
AT 100-20 AUDIT IN CIS ENVIRONMENT

ALDIN L. PANTALEON, CPA

Characteristics of CIS/IT Environment


1. IT has several significant effects on an organization. Which of the following would not be important from an auditing
perspective?
a. Organizational changes.
b. The visibility of information.
c. The potential for material misstatement.
d. None of the above; i.e., they are all important.

2. Which of the following would most likely be a concern for the auditors if their client moved to an electronic data
interchange (EDI) system?
a. Involvement of a computer service bureau
b. Loss of audit trail
c. Management override
d. Less accurate records

3. Which of the following is not a risk to IT systems?


a. Need for IT experienced staff
b. Separation of IT duties from accounting functions
c. Improved audit trail
d. Hardware and data vulnerability

4. Which of the following is not a risk specific to IT environments?


a. Reliance on the functioning capabilities of hardware and software.
b. Increased human involvement.
c. Loss of data due to insufficient backup.
d. Reduced segregation of duties.

5. When would manual controls likely be more effective than computer-based controls?
a. When there is a high volume of similar transactions
b. When there are large or unusual transactions
c. When monitoring the effectiveness of automated controls
d. When errors are difficult to define or anticipate

6. ______ involves implementing a new system in one part of the organization, while other locations continue to use the
current system.
a. Parallel testing
b. Online testing
c. Control testing
d. Pilot testing

7. Old and new systems operating simultaneously in all locations is a test approach known as:
a. Pilot testing.
b. Horizontal testing.
c. Integrative testing.
d. Parallel testing.

Organizational Structure in CIS/IT Environment


The typical personnel found in an IT environment are:
• EDP Manager – is responsible for overall management and administration of the IT department.
• Data Administrator – ascertains the data requirements of the various users of the information system in the organization.
• Database Administrator – is responsible for the operational efficiency and security of the organizational database.
• System Analyst – takes care of the information requirements of the users for new as well as existing applications;
designs the information system architecture to meet these requirements; facilitates implementation of information systems
and maintains documentation.
• System Programmer – is responsible for the maintenance of operating system (OS) software, network and hardware
requirements.
• Application Programmer – designs new programs and modifies existing ones to meet the data processing needs; removes
errors and improves the efficiency of the existing application software.
• Operation Specialist – plans and controls the day-to-day issues of the users of information that emerge during the
normal course of work.
• Librarian – maintains library of magnetic media and documentation.

8. Which of the following elements is not an example of an organization and management control in an information
technology (IT) environment?
a. Separation of systems analysis from computer operations
b. Separation of physical access to assets from access to related accounting records
c. Separation of initiation of a transaction from authorization of the transaction
d. Separation of storage of systems documentation from the area housing computer hardware

9. Programmers should be allowed access to:


a. User controls
b. General controls
c. Systems controls
d. Applications controls

10. Programmers should do all but which of the following?


a. Test programs for proper performance.
b. Evaluate legitimacy of transaction data input.
c. Develop flowcharts for new applications.
d. Programmers should perform each of the above.

11. Internal control is ineffective when computer personnel:


a. participate in computer software acquisition decisions.
b. design flowcharts and narratives for computerized systems.
c. originate changes in customer master files.
d. provide physical security over program files.

12. An auditor's consideration of a company's computer control activities has disclosed the following four circumstances.
Indicate which circumstance constitutes a significant deficiency in internal control.
a. Computer operators do not have access to the complete software support documentation.
b. Computer operators are closely supervised by programmers.
c. Programmers are not authorized to operate computers.
d. Only one generation of backup files is stored in an off-premise location.

Understanding the Entity’s IT Controls


13. Which of the following is least likely to be used in obtaining an understanding of client general controls?
a. Examination of system documentation
b. Inquiry of client personnel (e.g., key users)
c. Observation of transaction processing
d. Reviews of questionnaires completed by client IT personnel

14. Auditors usually obtain information about general and application controls through:
a. Interviews with IT personnel.
b. Examination of systems documentation.
c. Reading program change requests.
d. All of the above methods.

15. Adequate technical training and proficiency as an auditor encompasses an ability to understand a computer system
sufficiently to identify and evaluate
a. The processing and imparting of information.
b. Essential accounting control features.
c. All control procedures.
d. The degree to which programming conforms to the application of generally accepted accounting principles.

16. Which of the following is not a purpose of an auditor's attempt to understand internal control when a client
processes accounting information by computer?
a. Determine the extent to which the computer is used in significant accounting applications.
b. Understand the flow of transactions in the system.
c. Comprehend the basic structure of accounting control.
d. Identify the controls that can be relied on when designing substantive tests of details.

