108 Module 41: Information Technology

b. Perform tests several times during the year, rather than only at year-end.
c. Plan to make a 100% count of the entity’s inventory at or near the year-end.
d. Decrease the assessed level of control risk for the existence or occurrence assertion.

91. Which of the following is an encryption feature that can be used to authenticate the originator of a document and ensure that the message is intact and has not been tampered with?
a. Heuristic terminal.
b. Perimeter switch.
c. Default settings.
d. Digital signatures.

92. In building an electronic data interchange (EDI) system, what process is used to determine which elements in the entity’s computer system correspond to the standard data elements?
a. Mapping.
b. Translation.
c. Encryption.
d. Decoding.

93. Which of the following passwords would be most difficult to crack?
a. OrCa!FlSi
b. language
c. 12 HOUSE 24
d. pass56word

94. Which of the following is a password security problem?
a. Users are assigned passwords when accounts are created, but do not change them.
b. Users have accounts on several systems with different passwords.
c. Users copy their passwords on note paper, which is kept in their wallets.
d. Users select passwords that are not listed in any online dictionary.

95. Many of the Web 2.0 applications rely on an XML-based application that facilitates the sharing and syndication of web content, by subscription. Which of the applications below represents this XML application?
a. Wiki.
b. Blog.
c. RSS/Atom Feeds.
d. Twitter.

D. Control Objectives for Information and Related Technology (COBIT)

96. Which of the following is not one of the five principles of COBIT 5?
a. Meeting stakeholder needs.
b. Business processes.
c. Covering the enterprise end-to-end.
d. Applying a single integrated framework.

97. The Control Objectives for Information and Related Technology (COBIT) framework has been established by:
a. The American Institute of Certified Public Accountants.
b. The Information Technology Institute.
c. The Information Systems Audit and Control Association.
d. The Committee of Sponsoring Organizations.

E. IT Risk and Internal Control

98. Which of the following procedures would an entity most likely include in its computer disaster recovery plan?
a. Develop an auxiliary power supply to provide uninterrupted electricity.
b. Store duplicate copies of critical files in a location away from the computer center.
c. Maintain a listing of entity passwords with the network manager.
d. Translate data for storage purposes with a cryptographic secret code.

99. A company is concerned that a power outage or disaster could impair the computer hardware’s ability to function as designed. The company desires off-site backup hardware facilities that are fully configured and ready to operate within several hours. The company most likely should consider a
a. Cold site.
b. Cool site.
c. Warm site.
d. Hot site.

100. Which of the following procedures would an entity most likely include in its disaster recovery plan?
a. Convert all data from EDI format to an internal company format.
b. Maintain a Trojan horse program to prevent illicit activity.
c. Develop an auxiliary power supply to provide uninterrupted electricity.
d. Store duplicate copies of files in a location away from the computer center.

101. Almost all commercially marketed software is

     Copyrighted   Copy protected
a.   Yes           Yes
b.   Yes           No
c.   No            Yes
d.   No            No

102. A widely used disaster recovery approach includes
a. Encryption.
b. Firewalls.
c. Regular backups.
d. Surge protectors.

103. A “hot site” is most frequently associated with
a. Disaster recovery.
b. Online relational database design.
c. Source programs.
d. Temperature control for computer.

104. Output controls ensure that the results of computer processing are accurate, complete, and properly distributed. Which of the following is not a typical output control?
a. Reviewing the computer processing logs to determine that all of the correct computer jobs executed properly.
b. Matching input data with information on master files and placing unmatched items in a suspense file.
c. Periodically reconciling output reports to make sure that totals, formats, and critical details are correct and agree with input.
d. Maintaining formal procedures and documentation specifying authorized recipients of output reports, checks, or other critical documents.

105. Minimizing the likelihood of unauthorized editing of production programs, job control language, and operating system software can best be accomplished by
a. Database access reviews.
b. Compliance reviews.
c. Good change-control procedures.
d. Effective network security software.

