S'FloorcMFFIBUiding ReSA 8:3.Cor R Papa and'S Loyola Sis , Sormpaloe, Mania The Review School of Accountancy $9 735-9807 / 734-3989 / (0910) 439-1320 resareview@hotmail com ‘AUDITING THEORY TMI- FDY - MBN + FCT AT-14: INFORMATION TECHNOLOGY REQUIRED READINGS + Undergraduate school prescribed textbook in Computer Auclt ‘PSA 315 Reale): Menttying and Assessing Te Risks ‘of Material Misstatement Through Understanding The Entity ‘and Its Environment ‘+ PSA330 (Redrafted): The Auditor's Responses to Assessed Risks 2 piiippine Auciting Practice ‘Statement: (PAPS) 1013: Electronic Commerce - effect on the Audit of Financal Statements PSA 402 (Revised and Redrafted): Audit Considerabons Relating to an Entty Using @ Service Organization Philippine Standard on Assurance Engagements (PSAE) 3402: Assurance Reports on Controls at a Service Organization PSA Glossary of Terms 1. Si A computer information systems (CIS) environment exists when a computer of any type or size is involved in the processing by the entity of financial information of significance to the audit, whether that computer 1s operated by the entity or by a third party, such as a service organization. '§2 Accounting information systems (AIS) pracess financial transactions and non-financial transactions that directly affect the processing of financial transactions. 53 The major subsystems of AIS are transaction processing system (TPS), general ledger/financial reporting system (GL/FRS), and management reporting system (MRS). A. True, true, true C. True, false, false B. True, false, true D. True, true, false 2. Which of the following statements 1s incorrect? ‘A. The components of IT system include hardware, software, telecommunications, databases, and human resources. B. Keyboards, external disk drives, and routers are examples of hardware C._ A software can either be a system software or an application software. B.A point-of-sale device is an example of processing hardware. 3. St. The primary difference between a system software and an application software is that the former manages hardware’s operation while the latter handles specific tasks such as spreadsheets and documents. ‘$2 The most important component of an IT system is the human resources. $3 An operating system is a set of software programs that helps a computer, file server, Or network run itself and also the application prograrns designed for it. A. True, true, true GC. False, true, false B. True, false, true D. false, false, true 4. $1 If computers are more geographically dispersed, it 1s more appropriate to employ local area network (LAN) than wide area network (WAN). $2 Data marts store larger files than data warehouses. 3 Cloud computing refers to a range of computing services on the Internet such as access Te tomputer software programs, backup and recovery file services, and Web page development and hosting A. True, true, true C. False, true, false B. True, false, false D. False, false, true 5. In contrast to a batch processing system, in a real-time system en lag occurs between the time of the economic event and when the transaction = recorded. B. telatively fewer hardware, programming, and training resources are required. Ca lesser resource commitment per unit of outout 1s required. D. processing takes place when the economic event occurs. 6. Which of the following types of transactions are suitable for batch processing? A B Cc oO + Airline reservations Yes No Yes No «Payroll processing No Yes Yes No 7. Which of the following characteristics distinguishes computer processing from manuat processing? A. Computer processing virtually eliminates the occurrence of computational error normally associated with manual processing. B. Errors or irregularities in computer processing will be detected soon after their ReSA ~The Review School of Accountancy Page 1 of 6Res: The Review School of Account ‘sang Tear: lformation Tecnology. AT-14 occurrences, C. The potential for systematic error is ordinarily greater in manual processing than in computerized processing, D. Most computer systems are designed so that transaction, trails useful for audit purposes do not exist 8. Which of the following statements best describes a fundamental control weakness often associated with computer systems? A. Computer equipment is more subject to systems error than manual processing 1s subject to human error, 8. Computer equipment processes and records similar transactions in a similar manner. C. Control procedures for detection of invalid and unusual transactions are less effective than manual control procedures. D. Functions that would normally be separated in a manual system are combined in a computer system. 9. Which of the following activities would mest likely be performed in the IT department? A. Initiation of changes to master records. 8. Conversion of information to machine-readable form. C. Correction of transactional errors. D. Initiation of changes to existing application. 10. Preventing someone with sufficient technical skill trom circumventing security procedures and making changes to production programs is bst accomplished by ‘A. Reviewing reports of jobs completed B. Comparing production programs with inde C. Running test data periodically D. Providing suitable segregation of duties. yendently controlled copies. 11.1n a computer-based information system, which of the following duties needs to be separated? ‘A. program coding from program operations B. program operations from program maintenance CC. program maintenance from program coding D. Allof the above duties should be separated. 