.


A. I and II only
B. I and III only
C. II and III only
D. I, II, and III

2. The use of a computer changes the processing, storage, and communication of financial information. A CIS environment may affect the following, except
A. The accounting and internal control systems of the entity.
B. The overall objective and scope of an audit.
C. The auditor's design and performance of tests of control and substantive procedures to satisfy the audit objectives.
D. The specific procedures to obtain knowledge of the entity's accounting and internal control systems.

A CIS environment does not affect the overall objective and scope of an audit.

3. The following are benefits of using IT-based controls, except
A. Ability to process large volume of transactions.
B. Over-reliance on computer-generated reports.
C. Ability to replace manual controls with computer-based controls.
D. Reduction in misstatements due to consistent processing of transactions.

4. Which of the following statements concerning the Internet is incorrect?
A. The Internet is a shared public network that enables communication with other entities and individuals around the world.
B. The Internet is a private network that only allows access to authorized persons or entities.
C. The Internet is interoperable, which means that any computer connected to the Internet can communicate with any other computer connected to the Internet.
D. The Internet is a worldwide network that allows entities to engage in e-commerce/e-business activities.

CPA EXAMINATION REVIEWER: AUDITING THEORY

5. In planning the portions of the audit which may be affected by the client's CIS environment, the auditor should obtain an understanding of the significance and complexity of the CIS activities and the availability of data for use in the audit. The following relate to the complexity of CIS activities except when
A. Transactions are exchanged electronically with other organizations (for example, in electronic data interchange systems [EDI]).
B. Complicated computations of financial information are performed by the computer and/or material transactions or entries are generated automatically without independent validation.
C. Material financial statement assertions are affected by the computer processing.
D. The volume of transactions is such that users would find it difficult to identify and correct errors in processing.

The materiality of the financial statement assertions affected by the CIS relates to the significance, not the complexity, of computer processing.

6. The auditor shall consider the entity's CIS environment in designing audit procedures to reduce risk to an acceptably low level. Which of the following statements is incorrect?
A. The auditor's specific audit objectives do not change whether financial information is processed manually or by computer.
B. The methods of applying audit procedures to gather audit evidence are not influenced by the methods of computer processing.
C. The auditor may use either manual audit procedures, computer-assisted audit techniques (CAATs), or a combination of both to obtain sufficient appropriate audit evidence.
D. In some CIS environments, it may be difficult or impossible for the auditor to obtain certain data for inspection, inquiry, or confirmation without the aid of a computer.

The methods of applying audit procedures to gather audit evidence may be influenced by the methods of computer processing.

7. Regardless of the nature of an entity's information system, the auditor must consider internal control. In a CIS environment, the auditor must, at a minimum, have
A. A background in programming procedures.
B. An expertise in computer systems analysis.
C. A sufficient knowledge of the computer's operating system.
D. A sufficient knowledge of the computer information system.

The auditor should have a sufficient knowledge of the CIS to plan, direct, supervise, and review the work performed.

Answers A and B are incorrect because an auditor need not have expertise in programming and computer systems analysis. If specialized CIS skills are needed in the audit, the auditor may seek the assistance of an auditor's expert.

Answer C is incorrect because the auditor should have sufficient knowledge of the entire CIS, not only of the computer's operating system.

8. Who is ultimately responsible for the design and implementation of cost-effective controls in a CIS environment?
A. The internal audit manager
B. The entity's management
C. The CIS manager
D. The control group in the CIS department

An entity's management is ultimately responsible for designing and implementing systems that will provide reasonable assurance that the entity's objectives will be achieved.

9. Are the following risks greater in CIS than in manual systems?
Erroneous data conversion
Erroneous source document preparation
Repetition of errors
Concentration of data

.e

Yes

Yes

Yes

Q Yes

Yes No Yes

Yes No No

Yes Yes Yes

No Yes Yes

8

~

The preparation of source documents either precedes or is not done at all in a computer information system. Thus, the risk of erroneous source document preparation in a CIS environment may be equal to or less than the equivalent risk in a manual system.

In a CIS environment, the computer converts data to machine-readable form prior to processing of transactions. This will increase the risk of input error. In addition, the computer's ability to uniformly process like transactions with the same processing instructions will ordinarily result in all transactions being processed incorrectly if there are programming errors (or other systematic errors in hardware or software). Also, the concentration of data stored on magnetic disk increases the risk of loss of valuable financial information from damage or theft.

10. Which of the following is not a hardware element in an IT environment?
A. Scanners
B. CD-ROM drive
C. Application programs
D. Modems

An IT environment consists of hardware and software components. Computer hardware consists of the computer and all other physical equipment. The software component consists of computer programs that are either purchased from a software vendor or developed in-house by the entity. Application software, a type of computer software, performs desired processing tasks such as payroll processing.

Answers A, B, and D are incorrect because optical scanners, CD-ROM drive, and modems are elements of computer hardware.

11. Which of the following computer hardware elements is not associated with data input?
A. Touch screen
B. Printer
C. Mouse
D. Optical scanner

A printer is an output device that produces a hard copy of computer processing results.

Answers A, C, and D are incorrect because a touch screen, a mouse, and an optical scanner can be used for data input.

12. A hardware element that takes the computer's digital information and transforms it into signals that can be sent over ordinary telephone lines is a/an
A. Intelligent terminal
B. Point-of-sale terminal
C. Terminal emulator
D. Modem

A modem converts data in digital form into analog or wave form (the process is called modulation) so that data can be sent to remote locations through the telephone system. The modem at the receiving end of the transmission path converts the analog or wave form back to the digital form (the process is called demodulation) used by the terminal or CPU.

13. Uninterruptible power supplies are used in computer facilities to minimize the risk of
A. Crashing disk drive read-write heads.
B. Dropping bits in data transmission.
C. Failing to control concurrent access to data.
D. Losing data stored in main memory.

An uninterruptible power source such as a generator or battery backup used in a computer facility will reduce the likelihood of losing data stored in the computer's main memory in the event of an electrical failure such as a power outage or voltage fluctuation.

14. In a computer system, the parts of the operating system program and language translator program are stored in the
A. Read only memory (ROM).
B. Random access memory (RAM).
C. Magnetic tape drive.
D. Magnetic disk drive.

ROM consists of semiconductor chips that can be read from (but not written to) and are used as permanent storage of the operating system and language translator.

Answers B, C, and D are incorrect because RAM and magnetic tape and disk drives are temporary storage devices.

15. A characteristic that distinguishes computer processing from manual processing is
A. The potential for systematic error is ordinarily greater in manual processing than in computerized processing.
B. Errors or fraud in computer processing will be detected soon after their occurrences.
C. Most computer systems are designed so that transaction trails useful for audit purposes do not exist.
D. Computer processing virtually eliminates the occurrence of computational errors normally associated with manual processing.

Computational or clerical errors are virtually eliminated in computer processing because of the computer's capability to uniformly process like transactions with the same processing instructions.


Answer A is incorrect because the risk of systematic or programming error is greater in computer processing than in manual processing. The computer's ability to subject like transactions to uniform processing will result in all transactions being processed incorrectly if there are errors embedded in the program logic.

Answer B is incorrect because errors or fraud in computer processing may remain undetected for long periods of time, or worse, may never be detected at all. The potential for observing errors or fraud is reduced in computer processing because of decreased human involvement in handling transactions processed by CIS.

Answer C is incorrect because CIS are designed to include transaction trails. However, some transaction trails in computer processing may exist for only a short period of time or only in computer-readable form.

16. An affordable yet powerful self-contained general purpose computer which consists typically of a central processing unit (CPU), monitor, keyboard, disk drives, printer cables, and modems is a/an
A. Personal computer
B. Mainframe
C. On-line computer
D. Terminal

17. A CIS where two or more personal computers are linked together through the use of special software and communication lines and allows the sharing of application software, data files, and computer peripherals such as printers and optical scanners is a/an
A. Local area network (LAN)
B. On-line system
C. Batch processing system
D. Wide area network (WAN)

Each personal computer linked to a LAN is called a workstation that can access data, software, and other resources through a file server, a linked PC that manages the network. A LAN is usually confined to a small geographic location such as a building or two or more adjacent buildings. Two or more LANs can be linked together to form a wide area network (WAN).

18. A file server in a local area network (LAN) is
A. A workstation that is dedicated to a single user on the LAN.
B. A computer that stores programs and data files for users of the LAN.
C. The cabling that physically interconnects the nodes of the LAN.
D. A device that connects the LAN to other networks.

Common resources such as programs and data shared by LAN nodes are stored and managed by special-purpose computers called file servers.

Answer A is incorrect because a workstation or node in a LAN is called a client.

Answer C is incorrect because the cabling that physically interconnects the nodes of the LAN is the communications link.

Answer D is incorrect because bridges and gateways are used to link networks together. Bridges connect LANs of the same type while gateways connect LANs of different types.

19. Audit team members can use the same database and programs when their PCs share a hard disk and printer on a LAN. Which of the following communication devices enables a PC to connect to a LAN?
A. A network interface card (NIC) that plugs into the motherboard.
B. A fax modem that sends signals through telephone lines.
C. An internal modem that plugs into the motherboard.
D. An external modem with a cable connection to a serial port.

A workstation's physical connection to the LAN is achieved through a network interface card (NIC) which plugs into one of the expansion slots in the PC.

Answers B, C, and D are incorrect because modems connect PCs to ordinary telephone lines.

20. A computer information system that allows individual users to develop and execute application programs, enter and process data, and generate reports in a decentralized manner is called a/an
A. Online system
B. Batch processing system
C. End-user computing
D. Networking

In end-user computing, management empowers individual users to develop and execute application programs, enter and process data, and generate computer processing results. This system is an example of decentralized processing and usually involves the use of PCs.

21. Which of the following statements most likely represents a disadvantage for an entity that maintains data files on personal computers (PCs) rather than manually prepared files?
A. It is usually more difficult to compare recorded accountability with the physical count of assets.
B. Random error associated with processing similar transactions in different ways is usually greater.
C. Attention is focused on the accuracy of the programming process rather than errors in individual transactions.
D. It is usually easier for unauthorized persons to access and alter the files.

In a PC environment, unauthorized individuals can easily gain access to and change data files without visible evidence.

Answer A is incorrect because the ability to compare information in the file with the physical count of assets does not depend on the method used in maintaining the files.

Answer B is incorrect because an advantage of CIS is the computer's ability to process like transactions in the same way.

Answer C is incorrect because focusing on the accuracy of the programming process is an advantage of CIS.

22. The following are risks specific to IT environments, except
A. Reduced segregation of duties.
B. Loss of data due to insufficient backup.
C. Increased human involvement.
D. Reliance on the functioning capabilities of hardware and software.

23. Most personal computers have both a CD-ROM drive and a hard disk drive. The major difference between the two types of storage is that a hard disk
A. Is suitable for an online system, whereas a CD-ROM is not.
B. Provides an automatic audit trail, whereas a CD-ROM does not.
C. Has a much larger storage capacity than a CD-ROM.
D. Is a direct-access storage medium, whereas a CD-ROM is a sequential-access storage medium.

24. What type of online computer system is characterized by data that are assembled from more than one location and records that are updated immediately?
A. Online, batch processing system
B. Online, real-time processing system
C. Online, inquiry system
D. Online, downloading/uploading system

In an online processing system, individual transactions are entered through workstations or terminals that are connected to the mainframe.

A type of online system is online, real-time processing system that involves immediate validation and processing of data input to update related computer files that allow users to receive the output soon enough to affect a current decision to be made.


Answer A is incorrect because in an online, batch processing system, individual transactions are entered through remote terminals, subjected to certain validation routines and added to a transaction file containing other transactions entered during the period. The transaction file is to be subjected to further validation checks and then used in updating the relevant master file in the subsequent processing cycle.

Answer C is incorrect because in an online, inquiry system, users are restricted to making inquiries of master files (for example, inquiry of a customer account balance).

Answer D is incorrect because online, uploading/downloading system involves the transfer of data between the mainframe and workstations.

25. Misstatements in a batch computer system caused by incorrect programs or data may not be detected immediately because
A. The processing of transactions in a batch system is not uniform.
B. There are time delays in processing transactions in a batch system.
C. The identification of errors in input data typically is not part of the program.
D. Errors in some transactions may cause rejection of other transactions in the batch.

In a batch processing system, similar transactions are processed in groups or batches periodically, for example, daily, weekly, or even monthly. Hence, errors in a given batch may be detected only after the lapse of considerable time from the initiation of the transactions.

Answer A is incorrect because like transactions are processed uniformly in a batch system.

Answer C is incorrect because data validation routines may be embedded in the computer program.

Answer D is incorrect because although similar transactions are processed together in batches, individual transactions are not dependent upon one another.

26. Which of the following features is least likely to be found in an online, real-time processing system?
A. Turnaround documents
B. User manuals
C. Preformatted screens
D. Automatic error correction

A turnaround document is a source document generated by the computer system as output and then later used as input for subsequent processing. Turnaround documents are least likely to be found in an online, real-time processing system because it normally does not use source documents.

Answer B is incorrect because user manuals provide explanations on the proper use of the system, making them an important component of the real-time system.

Answer C is incorrect because users usually interact with the mainframe through preformatted screens of remote terminals.


Answer D is incorrect because automatic error correction is a principal advantage of real-time systems, that is, errors are immediately detected and corrected.

27. Which of the following is usually not a factor to consider in designing and implementing an online, real-time system?
A. Priority allocation
B. Queues
C. Interrupts
D. Hardware diagnostics

Computers are designed to include hardware diagnostic routines that allow identification of hardware problems such as a parity check to determine if the integrity of the bit structure of each character has been destroyed during the internal transmission of data within the system. Hardware diagnostic routines are applicable to all systems, not only to online, real-time systems.

Answers A and B are incorrect because priority allocation and queues are important factors in real-time systems. Both of them relate to deciding which jobs should be given priority in processing.

Answer C is incorrect because interrupts allow high priority jobs to get immediate action. In a multiprogramming environment, work on one program is interrupted so the CPU may attend to another.

28. Workstations or terminals are an integral component of online computer systems. Which of the following statements concerning workstations is incorrect?
A. Workstations may be located either locally or at remote sites.
B. Both local and remote workstations require the use of telecommunications to link them to the main computer.
C. Local workstations are connected directly to the main computer through cables.
D. Workstations may be used by different users, for different purposes, in different locations, all at the same time.

Only remote workstations require the use of telecommunications to link them to the main computer. Local workstations are linked through cables.

29. Online computer systems use workstations or terminals that are located either locally or at remote sites. There are two types of workstations: general purpose terminals and special purpose terminals. General purpose terminals include the following, except
A. Basic keyboard and monitor
B. Point of sale devices
C. Intelligent terminal
D. Personal computers

General purpose terminals include:

• Basic keyboard and monitor - used for entering data without any validation checks; the monitor displays data from the computer system.
• Intelligent terminal - performs the functions of the basic keyboard and monitor with the additional functions of validating data within the terminal, maintaining transaction logs, and performing other local processing.
• Personal computers - perform all the functions of an intelligent terminal with additional local processing and storage capabilities.

Special purpose terminals include:

• Point of sale devices - used to record sales transactions as they occur and to transmit them to the main computer such as electronic cash registers and optical scanners.
• Automated teller machines (ATMs) - used to initiate, validate, record, transmit, and complete various banking transactions.

30. The "test data approach"
A. Involves reprocessing actual entity data using the entity's computer software.
B. Involves reprocessing actual entity data using the auditor's computer software.
C. Is where dummy transactions are prepared by the auditor and processed under the auditor's control using the entity's computer software.
D. Is where actual transactions are prepared by the auditor.

31. Which of the following is a primary example of source data automation?
A. A subsidiary ledger
B. A utility bill
C. Point-of-sale (POS) scanners in malls
D. A bill of lading

32. Express Padala, Inc. stated in one of its mission statements that "positive control of each package will be maintained by utilizing ... electronic tracking and tracing systems." Express Padala uses what type of IT system?
A. Batch processing which features immediate updating as to the location of packages.
B. Real-time processing which features updating at fixed time periods.
C. Batch processing which features updating at fixed time periods.
D. Real-time processing which features immediate updating as to the location of packages.

33. In a file-oriented approach to data and information, data is maintained in many separate files. This may create problems for organizations because of
A. Multiple users.
B. Multiple transaction files.
C. Multiple master files which may contain redundant data.
D. A lack of sophisticated file maintenance software.

34. ________ refers to the combination of the database, the Database Management System (DBMS), and the application programs that access the database through the DBMS.
A. Data warehouse
B. Database administrator
C. Database system
D. Database manager

35. Who is the individual responsible for the database?
A. Data coordinator
B. Database master
C. Database administrator
D. Database manager

36. Which feature of many database systems simplifies the creation of reports by allowing users to specify the data elements desired and the format of the output?
A. Report generator
B. Report writer
C. Report printer
D. Report creator

37. Which of the following is probably the most significant effect of database technology on accounting?
A. Quicker access to and greater use of accounting information in decision-making.
B. Replacement of the double-entry system.
C. Change in the nature of financial reporting.
D. Elimination of traditional records such as journals and ledgers.

38. An entity should have a disaster recovery plan to ensure that data processing capacity can be restored as smoothly and quickly as possible. The following would typically be part of an adequate disaster recovery plan, except
A. A system upgrade due to operating system software changes.
B. Backup computer and telecommunication facilities.
C. Scheduled electronic vaulting of files.
D. Uninterruptible power systems installed for key system components.

39. Which of the following statements concerning computer program modifications is incorrect?
A. After the amended program has received final approval, the change is implemented by replacing the production version with the developmental version.
B. During the modification process, the developmental version of the program must be kept separate from the production version.
C. When a program change is submitted for approval, a list of all required updates should be compiled and then approved by management and program users.
D. Only material program changes should be thoroughly tested and documented.

40. Old and new systems operating simultaneously in all locations is a test approach known as parallel testing. Pilot testing involves implementing a new system in one part of the organization, while other locations continue to use the current system.
A. True; False
B. Both are True
C. False; True
D. Both are False

41. A collection of data that is shared and used by a number of different users for different purposes is a
A. Database
B. Memory
C. File
D. Record

The standard defines "database" as a collection of data that is shared and used by a number of different users for different purposes.

42. Which of the following computer software is used to create, maintain, and operate a database?
A. Application software
B. Systems software
C. Database management system (DBMS)
D. Database administrator

The DBMS is used to create, maintain, and operate a database. It facilitates the physical storage of the data, maintains the interrelationships among the data, and makes the data available to application programs.

43. The two important characteristics of a database system are
A. The database and the DBMS.
B. Data sharing and data independence.
C. The DBMS and data sharing.
D. The DBMS and data independence.

The two important characteristics of a database system are data sharing and data independence. Data sharing can be achieved if the database contains data which are set up with defined relationships and are organized in a manner that permits several users to access and use the data in different application programs. The need for data sharing creates the need for data independence from application programs. Through the DBMS, data are recorded only once, for use by different application programs. There will be true data independence if the structure of data can be changed without affecting the application programs, and vice versa.

44. To protect the integrity of the database, data sharing by different users requires organization, coordination, rules, and guidelines. The individual responsible for managing the database resource is the
A. Programmer
B. Database administrator
C. User
D. CIS manager

The database administrator is responsible generally for the definition, structure, security, operational control, and efficiency of databases, including the definition of the rules by which data are accessed and stored.

45. An auditor who wishes to trace data through several application programs should know what programs use the data, which files contain the data, and which printed reports display the data. In a database system, the information could be found in a
A. Decision table
B. Data dictionary
C. Database schema
D. Data encryptor

A software within the DBMS that keeps track of the location of the data in the database is called data dictionary.

Answer A is incorrect because a decision table is a matrix presentation of the decision points and related actions included in a computer program.

Answer C is incorrect because the database schema describes the database structure.

Answer D is incorrect because an encryptor encodes messages.

46. Which of the following is the greatest advantage of a database system?
A. Data redundancy can be reduced.
B. Backup and recovery procedures are minimized.
C. Multiple occurrences of data items are useful for consistency checking.
D. Conversion to a database system is inexpensive and can be accomplished quickly.

In a database system, data redundancy is kept to a minimum because the DBMS records the data once, for use by various application programs. Storage structures are created that make the application programs independent of the location of the data. Because each item in the database has a standard definition, name, and format, and related items are linked by a system of pointers, the application programs need only to specify the data name, not the location.

Answer B is incorrect because backup and recovery procedures in a database system are just as crucial as in a traditional flat-file system.

Answer C is incorrect because data redundancy, that is, multiple occurrences of data items, is substantially reduced in a database system.

Answer D is incorrect because converting a large amount of data to a database is costly and time consuming.

47. The following statements relate to a database management system (DBMS) application environment. Which is false?
A. Data definition is independent of any one program.
B. The physical structure of the data is independent of user needs.
C. Data are used concurrently by different users.
D. Data are shared by passing files between programs or systems.

In a database system, application programs share the data in the common database for different purposes. Thus, there is no need to pass files between applications.

48. Which of the following is an advantage of a database management system (DBMS)?
A. A decreased vulnerability as the DBMS has numerous security controls to prevent disasters.
B. Each organizational unit takes responsibility and control for its own data.
C. Data independence from application programs.
D. The cost of the CIS department decreases because users are now responsible for establishing their own data handling techniques.

An important characteristic of a database system is that applications are independent of the database structure. This allows programs to be developed for the user's specific needs without concern for data retrieval problems. Moreover, changes to the physical or logical structure of the database can be made without the need to modify any of the application programs that use the database.

Answer A is incorrect because the DBMS is no safer than any other computer information system.

Answer B is incorrect because each organizational unit develops its application programs that will use the data items in the common database.


Answer D is incorrect because data handling techniques remain the responsibility of the CIS department.

49. Which of the following is usually a benefit of transmitting transactions in an electronic data interchange (EDI) environment?
A. A reduced need to test computer controls related to sales and collections transactions.
B. A compressed business cycle with lower year-end receivables balances.
C. No need to rely on third-party service providers to ensure security.
D. An increased opportunity to apply statistical sampling techniques to account balances.

Because EDI transactions are transmitted and processed in real time, delays are eliminated in receiving and processing an order, shipping goods, and receiving payment. Thus, EDI compresses an entity's business cycle and results in lower year-end receivables balances.

Answer A is incorrect because the use of a complex processing system increases the need to test computer controls.

Answer C is incorrect because an EDI system typically uses a VAN (value added network) as a third-party service provider, and reliance on VAN controls may be critical.

Answer D is incorrect because all transactions (not just a sample) may be tested with the aid of computer technology.

50. The internal controls over computer processing include both manual procedures and procedures designed into computer programs (programmed control procedures). The manual and programmed control procedures comprise the general CIS controls and CIS application controls. The purpose of general controls is to
A. Establish specific control procedures over the accounting applications in order to provide reasonable assurance that all transactions are authorized and recorded and are processed completely, accurately, and on a timely basis.
B. Establish a framework of overall controls over the CIS activities and to provide a reasonable level of assurance that the overall objectives of internal control are achieved.
C. Provide reasonable assurance that systems are developed and maintained in an authorized and efficient manner.
D. Provide reasonable assurance that access to data and computer programs is restricted to authorized personnel.

The purpose of general CIS controls is to establish a framework of overall controls over the CIS activities and to provide a reasonable level of assurance that the overall objectives of internal control are achieved.

General CIS controls may include:
• Organization and management controls.
• Application systems development and maintenance controls.
• Computer operation controls.
• Systems software controls.
• Data entry and program controls.

Answer A is incorrect because the establishment of specific control procedures over the accounting applications is the purpose of CIS application controls.


Answer C is incorrect because controls designed to provide reasonable assurance that systems are developed and maintained in an authorized and efficient manner are application systems development and maintenance controls.

Answer D is incorrect because controls designed to provide reasonable assurance that access to data and programs is restricted to authorized personnel are data entry and program controls.

51. CIS application controls include the following, except
A. Controls over input.
B. Controls over processing and computer data files.
C. Controls over output.
D. Controls over access to systems software and documentation.

Restricting access to systems software and documentation to authorized personnel is a general CIS control. CIS application controls include:

1. Controls over input - designed to provide reasonable assurance that:
• Only authorized transactions are submitted for processing.
• All authorized transactions are accurately converted into machine-readable form.
• Incorrect transactions are rejected, corrected, and, if necessary, resubmitted on a timely basis.

2. Controls over processing and computer data files - designed to provide reasonable assurance that:
• All transactions are processed as authorized.
• No authorized transactions are omitted.
• No unauthorized transactions are processed.
• Processing errors are identified and corrected on a timely basis.

3. Controls over output - designed to provide reasonable assurance that:
• The results of processing are accurate.
• Output is distributed only to authorized users.

52. The auditor is required to consider how an entity's general CIS controls affect the CIS applications significant to the audit. Accordingly, the auditor should
A. Review the design of the general CIS controls only.
B. Review the design of the CIS application controls only.
C. Review the design of the general CIS controls before reviewing the CIS application controls.
D. Review the design of the CIS application controls before reviewing the design of the general CIS controls.

General CIS controls that relate to some or all applications are typically interdependent controls in that their operation is often essential to the effectiveness of CIS application controls. A more efficient approach is to review the design of the general CIS controls before reviewing the CIS application controls.

53. The two broad categories of IT controls are general controls and application controls. General controls include controls
A. For developing, maintaining, and modifying computer programs.
B. That relate to the correction and resubmission of erroneous data.
C. Designed to provide reasonable assurance that only authorized users receive output from processing.
D. Designed to provide reasonable assurance that all data submitted for processing have been properly authorized.

General controls relate to all or many IT activities and often include organization and management controls, application systems development and maintenance controls, computer operation controls, systems software controls, and data entry and program controls.

Answers B, C, and D are incorrect because controls over correction of erroneous input data, output distribution, and authorization of input data are IT application controls.

54. Which of the following statements concerning application controls is correct?
A. Application controls relate to all aspects of the IT function.
B. Application controls relate to the processing of individual transactions.
C. Application controls relate to various aspects of the IT function including software and hardware acquisitions.
D. Application controls relate to various aspects of the IT function including physical security and the processing of transactions in various cycles.

55. The significance of hardware controls is that they
A. Ensure that run-to-run totals in application systems are consistent.
B. Reduce the incidence of user input errors in online systems.
C. Ensure correct programming of operating system functions.
D. Assure that machine instructions are executed correctly.


To detect and control errors arising from the use of computer equipment, hardware controls are built into the equipment by the manufacturer, such as parity checks, read-after-write checks, and echo checks.

Answer A is incorrect because run-to-run totals are used to determine the completeness of update in an online system. Separate totals are accumulated for all transactions processed throughout a period and compared with the total of items submitted for computer processing.

Answer B is incorrect because input controls such as the use of limit checks, self-checking digits, and input screens can reduce the incidence of user input errors in online systems.

Answer C is incorrect because computer programmers and/or systems analysts are responsible for correcting program errors.

56. The following statements relate to internal control in an electronic data interchange (EDI) environment. Which is true?
A. In EDI systems, preventive controls are generally more important than detective controls.
B. Control objectives for EDI systems generally are different from the objectives for other computer information systems.
C. Internal controls that relate to the segregation of duties generally are the most important controls in EDI systems.
D. Internal controls in EDI systems rarely permit control risk at below the maximum.

In all information systems, manual and computerized, preventive controls are more important than detective controls because typically, the benefits exceed the costs. In an EDI environment, it may be difficult to apply detective controls once a transaction enters the computer system.

Answer B is incorrect because the basic objectives of internal control are the same regardless of the nature of data processing.

Answer C is incorrect because adequate segregation of incompatible functions in a CIS environment may not be feasible.

Answer D is incorrect because control risk in an EDI system may be assessed at below the maximum level if relevant controls exist and tests of controls provide evidence that those controls are functioning effectively.

57. An entity has recently converted its revenue/receipt cycle from manual processing to an online, real-time processing system. Which is the most probable result associated with conversion to the new computerized processing system?
A. Less segregation of traditional duties.
B. Significant increase in processing time.
C. Reduction in the entity's risk exposures.
D. Increase in processing errors.

The basic segregation of functions (authorization, recordkeeping, and asset custody) in a manual system is not usually feasible in a computerized system because of decreased human involvement in processing financial information.

Answer B is incorrect because processing time is decreased in a computerized system.


Answer C is incorrect because computer processing does not necessarily reduce the number of risk exposures.

Answer D is incorrect because processing errors will decrease as a result of the conversion to a new computerized system.

58. The most important segregation of duties in the organization of the information systems function is
A. Using different programming personnel to maintain utility programs from those who maintain the application programs.
B. Having a separate information officer at the top level of the organization outside of the accounting function.
C. Assuring that those responsible for programming the system do not have access to data processing operations.
D. Not allowing the data librarian to assist in data processing operations.

An important general CIS control is segregation of duties. Although some separation of duties common in a manual system may not be feasible in a CIS environment, some functions should not be combined.

The functions of systems analysts and programmers should not be combined with the functions of computer operators. Programmers and systems analysts may be able to effect changes in programs, files, and controls and should therefore have no access to computer equipment.

Computer operators should have no opportunity to modify programs and data files, and should not have programming duties or responsibility for installing new or modifying existing systems.

Answer A is incorrect because computer programmers handle all types of computer software.

Answer B is incorrect because having a separate information officer at the top level of the organization outside of the accounting function would be less critical than separation of duties between programmers and computer operators.

Answer D is incorrect because computer librarians may assist in data processing operations. However, because they maintain control over system and program documentation and data files, they should not have access to computer equipment.

59. A systems analyst should have access to each of the following, except
A. Edit criteria
B. Source code
C. Password identification tables
D. User procedures

Unauthorized changes to application programs and data files can be made by the analyst if he/she has access to password identification tables.

Answers A, B, and D are incorrect because the systems analyst needs access to edit criteria, source code, and user procedures.


60. Which of the following would represent an internal control weakness in an IT environment?
A. The computer librarian maintains custody of computer application programs and files.
B. The data control group is solely responsible for distributing computer-generated reports.
C. Computer operators have access to operator instructions and have the authority to modify application programs.
D. Computer programmers write and modify programs designed by systems analysts.

Computer operators should have access to operator instructions so they can perform their duties. However, they should not have the authority to modify application programs.

Answer A is incorrect because the computer librarian is responsible for maintaining custody and recordkeeping for computer application programs and data files.


Answer B is incorrect because an appropriate function of the data control group is distribution of computer output and other reports.

Answer D is incorrect because computer programmers are responsible for writing and revising programs designed by systems analysts.

61. The manager of computer operations prepares a weekly schedule of planned computer processing and sends a copy to the computer librarian. The control objective this procedure serves is to
A. Authorize the release of data files to computer operators.
B. Specify the distribution of computer results.
C. Specify file retention and disaster recovery policies.
D. Keep improper and unauthorized transactions from entering the computer facility.

A computer librarian has in his/her custody data files, programs, and documentation, all of which are his/her accountability. The weekly schedule of planned computer processing provides authorization for release of files to computer operators and a consequent transfer of accountability.

Answers B and D are incorrect because the data control group keeps unauthorized and improper transactions from entering the computer facility and specifies the distribution of computer results.

Answer C is incorrect because file retention and disaster recovery policies are specified in the entity's backup and recovery plan.

62. One of the major problems in a CIS environment is that incompatible duties may be performed by the same individual. One compensating control is the use of
A. Computer-generated hash totals
B. A computer log
C. A self-checking digit system
D. Echo checks

Computer and software usage is recorded in a computer (console) log, including operator interventions during computer processing. A compensating control for the lack of adequate segregation of duties is proper monitoring of the computer log. For example, a computer log may include a list of operator interventions during computer processing.

Answer A is incorrect because hash totals are control totals calculated using nonfinancial data (for example, the sum of sales order numbers) to keep track of the records in a batch.

Answer C is incorrect because a self-checking digit system is an input control to detect data coding errors. It involves adding a control digit to a code (for example, a bank account number) when it is originally designed to allow the code's integrity to be established during subsequent processing.

Answer D is incorrect because an echo check is a hardware control that involves the receiver of the message returning the message to the sender to determine if the correct message was received.

63. In the organization of the information systems function, the most important separation of duties is
A. Using different programming personnel to maintain utility programs from those who maintain the application programs.
B. Assuring that those responsible for programming the system do not have access to data processing operations.
C. Not allowing the data librarian to assist in data processing operations.
D. Having a separate information officer at the top level of the organization outside of the accounting function.

64. An entity has recently converted its purchasing cycle from a manual process to an online computer system. Which of the following is a probable result associated with conversion to the new IT system?
A. Traditional duties are less separated.
B. Increased processing time.
C. Reduction in the entity's risk exposure.
D. Increased processing errors.
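The hash total and self-checking digit described in the explanation to question 62 can be seen at work on a keyed batch. The following is an added example, not part of the reviewer; the modulus-11 scheme, the account and order numbers, and the batch layout are assumptions constructed for illustration.

```python
"""Self-checking digit and batch hash total (added illustration).

Assumptions, not from the reviewer: the modulus-11 scheme, the account
and order numbers, and the batch layout are constructed for this example.
"""


def mod11_check_digit(base):
    """Return the modulus-11 check digit for a numeric code, or None.

    Digits are weighted 2, 3, 4, ... from the right. A result of 10 cannot
    be written as one digit, so such base numbers are never issued.
    """
    total = sum(int(d) * w for w, d in enumerate(reversed(base), start=2))
    check = (11 - total % 11) % 11
    return None if check == 10 else str(check)


def is_valid_code(code):
    """True when the last digit of code matches its recomputed check digit."""
    if len(code) < 2 or not code.isdigit():
        return False
    expected = mod11_check_digit(code[:-1])
    return expected is not None and expected == code[-1]


def validate_batch(header, records):
    """Compare a keyed batch with its batch header and check every code.

    header  -- {"record_count": int, "hash_total": int}, prepared by the
               user department before the batch was sent for keying
    records -- list of (order_number, account_number, amount_in_cents)
    Returns a list of findings; an empty list means the batch is accepted.
    """
    findings = []
    if len(records) != header["record_count"]:
        findings.append(
            f"record count {len(records)} != {header['record_count']}")
    # Hash total: the sum of a nonfinancial field. The figure means nothing
    # in itself; it only shows whether a record was lost, added or rekeyed.
    hash_total = sum(order_no for order_no, _, _ in records)
    if hash_total != header["hash_total"]:
        findings.append(f"hash total {hash_total} != {header['hash_total']}")
    for order_no, account, _ in records:
        if not is_valid_code(account):
            findings.append(
                f"order {order_no}: account {account} fails check digit")
    return findings


# Constructed batch as prepared by the user department.
SOURCE_BATCH = [
    (10451, "482137", 12500),
    (10452, "913073", 9900),
    (10453, "260444", 4300),
]
BATCH_HEADER = {"record_count": 3, "hash_total": 10451 + 10452 + 10453}

# The same batch as keyed: two digits transposed in the first account
# number, and the third record dropped.
KEYED_BATCH = [
    (10451, "481237", 12500),
    (10452, "913073", 9900),
]

if __name__ == "__main__":
    print("source batch:", validate_batch(BATCH_HEADER, SOURCE_BATCH))
    for finding in validate_batch(BATCH_HEADER, KEYED_BATCH):
        print("keyed batch:", finding)
```

The check digit catches the transposed account number on its own record, while the hash total and record count catch the dropped record, which no per-record check could see.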

65. An entity should plan the physical location of its computer facility. Which of the following is the primary consideration for selecting a computer site?
A. It should be in the basement or on the ground floor.
B. It should maximize the visibility of the computer.
C. It should minimize the distance that data control personnel must travel to deliver data and reports and be easily accessible by a majority of company personnel.
D. It should provide security.

The computer and other peripheral pieces of hardware should be protected from disasters such as fire, flood, sabotage, and theft. Thus, the primary consideration for selecting a computer site should be the security of the computer facility.

Answer A is incorrect because the basement or the ground floor is not always a secured place. For example, installing a computer facility on the ground floor or in the basement of an old office building in Malabon City could be disastrous because of frequent flooding.

Answer B is incorrect because maximizing the visibility of the computer would be an invitation to burglars and other computer criminals.

Answer C is incorrect because a majority of entity personnel need not have easy access to the computer site since only authorized personnel should be allowed in the computer facility.


66. Which of the following statements regarding security concerns for notebook computers is false?
A. The primary methods of control usually involve application controls.
B. Centralized control over the selection and acquisition of hardware and software is a major concern.
C. Some conventional controls such as segregation of duties may not be feasible.
D. As their use becomes more sophisticated, the degree of concern regarding physical security increases.

General controls apply to all CIS activities. Given the nature of notebook computers, general controls to prevent theft of equipment and data and restrict access to the use of equipment and data must be the primary concerns.

67. The following are a database administrator's responsibilities, except
A. Develop application programs to access the database.
B. Design the content and organization of the database.
C. Protect the database and its software.
D. Monitor and improve the efficiency of the database.

Systems analysts and programmers, not a database administrator, have the responsibility of developing application programs to access the database.

Answers B, C, and D are incorrect because designing the content and organization of the database; protecting the database and its software; and monitoring and improving the efficiency of the database are appropriate responsibilities of a database administrator.

68. Which of the following groups should have the operational responsibility for the accuracy and completeness of computer-based information?
A. External auditors
B. Internal auditors
C. Users
D. Top management

Users are in the best position to review the accuracy and completeness of computer output in relation to the input provided. Thus, the operational responsibility for the accuracy and completeness of computer-based information should be placed on users.

Answer A is incorrect because the primary purpose of external auditing is the expression of an opinion on an entity's financial statements.

Answer B is incorrect because internal auditing is an independent appraisal activity within an organization. Therefore, internal auditors should not have operational responsibility.

Answer D is incorrect because top management is responsible for the overall control of the CIS.

69. An inexperienced computer operator mounted an incorrect version of the accounts receivable master file on a tape drive during processing. Consequently, the entire processing run had to be repeated at a prohibitive cost. Which of the following software controls would be most effective in preventing this type of operator error from affecting the processing of files?
A. File header and label check
B. Data transmission check
C. Memory isolation protection
D. Unauthorized access protection

An effective control to reduce the risk of mounting an incorrect version of a master file is the use of external, header, and trailer labels. An external label is a human-readable label written on gummed paper to be attached to the file. A header label is a machine-readable label at the beginning of a file that identifies it. A trailer label is also a machine-readable label at the end of a file containing control totals and record counts.

Answer B is incorrect because only the accuracy of the communication is verified by a data transmission check.

Answer C is incorrect because memory isolation protection (also called boundary protection) ensures that while multiple jobs are running simultaneously, the memory partition allocated to each job is not changed.

Answer D is incorrect because access controls (for example, the use of personal identification codes such as passwords and PINs) ensure that unauthorized access to programs and files is prevented.

70. Which of the following is the best method to prevent unauthorized alteration of online records?
A. Computer sequence checks
B. Computer matching
C. Database access controls
D. Key verification

Unauthorized access to online records can be prevented by establishing and implementing access controls to ensure that only authorized personnel have access to the company's database.
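The header and trailer label check from question 69 can be sketched in a few functions: the header is tested before any record is processed, and the trailer's record count and control total are reconciled after the file is read. This is an added example, not part of the reviewer; the HDR/DTL/TRL record layout, the file name AR_MASTER and the generation numbers are assumptions constructed for illustration.

```python
"""Header and trailer label check for a sequential master file.

Added illustration. The record layout (HDR/DTL/TRL lines), the file name
AR_MASTER and the generation numbers are constructed for this example.
"""


class LabelError(Exception):
    """The mounted file failed its header or trailer label check."""


def build_file(file_id, generation, records):
    """Return a labelled file as lines: header, detail records, trailer.

    records is a list of (account_number, balance_in_cents) tuples.
    """
    lines = [f"HDR|{file_id}|{generation}"]
    lines += [f"DTL|{account}|{cents}" for account, cents in records]
    control_total = sum(cents for _, cents in records)
    lines.append(f"TRL|{len(records)}|{control_total}")
    return lines


def check_header(lines, expected_file_id, expected_generation):
    """Run before any record is processed: is this the file the job needs?"""
    parts = lines[0].split("|") if lines else []
    if len(parts) != 3 or parts[0] != "HDR" or not parts[2].isdigit():
        raise LabelError("missing or malformed header label")
    if parts[1] != expected_file_id:
        raise LabelError(f"wrong file mounted: {parts[1]}")
    if int(parts[2]) != expected_generation:
        raise LabelError(
            f"wrong version mounted: generation {parts[2]}, "
            f"job requires {expected_generation}")


def read_details(lines):
    """Read the detail records and reconcile them with the trailer label."""
    parts = lines[-1].split("|") if len(lines) >= 2 else []
    if len(parts) != 3 or parts[0] != "TRL":
        raise LabelError("missing trailer label: file is incomplete")
    try:
        expected_count, expected_total = int(parts[1]), int(parts[2])
        records = []
        for line in lines[1:-1]:
            tag, account, cents = line.split("|")
            if tag != "DTL":
                raise ValueError(tag)
            records.append((account, int(cents)))
    except ValueError:
        raise LabelError("malformed record or trailer label") from None
    if len(records) != expected_count:
        raise LabelError(
            f"record count {len(records)} != trailer count {expected_count}")
    total = sum(cents for _, cents in records)
    if total != expected_total:
        raise LabelError(
            f"control total {total} != trailer total {expected_total}")
    return records


def load_master(lines, expected_file_id, expected_generation):
    """Accept the file only if both label checks pass."""
    check_header(lines, expected_file_id, expected_generation)
    return read_details(lines)


def try_load(lines, file_id, generation):
    """Return ('ok', records) or ('rejected', reason) for reporting."""
    try:
        return "ok", load_master(lines, file_id, generation)
    except LabelError as err:
        return "rejected", str(err)


# Constructed files: last week's master (generation 11) and the current one.
STALE = build_file("AR_MASTER", 11, [("1001", 50000), ("1002", 12000)])
CURRENT = build_file(
    "AR_MASTER", 12, [("1001", 30000), ("1002", 12000), ("1003", 7500)])
# The current file with one detail record lost in copying.
DAMAGED = CURRENT[:2] + CURRENT[3:]

if __name__ == "__main__":
    for name, lines in (("current", CURRENT), ("stale", STALE),
                        ("damaged", DAMAGED)):
        print(name, try_load(lines, "AR_MASTER", 12))
```

Because the header is checked first, the stale generation is rejected before a single record is processed, which is what spares the rerun described in the question.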

71. Which of the following would least likely ensure the development of an effective application system?
A. Involvement of management in the development stage.
B. Active participation by user departments in the development stage.
C. Post-implementation reviews.
D. Prioritization of application systems to be developed.

An effective application system is one that meets the organization's objectives. The order in which the applications are implemented does not necessarily influence a system's effectiveness.

Answer A is incorrect because the involvement of management assures that proper resources will be made available during development.


Answer B is incorrect because active participation by users will assure that their information needs (i.e., the system's objectives) will be satisfied.

Answer C is incorrect because post-implementation reviews are necessary to ensure that a newly developed application system includes appropriate controls and meets management directives.

72. Which of the following would most likely cause a problem in the computer program development process?
A. User specifications are inadvertently misunderstood.
B. Programmers use specialized application tools to simulate the system being developed.
C. Programmers take a longer amount of time to develop the computer program than expected.
D. Written user specifications are used to develop detail program code.

Program development involves coding programs in accordance with user specifications. Thus, a misunderstanding about user specifications can have fundamental and pervasive repercussions.

Answer B is incorrect because using specialized application simulation tools should prevent problems.

Answer C is incorrect because although taking a longer amount of time to develop the computer program than expected is undesirable, it does not necessarily preclude the achievement of objectives.

Answer D is incorrect because the system design should incorporate user specifications.

73. Which of the following controls would most likely provide protection against unauthorized changes in production programs?
A. Restricting programmer access to the computer room.
B. Requiring two operators to be present during equipment operation.
C. Limiting program access solely to operators.
D. Implementing management review of daily run logs.

The risk of unauthorized changes will be reduced if systems analysts, programmers, and others are denied access to the resident production programs. However, computer operators should have access to the production programs in order to run the programs.

Answers A and B are incorrect because unauthorized changes to production programs can be made by programmers at terminals regardless of whether they are denied access to the computer room and regardless of whether two operators are present during equipment operation.

Answer D is incorrect because management review of computer (console) logs, not run logs, would be an effective control.

74. Which of the following would most likely indicate that a computer virus is present?
A. Numerous copyright violations due to unauthorized use of purchased software.
B. Unexplained losses of or changes to data.
C. Frequent power surges that harm computer equipment.
D. Inadequate backup, recovery, and contingency plans.

A virus is a program that attaches itself to a legitimate program to penetrate the operating system and cause destruction to the operating system, application programs, and data files. For example, a virus can simply copy itself a number of times within the main memory to destroy resident programs and data.

Answers A, C, and D are incorrect because copyright violations, frequent power surges, and inadequate backup, recovery, and contingency plans are not indicators of a computer virus.


75. Which of the following operating procedures would most likely increase an entity's exposure to computer viruses?
A. Downloading public-domain software from electronic bulletin boards.
B. Installing original copies of purchased software on hard disk drives.
C. Frequent backup of files.
D. Encryption of data files.

Personal computers are a major source of virus penetration. Downloading public-domain software carries a risk that virus-infected data may enter the system.

Answer B is incorrect because original copies of purchased software should be virus-free.

Answers C and D are incorrect because viruses are spread through distribution of infected files, not through encryption or frequent backup of files.

76. An entity installed antivirus software on all its personal computers. The software was designed to prevent initial infections, stop replication attempts, detect infections after their occurrence, mark affected system components, and remove viruses from infected components. The major risk in relying on antivirus software is that it may
A. Consume too many system resources.
B. Interfere with system operations.
C. Not detect certain viruses.
D. Make software installation too complex.

Antiviral programs (also called vaccines) are used to examine application and operating system programs for the presence of viruses and remove them from the affected program. However, a vaccine works only on known viruses and there is no guarantee that it will work if a virus has been mutated.

Answers A and B are incorrect because antiviral software can be set to execute at startup so as not to consume too many system resources.

Answer D is incorrect because installation of antiviral software is not an overly complex process.

77. The accountant who prepared a spreadsheet model for workload forecasting left the company, and his successor was unable to understand how to use the spreadsheet. The best control to permit new employees to understand internally developed programs is
A. Adequate backups are made for spreadsheet models.
B. Use of end-user computing resources is monitored.
C. End-user computing efforts are consistent with strategic plans.
D. Documentation standards exist and are followed.

Because of inadequate program documentation, the accountant's successor could not use the spreadsheet model. New employees will be able to understand internally developed programs if documentation standards exist and are being followed.

Answer A is incorrect because the accountant's successor could not use the spreadsheet model due to inadequate documentation, not inadequate backups.

Answer B is incorrect because monitoring means controlling the use of resources.


Answer C is incorrect because ensuring consistency with strategic plans relates to the system's effectiveness.

78. What is the appropriate term for the process of monitoring, evaluating, and modifying a system?
A. Feasibility study
B. Maintenance
C. Implementation
D. Analysis

Systems maintenance means keeping a new system that has been designed and implemented current with user needs. This basically involves revising the system and application programs to meet new user needs and to correct design errors. The responsibility for systems maintenance is assumed by systems analysts and programmers.

Answer A is incorrect because a feasibility study is made to determine the technical, legal, operational, and schedule (i.e., the company's ability to implement the project within an acceptable time) feasibility of a proposed system.

Answer C is incorrect because system implementation involves data conversion; coding and testing applications; purchase and installation of equipment; training of employees; system documentation; and installation of the new system.

Answer D is incorrect because systems analysis involves a survey of the current system, an analysis of the user's needs, and gathering and evaluation of facts.

79. Program documentation is a control designed primarily to provide reasonable assurance that
A. Programs are kept up to date and perform as intended.
B. No one uses the computer hardware for personal reasons.
C. Programs are free of syntax and logic errors.
D. Programmers have access to operational materials.

Program documentation provides detailed information about each application program including the source program, file formats and record layouts, program flowcharts, written authorizations for all program changes, and operating instructions. For a computer system to operate efficiently, adequate and up-to-date program documentation is necessary. Answer B is incorrect because program documentation cannot ensure security of computer hardware. Answer C is incorrect because debugging should uncover errors in programs. Answer D is incorrect because programme·r s should not have access to operational materials such as the tape library or information on disk files. ·

80. An entity updates its accounts receivable master file weekly and retains the master files and corresponding update transactions for the most recent two-week period. The purpose of this periodic retention of master files and transaction data is to
A. Validate groups of update transactions for each version.
B. Permit reconstruction of the master file if needed.
C. Verify run-to-run control totals for receivables.
D. Match internal labels to avoid writing on the wrong volume.


The grandparent-parent-child approach (also called grandfather-father-son approach) is used in sequential file batch systems. This backup technique begins when the current master file (the parent) is processed against a transaction file to create a new updated master file (the child). When a new batch of transactions is processed, the child becomes the parent (the current master file), and the parent (the original master file) becomes the grandparent or backup file. As described, the grandparent-parent-child backup technique involves the creation and retention of three generations of master files to enable reconstruction of a destroyed or corrupted master file.

The systems designer is responsible for determining the number of backup files needed for each application. The designer should consider the degree of file activity and the financial relevance of the system in making such a decision.

Answers A and D are incorrect because validation routines and internal labels may prevent data from being destroyed but do not allow recovery of lost or destroyed data.

Answer C is incorrect because verification of run-to-run totals ensures completeness of processing, not data recovery.
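The rotation described above, as an added Python example that is not part of the reviewer: each update run produces a child master file, three generations are retained with the transaction file that created each, and a destroyed master file is rebuilt by re-running the retained transactions. The class name, account numbers and amounts are constructed for illustration.

```python
"""Grandparent-parent-child retention for a sequential master file.
All account numbers and amounts are constructed sample data."""
from collections import deque


def apply_batch(master, transactions):
    """Process a master file against a transaction file and return a NEW
    master file (the child); the parent is left untouched."""
    child = dict(master)
    for account, amount in transactions:
        child[account] = child.get(account, 0) + amount
    return child


class MasterFileLibrary:
    """Retains the newest master-file generations together with the
    transaction file that produced each of them (hypothetical helper)."""

    def __init__(self, opening_master, generations=3):
        first = {"master": dict(opening_master), "txns": None}
        self.generations = deque([first], maxlen=generations)

    def current(self):
        return self.generations[-1]["master"]

    def run_update(self, transactions):
        """The child becomes the current master; a generation older than
        the retention limit drops off the left end of the deque."""
        child = apply_batch(self.current(), transactions)
        self.generations.append({"master": child, "txns": list(transactions)})
        return child

    def reconstruct(self, damaged=1):
        """Rebuild the newest `damaged` generations by re-running their
        retained transaction files against the newest intact generation."""
        gens = list(self.generations)
        if damaged >= len(gens):
            raise RuntimeError("no intact generation left to rebuild from")
        base = len(gens) - damaged - 1
        master = gens[base]["master"]
        for gen in gens[base + 1:]:
            master = apply_batch(master, gen["txns"])
            gen["master"] = master
        return master


def demo():
    lib = MasterFileLibrary({"C-100": 500, "C-200": 1200})
    lib.run_update([("C-100", 250), ("C-200", -200)])      # week 1
    lib.run_update([("C-100", -100), ("C-300", 900)])      # week 2
    expected = dict(lib.run_update([("C-200", 50)]))       # week 3

    lib.generations[-1]["master"] = {}                     # child destroyed
    from_parent = lib.reconstruct(damaged=1)

    lib.generations[-1]["master"] = {}                     # child and parent
    lib.generations[-2]["master"] = {}                     # both destroyed
    from_grandparent = lib.reconstruct(damaged=2)
    return expected, from_parent, from_grandparent


if __name__ == "__main__":
    expected, from_parent, from_grandparent = demo()
    print("rebuilt from parent:     ", from_parent == expected)
    print("rebuilt from grandparent:", from_grandparent == expected)
```

Recovery works only because the transaction files are retained alongside the master files; with all three generations damaged, `reconstruct(damaged=3)` raises instead of returning a guess.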

81. An entity's contingency plans for computer information systems should include appropriate backup arrangements. Which of the following arrangements would be considered too vendor-dependent when vital operations require almost immediate availability of computer resources?
A. A "cold site" arrangement.
B. A "hot site" arrangement.
C. A "cold and hot site" arrangement.
D. Using excess capacity at another data center within the entity.

A "cold site" is a backup facility that has all the needed computer resources in place except the computer equipment. This backup arrangement is too vendor-dependent because it relies on the vendor's timely delivery of the needed computer equipment.

Answer B is incorrect because a "hot site" backup facility has all the needed resources in place, including the computer equipment, and is therefore not vendor-dependent.

Answer C is incorrect because a "cold and hot site" backup facility has a "hot site" component that is fully configured and available for immediate use while the "cold site" is being configured, making it not too vendor-dependent.

Answer D is incorrect because having excess capacity at another data center within an entity means that there are available resources that can be used.

82. Which of the following is the primary objective of security software?
A. To detect the presence of computer viruses.
B. To monitor the segregation of functional responsibilities within applications.
C. To prevent installation of unauthorized utility software.
D. To control access to information system resources.

The primary objective of security software is to keep unauthorized intruders from accessing information system resources and data files.


Answer A is incorrect because antiviral software, not security software, detects the presence of computer viruses.

Answer B is incorrect because security software can be used to establish, not monitor, separation of duties.

Answer C is incorrect because security software can be used to control the use of utility software, not to prevent installation of unauthorized utility software.

83. All administrative and professional staff in an entity's legal department prepare documents on terminals connected to a host LAN file server. Which of the following is the best control over unauthorized access to sensitive documents in the system?
A. Required entry of passwords for access to the system.
B. Required entry of passwords for access to individual documents.
C. Physical security for all disks containing document files.
D. Periodic server backup and storage in a secure area.

Effective access controls normally require different passwords to access the system, to read certain data files, and other information system resources. The control over unauthorized access to sensitive documents is required password entry for access to individual documents.

Answer A is incorrect because required entry of passwords for access to the system allows all departmental personnel to gain access to all documents in the system.

Answer C is incorrect because a LAN may not use floppy disks.


Answer D is incorrect because although periodic server backup and storage in a secure area is a good security/backup control procedure, it would not prevent intruders from accessing sensitive documents online.

84. An internal auditor has just concluded a physical security audit of a data center which is primarily engaged in top-secret defense contract work. The auditor has recommended biometric authentication for workers entering the building. The recommendation might include devices that verify all of the following, except
A. Fingerprints
B. Password patterns
C. Speech patterns
D. Retina patterns

The use of biometric devices is considered the ultimate in user authentication procedures. These devices are used to establish an individual's identity by measuring various personal characteristics, such as fingerprints, voiceprints, retina prints, or signature characteristics.

85. Which of the following best describes the process called authentication?
A. The system verifies the identity of the user.
B. The user identifies himself/herself to the system.
C. The user indicates to the system that the transaction was processed correctly.
D. The system verifies that the user is entitled to enter the transactions requested.

Authentication is the process of verifying the identity of the user. Biometric devices are used to authenticate an individual's identity using physiological or behavioral traits such as retina patterns, fingerprints, and speech patterns.


Answer B is incorrect because when a user identifies himself/herself to the system, it does not necessarily mean that the system verifies his/her identity.

Answer C is incorrect because this is an application control that relates to the accuracy of processing transactions.

Answer D is incorrect because authentication does not necessarily include determining the functions of a user whose identity has been verified.

86. Which of the following assurances is not provided by an application control?
A. Review and approval procedures for new systems are set by policy and adhered to.
B. Authorized transactions are completely processed once and only once.
C. Transaction data are complete and accurate.
D. Processing results are received by the intended user.

Review and approval procedures for new systems are controls over systems development and maintenance, which is one of the general controls.

Answers B, C, and D are incorrect because these are the objectives of application controls.

87. Data processing activities may be classified in terms of three stages or processes: input, processing, and output. Which of the following activities is not normally associated with the input stage?
A. Recording
B. Batching
C. Reporting
D. Verifying


Reporting is normally associated with the output stage. Output is the result of computer processing, for example, a hard copy printout of a report, magnetic files, or invoices.

Answers A, B, and D are incorrect because recording, batching, and verifying are normally associated with the input stage.

88. Which of the following is the purpose of input controls?
A. To ensure the authorization of access to data files.
B. To ensure the completeness, accuracy, and validity of updating.
C. To ensure the completeness, accuracy, and validity of input.
D. To ensure the authorization of access to program files.

Input controls are designed to provide reasonable assurance that data received for computer processing are complete, accurate, and valid.

Answers A and D are incorrect because ensuring the authorization of access to data and program files is the objective of access controls.

Answer B is incorrect because ensuring the completeness, accuracy, and validity of updating is the objective of processing controls.

89. If a control total were to be computed on each of the following data items, which would best be identified as a hash total for a payroll IT application?
A. Employee numbers.
B. Total debit and credit amounts.
C. Gross wages earned by employees.
D. Total hours worked.


90. An entity uses the account code 699 for depreciation expense. However, one of the company data input clerks often codes depreciation expense as 996. The highest account code in the company's system is 700. What programmed control procedure would detect this error?
A. Pre-data input check.
B. Sequence check.
C. Valid-code test.
D. Valid-character test.

91. Which of the following provides the most valuable information for detecting unauthorized input from a terminal?
A. User error report
B. Transaction log
C. Error file
D. Console log printout

A transaction log is a permanent record of all completely validated transactions received for computer processing. Subsequent comparison of the transaction log with authorized transactions such as authorized source documents will detect unauthorized input from a terminal.

Answer A is incorrect because a user error report only lists input that fails the validation tests.

Answer C is incorrect because an error file is used to store and correct error records detected during validation.

Answer D is incorrect because a console log is a record of computer and software usage. It does not record individual transactions transmitted from a terminal.

92. Many customers, managers, employees, and suppliers have blamed the computer for making errors. In reality, computers make very few mechanical errors. Which of the following is the most likely source of errors in a fully operational computer-based system?
A. Systems analysis and programming
B. Operator error
C. Processing
D. Input

It is garbage-in, garbage-out in computer processing: erroneous input results in erroneous output.

Answer A is incorrect because proper design and implementation of computer programs would eliminate most syntax and logic errors or bugs.

Answer B is incorrect because operator (run) manuals, which describe how to run the system, decrease the chance of operator error.

Answer C is incorrect because, once a program has been thoroughly tested (for example, by creating hypothetical master files and transaction files to be processed by the program being tested), the processing of appropriate data does not result in errors.

93. Data conversion is the transcription of transaction data from source documents to magnetic tape or disk suitable for computer processing. Which of the following data conversion methods is most difficult to audit?
A. Keying data to disk for online processing.
B. Keying data to disk for batch processing.
C. Reading source data using optical character recognition.
D. Keying data to source documents for magnetic ink character recognition.


Data conversion in online systems is difficult to audit because there is usually no visible audit trail. Transactions are transmitted directly from terminals and hard copy source documents are often lacking.

Answer B is incorrect because keying data to disk for batch processing creates records that can be readily tested.

Answer C is incorrect because hard copy source documents are retained in optical character recognition. Moreover, this method reduces the risks of conversion error.

Answer D is incorrect because magnetic ink character recognition provides hard copy source documents that can be used for audit purposes.

94. Which of the following best describes the online data processing control called preformatting?
A. The display of a document with blanks for data items to be entered by the terminal operator.
B. A program initiated prior to regular input to discover errors in data before entry so that the errors can be corrected.
C. A series of requests for required input data that requires an acceptable response to each request before a subsequent request is made.
D. A check to determine if all data items for a transaction have been entered by the terminal operator.

A preformatted screen approach may be used in online systems to avoid data entry errors. Under this approach, blanks for specified data items will be displayed on the monitor. This is most appropriate when data entry is from a source document. Moreover, the screen format may even be in the form of a transaction document.

Answer B is incorrect because an edit/validation routine is a program initiated prior to regular input to discover errors in data before entry so that errors can be corrected.

Answer C is incorrect because the dialogue approach is another screen prompting method that is most appropriate for data received orally, e.g., by phone.

Answer D is incorrect because a check to determine if all data items for a transaction have been entered by the terminal operator is called completeness check.

95. When erroneous data are detected by computer program controls, such data may be excluded from processing and printed on an error report. Who should review and follow up this error report?
A. Systems analyst
B. Data control group
C. Computer operator
D. Computer programmer

Many entities have a data control group (independent of the computer processing operation) that acts as liaison between the end user and data processing. The data control group is responsible for receiving from users, transaction documents for processing; and controlling the distribution of computer output such as documents and reports. It is responsible for following up error reports to ensure that erroneous records are corrected by users and reprocessed by the computer center.


Answers A, C, and D are incorrect because systems analysts, computer operators, and computer programmers are not independent of computer operations.

96. If a payroll system continues to pay employees who have been terminated, control weaknesses most likely exist because
A. Input file label checking routines built into the program were ignored by the operator.
B. Programmed controls such as limit checks should have been built into the system.
C. Procedures were not implemented to verify and control the receipt by the computer processing department of all transactions prior to processing.
D. There were inadequate manual controls maintained outside the computer system.

In a payroll system, the authorization to pay employees should come from the personnel department, which is external to the computer processing department. Hence, inadequate controls maintained outside the computer system are likely to allow the payments to terminated employees to continue without being detected.

Answers A, B, and C are incorrect because the use of input file labels, limit checks, and batch totals will not detect unauthorized transactions.

97. In the accounting system of Samantha Company, amounts of cash disbursements entered at a computer terminal are transmitted to the computer, which immediately transmits the amounts back to the terminal for display on the terminal screen. This display enables the operator to
A. Establish the validity of the account number.
B. Prevent the overpayment of the account.
C. Verify the accuracy of the amount entered.
D. Verify the authorization of the disbursement.

Displaying the amounts entered on the terminal screen allows the terminal operator to visually verify the accuracy of the amounts entered.

98. Which of the following input validation checks is least likely to be appropriate in an online, real-time system?
A. Sign check
B. Sequence check
C. Reasonableness check
D. Redundant data check

The sequence check control is appropriate only in systems that use sequential master files. This control determines if the records are in proper order by comparing the sequence of each record in the batch with the previous record. Because records are not processed sequentially in an online, real-time system, this control is not likely to be appropriate.

Answers A, C, and D are appropriate in an online, real-time system.

A sign check tests data to determine if they have the appropriate arithmetic sign.

A reasonableness check determines if an amount falls within predefined limits. For example, the number of hours worked in a single day should be neither less than zero nor more than 12.

A redundancy check assures that an application processes each record only once.


99. A receiving clerk keyed in a shipment from a remote terminal and inadvertently omitted the purchase order number. Which of the following controls would most likely detect this error?
A. Completeness check
B. Compatibility check
C. Sequence check
D. Reasonableness test

A completeness test identifies missing data within a single transaction record (for example, missing purchase order number on the shipping document) or records within a batch of transaction data.

Answer B is incorrect because a compatibility check (also called field test) determines whether a field contains proper characters.

Answer C is incorrect because a sequence check determines if records have been properly sorted.

Answer D is incorrect because a reasonableness test determines if the value is within predetermined limits.

100. A wholesaler of automotive parts has a computerized billing system. Because of a clerical error while entering information from the sales order, one of its customers was billed for only three of the five items ordered and received. Which of the following controls could have prevented or promptly detected this clerical error?
A. Periodic comparison of total accounts receivable per accounts receivable master file with total accounts receivable per accounts receivable control account.
B. A completeness check that does not allow a sales invoice to be processed if key fields are blank.
C. Prenumbered shipping documents together with a procedure for follow up anytime there is not a one-to-one relationship between shipping documents and sales invoices.
D. Matching line control counts produced by the computer with predetermined line control counts.

A line control count could have prevented or promptly detected the clerical error. This control technique involves a count of individual line items on a document. Missing lines can be detected by simply comparing these counts with predetermined line control counts for each document.

Answer A is incorrect because the three-item sales invoice would be the basis for updating both the accounts receivable master file and control account. Hence, no discrepancy would be disclosed by the comparison.

Answer B is incorrect because a completeness check would not detect the billing error because other sales invoices may properly contain three or fewer lines.

Answer C is incorrect because although the sales invoice has missing lines, it exists and can be matched with the shipping document.

101. Which of the following computerized control procedures would most likely provide reasonable assurance that data uploaded from personal computers to a mainframe are complete and that no additional data are added?
A. Field-level edit controls that test each field for alphanumerical integrity.
B. Self-checking digits to ensure that only authorized part numbers are added to the database.
C. Batch control totals, including financial totals and hash totals.
D. Passwords that effectively limit access to only those authorized to upload the data to the mainframe.

Batch totals, which consist of record counts, financial or control totals, and hash totals, can be used to ensure the accuracy and completeness of data uploaded from personal computers to a mainframe. After the uploading process, these totals are reconciled with predetermined totals to test if the data have been completely transferred.

A record count (also called item count) is the total number of records in a batch.

A financial or control total is the total peso value of a financial field, for example, the total sales invoice amounts.

A hash total is the total of a unique nonfinancial field, for example, the total of purchase order numbers in a batch.

Answers A, B, and D are incorrect because they do not provide assurance about the completeness of data uploaded.
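The reconciliation described above, as an added Python example that is not part of the reviewer: the three batch totals are computed on the sending side, recomputed on what the mainframe received, and compared. The record layout, purchase order numbers and amounts are constructed; the cases show which total catches which kind of change.

```python
"""Batch control totals for an upload (record layout and values constructed)."""
from decimal import Decimal

CONTROL_TOTALS = ("record_count", "financial_total", "hash_total")


def batch_totals(records):
    """Record count, financial total and hash total for one batch."""
    return {
        "record_count": len(records),
        "financial_total": sum((r["amount"] for r in records), Decimal("0")),
        # Hash total: sum of a nonfinancial field; meaningless as a number,
        # useful only for comparison.
        "hash_total": sum(r["po_number"] for r in records),
    }


def reconcile(predetermined, received):
    """Return the names of the control totals that do not agree."""
    computed = batch_totals(received)
    return [name for name in CONTROL_TOTALS
            if computed[name] != predetermined[name]]


# Batch as prepared on the personal computer (constructed sample data).
SENT = [
    {"po_number": 4101, "amount": Decimal("1250.00")},
    {"po_number": 4102, "amount": Decimal("310.50")},
    {"po_number": 4103, "amount": Decimal("980.25")},
    {"po_number": 4104, "amount": Decimal("45.00")},
]
PREDETERMINED = batch_totals(SENT)


def upload_cases():
    """Reconcile several versions of the batch as the mainframe might see it."""
    received = {
        "intact": list(SENT),
        # Last record lost in transfer.
        "dropped": SENT[:-1],
        # A record that was never in the batch appears.
        "added": SENT + [{"po_number": 4105, "amount": Decimal("75.00")}],
        # One record replaced by another with the same amount: count and
        # financial total still agree, only the hash total moves.
        "substituted": SENT[:2]
        + [{"po_number": 4999, "amount": Decimal("980.25")}]
        + SENT[3:],
        # Amount changed on an existing record.
        "altered": [SENT[0], dict(SENT[1], amount=Decimal("3105.00"))] + SENT[2:],
    }
    return {name: reconcile(PREDETERMINED, batch)
            for name, batch in received.items()}


if __name__ == "__main__":
    for name, mismatches in upload_cases().items():
        print(f"{name:12} -> {mismatches or 'all totals agree'}")
```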

102. An entity's labor distribution report requires extensive corrections each month because of labor hours charged to inactive jobs. Which of the following data processing input controls appears to be missing?
A. Validity check
B. Limit check
C. Missing data check
D. Control total

Validity checks compare actual values in a field (for example, a transaction code) against acceptable (valid) values in the master file. If the value in the field does not match one of the acceptable values, the record is considered to be in error. If the computer checks first for validity of the jobs, labor hours would not be erroneously assigned to inactive jobs.

Answer B is incorrect because a limit check determines if the value in the field exceeds a predetermined limit.

Answer C is incorrect because missing data checks are used to determine if a field contains blank spaces. The computer considers a record in error if blanks are detected where data values are expected.

Answer D is incorrect because control totals are used to reconcile computer input with processing results.
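The three edit checks contrasted above, as an added Python example that is not part of the reviewer: the same labor batch is run once with only the missing data and limit checks and once with the validity check added, showing that only the validity check stops hours charged to an inactive job. The job master file, the 12-hour limit and all records are constructed assumptions.

```python
"""Edit routine for labor-distribution input (all data constructed)."""

# Assumed job master file: job code -> status.
JOB_MASTER = {"J-1001": "active", "J-1002": "active", "J-0907": "inactive"}
DAILY_HOURS_LIMIT = 12          # assumed predetermined limit
REQUIRED_FIELDS = ("employee_id", "job_code", "hours")


def missing_data_check(rec):
    """Flag fields that are blank where a data value is expected."""
    return [f"missing data: {name} is blank" for name in REQUIRED_FIELDS
            if not str(rec.get(name, "")).strip()]


def limit_check(rec):
    """Flag hours that exceed the predetermined limit."""
    raw = str(rec.get("hours", "")).strip()
    if not raw:
        return []               # blanks belong to the missing data check
    try:
        hours = float(raw)
    except ValueError:
        return ["limit: hours is not numeric"]
    if hours > DAILY_HOURS_LIMIT:
        return [f"limit: {hours:g} hours exceeds {DAILY_HOURS_LIMIT}"]
    return []


def validity_check(rec):
    """Compare the job code against acceptable values in the master file.
    Only active jobs are acceptable for labor charges."""
    code = str(rec.get("job_code", "")).strip()
    if not code:
        return []               # blanks belong to the missing data check
    status = JOB_MASTER.get(code)
    if status is None:
        return [f"validity: job {code} is not on the master file"]
    if status != "active":
        return [f"validity: job {code} is {status}"]
    return []


def run_edit(batch, checks):
    """Apply the checks to every record; return (accepted, error_report)."""
    accepted, error_report = [], []
    for rec in batch:
        errors = [msg for check in checks for msg in check(rec)]
        if errors:
            error_report.append((rec.get("employee_id"), errors))
        else:
            accepted.append(rec)
    return accepted, error_report


BATCH = [   # constructed input records
    {"employee_id": "E01", "job_code": "J-1001", "hours": "8"},
    {"employee_id": "E02", "job_code": "J-0907", "hours": "8"},    # inactive job
    {"employee_id": "E03", "job_code": "", "hours": "7.5"},        # blank job
    {"employee_id": "E04", "job_code": "J-1002", "hours": "14"},   # over limit
    {"employee_id": "E05", "job_code": "J-7777", "hours": "6"},    # unknown job
]


def accepted_ids(checks):
    accepted, _ = run_edit(BATCH, checks)
    return [rec["employee_id"] for rec in accepted]


if __name__ == "__main__":
    print("without validity check:", accepted_ids([missing_data_check, limit_check]))
    all_checks = [missing_data_check, limit_check, validity_check]
    print("with validity check:   ", accepted_ids(all_checks))
    for employee, errors in run_edit(BATCH, all_checks)[1]:
        print(" error report:", employee, errors)
```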


103. If, in reviewing an application system, it is noted that batch controls are not used, which of the following statements by the user of the system is acceptable as a compensating control?
A. "The volume of transactions prohibits batching."
B. "We do a 100% physical review of the input document to the output document."
C. "We do a 100% key verification of all data input."
D. "The supervisor must approve all inputs."

A 100% physical review of the input document to the output document will provide evidence that all records are completely and accurately processed. Thus, this procedure will compensate for the lack of batch control totals.


Answer A is incorrect because the use of batch control totals is most appropriate in managing high volumes of transaction data.

Answer C is incorrect because a 100% key verification does not assure that all records submitted for processing were keypunched.

Answer D is incorrect because the supervisor's approval of all inputs does not assure that all approved inputs were processed.

104. A mail-order retailer of low-cost novelty items is receiving an increasing number of complaints from customers about the wrong merchandise being shipped. The order code for items has the format WWXXYYZZ which has the following meaning:
WW major category
XX minor category
YY identifies the item
ZZ identifies the catalog
In many cases, the wrong merchandise was sent because adjacent characters in the order code had been transposed. The most effective control to prevent this erroneous input is to
A. Use a master file reference for order codes to verify the existence of items.
B. Separate the parts of the order code with hyphens to make the characters easier to read.
C. Add check digits to the order codes and verify them for each order.
D. Require customers to specify the name for each item they order.

Transposition errors can corrupt data codes and cause serious data processing problems if they go undetected. An effective control to detect data coding errors is by adding a check digit (or digits) to a data code. The check digit is the result of the mathematical calculation done based on the original data code (the simplest form is to add all the digits in the code). During the input process, the system recalculates the check digit for each input and compares the result with the check digit attached to the data code entered.

Answer A is incorrect because order codes containing transposed characters may match other items in the file. Thus, the use of a master file reference code would not detect erroneous order codes.

Answer B is incorrect because the use of hyphens would make the order code easier to read, but would not detect order codes with transposed characters.

Answer D is incorrect because requiring customers to specify the name for each item they order would generally not allow detection of erroneous codes.

105. Which of the following is the major purpose of the auditor's study and evaluation of the company's computer processing operations?
A. Ensure the exercise of due professional care.
B. Evaluate the reliability and integrity of financial information.
C. Become familiar with the company's means of identifying, measuring, classifying, and reporting information.
D. Evaluate the competence of computer processing operating personnel.
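Relating to the check-digit control in item 104 and its explanation, an added Python example that is not part of the reviewer: it tests every adjacent-character transposition of one order code against two schemes, the digit sum mentioned there as the simplest form and a position-weighted modulus-11 check character. Assumptions: order codes are all numeric, the digit sum is reduced modulo 10 to a single digit, the modulus-11 scheme is a common alternative that the reviewer does not name, and the order code 12073104 is constructed.

```python
"""Check digits versus adjacent transpositions in a WWXXYYZZ order code.
The order code used here is constructed sample data."""


def digit_sum_check(code):
    """Simplest form: add all the digits (kept to one digit with mod 10)."""
    return str(sum(int(c) for c in code) % 10)


def mod11_check(code):
    """Position-weighted modulus 11 (assumed scheme, not from the reviewer).
    Weights run from len(code)+1 down to 2; the check character has weight 1,
    so a valid code's weighted sum is a multiple of 11. Codes longer than
    9 digits would need a different weighting."""
    weights = range(len(code) + 1, 1, -1)
    total = sum(w * int(c) for w, c in zip(weights, code))
    value = (11 - total % 11) % 11
    return "X" if value == 10 else str(value)


def is_valid(entered, scheme):
    """Recalculate the check character for the entered code and compare it
    with the one attached to the code."""
    body, check = entered[:-1], entered[-1]
    return body.isdigit() and scheme(body) == check


def adjacent_transpositions(code):
    """Every code obtained by swapping two different adjacent characters."""
    return [code[:i] + code[i + 1] + code[i] + code[i + 2:]
            for i in range(len(code) - 1) if code[i] != code[i + 1]]


def undetected(code, scheme):
    """Transposed order codes that still pass verification when entered
    with the check character of the ORIGINAL code."""
    check = scheme(code)
    return [t for t in adjacent_transpositions(code)
            if is_valid(t + check, scheme)]


ORDER_CODE = "12073104"   # WW=12, XX=07, YY=31, ZZ=04 (constructed)

if __name__ == "__main__":
    for name, scheme in (("digit sum", digit_sum_check),
                         ("modulus 11", mod11_check)):
        missed = undetected(ORDER_CODE, scheme)
        print(f"{name:10} check={scheme(ORDER_CODE)} "
              f"transpositions tried={len(adjacent_transpositions(ORDER_CODE))} "
              f"undetected={len(missed)}")
```

A plain digit sum is unchanged by reordering, so it passes every transposed code; the weighted sum shifts by the difference between the two swapped digits, which is never a multiple of 11.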

The auditor studies and evaluates information systems primarily to ascertain whether financial data are accurate, reliable, timely, and complete.

Answer A is incorrect because auditors are required to exercise due professional care in all audits.

Answer C is incorrect because becoming familiar with the company's information system is a means to achieve the auditor's principal objective.

Answer D is incorrect because evaluating the competence of computer processing operating personnel is not the auditor's primary purpose of evaluating the company's information system.

106. When the auditor chooses to use only the non-IT segment of a client's control to assess control risk, it is referred to as auditing around the computer. Which one of the following conditions need not be present to apply this audit approach?
A. The output must be listed in sufficient detail to enable the auditor to trace individual transactions.
B. The source documents must be filed in a manner that makes it possible to locate them.
C. The source documents must be available in a non-machine language.
D. Computer programs must be available in English.

107. The following statements relate to the auditor's assessment of control risk in an entity's computer environment. Which is correct?
A. The auditor usually can ignore the computer system if he/she can obtain an understanding of the controls outside the computer information system.
B. If the general controls are ineffective, the auditor ordinarily can assess control risk at a low level if the application controls are effective.
C. The auditor's objectives with respect to the assessment of control risk are the same as in a manual system.
D. The auditor must obtain an understanding of the internal control and test controls in computer environments.

The overall objective and scope of an audit does not change in a CIS environment. Regardless of the information system used by the entity, manual or computerized, the auditor is required to obtain an understanding of internal control and assess control risk to plan the audit.

Answer A is incorrect because, when an entity's computer information system is significant (i.e., it has a material effect on financial statement assertions), the auditor is required to obtain an understanding of the CIS environment and determine whether it may influence the assessment of inherent and control risks.

Answer B is incorrect because, if general controls are ineffective, the auditor is unlikely to assess control risk at a low level, regardless of whether application controls have been designed and implemented for each significant accounting application.

Answer D is incorrect because tests of controls should be performed only when the auditor's risk assessment includes an expectation of the operating effectiveness of controls (i.e., control risk is assessed at below the maximum), or when substantive procedures alone do not provide sufficient appropriate audit evidence at the assertion level.

108. Computer programs and data that the auditor may use as part of the audit procedures to process data of audit significance contained in an entity's information system are called
A. CAATs
B. DOOGs
C. BIIKs
D. BIIRDs

Computer-assisted audit techniques (CAATs) are computer programs and data that the auditor may use in performing various audit procedures, including the following:
• tests of details of transactions and balances
• analytical review procedures
• tests of general and application controls
• sampling programs to extract data for audit testing
• reperformance of calculations performed by the entity's accounting system

Answers B, C, and D are incorrect because DOOGs, BIIKs and BIIRDs are not used in information technology (IT).

109. One common type of CAAT is the use of audit software to process data of audit significance from the entity's information system. An audit software that has widespread popularity because it is easy to use and requires little computer background on the part of the auditor; it can be used on both mainframe and PC systems; it allows the auditor to perform his/her tests independent of the entity's computer processing personnel; and it can be used to audit the data in most file formats and structures is called a
A. Customized program.
B. Purpose-written program.
C. Utility program.
D. Package or generalized audit software (GAS).

The easy-to-use and flexibility features of generalized audit software (GAS) make it very popular to auditors in the audit of information technology (IT) environments. This audit software is designed to perform common audit tasks or standardized data processing functions, such as the following:
• reading data files
• selecting and analyzing information
• summarizing and totaling files
• performing or verifying calculations
• creating data files
• providing totals of unusual items
• reporting in an auditor-specified format

Answers A and B are incorrect because customized or purpose-written programs are designed to perform audit tasks in specific circumstances. These programs are used when an entity's computer information system is so unique or complex that any GAS is deemed unsuitable.

Answer C is incorrect because utility programs are part of the operating system and security software packages that are provided by computer manufacturers and software vendors. This software performs routine data processing functions, such as sorting, copying, creating, merging, erasing, and printing files. It is not generally designed for audit purposes and may not contain audit features, such as record counts or control totals.


110. Customized or purpose-written programs perform audit tasks in specific circumstances where package audit software is deemed unsuitable, usually because system constraints make it difficult or impossible to use. A purpose-written program may be developed by

      The auditor    The entity being audited    An outside programmer hired by the auditor
A.    No             Yes                         Yes
B.    Yes            Yes                         Yes
C.    Yes            No                          No
D.    No             No                          No

111. These computer programs are enhanced productivity tools that are typically part of a sophisticated operating systems environment, for example, data retrieval software or code comparison software.
A. Purpose-written programs
B. System management programs
C. Utility programs
D. Generalized audit software

112. Embedded audit routines are sometimes built into an entity's computer information system to provide data for later use by the auditor. One technique involves embedding audit software modules within an application system to provide continuous monitoring of the entity's transactions. These audit modules are used to create logs that collect transaction information for subsequent review by the auditor. These logs are called
A. Systems control audit review files (SCARFs)
B. Console logs
C. Computer logs
D. IT logs


113. When an accounting application is processed by computer, an auditor cannot verify the reliable operation of programmed controls by
A. Periodically submitting auditor-prepared test data to the same computer process and evaluating the results.
B. Constructing a processing system for accounting applications and processing actual data from throughout the period through both the client's program and the auditor's program.
C. Manually comparing detail transaction files used by an edit program with the program's generated error listings to determine that errors were properly identified by the edit program.
D. Manually reperforming, as of a moment in time, the processing of input data and comparing the simulated results with the actual results.

The effectiveness of programmed controls may not be tested if auditing around the computer (also called the black box approach) is to be applied. This involves manual comparison of the input data with the computer output. Because programmed controls are built into the computer program, the auditor should instead apply the white box approach. This means that the auditor should have an in-depth understanding of how the programmed controls function and should consider using CAATs in testing their effectiveness.

Answer A is incorrect because the use of the test data approach is an effective method of evaluating the reliability of programmed control procedures.


Answer B is incorrect because parallel simulation is also an effective method of evaluating the reliability of programmed controls.

Answer C is incorrect because manually comparing the output of an auditor's edit program with the error listings generated by the client's program would provide evidence about the reliability of programmed controls.

114. Auditing through the computer must be used when
A. Generalized audit software is not available.
B. Processing is primarily online and updating is real-time.
C. Input transactions are batched and system logic is straightforward.
D. Processing primarily consists of sorting the input data and updating the master file sequentially.

Auditing through the computer involves an in-depth understanding of the computer program's logic. This approach is appropriate when a complex and significant application is involved and evidence external to the computer system is unlikely to be available, for example, in an online, real-time system.

Answer A is incorrect because, in deciding on what audit approach is appropriate (auditing through or around the computer), the auditor determines whether evidence external to the computer is available, not whether generalized audit software is available.

Answer C is incorrect because, in a simple batch system, auditing around the computer (the black box approach) is appropriate because evidence external to the computer, such as printouts and source documents, can be directly examined by the auditor.


Answer D is incorrect because, when processing is simple (for example, when files are stored and processed sequentially), evidence outside the computer is likely to be available.

115. When an auditor tests a computer information system, which of the following is true of the test data approach?
A. Test data are processed by the client's computer programs under the auditor's control.
B. Several transactions of each type must be tested.
C. Test data must consist of all possible valid and invalid conditions.
D. The program tested is different from the program used throughout the year by the entity.

Under the test data approach, the auditor processes a specially prepared set of input data containing possible valid and invalid conditions using the client's application program. The results of each test are compared with predetermined results, based on the auditor's understanding of the programmed controls. This approach will allow the auditor to make an objective evaluation of the program logic and the effectiveness of programmed controls.

Answer B is incorrect because only one of each transaction type needs to be tested and evaluated.

Answer C is incorrect because the auditor tests only those controls that are relevant to the financial statement audit.

Answer D is incorrect because, if the program to be used for testing is different from the program used throughout the year by the client, no assurance can be obtained about the effectiveness of programmed controls.

116. An auditor who is testing IT controls in a payroll system would most likely use test data that contain conditions such as
A. Payroll checks with unauthorized signatures.
B. Deductions not authorized by employees.
C. Time tickets with invalid job numbers.
D. Overtime not approved by supervisors.

117. Auditors have learned that increased computerization has created more opportunities for computer fraud but has also led to the development of computer audit techniques to detect frauds. A type of fraud that has occurred in the banking industry is a programming fraud in which the programmer designs a program to calculate daily interest on savings accounts to four decimal points. The programmer then truncates the last two digits and adds it to his account balance. Which of the following CAATs would be most effective in detecting this type of fraud?
A. Generalized audit software that selects account balances for confirmation with the depositor.
B. Snapshot.
C. Parallel simulation.
D. SCARF (Systems Control and Audit Review File).

In parallel simulation, the auditor uses a specially prepared computer program that simulates key features or processes of the application program to be tested. Program logic and controls are evaluated by comparing the results of processing actual data using the simulation program with the results of processing the same actual data using the client's application program.
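As an added illustration (not part of the reviewer), the sketch below runs a minimal parallel simulation for the interest fraud in question 117: the auditor's own routine recomputes each day's credit from the same balances and compares it with what the client program posted. The account numbers, balances, the 3.65% annual rate and the rounding policies are constructed assumptions.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

# Assumed annual rate, chosen so the daily rate is exactly 0.0001.
DAILY_RATE = Decimal("0.0365") / 365
FOUR_DP = Decimal("0.0001")
CENT = Decimal("0.01")

# Constructed sample of one day's client output:
# (account, balance used for the day, interest the client program credited)
CLIENT_OUTPUT = [
    ("SA-1001", Decimal("12345.67"), Decimal("1.23")),
    ("SA-1002", Decimal("98765.43"), Decimal("9.87")),
    ("SA-1003", Decimal("55555.55"), Decimal("5.55")),
    ("SA-9999", Decimal("250.00"), Decimal("0.04")),
]


def expected_credit(balance, rounding=ROUND_HALF_UP):
    """Auditor's independent calculation: interest to four decimals,
    then reduced to centavos under the bank's stated policy (assumed)."""
    four_dp = (balance * DAILY_RATE).quantize(FOUR_DP, rounding=ROUND_HALF_UP)
    return four_dp.quantize(CENT, rounding=rounding)


def parallel_simulation(client_output, rounding=ROUND_HALF_UP):
    """Reprocess the same actual data and return every account whose
    credited interest differs from the simulated amount."""
    exceptions = []
    for account, balance, credited in client_output:
        expected = expected_credit(balance, rounding)
        if credited != expected:
            exceptions.append((account, credited, expected, credited - expected))
    return exceptions


def over_credited(exceptions):
    """Accounts that received more than the simulation allows."""
    return [row[0] for row in exceptions if row[3] > 0]


if __name__ == "__main__":
    for policy, mode in (("round half up", ROUND_HALF_UP), ("truncate", ROUND_DOWN)):
        found = parallel_simulation(CLIENT_OUTPUT, mode)
        print(policy, found, "over-credited:", over_credited(found))
```

Whichever rounding policy the bank documents, the comparison isolates the one account credited more than the recomputation supports, a difference far too small for a depositor confirmation to surface.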


Parallel simulation is the most effective CAAT application because the amounts credited to the depositors' accounts can be compared with amounts calculated by the auditor's simulation program.

Answer A is incorrect because confirmation of a depositor's account balance may fail to detect errors involving a very insignificant amount (i.e., less than one centavo daily).

Answers B and D are incorrect because SCARFs and snapshots will not detect the computer fraud described.

118. To obtain evidence that online access controls are properly functioning, an auditor is most likely to
A. Vouch a random sample of processed transactions to assure proper authorization.
B. Create checkpoints at periodic intervals after live data processing to test for unauthorized use of the system.
C. Enter invalid identification numbers or passwords to ascertain whether the system rejects them.
D. Examine the transaction log to discover whether any transactions were lost or entered twice because of a system malfunction.

The auditor can directly test whether online access controls are properly functioning by attempting to gain access to the system by using invalid identification numbers or passwords.

Answer A is incorrect because unauthorized transactions may be entered by any intruder who knows valid identification numbers or passwords.


Answer B is incorrect because, in batch computer systems, checkpoints are used as a recovery procedure.

Answer D is incorrect because examining the transaction log to discover whether any transactions were lost or duplicated would not determine if online access controls are functioning effectively.

119. Which of the following CAATs allows fictitious and real transactions to be processed together without the knowledge of client operating personnel?
A. Data entry monitor
B. Integrated test facility (ITF)
C. Parallel simulation
D. Input control matrix

The integrated test facility (ITF) approach enables the auditor to test a computer program's logic and controls during its normal operation. Under this approach, fictitious records for dummy units (for example, a division, a department, or a dummy entity) are integrated with legitimate records in the database.

During normal computer processing, test transactions are merged with actual transactions and processed against the dummy records in the master file.

Because computer applications with ITF can be tested without intervention of operating personnel, ITF enhances audit efficiency and increases the reliability of the audit evidence.

Answers A and D are incorrect because a data entry monitor and input control matrix are not used by the auditor in testing an entity's computer information system.


Answer C is incorrect because, in parallel simulation, real (not fictitious) transactions are reprocessed.


120. In auditing an online perpetual inventory system, an auditor selected certain file-updating transactions for detailed testing. The audit technique that will provide a computer trail of all relevant processing steps applied to a specific transaction is called
A. Snapshot
B. Simulation
C. Tagging and tracing
D. Code comparison

Tagging and tracing involves selection of specific transactions to be tagged (by attaching an indicator at input) and traced through critical control points in the computer information system. The computer trail can be printed or stored in a computer file for the auditor's evaluation.


Answers A, B, and D are incorrect because snapshot, simulation, and code comparison do not provide a trail of all relevant processing steps.

TRUE OR FALSE



1. A hash total is a numeric value computed to provide assurance that the original value has not been altered in construction or transmission.

2. General controls include data validation controls.


3. A limit or reasonableness test is a test to ensure that a numerical value does not exceed some predetermined value.

4. The control environment component of internal controls includes access to computer programs.

5. As opposed to a manual control, an automated control should function consistently in the absence of program changes.

6. The display monitor is a software component of a computer system.

7. The systems analyst should not be allowed access to program listings of application programs.

8. The posting of a transaction, as it occurs, to several files, without intermediate printouts, is a characteristic of a batch processed computer system.

9. Controls which are built in by the manufacturer to detect equipment failure are called input controls.

10. Echo checks, data encryption, and parity checks are data transmission controls.

11. When applying the test data approach, auditors use auditor-controlled software to do the same operations that the client's software does, using the same data files.

12. A problem for a CPA associated with advanced IT systems is that the audit trail is sometimes generated only in machine-readable form.


13. Controls which are designed to assure that the information processed by the computer is authorized, complete, and accurate are called input controls.

14. A system in which the end user is responsible for the development and execution of the computer application that he or she uses is called decentralized computing.

15. In an IT-intensive environment, most processing controls are programmed controls.

16. An example of an access control is a check digit.

17. Output controls are designed to assure that data generated by the computer are used appropriately by management.

18. An internal control deficiency occurs when computer personnel originate changes in customer master files.

19. Auditing through the computer is generally used when processing is primarily online and updating is real-time.

20. General controls have a pervasive effect on the operating effectiveness of application controls.

21. Random errors are more likely in a batch system than in an online system.

22. Auditing by testing the input and output of a computer system instead of the computer program itself will detect all program errors, regardless of the nature of the output.

23. In an IT system, automated equipment controls or hardware controls are designed to detect and control errors arising from the use of equipment.


24. Logging in to the company's information systems via a password is an application control.

25. Controls that relate to a specific use of the IT system, such as the processing of sales or cash receipts, are called general controls.

KEY ANSWERS

1. D     25. B    49. B    73. C    97. C
2. B     26. A    50. B    74. B    98. B
3. B     27. D    51. D    75. A    99. A
4. B     28. B    52. C    76. C    100. D
5. C     29. B    53. A    77. D    101. C
6. B     30. C    54. B    78. B    102. A
7. D     31. C    55. D    79. A    103. B
8. B     32. D    56. A    80. B    104. C
9. D     33. C    57. A    81. A    105. B
10. C    34. C    58. C    82. D    106. D
11. B    35. C    59. C    83. B    107. C
12. D    36. B    60. C    84. B    108. A
13. D    37. A    61. A    85. A    109. D
14. A    38. A    62. B    86. A    110. B
15. D    39. D    63. B    87. C    111. B
16. A    40. B    64. A    88. C    112. A
17. A    41. A    65. D    89. A    113. D
18. B    42. C    66. A    90. C    114. B
19. A    43. B    67. A    91. B    115. A
20. C    44. B    68. C    92. D    116. C
21. D    45. B    69. A    93. A    117. C
22. C    46. A    70. C    94. A    118. C
23. C    47. D    71. D    95. B    119. B
24. B    48. C    72. A    96. D    120. C

TRUE OR FALSE

1. False    6. False     11. False    16. False    21. False
2. False    7. False     12. True     17. False    22. False
3. True     8. False     13. True     18. True     23. True
4. False    9. False     14. False    19. True     24. False
5. True     10. True     15. True     20. True     25. False