106. Some companies have replaced mainframe computers with microcomputers and networks because the smaller computers could do the same work at less cost. Assuming that management of a company decided to launch a downsizing project, what should be done with respect to mainframe applications such as the general ledger system?
a. Plan for rapid conversion of all mainframe applications to run on a microcomputer network.
b. Consider the general ledger system as an initial candidate for conversion.
c. Defer any modification of the general ledger system until it is clearly inadequate.
d. Integrate downsized applications with stable mainframe applications.

107. A corporation receives the majority of its revenue from top-secret military contracts with the government. Which of the following would be of greatest concern to an auditor reviewing a policy about selling the company’s used microcomputers to outside parties?
a. Whether deleted files on the hard disk drive have been completely erased.
b. Whether the computer has viruses.
c. Whether all software on the computer is properly licensed.
d. Whether the computer has terminal emulation software on it.

108. A manufacturer is considering using bar-code identification for recording information on parts used by the manufacturer. A reason to use bar codes rather than other means of identification is to ensure that
a. The movement of all parts is recorded.
b. The movement of parts is easily and quickly recorded.
c. Vendors use the same part numbers.
d. Vendors use the same identification methods.

109. A company often revises its production processes. The changes may entail revisions to processing programs. Ensuring that changes have a minimal impact on processing and result in minimal risk to the system is a function of
a. Security administration.
b. Change control.
c. Problem tracking.
d. Problem-escalation procedures.

110. Pirated software obtained through the Internet may lead to civil lawsuits or criminal prosecution. Of the following, which would reduce an organization’s risk in this area?
I. Maintain a log of all software purchases.
II. Audit individual computers to identify software on the computers.
III. Establish a corporate software policy.
IV. Provide original software diskettes to each user.
a. I and IV only.
b. I, II, and III only.
c. II and IV only.
d. II and III only.

111. Good planning will help an organization restore computer operations after a processing outage. Good recovery planning should ensure that
a. Backup/restart procedures have been built into job streams and programs.
b. Change control procedures cannot be bypassed by operating personnel.
c. Planned changes in equipment capacities are compatible with projected workloads.
d. Service level agreements with owners of applications are documented.

112. In a large organization, the biggest risk in not having an adequately staffed information center help desk is
a. Increased difficulty in performing application audits.
b. Inadequate documentation for application systems.
c. Increased likelihood of use of unauthorized program code.
d. Persistent errors in user interaction with systems.

113. To properly control the improper access to accounting database files, the database administrator should ensure that database system features are in place to permit
a. Read-only access to the database files.
b. Updating from privileged utilities.
c. Access only to authorized logical views.
d. User updates of their access profiles.

114. When evaluating internal control of an entity that processes sales transactions on the Internet, an auditor would be most concerned about the
a. Lack of sales invoice documents as an audit trail.
b. Potential for computer disruptions in recording sales.
c. Inability to establish an integrated test facility.
d. Frequency of archiving and data retention.

115. Which of the following statements is correct concerning internal control in an electronic data interchange (EDI) system?
a. Preventive controls generally are more important than detective controls in EDI systems.
b. Control objectives for EDI systems generally are different from the objectives for other information systems.
c. Internal controls in EDI systems rarely permit control risk to be assessed at below the maximum.
d. Internal controls related to the segregation of duties generally are the most important controls in EDI systems.

116. Which of the following statements is correct concerning the security of messages in an electronic data interchange (EDI) system?
a. When the confidentiality of data is the primary risk, message authentication is the preferred control rather than encryption.
b. Encryption performed by physically secure hardware devices is more secure than encryption performed by software.
c. Message authentication in EDI systems performs the same function as segregation of duties in other information systems.
d. Security at the transaction phase in EDI systems is not necessary because problems at that level will usually be identified by the service provider.

