Auditing in A CIS Envinronment Mid Term With Solution
I. In all cases, accounting firms could not provide advisory services or non-audit services after the passage of SOX.
II. An internal audit is typically conducted by auditors who work for the organization, but this task may not be outsourced to other organizations.
a. Both I and II
b. I only
c. II only
d. Both statements are false.
10. Which of the following statements are true?
I. In small organizations that lack sufficient personnel, management must compensate for the absence of segregation controls with close supervision.
II. Segregation of incompatible tasks should be physical as well as organizational.
a. Both I and II
b. I only
c. II only
d. Both statements are false.
11. Auditing standards differ from auditing procedures in that procedures relate to
a. Measure of performance.
b. Audit principles.
c. Acts to be performed.
d. Audit judgments.
12. The first general standard of generally accepted auditing standards, which states, in part, that the examination is to be performed by a person or persons having adequate technical training, requires that an auditor have
a. Education and experience in the field of auditing.
b. Ability in the planning and supervision of the audit work.
c. Proficiency in business and financial matters.
d. Knowledge in the areas of financial accounting.
13. The first standard of field work, which states that the work is to be adequately planned, and assistants, if any, are to be properly supervised, recognizes that
a. Early appointment of the auditor is advantageous to the auditor and the client.
b. Acceptance of an audit engagement after the close of the client's fiscal year is generally not permissible.
c. Appointment of the auditor subsequent to the physical count of inventories requires a disclaimer of opinion.
d. Performance of substantial parts of the examination is necessary at interim dates.
14. Which of the following best describes the reason why an independent auditor reports on financial statements?
a. A management fraud may exist and is more likely to be detected by independent auditors.
b. Different interests may exist between the company preparing the statements and the persons using the statements.
c. A misstatement of account balances may exist and is generally corrected as the result of the independent auditor's work.
d. Poorly designed internal control may exist.
15. What is the general character of the three generally accepted auditing standards classified as general standards?
a. Criteria for content of the F/S and the auditor's report.
b. Criteria of audit planning and supervision and evidence gathering.
c. The need to maintain an independence in mental attitude in all matters relating to the assignments.
d. Criteria for competence, independence and professional care of individuals performing the audit.
17. The definition of internal control developed by the Committee of Sponsoring Organizations (COSO) and included in the professional standards includes the reliability of financial reporting, the effectiveness and efficiency of operations and
a. Compliance with applicable laws and regulations.
b. Effectiveness of prevention of fraudulent occurrences.
c. Safeguarding of entity assets.
d. Incorporation of ethical business practice standards.
18. Which of the following is not a factor included in the control environment?
a. Integrity and ethical values.
b. Risk assessment.
c. Commitment to competence.
d. Organizational structure.
20. Which statement is correct concerning the definition of internal control developed by the Committee of Sponsoring Organizations (COSO)?
a. Its applicability is largely limited to internal auditing applications.
b. It is recognized in the Statement on Auditing Standards.
c. It emphasizes the effectiveness and efficiency of operations rather than the reliability of financial reporting.
d. It suggests that it is important to view internal control as an end product as contrasted to a process or means to obtain an end.
21. The independent auditor selects several transactions in each functional area and traces them through the entire system, paying special attention to evidence about whether or not the control features are in operation. This is an example of a
a. Control test.
b. Tests of controls.
c. Substantive test.
d. Functional test.
22. Which of the following most likely would give the most assurance concerning the valuation assertion of accounts receivable?
a. Tracing amounts in the subsidiary ledger to details on shipping documents.
b. Comparing receivable turnover ratios to industry statistics for reasonableness.
c. Inquiring about receivables pledged under loan agreements.
d. Assessing the reasonableness of the allowance for doubtful accounts.
23. In auditing accounts payable, an auditor's procedures most likely would focus primarily on management's assertion of
a. Existence or occurrence.
b. Presentation and disclosure.
c. Completeness.
d. Valuation or allocation.
24. Which of the following is an inherent limitation in internal control?
a. Incompatible duties.
b. Lack of segregation of duties.
c. Faulty human judgment.
d. Lack of an audit committee.