12. Systems development is separated from data processing activities because failure to do so ‘A. weakens database access security. B. allows programmers access to make unautivorized changes to applications during execution CC. results in inadequate documentation. D. results in master files being inad 13. Which organizational structure is most likely to result in good documentation procedures? ‘A. separate systems development from systems maintenance B. separate systems analysis from application programming C._ separate systems development from data precessi D. Separate database administrator from dats processing rently erased. 14. These control procedures relate to all computer activities A. General IT controls C. Qverall controls B. Application controls D. Pervasive IT controls 15.The purpose of this category of controls 1s to establish specific control procedures over the application systems in order to provide reasonable assurance that all transactions are authorized and recorded, and are processcc completely, accurately and on a timely basis. ‘A. General IT controls. Ci Laput controls. B. IT Application controls. D. if Processing controls 16. Which of the following is a general IT contro! thet woult most likely assist an entity whose system analysts left the entity in the middie cf a major protect? ‘A. Grandfather-father-son record retention. C. Systems and documentation. B. Input and output validation routines. D. Check digit venfication. 17. Control which are built in by the manufacturer to detect equipment failure are called: ‘A. Input controls CC. Fail-safe controls 8. Hardware controls 1D. Manufacturer's controls 18, Which of the following is the auditor’s concern regarding a distributed data processing set- up? A. Hardware controls. Systems documentation controls. * B. Access controls. Organizational controts ReSAM735-9807 / 734-3989 / (0910) 439-1326 Page 2 of 6ReSA: The Review School of Accot ar Aung Ter formation Tecmology AT-14 19. Adequate control over access to data processing is required to: Deter improper use or manipulation of data files and programs. Ensure that only console operators have access t2 program documentation. Minimize the need for backup data files. Ensure that hardware controls are operating effectively and as designed by the computer manufacturer. onp> 20.A client is concerned that a power outage or disaster could impair the computer hardware’s ability to function as designed. The client desires off-site backup hardware facilities that are fully configured and ready to operate within several hours. The client most likely should consider a A. Cold site B. Cool site C. Warm site D. Hot site 21. Which of the following procedures would an entity most likely include in its computer disaster recovery plan? A. Develop an auxiliary power supply to provide uninterrupted electricity. 8. Store duplicate copies of critical files in a location away from the computer center. C. Maintain a listing of entity passwords with the network manager. D. Translate data for storage purposes with a cryptographic secret code. 22. Which of the following controls most likely would assure that an entity can reconstruct its financial records? ‘A. Hardware controls are built into the computer by the computer manufacturer. B. Backup CDs of critical files which are stored away from originals. C. Personnel who are independent of data input perform parallel simulations. D. System flowcharts provide accurate descriptions of input and output operations. 23. Controls which are designed to assure that the information processed by the computer is valid, complete, and accurate are called ‘A. Input controls C. Output controls B. Processing controls D. General controls 24, Which input control check would detect a payment made to a nonexistent vendor? A. Check digit B. validity check C. Range check. D. Limit check. 25. The employee entered "40" in the “nours worked per day” field. Which check would detect this unintentional error? A. Signcheck 8. Validity check . Range check. D. Limit check, 26. Totals of amounts in computer-recorded data fields, which arenot usually added but are used only for data processing control purposes are called: A. Record totals C. Haas-Larzen Totals B. Hash totals D. Field totals 27. If a control total were to be computed on each of the following data items, which total would best be identified as a hash total for a payroll application processed by computer? ‘A. Net pay C. Total debits 8. Department numbers D. Hours worked 28. Run-to-run control totals can be used for ail of the following except ‘A. to ensure that all'data input is validated B. toensure that only transactions of a similar type are being processed C. to ensure the records are in sequence and are not missing D. to ensure that no transaction is omitted 29. Methods used to maintain an audit trail in a computerized environment include all of th: following except ‘A. transaction logs data encryption B._ transaction listings D. og of automatic transactions 30. One output control is known as bursting control. When output reports are removed from th> printer, they go to the bursting stage to have their pages separated and collated. > Primary control at this stage is/are: A. Collation 8. Distribution C. Supervision D. All of the choices, 31. Risk exposures associated with creating an output file as an intermediate step in the printing process (spooling) include all of the following actions by a computer criminal except gaining access to the output file and changing critical data values using a remote printer and incurring operating inefficiencies making a copy of the output file and using the copy to produce illegal output reports printing an extra hardcopy of the output file go>ReSA; The Review School of Accountancy ‘Avating Theory: Information Technology AT-14 32. The information technology (IT) system may affect: ‘A. The procedures followed by the auditor in obtaining a sufficient understanding of the accounting and internal control system. B. The consideration of inherent risk and control risk C. The auditor's design and performance of tests of contro! and substantive audit procedures. D. All of these. 