117. Which of the following is an essential element of the audit trail in an electronic data interchange (EDI) system?
a. Disaster recovery plans that ensure proper backup of files.
b. Encrypted hash totals that authenticate messages.
c. Activity logs that indicate failed transactions.
d. Hardware security modules that store sensitive data.

118. Which of the following are essential elements of the audit trail in an electronic data interchange (EDI) system?
a. Network and sender/recipient acknowledgments.
b. Message directories and header segments.
c. Contingency and disaster recovery plans.
d. Trading partner security and mailbox codes.

119. To avoid invalid data input, a bank added an extra number at the end of each account number and subjected the new number to an algorithm. This technique is known as
a. Optical character recognition.
b. A check digit.
c. A dependency check.
d. A format check.

120. Preventing someone with sufficient technical skill from circumventing security procedures and making changes to production programs is best accomplished by
a. Reviewing reports of jobs completed.
b. Comparing production programs with independently controlled copies.
c. Running test data periodically.
d. Providing suitable segregation of duties.

121. Computer program libraries can best be kept secure by
a. Installing a logging system for program access.
b. Monitoring physical access to program library media.
c. Restricting physical and logical access.
d. Denying access from remote terminals.

122. Which of the following security controls would best prevent unauthorized access to sensitive data through an unattended data terminal directly connected to a mainframe?
a. Use of a screen saver with a password.
b. Use of workstation scripts.
c. Encryption of data files.
d. Automatic log-off of inactive users.

123. An entity has the following invoices in a batch:

Invoice #   Product   Quantity   Unit price
201         F10       150        $5.00
202         G15       200        $10.00
203         H20       250        $25.00
204         K35       300        $30.00

Which of the following most likely represents a hash total?
a. FGHK80
b. 4
c. 204
d. 810

124. A customer intended to order 100 units of product Z96014, but incorrectly ordered nonexistent product Z96015. Which of the following controls most likely would detect this error?
a. Check digit verification.
b. Record count.
c. Hash total.
d. Redundant data check.

125. In entering the billing address for a new client in Emil Company’s computerized database, a clerk erroneously entered a nonexistent zip code. As a result, the first month’s bill mailed to the new client was returned to Emil Company. Which one of the following would most likely have led to discovery of the error at the time of entry into Emil Company’s computerized database?
a. Limit test.
b. Validity test.
c. Parity test.
d. Record count test.

126. Which of the following controls is a processing control designed to ensure the reliability and accuracy of data processing?

     Limit test   Validity check test
a.   Yes          Yes
b.   No           No
c.   No           Yes
d.   Yes          No

127. Which of the following activities would most likely be performed in the information systems department?
a. Initiation of changes to master records.
b. Conversion of information to machine-readable form.
c. Correction of transactional errors.
d. Initiation of changes to existing applications.

128. The use of a header label in conjunction with magnetic tape is most likely to prevent errors by the
a. Computer operator.
b. Keypunch operator.
c. Computer programmer.
d. Maintenance technician.

129. For the accounting system of Acme Company, the amounts of cash disbursements entered into a terminal are transmitted to the computer that immediately transmits the amounts back to the terminal for display on the terminal screen. This display enables the operator to
a. Establish the validity of the account number.
b. Verify the amount was entered accurately.
c. Verify the authorization of the disbursement.
d. Prevent the overpayment of the account.

130. When computer programs or files can be accessed from terminals, users should be required to enter a(n)
a. Parity check.
b. Personal identification code.
c. Self-diagnosis test.
d. Echo check.

131. The possibility of erasing a large amount of information stored on magnetic tape most likely would be reduced by the use of
a. File protection rings.
b. Check digits.
c. Completeness tests.
d. Conversion verification.

132. Which of the following controls most likely would assure that an entity can reconstruct its financial records?
a. Hardware controls are built into the computer by the computer manufacturer.
b. Backup diskettes or tapes of files are stored away from originals.
c. Personnel who are independent of data input perform parallel simulations.
d. System flowcharts provide accurate descriptions of input and output operations.