28. Which recent federal law was developed and passed by U.S. lawmakers in reaction to the recent financial frauds such as Enron, WorldCom, and others?
a. Foreign Corrupt Practices Act
b. Security and Exchange Commission Act
c. Sarbanes–Oxley Act
d. Computer Fraud and Abuse Act
32. Which of the following disaster recovery techniques may be least optimal in the case of a disaster?
a. Empty shell
b. Mutual aid pact
c. Internally provided backup
d. They are all equally beneficial
34. Which of the following disaster recovery techniques has the least risk associated with it?
a. Empty shell
b. Internally provided backup
c. ROC
d. They are all equally risky
35. Which of the following is not a potential threat to computer hardware and peripherals?
a. Carbon dioxide fire extinguishers
b. Low humidity
c. Water sprinkler fire extinguishers
d. High humidity
39. Which of the following would strengthen organizational control over a large-scale data processing center?
a. Having the database administrator report to the manager of computer operations
b. Assigning maintenance responsibility to the original system designer who best knows its logic
c. Requiring the systems development group to run the applications and enter data.
d. Requiring the corporate group to establish appropriate standards and distribute them to user areas.
40. Which of the following organizational functions is not included in data processing?
a. Conversion
b. Computer operation
c. Data library
d. Data dictionary
41. To determine that user ID and password controls are functioning, an auditor would most likely:
a. Attempt to sign on to the system with invalid user identifications and passwords.
b. Write a computer program that simulates the logic of the client’s access control software.
c. Extract a random sample of processed transactions and ensure that the transactions were appropriately authorized.
d. Examine statements signed by employees stating they have not divulged their user identifications and passwords to any other person.
42. Which of the following is a computer program that appears to be legitimate but performs some illicit activity when it is run?
a. Hoax virus.
b. Logic bomb.
c. Worm.
d. Trojan horse.
44. Which of the following is a malicious program, the purpose of which is to reproduce itself throughout the network and produce a denial of service attack by excessively utilizing system resources?
a. Worm.
b. Logic bomb.
c. Trojan horse.
d. Virus.
45. Which of the following risks is not greater in an EDI environment than in a manual system using paper transactions?
a. Inadequate backup and recovery capabilities.
b. Duplicate transaction processing.
c. Unauthorized access and activity.
d. Higher cost per transaction.
46. An overall description of a database, including the names of data elements, their characteristics, and their relationship to each other would be defined by using a:
a. Data command interpreter language.
b. Data manipulation language.
c. Data definition language.
d. Data control language.
49. Which of the following statements are correct regarding the internet as a commercially viable network?
I. Organizations must use firewalls if they wish to maintain security over internal data.
II. Companies must apply to the Internet to gain permission to create a Home Page to engage in electronic commerce.
III. Companies that wish to engage in electronic commerce on the Internet must meet required security standards established by the coalition of Internet providers.
a. I and III.
b. II only.
c. III only.
d. I only.
50. Encryption protection is least likely to be used in which of the following situations?
a. When transactions are transmitted over local area networks.
b. When wire transfers are made between banks.
c. When financial data are sent over dedicated, leased lines.
d. When confidential data are sent by satellite transmission.
51. Passwords for personal computer software programs are designed to prevent
a. Incomplete updating of data files.
b. Unauthorized use of software.
c. Inaccurate processing of data.
d. Unauthorized access to the computer.
53. There are several kinds of hardware and software for connecting devices within a network and for connecting different networks to each other. The kind of connection often used to connect similar networks is a:
a. Wiring concentrator.
b. Router.
c. Bridge.
d. Gateway.
54. Query facilities for a database system would most likely include all of the following, except:
a. A data validity checker.
b. A query-by-example interface.
c. Data dictionary access.
d. Graphical output capability.
55. A company with several hundred stores has a network for the stores to transmit sales data to headquarters. In order to accommodate the large volume of transmission, large stores have their own satellite receiving/transmitting stations. Small stores use leased lines. The information systems and audit directors agreed on the need to maintain the security and integrity of transmissions and the data they represent. The best means of ensuring the confidentiality of satellite transmissions would be:
a. Cyclic redundancy checks.
b. Virtual private network.
c. Encryption.
d. Firewall.