General IT Controls
17. Controls that relate to all parts of the IT system and have a pervasive effect on the operating effectiveness of
application controls are called:
a. General control
b. Systems control
c. Universal control
d. Applications control

18. Auditors usually evaluate the effectiveness of:


a. hardware controls before general controls.
b. sales-cycle controls before application controls.
c. general controls before applications controls.
d. applications controls before the control environment.

19. In considering a client's internal control structure in a computer environment, the auditor will encounter general
controls and application controls. Which of the following is an application control?
a. Organization charts.
b. Hash total.
c. Systems flowcharts.
d. Control over program changes.

20. Which of the following is not a general control?


a. The plan of organization and operation of IT activity.
b. Procedures for documenting, reviewing, and approving systems and programs.
c. Processing controls.
d. Hardware controls.

21. All of the following are pervasive computer controls except:


a. Planning and controlling the data processing function.
b. Controlling access to equipment, data, and programs.
c. Ensuring data is accessible to management on a timely basis.
d. Controlling applications development and changes to programs.

22. General controls include all of the following except:


a. Systems development.
b. Online security.
c. Input controls.
d. Hardware controls.

Application Controls
23. Controls which apply to a specific element of the system and help ensure that transactions occurred, are authorized,
and are completely and accurately recorded and processed are called:
a. User controls.
b. General controls.
c. Applications controls.
d. Systems controls.

24. Which of the following is not a category of an application control?


a. Input controls.
b. Processing controls.
c. Output controls.
d. Hardware controls.

25. Which of the following would be considered to be an application control in an information system?
a. Controls over system software acquisition
b. Controls pertaining to system access security
c. Controls pertaining to the follow-up of exception reports
d. Controls pertaining to application systems maintenance

26. Which of the following is not an application control?


a. Preprocessing authorization of sales transactions.
b. Reasonableness test for unit selling price of sale.
c. Post-processing review of sales transactions by the sales department.
d. Separation of duties between computer programmer and operators.

27. Which of the following is not an example of an applications control?


a. An equipment failure causes system downtime.
b. There is a preprocessing authorization of the sales transactions.
c. There are reasonableness tests for the unit selling price of a sale.
d. After processing, all sales transactions are reviewed by the sales department.

28. Controls which are designed to assure that the information processed by the computer is authorized, complete, and
accurate are called:
a. Input controls.
b. Processing controls.
c. Output controls.
d. General controls.

29. A company uses the account code 669 for maintenance expense. However, one of the company clerks often codes
maintenance expense as 996. The highest account code in the system is 750. What internal control in the company’s
computer program would detect this error?
a. Pre-data input check.
b. Valid-character test.
c. Sequence check.
d. Valid-code test.

30. When software or files can be accessed from online servers, users should be required to enter
a. A parity check.
b. A personal identification code.
c. A self-diagnosis test.
d. An echo check.

31. ______ controls prevent and detect errors while transaction data are processed.
a. Software
b. Application
c. Processing
d. Transaction

32. Which of the following is not a processing control?


a. Control totals.
b. Logic tests.
c. Check digits.
d. Computations tests.

33. A control feature requires the computer to send signals to the printer to activate the print mechanism for each
character. The print mechanism, just prior to printing, sends a signal back to the computer verifying that the proper print
position has been activated. This type of hardware control is referred to as a/an
a. Echo check.
b. Validity check.
c. Signal check.
d. Check digit.

34. An entity has the following invoices in a batch:


Invoice #   Product   Quantity   Unit price
201         F10       150        $ 5.00
202         G15       200        $10.00
203         H20       250        $25.00
204         K35       300        $30.00

Which of the following numbers represents the record count?
a. 1
b. 4
c. 810
d. 900

35. Output controls are not designed to assure that data generated by the computer are:
a. accurate.
b. distributed only to authorized people.
c. complete.
d. used appropriately by employees in making decisions.

36. The most important output control is:


a. distribution control, which assures that only authorized personnel receive the reports generated by the system.
b. review of data for reasonableness by someone who knows what the output should look like.
c. control totals, which are used to verify that the computer’s results are correct.
d. logic tests, which verify that no mistakes were made in processing.

37. If a control total were to be computed on each of the following data items, which would best be identified as a hash
total for a payroll IT application?
a. Gross wages earned.
b. Employee numbers.
c. Total hours worked.
d. Total debit amounts and total credit amounts.