33. A computer application may be considered comple in which of the following situations? ‘A. The volume of transactions 1s such that users would find it difficult to identify and correct errors in processing. 8. The computer automatically generates material transactions or entries directly to another application C. The computer performs complex computations of: financial information and/or automatically generates material transactions or entries D. Transactions are exchanged electronically with oiher organizations (1.e., EDT systems) without manual review for propriety or reascnableness. E. All of the answers. 34.Which of the following computer docurnentation would an auditor most likely utilize in obtaining an understanding of an entity's internal control structure? ‘A. System flowcharts CC. Program listings B. Record counts BD. Record layouts 35.An auditor anticipates assessing control risk at 2 low level in a computerized environment. Under these circumstances, on which of the following procedures would the auditor initially focus? ‘A. Programmed control procedures. CC. Cutput control procedures. B. Application control procedures, D. General control procedures. 36. Internal control is ineffective when computer department personnel A. Participate in computer software acquisition decisions. B. Design documentation for computerized systems. CC. Originate changes in master files. D. Provide physical security for program files. 37.To obtain evidence that user identification and password controls are functioning as designed, an auditor would most likeiy ‘A. Attempt to sign-on to the system using invalid vser identifications and passwords. B. Write a computer program that simulates the logic of the client’s access control software. C. Extract a random sample of processed transactions and ensure that the transactions were appropriately authorized D. Examine statements signed by employees stating that hey have not divulged their user identifications and password to any other person. 38.An auditor's investigation of a company’s computer control procedures has disclosed the following four circumstances. Indicate which circumstance constitutes a significant deficiency in internal contro! structure. ‘A. Computer operators do not have access to the complete software support documentation. B. Machine operators are closely superv.sed by programmers. C. Programmers do not have the authorization to operate computer equipment D. Only one generation of backup files is stored in an off-premises location 39. When evaluating IT controls, the auditor is faced with the choice of auditing around the computer or auditing through the computer. When auditing around the computer, the processing of computer applications is not itivestigated. This approach is appropriate when: A. inherent risk is assessed to be high B._ the processing logic of the program used is complex C._ the computer system is simple or uses araven commercial software 1D. most of the controls reside within the: computer application itself 40. Auditing by testing the input and output of an IT system instead of the computer program itself: ‘A. Will not detect program errors which do not shew up in the output sampled. B. Will detect all program errors, regardless of the aaiure of the output. CC. Will provide the auditor with the same type of evidence. D. Will not provide the auditor with confidence in the resi its of the auditing procedures. ReSAB735-9807 / 734-3989 / (0910) 439-1520 Page 4 of 6Jew Scho! of Aecountancy _ hurtg Teor: oration Tecnology AT-14 41. Auditing through the computer must be used when ‘A. Input transactions are batched and system logic is straight forward 7 8. Processing primarily consists of sorting the input data and updating the master file sequentially. C. Processing is primarily online and updating is real-time. D. Generalized audit software is not available. 42. An auditor most likely would test for the presence of unauthorized CIS program change by running a A. Program with test data C. Source code comparison program 8. Check digit verification program - D. Program that computes contro! totals. 43. Tests of controls in an advanced computer system A. Can be performed using only actual transactions since testing of simulated transactions is of no consequence. B. Can be performed using actual transactions or simulated transactions. C. Is impractical since many procedures within the computer activity leave no visible evidence of having been performed. D. Is inadvisable because it may distort the evidence in master files. ‘44. The application of auditing procedures using the computer as an audit tool refer to: ‘A. Integrated test facility. C. CAATS 8. Auditing around the computer. D. Information technology auditing. 