1. Which statement is incorrect regarding internal controls in a CIS environment?

a. Manual and computer control procedures comprise the overall controls affecting the CIS environment
(general CIS controls) and the specific controls over the accounting applications (CIS application
controls).
b. The purpose of general CIS controls is to establish a framework of overall control over the CIS
activities and to provide a reasonable level of assurance that the overall objectives of internal control
are achieved.
c. The purpose of CIS application controls is to establish specific control procedures over the
application systems in order to provide reasonable assurance that all transactions are authorized and
recorded, and are processed completely, accurately and on a timely basis.
d. The internal controls over computer processing, which help to achieve the overall objectives of
internal control, include only the procedures designed into computer programs.
2. An on-line access control that checks whether the user’s code number is authorized to initiate a specific
type of transaction or inquiry is referred to as *

a. Password
b. Compatibility test
c. Limit check
d. Reasonableness test
3. A control procedure that could be used in an on-line system to provide an immediate check on whether
an account number has been entered on a terminal accurately is a *

a. Compatibility test
b. Record count

c. Hash total
d. Self-checking digit

4. A control
4. A control designed to catch errors at the point of data entry is *

a. Batch total
b. Self-checking digit
c. Record count
d. Checkpoints

5. Program documentation is a control designed primarily to ensure that *

 a. Programmers have access to the tape library or information on disk files.
b. Programs do not make mathematical errors.
c. Programs are kept up to date and perform as intended.
d. Data have been entered and processed.

6. Which one of the following represents a lack of internal control in a computer-based information
system? *

a. The design and implementation is performed in accordance with management’s specific

authorization.
b. Any and all changes in application programs have the authorization and approval of management.
c. Provisions exist to protect data files from unauthorized access, modification, or destruction.
d. Both computer operators and programmers have unlimited access to the programs and data
files.
7. Which of the following most likely represents a significant deficiency in the internal control structure?
*

a. The systems analyst review applications of data processing and maintains systems documentation.
b. The systems programmer designs systems for computerized applications and maintains output
controls.
c. The control clerk establishes control over data received by the EDP department and reconciles
control totals after processing
d. The accounts payable clerk prepares data for computer processing and enters the data into the
computer.
8. For control purposes, which of the following should be organizationally segregated from the computer
operations function? *

a. Data conversion
b. Systems development
c. Surveillance of CRT messages
d. Minor maintenance according to a schedule
Option 5
9. Compatibility tests are sometimes employed to determine whether an acceptable user is allowed to
proceed. In order to perform compatibility tests, the system must maintain an access control matrix. The
one item that is not part of an access control matrix is a *

a. List of all authorized user code numbers and passwords.

b. List of all files maintained on the system.
 c. Record of the type of access to which each user is entitled.
d. Limit on the number of transaction inquiries that can be made by each user in a specified time
period.
10. an automated payroll system, all employees in the finishing department were paid the rate of P75 per
hour when the authorized rate was P70 per hour. Which of the following controls would have been most
effective in preventing such an error? *

a. Access controls which would restrict the personnel department’s access to the payroll master file
data.
b. A review of all authorized pay rate changes by the personnel department.

c. The use of batch control totals by department.

d. A limit test that compares the pay rates per department with the maximum rate for all
employees.
11. To obtain evidence that online access controls are properly functioning, an auditor most likely would
*

a. Create checkpoints at periodic intervals after live data processing to test for unauthorized use of the
system.
b. Examine the transaction log to discover whether any transactions were lost or entered twice due to a
system malfunction
c. Enter invalid identification numbers or passwords to ascertain whether the system rejects
them.
d. Vouch a random sample of processed transactions to assure proper authorization
Option 5
12. An auditor most likely would introduce test data into a computerized payroll system to test internal
controls related to the *

a. Existence of unclaimed payroll checks held by supervisors.

b. Early cashing of payroll checks by employees.
c. Discovery of invalid employee I.D. numbers.
d. Proper approval of overtime by supervisors.
13. Internal
13. Internal control is ineffective when computer department personnel *

a. Participate in computer software acquisition decisions.

b. Design documentation for computerized systems.

c. Originate changes in master file.

 d. Provide physical security for program files.
Option 5
14. From an audit viewpoint, which of the following represents a potential disadvantage associated with
the widespread use of microcomputers? *

a. Their portability.
b. Their ease of access by novice users.
c. Their easily developed programs using spreadsheets which do not have to be documented.
d. All of the above.
Option 5
15. Internal control is ineffective when computer department personnel *

a. Participate in computer software acquisition decisions.

b. Design documentation for computerized systems.

c. Originate changes in master file.

d. Provide physical security for program files.