38. Which of the following would be an appropriate number to be verified by means of a check digit?
a. Vendor number
b. Amount payable to a specific vendor
c. Amount paid to specific vendor in the current year
d. Total assets minus total liabilities

Audit Software
39. Auditors often make use of computer programs that perform routine processing functions such as sorting and
merging. These programs are made available by electronic data processing companies and others and are specifically
referred to as
a. Compiler programs.
b. Supervisory programs.
c. Utility programs.
d. User programs.

40. The audit approach in which the auditor runs his or her own program on a controlled basis to verify the client’s data
recorded in a machine language is:
a. the test data approach.
b. called auditing around the computer.
c. the generalized audit software approach.
d. the microcomputer-aided auditing approach.

Auditing through the Computer (White-box approach)


41. Which of the following would require auditing through the computer rather than auditing around the computer?
a. There are small volumes of input/output data.
b. The internal controls are not embedded in the computer system.
c. The system is complex and includes key parts of the accounting system.
d. The system was audited with computer-assisted audit techniques (CAATs) in the previous year.

42. Which of the following is not an example of a computer-assisted audit technique?


a. Integrated test data.
b. Audit modules.
c. Disk operating systems.
d. Audit hooks (tagging and tracing).

43. The auditor’s objective to determine whether the client’s computer programs can correctly handle valid and invalid
transactions as they arise is accomplished through the:
a. test data approach.
b. generalized audit software approach.
c. microcomputer-aided auditing approach.
d. generally accepted auditing standards.

44. When an auditor tests a computerized accounting system, which of the following is true of the test data approach?
a. Several transactions of each type must be tested.
b. Test data are processed by the client's computer programs under the auditor's control.
c. Test data must consist of all possible valid and invalid conditions.
d. The program tested is different from the program used throughout the year by the client.

45. The test–data method is used by auditors to test the


a. Accuracy of input data.
b. Validity of the output.
c. Procedures contained within the program.
d. Normalcy of distribution of test data.

46. To determine that user ID and password controls are functioning, an auditor would most likely:
a. attempt to sign on to the system using invalid user identifications and passwords.
b. write a computer program that simulates the logic of the client’s access control software.
c. extract a random sample of processed transactions and ensure that the transactions were appropriately authorized.
d. examine statements signed by employees stating that they have not divulged their user identifications and passwords
to any other person.

47. Assume that an auditor estimated that 10,000 checks were issued during the accounting period. If an application
control that performs a limit check for each check request is to be subjected to the auditor's test–data approach, the
sample should include:
a. Approximately 1,000 test items.
b. A number of test items determined by the auditor to be sufficient under the circumstances.
c. A number of test items determined by the auditor's reference to the appropriate sampling tables.
d. One transaction.

48. Which of the following computer-assisted auditing techniques allows fictitious and real transactions to be processed
together without client operating personnel being aware of the testing process?
a. Parallel simulation.
b. Generalized audit software programming.
c. Integrated test facility.
d. Test data approach.

49. An auditor who wishes to capture an entity's data as transactions are processed and continuously test the entity's
computerized information system most likely would use which of the following techniques?
a. Snapshot application.
b. Embedded audit module.
c. Integrated data check.
d. Test data generator.

50. Which of the following is an example of a data-oriented computer-assisted audit technique (CAAT)?
a. Integrated test facility
b. Test data
c. Generalized audit software
d. System control audit review file (SCARF)

51. Which of the following tasks is not performed by generalized audit software?
a. Footing a file
b. Evaluating statistical sample results
c. Checking for gaps in processing sequences
d. Preparing custom reports
e. All of the above tasks are performed

52. Which of the following computer-assisted auditing techniques processes client input data on a controlled program
under the auditor's control to test controls in the computer system?
a. Test data.
b. Review of program logic.
c. Integrated test facility.
d. Parallel simulation.

53. Which of the following methods of testing application controls utilizes a generalized audit software package prepared
by the auditors?
a. Parallel simulation.
b. Integrated testing facility approach.
c. Test data approach.
d. Exception report tests.

54. A hacking tool is an example of which of the following?


a. A data-oriented computer-assisted audit technique
b. An access internal control
c. A key component of a systems control audit review file
d. A system-oriented computer-assisted audit technique

Auditing around the Computer (Black-box approach)


55. Auditing by testing the input and output of a computer system--i.e., auditing "around" the computer--instead of the
computer software itself will
a. Not detect program errors that do not appear in the output sampled.
b. Detect all program errors, regardless of the nature of the output.
c. Provide the auditor with the same type of evidence.
d. Not provide the auditor with confidence in the results of the auditing procedures.

56. When auditors consider only non-IT controls in assessing control risk, it is known as:
a. The single-stage audit.
b. The test deck approach.
c. Auditing around the computer.
d. Generalized audit software (GAS).