133. Which of the following input controls is a numeric value computed to provide assurance that the original value has not been altered in construction or transmission?
a. Hash total.
b. Parity check.
c. Encryption.
d. Check digit.

134. Which of the following is an example of a validity check?
a. The computer ensures that a numerical amount in a record does not exceed some predetermined amount.
b. As the computer corrects errors and data are successfully resubmitted to the system, the causes of the errors are printed out.
c. The computer flags any transmission for which the control field value did not match that of an existing file record.
d. After data for a transaction are entered, the computer sends certain data back to the terminal for comparison with data originally sent.

135. Which of the following is a computer test made to ascertain whether a given characteristic belongs to the group?
a. Parity check.
b. Validity check.
c. Echo check.
d. Limit check.

136. A control feature in an electronic data processing system requires the central processing unit (CPU) to send signals to the printer to activate the print mechanism for each character. The print mechanism, just prior to printing, sends a signal back to the CPU verifying that the proper print position has been activated. This type of hardware control is referred to as
a. Echo control.
b. Validity control.
c. Signal control.
d. Check digit control.

137. Which of the following is an example of a check digit?
a. An agreement of the total number of employees to the total number of checks printed by the computer.
b. An algebraically determined number produced by the other digits of the employee number.
c. A logic test that ensures all employee numbers are nine digits.
d. A limit check that an employee’s hours do not exceed fifty hours per workweek.

138. Which of the following most likely represents a significant deficiency in internal control?
a. The systems analyst reviews applications of data processing and maintains systems documentation.
b. The systems programmer designs systems for computerized applications and maintains output controls.
c. The control clerk establishes control over data received by the information systems department and reconciles control totals after processing.
d. The accounts payable clerk prepares data for computer processing and enters the data into the computer.

139. Internal control is ineffective when computer department personnel
a. Participate in computer software acquisition decisions.
b. Design documentation for computerized systems.
c. Originate changes in master files.
d. Provide physical security for program files.

F. Flowcharting

140. Which of the following tools would best give a graphical representation of a sequence of activities and decisions?
a. Flowchart.
b. Control chart.
c. Histogram.
d. Run chart.

Items 141 and 142 are based on the following flowchart of a client’s revenue cycle:

[Flowchart not reproduced. Legible labels: Sales Order and Shipping Date; Remittance from Customers; Return and Write-off Authorizations; Enter Date (three times); Sales invoices; Credit memos; APPLICATION PROGRAMS; General Ledger; Cash Receipts Transaction File; General Ledger Transaction File; Sales Transaction File; Credit Memos; General Journal; Sales Journal; Cash Receipts Journal; General Ledger Master File; symbols A and B.]

141. Symbol A most likely represents the
a. Remittance advice file.
b. Receiving report file.
c. Accounts receivable master file.
d. Cash disbursements transaction file.

142. Symbol B most likely represents
a. Customer orders.
b. Receiving reports.
c. Customer checks.
d. Sales invoices.

143. An auditor’s flowchart of a client’s accounting system is a diagrammatic representation that depicts the auditor’s
a. Assessment of control risk.
b. Identification of weaknesses in the system.
c. Assessment of the control environment’s effectiveness.
d. Understanding of the system.

Item 144 is based on the following flowchart:

[Flowchart not reproduced. Legible labels: Transaction File; Client’s Program; Auditor’s Program; Master File; Output; Compare; Output; Exceptions Report.]

144. The above flowchart depicts
a. Program code checking.
b. Parallel simulation.
c. Integrated test facility.
d. Controlled reprocessing.

Item 145 is based on the following flowchart:

[Flowchart not reproduced. Legible labels: X; Input data (twice); Transactions file; Master file; Computer update run; Updated master file; Transaction register; Exception reports.]

145. In a credit sales and cash receipts system flowchart, symbol X could represent
a. Auditor’s test data.
b. Remittance advices.
c. Error reports.
d. Credit authorization forms.