1. The primary responsibility for establishing and maintaining an internal control rests with *

a. The external auditors

b. The internal auditors
c. Management and those charged with governance
d. The controller and the treasurer

2. The fundamental purpose of an internal control is to *

a. Safeguard the resources of the organization

b. Provide reasonable assurance that the objectives of the organization are achived
c. Encourage compliance with organization objectives
d. Ensure the accuracy, reliability, and timeliness of information
3. which of the following internal control objectives would be most relevant to the audit? *

a. Operational objective
b. Compliance objective
c. Financial reporting objective
d. Administrative control objective
4. An auditor would most likely be concerned with internal control policies and procedures that provide
reasonable assurance about the *

a. Efficiency of management's decision-making process

b. Appropriate prices the entity should charge for its products
c. Methods of assigning production tasks to employees
5. Which of the following best
d. Entity's ability to process and summarize financial data
describes an inherent limitation that
should be recognized by an auditor when considering the potential effectiveness of an internal control
structure? *

a. Procedures whose effectiveness depends on segregation of duties can be circumvented by

collision.
b. The competence and integrity of client personnel provide an environment conducive to control and
provides assurance that effective control will be achieved
c. Procedures designed to assure the execution and recording of transactions in accordance with proper
authorizations are effective against fraud perpetrated by management
d. The benefits expected to be derived from effective internal control usually do not exceed the cost of
such control.
6. Internal control is ineffective when computer department personnel *

a. Participate in computer software acquisition decision.

b. Design documentation for computerized systems.

c. Originate changes in master files.

d. Provide physical security for program files.
7. An effective internal control system *

a. Cannot be circumvented by management

b. Can reduce the cost of an external audit

c. Can prevent collusion among employees

d. Eliminates risks and potential loss to the organization
8. The internal control cannot be designed to provide reasonable assurance that *

a. Transactions are executed in accordance with management's authorization.

b. Fraud will be eliminated.

c. Access to assets is permitted only in accordance with management's authorization.

d. The recorded accountability for assets is compared with the existing assets at reasonable intervals
9. Which of the following best describes the interrelated components of internal control? *

a. Organizational structure, management, philosophy, and planning.

b. Control environment, risk assessment, control activities, information and communication
systems, and monitoring.
c. Risk assessment, backup facilities, responsibility accounting, and natural laws.
d. Internal audit and management's philosophy and operating style.

10. Which one of the following is not one of the components of an entity's internal control? *

a. Control risk
b. Control activities
c. Information and communication
d. The control environment

11. The overall attitude and awareness of an entity's board of directors concerning the importance of the
internal control usually is reflected in its *

a. Computer-based controls
b. Systems of segregation of duties
c. Control environment
d. Safeguards over access to assets
12. Basic to a proper control environment are the quality and integrity of personnel who must perform the
prescribed procedures. Which is not a factor in providing for competent personnel? *

a. Segregation of duties
b. Hiring practices

c. Training programs
d. Performance evaluations
13. A proper segregation of duties requires *

a. an individual authorizing a transaction records it.

b. an individual authorizing a transaction maintain a custody of the asset that resulted from the
transaction.
c. An individual maintaining custody of an asset be entitled to access the accounting records for the
asset
d. an individual recording a transaction not compare the accounting record of the asset with the
asset itself
14. Which of the following would contribute most to the safeguarding of assets? *

a. Access to computer facilities and records is limited to authorized personnel.

b. Training programs are conducted to develop competence of newly hired personnel.
c. Control and subsidiary accounts are reconciled on a regularly scheduled basis
d. Blank stock of all purchase orders and sales invoices are prenumbered

15. Proper segregation of functional responsibilities in an effective structure of internal control calls for
separation of the functions of: *

a. Authorization, execution, and payment

b. Authorization, recording, and custody

c. Custody, execution, and reporting

d. Authorization, payment, and recording
16. The policies and procedures that help ensure that management directives are carried out are referred to
as the: *

a. Control environment
b. Control activities
c. Monitoring of controls
d. Information systems

17. Evaluating the design of the entity's internal control would involve *

a. Considering whether the control, individually or in combination with other controls, is capable
of effectively preventing, or detecting and correcting, material misstatements.
b. Determining whether control exists and the entity is using it.

c. Determining whether the control is operating effectively

d. Determining the consistency of application of internal control procedures.
18. Which of the following would an auditor least likely perform when obtaining an understanding or the
entity's accounting and internal control systems? *

a. Inquiries of appropriate personnel.

b. Inspection of documents and record
c. Observation of the entity's activities and operations
d. Reperformance of internal control
19. In studying a client's internal controls, an auditor must be able to distinguish between prevention
controls and detection controls. Of the following data processing controls, which is the best detection
control? *

a. Use of data encryption techniques

b. Review of machine utilization logs
c. Policy requiring password security
d. Backup and recovery procedure

20. Auditing by testing the input and output of a computer-based system instead of the computer program
itself will *

a. Not detect program errors which do not show up in the output sampled
b. Detect all program errors, regardless of the nature of the output

c. Provide the auditor with the same type of evidence

d. Not provide the auditor with confidence in the results of the auditing procedures