45. Computer-assisted audit techniques (CAATS) may be utilized to facilitate the tests of controls in an IT system. Which of the following approaches are usually used? co A 8 + Test data approach Yes Yes No Yes * Integrated test facility (ITF) No Yes Yes No * Parallel simulation No Yes Yes Yes 46.Which of the following statements is not true of the test data approach when testing a computerized accounting system? ‘A. The test data needs to consist of only those valid and invalid conditions that interest the auditor. 8. Only one transaction of each type needs to be tested. C. The test data must consist of all possible valid arid invalid conditions. D. Test data are processed by the client's computer software under the auditor's control 47.Which of the following computer-assisted audit techniques allows fictitious and real transactions to be processed together without client-operating personnel being aware of the testing process? A. Parallel simulation. C. Mapping. B. Integrated test facility. D. Test data. 48. Using parallel simulation, __ are processed using _ é ‘A. Live transactions, live programs C. Test transactions, test programs B. Live transactions, test master file D. Live transactions, test programs 49. Lahaira, the auditor, sets an embedded audit module to flag all credit transactions in excess of (P100,000. The flag causes the system state to be recorded before and after cach transaction is processed. Lahaira is using an integrated test facility. the snapshot technique. a system control audit review file (SCARF) audit hooks. poe 50.Marian, the auditor, sets an embedded audit module to record all credit transactions excess of P100,000 and store the data in an audit log. Marian is using an integrated test facility. the snapshot technique. a system control audit review file (SCARF), audit hooks. one> 51- Carlos, the auditor, sets an embedded audit module to flag questionable online transactions Gsplay information about the transaction on the auditor's computer, and send a sect message to the auditor's cell phone. Carlos is using . an integrated test facility. the snapshot technique. 2 system control audit review file (SCARF), audit hooks. one> ReSA®735-9807 / 734-3989 / (0910) 439-1320 Page 5 of 6ReSA: The Review School of Accountancy fat Tory: Information Tecmology” AT-14 '52. An increase in the effectiveness of auditing software will have the effect of ‘A. increasing detection risk. C._ increasing control risk. B. reducing detection risk. ©. reducing control risk. 53. $1 Per PSA 402, both Type I report and Type II report cover the description and design of controls at a service organization. $2 Per PSA 402, both Type I report and Type ! controls at a service organization. A. True, false B. False, true © Ine, tree D. False, false 54. S1 Per PSAE3402, the method of dealing witit the services provided by a subservice organization can either be carve-out method cr inclusive method. S2 Per PSAE3402, a service auditor is & professional accountant in public practice who, at the request of the service organization, provides an assurance report on controls at @ service organization. A. True, false B. False, true C. True, true D. False, false 55. S1 The level of skills and knowledge required to understand the effect of e-commerce on the audit will vary with the complexity of the entity’s e-commerce activities. $2. As an entity becomes more involved with e-ccmmerce, and as its internal systems become more integrated and complex, it becomes more likely that new ways of transacting business will differ from traditional forms of business activity and will introduce new types of risks. 3 Businesses of today face the opportunities and challenges of the Fourth Industrial Revolution (Industry 4.0). A. True, true, true False, true, false B. True, false, false D. False, false, true report cover the operating effectiveness of 56. The following are the business risks relating to the entity's e-commerce activities which management faces. Which is the exception? ‘A. Loss of transaction integrity B. System availability risks C. Loss of information privacy D. Pervasive e-commerce security risks: E. None of the above 57. Per PAPS 1013, this refers to the way various IT systems are integrated with one another and thus operate, in effect, as one system. A. IT integration. C. Process alignment. B. Process integration D. System consistency. 58. It is a communication system that enables computer users to share computer equipment, application software, data and voice and video transmissions. ‘A. Network C. Chent-server system B. Shared documents system D. Electronic data interchange 59. Which of the following best describes encryption? ‘A. The electronic transmission of documents between organizations in a machine-readable form. B. The process of transforming programs and information into a form that cannot be understood without access to specific decoding algorithm: C. A combination of hardware and software that protects a WAN, LAN or PC from unauthorized access through the Internet and from the introduction of unauthorized or harmful software, data or other materia! :n electronic form. D. Acommunications network that serves users within a confined geographical area. 60. Which of the following best describes the Internet? ‘A network created to connect two or more qecgraphically separated local area networks ‘A network where multiple buildings are close enough to create a campus, but the space between the buildings is not under the control of the company A shared public network that enables communication with other entities and individuals around the world All of these properly describe the Internet p> g9 ReSA®735-9807 / 734-3989 / (0910) 439-1320 Page 6 of 6