Auditing in a CIS Environment

Midterms Exam
May 8, 2021
Name:
Score:

GENERAL INSTRUCTIONS:
a. Answer each question correctly
b. Write your answers on a sheet of paper or you can also answer it via computer
c. This exam is good for 1.5 hours so make sure to send your answers via email 1.5 hours
from the time you received this exam
d. No cheating

IDENTIFICATION

1. This determines if a value in one field is reasonable when considered along with data in
other fields of the record.

2. A method of detecting data coding errors such as transcription and transposition errors.

3. An input control check would detect a payment made to a nonexistent vendor.

4. This is defined as the risk that a material misstatement will get through the internal
control structure and into the financial statements.

5. The procedure in which an auditor makes sure that the checks issued by the client are
arranged in chronological order is called __________________.

TRUE OR FALSE

1. Data integrity would be of most concern to an auditor relating to an organization's
internet security.

2. Aging accounts receivable cannot be performed by an auditor using computer assisted
audit techniques (CAATs) software.

3. A purpose-written program may be written while its purposes and users are being defined.

4. An auditor is least likely to use computer software to prepare spreadsheets.

5. When the IT auditor is involved in the design phase of the system, he/she no longer needs
to test controls during regular IT audits.

6. Auditing involves the use of established criteria to evaluate evidence.


7. Identifying missing check numbers cannot be performed by an auditor using computer
assisted audit techniques (CAATs) software.

8. A purpose-written program is written to interface with many different client systems.

9. One limitation on the use of a generalized computer program is that it has limited
application without significant modification.

10. Identifying an unusual amount of sales on a monthly sales report can be performed using
CAATs.

MULTIPLE CHOICE

1. Which type of audit involves a review of general and applications controls, with a focus
on determining if there is compliance with policies and adequate safeguarding of assets?
a. Information systems audit
b. Financial audit
c. Operational audit
d. Compliance audit

2. Data access security related to applications may be enforced through all the following
except
a. User identification and authentication functions incorporated in the application.
b. Utility software functions.
c. User identification and authentication functions in access control software.
d. Security functions provided by a database management system.

3. An IT auditor is conducting substantive audit tests of a new accounts receivable module.
The IT auditor has a tight schedule and limited computer expertise. Which would be the
BEST audit technique to use in this situation?
a. Test data
b. Parallel simulation
c. Integrated test facility
d. Embedded audit module

4. The primary objective of security software is to
a. Control access to information system resources.
b. Restrict access to prevent installation of unauthorized utility software.
c. Detect the presence of viruses.
d. Monitor the separation of duties within applications.

5. Which of the following procedures is NOT used to detect unauthorized program changes?
a. Source code comparison (is used to detect unauthorized program changes by
thoroughly testing a newly developed program and keeping a copy of its source code)
b. Parallel simulation (an auditor writes a version of the program, reprocesses the
company data, compares the results to the company's results, and investigates any
differences)
c. Reprocessing (the auditor verifies the integrity of an application program, saves it,
and on a surprise basis uses the program to reprocess data and compare that output
with the company's output)
d. Reprogramming code

6. A controller became aware that a competitor appeared to have access to the company's
pricing information. The internal auditor determined that the leak of information was
occurring during the electronic transmittal of data from branch offices to the head office.
Which of the following controls would be most effective in preventing the leak of
information?
a. Asynchronous transmission.
b. Encryption.
c. Use of fiber-optic transmission lines.
d. Use of passwords.

7. Which of the following is not a characteristic of auditing?
a. Auditing is a systematic, step by step, process.
b. Auditing involves the collection and review of evidence.
c. Auditing involves the use of established criteria to evaluate evidence.
d. Auditing's primary objective is to identify fraud and its perpetrators.

8. Which of the following is not a reason an internal auditor should participate in internal
control reviews during the design of a new system?
a. It is more economical to design controls during the design stage than to do so later.
b. It eliminates the need for testing controls during regular audits.
c. It minimizes the need for expensive modifications after the system is implemented.
d. It permits the design of audit trails while they are economical.

9. In a small organization, where segregation of duties is not practical, an employee
performs the function of computer operator and application programmer. Which of the
following controls should the IT auditor recommend?
a. Automated logging of changes to development libraries
b. Additional staff to provide segregation of duties
c. Procedures that verify that only approved program changes are implemented
d. Access controls to prevent the operator from making program modifications

10. An IT auditor auditing hardware monitoring procedures should review
a. system availability reports.
b. cost-benefit reports.
c. response time reports.
d. database utilization reports.

11. Which of the following BEST provides access control to payroll data being processed on
a local server?
a. Logging of access to personal information
b. Separate password for sensitive transactions
c. Software restricts access rules only to authorized staff
d. System access restricted to business hours

12. All administrative and professional staff in a corporate legal department prepare
documents on terminals connected to a host LAN file server. The best control over
unauthorized access to sensitive documents in the systems is
a. Required entry of passwords for access to the system.
b. Physical security for all disks containing document files.
c. Periodic server backup and storage in a secure area.
d. Required entry of passwords for access to individual documents.

13. Which of the following tests confirms that the new system can operate in its target
environment?
a. Sociability testing
b. Regression testing
c. Validation testing
d. Black box testing

14. The PRIMARY purpose of undertaking a parallel run of a new system is to:
a. verify that the system provides required business functionality.
b. validate the operation of the new system against its predecessor.
c. resolve any errors in the program and file interfaces.
d. verify that the system can process the production load.

15. An auditor has just completed a physical security audit of a data center. Because the
center engages in top-secret defense contract work, the auditor has chosen to recommend
biometric authentication for workers entering the building. The recommendation might
include devices that verify all of the following except
a. Fingerprints.
b. Retina patterns.
c. Speech patterns.
d. Password patterns.