56. A department store company with stores in 11 cities is planning to install a network so that stores can transmit daily sales by item to headquarters and store salespeople can fill customer orders from merchandise held at the nearest store. Management believes that having daily sales statistics will permit better inventory management than is the case now with weekly deliveries of sales reports on paper. Salespeople have been asking about online inventory availability as a way to retain the customers that now go to another company's stores when merchandise is not available. The planning committee anticipates many more applications, so that in a short time the network would be used at or near its capacity.
The best kind of network for this application is:
58. An insurance firm uses a WAN to allow agents away from the home office to obtain current rates and client information and to submit approved claims using notebook computers and dial-in modems. In this situation, which of the following methods would provide the best security?
a. Dedicated phone lines.
b. Call-back features.
c. Frequent changes of user IDs and passwords.
d. End-to-end data encryption.
59. In addition to controls over access, processing, program changes and other functions, a computerized system needs to establish an audit trail of information. Which of the following would generally not be included in an audit trail log designed to summarize unauthorized system access attempts?
a. A list of authorized users.
b. The terminal used to make the attempt.
c. The data in the program sought.
d. The type of event or transaction attempted.
60. A company uses a local area network (LAN) to connect its four city-area sales offices to the headquarters office. Sales information such as credit approval and other customer information, prices, account information, etc. is maintained at headquarters. This office also houses the inventory and shipping functions. Each area office is connected to the headquarters' office computer, and messages/information between the area offices pass through the headquarters' computer. This communication configuration allows for real-time confirmations of shipments as well as billing and account status. The LAN described above is an example of which of the following LAN topologies?
a. Ring.
b. Hierarchical.
c. Fully interconnected.
d. Star.
61. Which of the following operating procedures increases an organization’s exposure to computer viruses?
a. Frequent backup of files.
b. Encryption of data files.
c. Downloading public-domain software from websites.
d. Installing original copies of purchased software on hard disk drives.
62. An assault on a Web server to prevent it from serving its legitimate users is particularly devastating. Which of the following is the most difficult to counter?
a. DDoS
b. DoS
c. Smurf attack
d. SYN flood attack
63. Involves the receiver of the message returning the message to the sender.
a. Request-response technique
b. Call-back devices
c. Echo check
d. None of the above.
64. Hackers can disguise their message packets to look as if they came from an authorized user and gain access to the host's network using a technique called
a. Spoofing
b. Dual-homed
c. IP spooling
d. Screening
66. This is the lowest level of the database and the only level that exists in physical form.
a. Physical view
b. Database table
c. Physical database
d. Schema
71. Which of the following should not be the responsibility of a database administrator?
a. Develop applications to access the database.
b. Monitor and improve the efficiency of the database.
c. Protect the database and its software.
d. Design the content and organization of the database.
72. What language interface would a database administrator use to establish the structure of database tables?
a. Data control language.
b. Data manipulation language.
c. Data query language.
d. Data definition language.
73. To trace data through several application programs, an auditor needs to know what programs use the data, which files contain the data, and which printed reports display the data. If data exist only in a database system, the auditor could probably find all of this information in a
a. Database authorization table.
b. Data dictionary.
c. Data encryptor.
d. Database schema.
75. For those instances where individual users may be granted summary and statistical query access to confidential data to which they normally are denied access, which type of control is most suitable?
a. User-defined procedure.
b. Inference controls.
c. Data encryption.
d. Biometric devices.
77. Data can be corrupted and destroyed by malicious acts by external hackers, disk failure, program error, and other causes. To recover from such events, organizations must provide backup copies of critical files. Which of the following is not a flat-file backup control?
a. GPC backup technique.
b. Checkpoint feature.
c. Direct access file backup.
d. Off-site storage.
79. A database language concerned with the definition of the whole database structure and schema is:
a. Data control language.
b. Data manipulation language.
c. Data definition language.
d. Data dictionary.