
AUDITING AND ASSURANCE PRINCIPLES

Term 2 | Semester 2 | SY 2020-2021

Week 4 Module: Review on Internal Control | Audit in a Computerized Environment

CREATE

Assessment Manual

Search for your names for your assigned questions. Provide, in the blue box,
your ANSWER and EXPLANATION why such is your answer. Indicate your initials
after the question to signify that you are done answering. You may cite
reference/s to support your answer or simply explain your choice.

1. The procedures performed to obtain an understanding of the internal control system provide an auditor
with
A. Sufficient appropriate evidence to use in forming an overall opinion on the entity’s
financial statements
B. Enough understanding to design procedures to gather sufficient appropriate audit
evidence
C. Enough understanding to express an opinion on the effectiveness of the entity’s internal
control system
D. Audit evidence to use in forming an over-all opinion on the entity

Garcia, Prince
B. Enough understanding to design procedures to gather sufficient appropriate audit
evidence.
All other choices, except for letter B, share the same thought - opinion. If we trace the ARM,
the last step always ends with substantive testing. Here internal control is under ARM's third
step. We assess the entity's control risk in order for us to come up with test design and
procedures, resulting in an audit evidence. A, and D are incorrect because opinion is always
done after gathering sufficient evidences through tests (if assertions correspond to
established criteria or not). Letter C is incorrect because we do not express our opinion on the
effectiveness of control (which was discussed). -pag

Correct Answer / Teacher’s Comments


Kerek. I think by this time it should already be quite an obvious invalidation whenever
the statement basis for opinion is shown (unless you are talking about SAE being the
basis for opinion). The opinion should never be used as a leverage for anything. Good
and direct explanations specially for the disqualification of letter C. We do not provide
opinion on the IC per se even on review of IC more so in an audit engagement

2. This internal control component is the foundation for all other components. It sets the tone of the
organization, provides discipline and structure, and influences the control consciousness of
employees.
A. Control activities
B. Monitoring of controls
C. Control environment
D. The entity’s risk assessment process

Cruz, Neil Patrick


C. Control Environment. PSA 315 states that the control environment includes the
governance and management functions and the attitudes, awareness, and actions of those
charged with governance and management concerning the entity’s internal control and its
importance in the entity. The control environment also sets the tone of the organization,
influencing the control and consciousness of its people - NPLC

Correct Answer / Teacher’s Comments


CE sets the tone for the IC specially in terms of implementation. IC would be a waste if
not implemented and where else should the implementation start but with management
supposed to be. Answer is kerek

3. An internal control system that is working efficiently


A. Eliminates risk and potential loss to the entity
B. Cannot be circumvented by management
C. Reduces the cost of an external audit
D. Is unaffected by changing circumstances and conditions encountered by the entity

Silva, Lynold

A. Eliminates risk and potential loss to the entity, having an effective internal control will
help to avoid inherent risks wherein the company cannot detect errors and
misstatements due to failure of the internal control. Effective internal control reduces
the risk of asset loss, and helps that the information is complete and accurate, financial
statements are reliable.--LTS
Correct Answer / Teacher’s Comments
Hmm. Inherent risks are innate to the entity based on its nature and form of business.
Most of it cannot be eliminated unless you change your business. The correct answer
is letter C. Good IC would reduce the need for additional procedures and further testing
rendering engagement extensions useless.

4. Because of inherent limitations, internal control cannot be designed to provide reasonable assurance
regarding the achievement of objectives concerning
A. Effectiveness and efficiency of operations
B. Elimination of all fraud
C. Reliability of financial reporting
D. Compliance with applicable laws and regulations

Fordan, Shanelle

B. Elimination of all fraud. COSO defined internal control as a process designed to provide
reasonable assurance regarding the achievement of the entity’s objectives. It can provide
reasonable assurance regarding letters a.) operations c.) reporting & d.) compliance. However,
there is no system that can be designed to eliminate all fraud because of inherent limitations. -SLF

Correct Answer / Teacher’s Comments


Kerek. No matter how good the IC is 100% assurance of elimination of ALL fraud is
impossible

5. In obtaining an understanding of an entity’s internal control in a financial statement audit, an auditor is
not required to
A. Determine whether the controls have been implemented
B. Perform procedures to evaluate the design of controls
C. Document the understanding of the entity’s internal control components
D. Search for significant deficiencies in the operation of internal control

Alfanta, Jezza
Answer: D. Search for significant deficiencies in the operation of internal control
In obtaining an understanding of an entity’s internal control the auditor must have a sufficient
knowledge of the design of the internal control and whether it has been implemented. The
auditor can be aware of internal control deficiencies but he/she is not required to search for it.
Furthermore, a financial statement auditor does determine internal control adequacy for the
management. -JMA
Correct Answer / Teacher’s Comments
Kerek. Understanding of IC at this level is for the assessment of the risk of MM.
Weaknesses are expected to be encountered but it is not required to search for them.

6. Which of the following determines the extent of the auditor’s tests of controls?
A. Auditor’s knowledge
B. Auditor’s initial/planned assessment of control risk
C. Resources available to the auditor
D. Management’s desire to help the auditor

Gulles, Fe
B. Auditor’s initial/planned assessment of control risk

Because control risk is the probability that a material misstatement exists in an assertion
because that misstatement was not either prevented from entering the entity's financial
information or it was not detected and corrected by the internal control system of the
entity. And it's therefore the auditor's responsibility to assess whether the said FS was
effectively and efficiently in line with standards. Mfg

Correct Answer / Teacher’s Comments


Hmmm…. Answer is kerek but I'm confused with the explanation. The definition
provided for CR is correct but it doesn't explain to me how it will dictate the level of ToC
that will be implemented.
Based on our discussion and hopefully in your reading, ToC will actually not even be
done as much if the CR is assessed to be high. If the CR is less than high, then
documentation of the basis (which is the results of the ToC) is expected to be
presented. This would warrant more ToC.

7. An auditor intends to perform tests of control on a client’s cash disbursement procedures. If the control
procedures leave no audit trail of documentary evidence, the auditor most likely will test the
procedures by
A. Inquiry and analytical procedures
B. Inquiry and observation
C. Analytical procedures and confirmation
D. Confirmation and observation

Mancao, Camelle

B. Inquiry and observation. Since there is no trail of documentary evidence, it will be hard
for the auditor to make an examination of evidence. So, the auditor will most likely do an
inquiry and observation since it's an effective way to gain evidence and to test reliability. By
observing client's personnel in performing their duties, security measures in force and making
an inquiry and observation around the computer, the auditor can test the effectiveness and
reliability of its internal control.- CMM

Correct Answer / Teacher’s Comments


Kerek. If there is no evidence on the controls present in the procedures then have them
do the procedure in front of you and see if it really exists and is really implemented.

8. After gaining an understanding of internal control and assessing the risks of material misstatement, an
auditor decided to perform tests of controls. The auditor most likely decided that
A. Additional evidence to support a further reduction in control risk is not available
B. It is not possible or practicable to reduce the risks of material misstatement at the
assertion level to an acceptably low level with audit evidence obtained only from
substantive test procedures
C. There were many internal control weaknesses that could allow misstatements to enter
the accounting system
D. An increase in the assessed level of control risk is justified for certain financial statement
assertions

Lesaca, Jayvi
D. An increase in the assessed level of control risk is justified for certain financial statement assertions
The auditor uses the assessed level of control risk to determine the acceptable level of detection
risk. The auditor will evaluate whether the internal controls are designed and operating as intended.
-JRL

Correct Answer / Teacher’s Comments


Kerek answer is letter B. A-TOC is performed to obtain SAE to support further reduction of CR. If
additional evidence is unavailable, then why do the TOC?/ C-if CR is too high and there are many IC
weaknesses, there is no need to do TOC, just proceed straight to ST. D- decrease the CR not increase
it.

9. Which of the following controls most likely would provide reasonable assurance that all credit sales
transactions of an entity are recorded?
A. The accounting department supervisor controls the mailing of monthly statements to
customers and investigates any differences reported by customers
B. The accounting department supervisor independently reconciles on a monthly basis, the
accounts receivable subsidiary ledger to the accounts receivable control account
C. The billing department supervisor matches pre-numbered shipping documents with
entries in the sales journal
D. The billing department supervisor sends copies of approved sales orders to the credit
department for comparison to authorized credit limits and customer account balances

Navales, Edemson
C. Because credit sales transactions are normally recorded on a sales journal so that is
where internal control should focus - ENN

Correct Answer / Teacher’s Comments


Kerek!

10. The following are appropriate questions on an internal control questionnaire concerning purchase
transactions, except
A. Are all goods received in a centralized receiving department counted, inspected, and
compared with purchase orders on receipt?
B. Are intact cash receipts deposited daily in the bank?
C. Are pre-numbered purchase orders and receiving reports used and accounted for?
D. Are an approved purchase requisition and a signed purchase order required for each
purchase?

Alonzo, Ann

Answer: B. Are intact cash receipts deposited daily in the bank? Because it is not concerned about
the purchase transactions. If you question it independently, you can’t say that it concerns purchase
transactions compared to the three (3) choices. -AMCA

Correct Answer / Teacher’s Comments


Answer is kerek. So what type of transaction is it about, if it's not about purchases????
This should be the deciding reason why B is the answer.

11. In response to risk, test of controls are concerned primarily with each of the following questions except
A. By whom were the controls applied?
B. Were the controls consistently performed?
C. How were the controls applied?
D. Why were the controls applied?

Plasabas, Kyle
D. Why were the controls applied? As I understand, the purpose of test of controls is to
assess the effectiveness of operating controls. This particular question statement is
closely inclined to the understanding of internal control rather than assessing the risk
or test of controls. All other choices seek to answer the operating effectiveness which
relates to test of controls and risk assessment. -KIP

Correct Answer / Teacher’s Comments


Kerek. Letter D should have been asked during planning stage when the design and
implementation was assessed

12. On the basis of audit evidence, an auditor decides to increase the assessed level of control risk from
that originally planned. To achieve an overall audit risk level that is substantially the same as the
planned audit risk level, the auditor would
A. Increase inherent risk
B. Increase materiality level
C. Decrease inherent risk
D. Decrease detection risk

Tampus, Diazzle

D. Decrease detection risk - The best way for an auditor to achieve an overall audit
risk level is to conduct additional substantive tests, as well as having auditors
have sufficient knowledge of the CIS to plan. -DMT

Correct Answer / Teacher’s Comments


Answer is kerek. It can be answered more easily by understanding that the relationship
of CR to ADR is inverse. If CR is increased then a decrease in ADR should stabilize the
equation. Contrary to the explanation, however, I must state that ST is not used to
achieve an over-all audit risk level but rather to reach the audit risk level that has been
agreed upon and is acceptable to the auditor.

13. When an auditor increases the planned assessed level of control risk because certain controls were
determined to be ineffective, the auditor would most likely increase the
A. Extent of test of details
B. Level of inherent risk
C. Extent of test of controls
D. Level of detection risk

Garcia, Prince
A. Extent of test of details.
Letter B is incorrect because, as what was discussed, the auditor has no control over inherent
risk; it cannot be decreased or increased. Letter C is incorrect because if the level of control
risk is already assessed as ineffective, why bother increasing the extent of test of controls- it
won't help; the best thing to do is to compensate this risk to keep the overall audit risk low.
Letter D is incorrect because even though detection risk is something the auditor can control,
increasing it would only increase the overall audit risk, which is the other way around. In this
situation, increasing the extent of test of details is the right thing to do. If control is ineffective,
the level of material misstatement is increased. So we compensate this increase with a
decrease in detection risk by increasing the extent of test of details. -pag

Correct Answer / Teacher’s Comments


Kerek. Detection risk actually acts as your stabilizer to justify whether ST should be
more extensive or not. If CR increases then the ADR should decrease which would lead
to higher/better ST.

14. Regardless of the assessed level of control risk, an auditor would perform some
A. Test of controls to determine the effectiveness of internal control policies
B. Analytical procedures to verify the design of internal control procedures
C. Substantive tests to restrict detection risk for significant transaction classes
D. Dual-purpose tests to evaluate both the risk of monetary misstatement and preliminary
control risk

Cruz, Neil Patrick


C. Substantive tests to restrict detection risk for significant transaction classes. Regardless of the
assessed level of control risk, an auditor would perform some level of substantive tests to restrict detection
risk for significant transaction classes. Even with the lowest possible assessed level of control risk,
substantive testing cannot be entirely eliminated for significant transaction classes or balances. - NPLC
Correct Answer / Teacher’s Comments
Answer is kerek but I'm more interested on why it cannot be entirely eliminated???? I
wish this was explained..
A is the worst answer…..it should be the least considered among the choices.

15. Which of the following tests of controls most likely would help assure an auditor that goods shipped are
properly billed?
A. Scan the sales journal for sequential and unusual entries
B. Examine shipping documents for matching sales invoices
C. Compare the accounts receivable ledger to daily sales summaries
D. Inspect unused sales invoices for consecutive pre-numbering

Silva, Lynold
B. Examine shipping documents for matching sales invoices, these will help the auditor to
assure that the goods are properly billed because he can assess if the amount in
documents and invoice are not contradicting. ---LTS

Correct Answer / Teacher’s Comments


Kerek. Actually it's quite simple. All the other choices do not provide information with
regards to shipment.

16. An auditor uses the knowledge provided by the understanding of internal control and the final
assessed level of control risk primarily to determine the nature, timing and extent of
A. Attribute tests
B. Compliance tests
C. Tests of controls
D. Substantive tests

Fordan, Shanelle
D. Substantive tests. Because these are tests of details and analytical procedures
performed to detect material misstatements in the account balance, transaction class, and
disclosure components of financial statements. Letters A, B and C are incorrect because
testing of controls is an application of attribute sampling, compliance tests determine whether
an entity is complying with laws and regulations in governmental audits, while test of controls
must be performed before control risk is assessed below the maximum. -SLF
Correct Answer / Teacher’s Comments
Kerek. Nice elimination specially for letter C.

17. When there are numerous PPE transactions during the year, an auditor who plans to assess control
risk at a low level usually performs
A. Tests of controls and extensive tests of PPE balances at the end of the year
B. Analytical procedures for current year PPE transactions
C. Test of controls and limited tests of current year PPE transactions
D. Analytical procedures for PPE balances at the end of the year

Alfanta, Jezza
Answer: C. Test of controls and limited tests of current year PPE transactions.
When the auditor plans to assess control in a low level this requires low level of audit
procedures. In this case, this includes the test of controls and limited tests of current year
PPE transactions. A low control risk may indicate that controls are reliable and effective. With
this, it is not required to conduct analytical procedures. -JMA

Correct Answer / Teacher’s Comments


“A low control risk may indicate that controls are reliable and effective. With this, it is not
required to conduct analytical procedures” - this one is accurate
“When the auditor plans to assess control in a low level this requires low level of audit
procedures.” - you mean lower substantive testing? If that's what you mean, that's also correct.
If CR is less than high, justification for this is required, which means ToC should be
performed. This already invalidates B and D. Low CR also means low ST, therefore limited
(for Letter C) is chosen over extensive (for Letter A).

18. Which of the following procedures concerning AR would an auditor most likely perform to obtain
evidential matter in support of an assessed level of control risk below the maximum level?
A. Observing an entity’s employee prepare the schedule of past due AR
B. Sending confirmation requests to entity’s principal customers to verify existence of
accounts receivable
C. Inspecting an entity’s analysis of AR for unusual balances
D. Comparing an entity’s uncollectible accounts expense to actual uncollectible accounts
receivable

Gulles, Fe
A. Observing an entity’s employee prepare the schedule of past due AR

Because the auditor uses test of control to assess the level of control risk below the
maximum. And among the 4 only A is a test of control, the rest are just substantive tests,
because among all the choices, choice A includes client's control in working. Mfg

Correct Answer / Teacher’s Comments


Kerek. This question is actually a little bit difficult because you need to realize that all
the others are already test of details… I hope it's face to face so that I can ask how you
were able to determine this and share it with everyone too…. hehe

19. Test of controls are least likely to be omitted with regard to


A. Accounts believed to be subject to ineffective controls
B. Accounts representing few transactions
C. Accounts representing many transactions
D. Subsequent events

Mancao, Camelle
C. Accounts representing many transactions. Since these accounts are used and
represent many transactions it is very important to test and review the design controls and
review application control to find out if controls are suitable for such transactions. And if the
designed controls are operating with efficiency, effectivity and has reasonable assurance. This
is less likely to be omitted to ensure that the accounts that represent many transactions are
accurately used and these data are relevant.- CMM

Correct Answer / Teacher’s Comments


Kerek. This is cost effective and efficient.
A could also be considered. Since if CR is high then that means that the IC is
ineffective, why test it with ToC, just proceed straight to ST. but C is still a better
answer since the term used is omitted. Take note that a certain amount of ToC is
always performed regardless of the level of CR

20. An internal control questionnaire indicates that an approved receiving report is required to accompany
every check request for payment of merchandise. Which of the following procedures provides the
greatest assurance that this control is operating effectively?
A. Select and examine the receiving reports and ascertain that the related canceled checks
are dated no earlier than the receiving reports
B. Select and examine the receiving reports and ascertain that the related canceled checks
are dated no later than the receiving reports
C. Select and examine the canceled checks and ascertain that the related receiving reports
are dated no earlier than the checks
D. Select and examine the canceled checks and ascertain that the related receiving reports
are dated no later than the checks

Lesaca, Jayvie

D. Select and examine the canceled checks and ascertain that the related receiving
reports are dated no later than the checks.
In order to trace the individual transactions and documents back and forth. Auditors
will directly examine the computer program of the system to determine the reliability
of the system. -JRL

Correct Answer / Teacher’s Comments


Hmmmm you're talking about the computer system already? What if they only utilize
manual systems? Hehe
This is a practical application of control and should be imagined for you to be able to
answer.. The check is processed for payment of any purchases made and for it to be
approved of course the purchases should already be received. That is why the
RR should be made and accomplished PRIOR to check preparation. This already
eliminates all the other choices.

21. Tests of controls are designed to obtain evidence to support the auditor’s assessment of control risk
A. At a high level
B. At less than high level
C. At zero level
D. At the maximum level

Navales, Edemson
B. Because this is to measure whether the management's internal controls are effective.
When there is less than high CR, the IC is effective and that is where we conduct test of
controls to measure its effectiveness.. - ENN

Correct Answer / Teacher’s Comments


Kerek. Almost flawless explanation except for the last statement. NOT TO MEASURE
EFFECTIVENESS but to JUSTIFY that indeed the IC is effective.

22. The primary emphasis by auditors is on controls over
A. Classes of transactions
B. Account balances
C. Both, they are equally important
D. Both, they vary from client to client

Alonzo, Ann

Answer; A. Classes of transactions. Because the auditor prepares the test data or transactions that
consist of valid and invalid conditions - AMCA

Correct Answer / Teacher’s Comments


Hmmm.. I think this explanation is already related to Test Data CAAT for Audit in CIS…..
this question is still about IC….

Take note that the emphasis of the auditor is more on the assertion level which is on
aggregate class level….

23. When obtaining an understanding of an entity’s control environment, an auditor should concentrate on
the substance of management’s policies and procedures rather than their form because
A. The auditor may believe that the policies and procedures are inappropriate for that
particular entity
B. The BoD may not be aware of management’s attitude toward the control environment
C. Management may establish appropriate policies and procedures but not act on them
D. The policies and procedures may be so ineffective that the auditor may assess control
risk at a high level

Plasabas, Kyle
C. Management may establish appropriate policies and procedures but not act on them.
Obtaining an understanding of an entity's control environment involves evaluating the design of a control and
policies and determining whether it has been implemented. Because these policies and designs will matter
significantly in assessing the operating effectiveness if it has been used or implemented accordingly to the
operation. -KIP

Correct Answer / Teacher’s Comments


Although the form (design) is also important and should be given emphasis,
non-implementation means that the design is busted altogether. Letter C is kerek. This
is actually a rather easy question.. This shouldn't have gone to Kyle...

24. Internal controls can never be regarded as completely effective. Even if company personnel could
design an ideal system, its effectiveness depends on the
A. Adequacy of the computer system
B. Proper implementation by management
C. Ability of the internal audit staff to maintain it
D. Competency & dependability of the people using it

Tampus, Diazzle

D. Competency & dependability of the people using it - In using the system there are proper
segregation of duties that are assigned to each personnel, and they have different task to
perform, but having a competent and dependable employees, the effectiveness really
depends on this, since the internal control are better to ensure if the programs are functioning
as designed and the controls are working effectively as planned. -DMT

Correct Answer / Teacher’s Comments


Kerek. Letter B is the first step to effectiveness but ultimately it will depend on who is
doing the work.

25. Internal controls are not designed to provide reasonable assurance that
A. All frauds will be detected
B. Transactions are executed in accordance with management’s authorization
C. Access to assets is permitted only in accordance with management’s authorization
D. Company personnel comply with applicable rules and regulations

Garcia, Prince
A. All frauds will be detected
Internal controls do not provide reasonable assurance that all fraud will be detected. It's more
on provision of reasonable assurance that the company achieves its objectives with regards
to operation effectiveness and efficiency, financial reports reliability, compliance with policies/
laws. My take would be internal control minimizes fraud but it does not assure that there's no
fraud at all. -pag

Correct Answer / Teacher’s Comments


Hmmm I think it minimizes error and DISCOURAGES fraud from happening.. But over
all it still cannot assure the total elimination of it. There are still those who are shameless
and bold enough to test the IC. hehe
Letter A is correct.

Just as a note. I hope that people can already see a pattern. The word ALL is actually a
red flag in multiple choice questions specially in theory. Most of the times, it
invalidates a statement because it is so absolute.

26. Inherent limitations in an internal control must be considered in evaluating its effectiveness in
preventing and detecting errors and fraud. Inherent limitations do not include
A. Misunderstanding of instructions, mistakes of judgement, personal carelessness,
distraction or fatigue
B. Incompatible functions performed by the same person
C. Collusion among employees
D. Management override of certain policies or procedures

Cruz, Neil Patrick


B. Incompatible functions performed by the same person. Through reading I’ve found that almost all of
the above are all inherent limitations in internal control. There are 4 inherent limitations, however, through
deduction I’ve come up with the last choice, B, and since B doesn’t apply to the definition of human error, it is
my answer. Somehow it could match, but human error deals more with the understanding of a person about
the control system and not how a person deals with a few incompatible work for him/her. - NPLC

Correct Answer / Teacher’s Comments


That's actually good deduction and I have never thought about summarizing inherent
limitations in the category of human error, but somehow if you think about it, it
somehow applies.
Letter B is the answer because segregation of duties could always be applied. Non-
application of it is not because it's natural but because it's a choice.

27. An act of two or more employees to steal assets or misstate records is frequently referred to as
A. Collusion
B. A material weakness
C. A control deficiency
D. Any of the above

a. collusion, because it is a non competitive act of employees which is not good or
simply considered illegal.- LTS

Correct Answer / Teacher’s Comments


Kerek answer. Very easy. Lynold is cheating. Minus 2

28. In an audit of FS, an auditor’s primary consideration regarding an internal control activity is whether
control
A. Reflects management’s philosophy and operating style
B. Affects management’s FS assertions
C. Provides adequate safeguards over access to assets
D. Enhances management’s decision making process

Fordan, Shanelle
B. Affects management's FS assertions. Assessing control risk is the process of
evaluating the effectiveness of an entity's internal control in preventing or detecting material
misstatements in the financial statements is the primary consideration the auditors. Answer A
is considered a part of the control environment while answer C is a type of control activity
however they are not the primary consideration in evaluating internal control. On the other
hand, answer D is not relevant to the auditor's consideration of internal control. -SLF

Correct Answer / Teacher’s Comments


Kerek. And again good deduction specially for letter D. take note that audit is done at
assertion level…...

29. Which of the following characteristics distinguishes computer processing from manual processing?
A. Computer processing virtually eliminates the occurrence of computational error normally
associated with manual
B. Errors or fraud in computer processing will be detected soon after their occurrence
C. The potential for systematic error is ordinarily greater in manual processing than in
computerized
D. Most computer systems are designed so that transaction trails useful for audit purposes
do not exist

Alfanta, Jezza
Answer: A. Computer processing virtually eliminates the occurrence of computational
error normally associated with manual
Computational errors are virtually eliminated in computer processing because of its ability to
uniformly process like transactions with the same processing instructions.
B is wrong because errors and fraud in computer processing may remain undetected for a
long period of time or not be detected at all. One of the reasons for this is the decreased
human handling of transactions.
C is incorrect because the risk of systematic errors is greater in automated processing. The
ability of the computer to uniformly process transactions can result in all transactions being
wrong when the program’s logic itself is defective.
D is also wrong because CIS are designed to provide audit trails but some of these could only
be present for a short period of time or in another form. -JMA

Correct Answer / Teacher’s Comments

Kerek! Can't add anything anymore actually :)

30. Which of the following employees in a company’s electronic data processing department should be
responsible for designing a new or improved set of data processing procedures?
A. Flowchart editor
B. Programmer
C. Systems analyst
D. Control-group supervisor

Gulles, Fe
B. System analyst

A systems analyst's job is to examine the current system to see whether it fits the business
needs of their employer and employees. They are also responsible for maintaining, designing
and improving computer systems. Mfg

Correct Answer / Teacher’s Comments


I'm confused. Is the answer B or Systems analyst? Hehe

C Systems Analyst is correct. After the systems analyst does this, the programmer can
then create this new set of procedures.

31. An auditor would most likely be concerned with which of the following controls in a data processing
system?
A. Hardware controls
B. Systems documentation controls
C. Access controls
D. Disaster recovery controls

Mancao, Camelle
C. Access Controls. Access control will most likely be the concern of an auditor to limit the
access of the files from unauthorised persons and prevent any alteration of the data files
which are the subject of the audit.- CMM

Correct Answer / Teacher’s Comments


Kerek. Preventive controls are always priority because if MM is prevented in the first
place then there is no need to monitor its effect in the FS.
32. Totals of amounts in computer-record data fields which are not usually added but are used only for
data processing control purposes are called
A. Record totals
B. Hash totals
C. Processing data controls
D. Field totals

Lesaca, Jayvie
B. Hash Totals
because it involves non dollar totals while letters ACD suggest dollar amounts-JRL

Correct Answer / Teacher’s Comments


Kerek. This is a trivial question but kind of important, especially when you meet the
term hash total again in the future. The key is that it's a value that's not really supposed
to be added and totalled in the first place anyway, but it's a good control for monitoring
accuracy.

33. What is the computer process called when data processing is performed concurrently with a particular
activity and the results are available soon enough to influence the particular course of action being
taken or the decision being made?
A. Batch processing
B. Real-time processing
C. Integrated data processing
D. Random access processing

Navales, Edemson

B. Because the computer processing is concurrent - ENN

Correct Answer / Teacher’s Comments


Kerek. Again terminology relevance. As always, in conceptual subjects and tests, a
wider vocabulary is already an advantage. So exposure is important.

34. To obtain evidence that user identification and password controls are functioning as designed, an
auditor would most likely
A. Attempt to sign on to the system using invalid user identifications and passwords
B. Write a computer program that simulates the logic of the client’s access control software
C. Extract a random sample of processed transactions and ensure that transactions were
appropriately authorized
D. Examine statements signed by employees stating that they had not divulged their user
identifications and passwords
Alonzo, Ann

Answer: A. Attempt to sign on to the system using invalid user identifications and passwords. To
observe security measures - AMCA

Correct Answer / Teacher’s Comments


Kerek. The control being tested is preventive. The test performed therefore should
allow prevention. Letter B is extreme and is not necessary.

35. Which of the following is a general control that most likely would assist an entity whose systems
analyst left the entity in the middle of a major project?
A. Grandfather-father-son record retention
B. Input and output validation routines
C. Systems documentation
D. Check digit verification

Plasabas, Kyle
C. Systems Documentation describes the systems procedures and operation up to the
point in time. It serves as a reference for future maintenance and updates. Therefore
when the analyst leaves the entity in the middle of a major project, the new analyst can
immediately understand the system operations. -KIP

Correct Answer / Teacher’s Comments


Kerek! The more detailed the documentation is, the easier for anyone to follow it even
without assistance. Letter A is a data retrieval/storage tool, letter B is more of an
access control and D is more of a processing control

36. An auditor anticipates assessing control risk at a low level in a computerized environment. Under these
circumstances, on which of the following procedures would the auditor initially focus?
A. Input control procedures
B. Processing control procedures
C. Output control procedures
D. General control procedures

Tampus, Diazzle

D. General control procedure - General control procedure is correct because auditors
usually begin by considering general control procedures. Since the effectiveness of
specific application controls is often dependent on the existence of effective general
controls over all computer activities, this is usually an efficient approach. Choices a, b,
and c are all incorrect because they represent controls that are usually tested
subsequent to the general controls. -DMT

Correct Answer / Teacher’s Comments


Answer is kerek. ABC are all application controls. It should also be noted that CR is
anticipated to be low so that means IR is GENERALLY effective. Focus therefore on
these general controls.

37. Which of the following is likely to be of least importance to an auditor when obtaining an understanding
of the computer control procedures in a company with a computerized accounting system?
A. The segregation of duties within the computer function
B. The control procedures over source documents
C. The documentation maintained for accounting applications
D. The cost/benefit ratio of computer operations

Garcia, Prince
D. The cost/benefit ratio of computer operations.
Letters A, B, C are of importance with regards to understanding computer control procedures:
segregation of duties, control over input, application controls and documentation. Letter D
would be unlikely because this is a management concern and it plays no role in an auditor's
attempt at gaining understanding about an entity's internal control. -pag

Correct Answer / Teacher’s Comments


Kerek. This is actually a trick question since the cost/benefit factor should actually be
considered in gaining an understanding of IC procedures (even in planning).
However, take note that this is the cost/benefit ratio of computer operations. This is trivial
knowledge and is not really necessary to understanding the IC. So what if the
automated system of the company is expensive? Does that help you understand it? If
this is cost/benefit of procedures to be done to gain understanding of IC, then it would
be a different story and it should be considered.

38. When an auditor tests a computerized accounting system, which of the following is true of the test data
approach?
A. Test data must consist of all possible valid and invalid conditions
B. The program tested is different from the program used throughout the year by the client
C. Several transactions of each type must be tested
D. Test data are processed by the client’s computer programs under the auditor’s control
Cruz, Neil Patrick
D. Test data are processed by the client’s computer programs under the auditor’s control. When an
auditor tests the internal controls, he/she usually starts from creating the purchase requisition to the end of
the payment cycle. He/she also checks the impact of each transaction on the general ledger and compares it
with predetermined results to check the internal controls of the computerized accounting system. NPLC

Correct Answer / Teacher’s Comments


Hmmm, why are we mentioning PR and payment cycle? I'm confused…

The only way to answer this is to invalidate all the other options and ensure that they
will not apply to test data CAAT. A is wrong (again the word ALL). B is SO wrong
because heller, why are you testing a different program from what was used during
the scope of the audit? Letter C need not necessarily be true as long as they are both a
mix of valid and invalid transactions.

I don't quite get your explanation…

39. The most important segregation of duties in the organization of the information systems function is
A. Using different programming personnel to maintain utility programs from those who
maintain the application programs
B. Having separate information officer at the top level of the organization outside of the
accounting function
C. Assuring that those responsible for programming the system do not have access to data
processing operations
D. Not allowing the data librarian to assist in data processing operations

Silva, Lynold

C. Assuring that those responsible for programming the system do not have access to
data processing operations, it is the most important segregation because by doing this
personnel from other departments which are not responsible for the design or system
cannot make changes in the program or system. LTS

Correct Answer / Teacher’s Comments


Kerek. But it's not just the people responsible for designing the program (systems
analyst); the programmer, who ACTUALLY CREATED the program, should not have
access to using it since he or she knows how and where to change and tweak it to their
advantage.

40. An entity updates its accounts receivable master file weekly and retains the master files and
corresponding update transactions for the most recent two-week period. The purpose of this periodic
retention of master files and transaction data is to
A. Validate groups of update transactions for each version
B. Permit reconstruction of the master file if needed
C. Verify run-to-run control totals for receivables
D. Match internal labels to avoid writing on the wrong volume

Fordan, Shanelle
B. Permit reconstruction of the master file if needed. It is the primary purpose of the periodic retention
of master files and data. Reconstruction of files can be achieved by updating the most recent back-up with
subsequent transaction data. -SLF

Correct Answer / Teacher’s Comments


Kerek. The main purpose of a backup is not for file retrieval but to maintain data in
case of systems failure or worse data loss.

41. Which of the following assurances is not provided by an application control?


A. Review and approval procedures for new systems are set by policy and adhered to
B. Authorized transactions are completely processed once and only once
C. Transaction data are complete and accurate
D. Processing results are received by the intended user

Alfanta, Jezza
Answer: A. Review and approval procedures for new systems are set by policy and
adhered to
Review and approval procedures for new systems are not provided by application controls
because these are under general controls specifically controls over system development and
documentation
Letters B, C, & D are incorrect because these are application controls -JMA

Correct Answer / Teacher’s Comments


Answer is kerek. I think that letter A (general control) is more on the systems
documentation function because it is about new systems, but if the review and approval
being done is on the transactions themselves then it is more of a monitoring control.
Regardless, both are still under general control.

42. When erroneous data are detected by computer program controls, such data may be excluded from
processing and printed on an error report. Who should review and follow up this error report?
A. Systems analyst
B. Data control group
C. Computer programmer
D. Computer operator

Gulles, Fe
B. Data Control Group

Because they are the ones who process, verify and control data entry operations in an
organization, handle reprocessing of exemptions, and review and distribute all
computer output. Mfg

Correct Answer / Teacher’s Comments


Kerek. B is the only one independent from computer operations. A designed it. C
created it. D used it.

43. The following statements relate to the auditor’s assessment of control risk in an entity’s computer
environment. Which is correct?
A. The auditor usually can ignore the computer system if he/she can obtain an
understanding of the controls outside of the CIS.
B. If the general controls are ineffective, the auditor ordinarily can assess control risk at a low
level if the application controls are effective
C. The auditor’s objectives with respect to the assessment of control risk are the same as in
a manual system
D. The auditor must obtain an understanding of the internal control and test controls in
computer environment

Mancao, Camelle
C. The auditor’s objectives with respect to the assessment of control risk are the same
as in a manual system. The overall objective of audit, "to obtain understanding of the entity's
control system to assess control risk and determine nature, timing and extent of tests to be
performed" does not change in CIS.
A is incorrect. The auditor does not ignore the computer system but needs to understand the CIS to
find out its inherent and control risk.
B is incorrect. If general controls are ineffective, the auditor is unlikely to assess control risk at
a low level, regardless of whether application controls have been designed and implemented
for each significant accounting application.
D is incorrect. The tests of controls should be performed only when the auditor’s risk
assessment includes an expectation of the operating effectiveness of controls (i.e., control risk
is assessed at below the maximum), or when substantive procedures alone do not provide
sufficient appropriate audit evidence at the assertion level.-CMM

Correct Answer / Teacher’s Comments


Kerek. Although others may also argue that letter D can also apply since ToC is always
done, just not to the same extent all the time.

44. An important characteristic of CIS is uniformity of processing. Therefore, a risk exists that
A. Auditors will not be able to access data quickly
B. Auditors will not be able to determine if data is processed inconsistently
C. Erroneous processing can result in the accumulation of a great number of misstatements
in a short time
D. All of the above

Lesaca, Jayvie
C. Erroneous processing can result in the accumulation of a great number of misstatements in a
short time

Correct Answer / Teacher’s Comments


Kerek but why?

45. Which of the following is an example of a check digit?


A. An agreement of the total number of employees to the total number of checks printed by
the computer
B. An algebraically determined number produced by the other digits of the employee number
C. A logic test that ensures all employee numbers are nine digits
D. A limit check that an employee’s hours do not exceed 50 hours per work week

Navales, Edemson
C. Because a check digit is used to check if all digits are correct; it's like it's there to
provide verification to guarantee that all numbers are right - ENN
Correct Answer / Teacher’s Comments
Answer should be B. A check digit should not be predetermined (so A is wrong). C and
D are more of a validity check

46. An employee entered “40” in the “hours worked per day” field. Which check would detect this
unintentional error?
A. Numeric/alphabetic check
B. Limit check
C. Sign check
D. Missing data check

Alonzo, Ann

Answer; B. Limit check because this check is designed to determine if a value entered into a computer is
within acceptable minimum and maximum values to ensure that the data submitted do not exceed a
predetermined limit. - AMCA

Correct Answer / Teacher’s Comments


Kerek. Again technical knowledge
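
Added example, not part of the assessment manual: the hash total (question 32), check digit (question 45) and limit check (question 46) applied to one constructed payroll batch, with the exceptions collected as they would be for an error report. The modulus-11 weighting, the field names, the 0-24 hour range and all sample records are assumptions chosen for illustration.

```python
# Constructed illustration of three input controls on a payroll batch.
# Assumptions: employee numbers are 5 base digits + 1 check digit (modulus 11),
# and "hours worked per day" must fall between 0 and 24.

HOURS_PER_DAY_LIMIT = (0, 24)


def check_digit(base: str) -> str:
    """Digit derived algebraically from the other digits (weights 2, 3, 4...)."""
    total = sum(int(d) * w for w, d in enumerate(reversed(base), start=2))
    value = (11 - total % 11) % 11
    return "X" if value == 10 else str(value)


def check_digit_ok(employee_no: str) -> bool:
    base, digit = employee_no[:-1], employee_no[-1]
    return base.isdigit() and check_digit(base) == digit


def limit_ok(hours: float) -> bool:
    low, high = HOURS_PER_DAY_LIMIT
    return low <= hours <= high


def hash_total(records) -> int:
    """Sum of employee numbers: meaningless as a figure, useful as a control."""
    bases = (r["employee_no"][:-1] for r in records)
    return sum(int(b) for b in bases if b.isdigit())


def validate_batch(records, expected_count, expected_hash):
    """Return (line, failed control) pairs; line 0 means a batch-level control."""
    exceptions = []
    for line, rec in enumerate(records, start=1):
        if not check_digit_ok(rec["employee_no"]):
            exceptions.append((line, "check digit"))
        if not limit_ok(rec["hours_per_day"]):
            exceptions.append((line, "limit check"))
    if len(records) != expected_count:
        exceptions.append((0, "record count"))
    if hash_total(records) != expected_hash:
        exceptions.append((0, "hash total"))
    return exceptions


# Batch header prepared from the source documents (constructed values):
# employees 10023, 10047, 10081 -> count 3, hash total 30151.
CONTROL_COUNT, CONTROL_HASH = 3, 30151

# Batch as keyed: line 2 has two digits transposed, line 3 has 40 hours in a day.
KEYED_BATCH = [
    {"employee_no": "100234", "hours_per_day": 8},
    {"employee_no": "100741", "hours_per_day": 8},
    {"employee_no": "100811", "hours_per_day": 40},
]

if __name__ == "__main__":
    for line, control in validate_batch(KEYED_BATCH, CONTROL_COUNT, CONTROL_HASH):
        print(f"line {line}: failed {control}")
```

The transposed employee number is caught twice: at record level by the check digit and at batch level by the hash total, while the record count alone would have passed.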

47. A disadvantage of auditing around the computer is that it


A. Permits no direct assessment of actual processing
B. Requires highly skilled auditors
C. Demands intensive use of machine resources
D. Interacts actively with auditee applications

Plasabas, Kyle
A. Permit no direct assessment of actual processing machine resources. Based on
what I understand, auditing around the computer involves conforming the outputs and
sourced documents selected randomly by the auditor to the inputs in the computer.
This is to test if the source documents were properly reflected in the master files and if
the master files are properly supported by sourced documents then the process of the
computer is done correctly. Therefore, there is no direct assessment of the actual
process or program performed by the machine. -KIP

Correct Answer / Teacher’s Comments


Kerek. Most of the time the black box approach would seem like the tasks are
accomplished correctly in a basic sense. However, if the transactions become more
complicated and require more analysis, then it cannot be fully tested. What if your test
is if the items inputted would also still be reflected in the output? Then the accuracy of
the data is not really tested. Just the existence and occurrence. Of course it also
depends on the assertion being tested.

48. A primary reason auditors are reluctant to use an ITF is that it requires them to
A. Reserve specific master file records and process them at regular intervals
B. Collect transaction and master file records in a separate file
C. Notify user personnel so they can make manual adjustments to output
D. Identify and reverse the fictitious entries to avoid contaminations of control totals

Tampus, Diazzle

D. Identify and reverse the fictitious entries to avoid a combination of control totals.

The ITF may use dummy transactions to be processed with live transactions but
requires additional programming to ensure that programs will recognize the specially
coded test data. Also, dummy files must be established even so, the output of the
control totals is affected by the existence of the ITF transactions. One way to avoid the
problem is to use immaterial transactions. However, the resulting differences between
control totals may be troublesome, and the inability to use large numbers may
preclude auditing limit tests. An alternative is to submit reversing entries. However,
reversals would threaten data integrity if they are inaccurate, must be submitted in the
same run, and may allow users to obtain contaminated data before the entries are
made. -DMT

Correct Answer / Teacher’s Comments


Kerek. And what was shared is actually interesting and additional knowledge as an
answer to the disadvantage that letter D introduces. Somehow it doesn't explain the
reason why D is the correct answer :)

D is the correct answer simply because ITF mixes fictitious test data with actual client
data when this CAAT is used. These are all entered in the client's program and tested if
the fictitious data will go through. In case they do, then the procedures presented by
DMT may be done to reverse them and prevent errors.
