Professional Documents
Culture Documents
Information Accounting Systems
Information Accounting Systems
IT Governance
TRUE/FALSE
1. Corporate management (including the CEO) must certify monthly and annually their organizations internal
controls over financial reporting.
ANS: F PTS: 1
2. Both the SEC and the PCAOB require management to use the COBIT framework for assessing internal
control adequacy.
ANS: F PTS: 1
3. Both the SEC and the PCAOB require management to use the COSO framework for assessing internal
control adequacy.
ANS: F PTS: 1
4. A qualified opinion on managements assessment of internal controls over the financial reporting system
necessitates a qualified opinion on the financial statements?
ANS: F PTS: 1
5. The same internal control objectives apply to manual and computer-based information systems. ANS: T
PTS: 1
6. To fulfill the segregation of duties control objective, computer processing functions (like authorization of
credit and billing) are separated.
ANS: F PTS: 1
7. To ensure sound internal control, program coding and program processing should be separated. ANS: T
PTS: 1
8. Some systems professionals have unrestricted access to the organization's programs and data. ANS: T
PTS: 1
9. Application controls apply to a wide range of exposures that threaten the integrity of all programs
processed within the computer environment.
ANS: F PTS: 1
ANS: T PTS: 1
11. A disaster recovery plan is a comprehensive statement of all actions to be taken after a disaster. ANS: T
PTS: 1
ANS: F PTS: 1
13. Assurance services is an emerging field that goes beyond the auditors traditional attestation function.
ANS: T PTS: 1
ANS: F PTS: 1
15. External auditing is an independent appraisal function established within an organization to examine and
evaluate its activities as a service to the organization.
ANS: F PTS: 1
16. External auditors can cooperate with and use evidence gathered by internal audit departments that are
organizationally independent and that report to the Audit Committee of the Board of Directors.
ANS: T PTS: 1
17. Tests of controls determine whether the database contents fairly reflect the organization's transactions.
ANS: F PTS: 1
18. Audit risk is the probability that the auditor will render an unqualified opinion on financial statements that
are materially misstated.
ANS: T PTS: 1
19. A strong internal control system will reduce the amount of substantive testing that must be performed.
ANS: T PTS: 1
20. Substantive testing techniques provide information about the accuracy and completeness of an
application's processes.
ANS: F PTS: 1
21. The most common access point for perpetrating computer fraud is at the data collection stage. ANS: T
PTS: 1
22. Changing the Hours Worked field in an otherwise legitimate payroll transaction to increase the amount of
the paycheck is an example of data collection fraud.
ANS: T PTS: 1
23. Scavenging is a form of fraud in which the perpetrator uses a computer program to search for key terms
in a database and then steal the data.
ANS: F PTS: 1
24. Transaction cost economics (TCE) theory suggests that firms should outsource specific non core IT assets
ANS: F PTS: 1
25. Commodity IT assets easily acquired in the marketplace and should be outsourced under the core
competency theory.
ANS: F PTS: 1
MULTIPLE CHOICE
1. Which of the following is NOT an implication of section 302 of the Sarbanes-Oxley Act?
a. Auditors must determine, whether changes in internal control has, or is likely to, materially affect internal
control over financial reporting.
b. Auditors must interview management regarding significant changes in the design or operation of internal
control that occurred since the last audit.
c. Corporate management (including the CEO) must certify monthly and annually their organizations internal
controls over financial reporting.
d. Management must disclose any material changes in the companys internal controls that have occurred
during the most recent fiscal quarter.
ANS: C PTS: 1
2. Which of the following is NOT a requirement in managements report on the effectiveness of internal
controls over financial reporting?
a. A statement of managements responsibility for establishing and maintaining adequate internal control
user satisfaction.
b. A statement that the organizations internal auditors has issued an attestation report on managements
assessment of the companies internal controls.
c. A statement identifying the framework used by management to conduct their assessment of internal
controls.
d. An explicit written conclusion as to the effectiveness of internal control over financial reporting.
ANS: B PTS: 1
ANS: D PTS: 1
4.Supervision in a computerized environment is more complex than in a manual environment for all of the
following reasons except
a. rapid turnover of systems professionals complicates management's task of assessing the competence and
honesty of prospective employees
b. many systems professionals have direct and unrestricted access to the organization's programs and data
d. systems professionals and their supervisors work at the same physical location
ANS: D PTS: 1
b. unauthorized access
d. system crashes
ANS: B PTS: 1
6. Which is the most critical segregation of duties in the centralized computer services function?
a. systems development from data processing
ANS: A PTS: 1
ANS: B PTS: 1
9. All of the following are control risks associated with the distributed data processing structure except
b. system incompatibilities
c. system interdependency
ANS: C PTS: 1
10. Which of the following is not an essential feature of a disaster recovery plan?
ANS: B PTS: 1
c. empty shell
ANS: C PTS: 1
12. The major disadvantage of an empty shell solution as a second site backup is
a. the host site may be unwilling to disrupt its processing needs to process the critical applications of the
disaster stricken company
ANS: B PTS: 1
ANS: B PTS: 1
14. For most companies, which of the following is the least critical application for disaster recovery purposes?
a. month-end adjustments
b. accounts receivable
c. accounts payable
d. order entry/billing
ANS: A PTS: 1
ANS: D PTS: 1
16. Some companies separate systems analysis from programming/program maintenance. All of the
following are control weaknesses that may occur with this organizational structure except
a. systems documentation is inadequate because of pressures to begin coding a new program before
documenting the current program
b. illegal lines of code are hidden among legitimate code and a fraud is covered up for a long period of time
c. a new systems analyst has difficulty in understanding the logic of the program
d. inadequate systems documentation is prepared because this provides a sense of job security to the
programmer
ANS: C PTS: 1
17. All of the following are recommended features of a fire protection system for a computer center except
ANS: B PTS: 1
c. expressing an opinion
ANS: B PTS: 1
ANS: C PTS: 1
20. Typically, internal auditors perform all of the following tasks except
a. IT audits
ANS: D PTS: 1
21. The fundamental difference between internal and external auditing is that
a. internal auditors represent the interests of the organization and external auditors represent outsiders
b. internal auditors perform IT audits and external auditors perform financial statement audits
c. internal auditors focus on financial statement audits and external auditors focus on operational audits and
financial statement audits
d. external auditors assist internal auditors but internal auditors cannot assist external auditors
ANS: A PTS: 1
b. ensure independence
d. the statement is not true; internal auditors are not permitted to assist external auditors with financial
audits
ANS: A PTS: 1
b. The most important element in determining the level of materiality is the mathematical formula.
ANS: B PTS: 1
24. All of the following are steps in an IT audit except
a. substantive testing
b. tests of controls
c. post-audit testing
d. audit planning
ANS: C PTS: 1
25. When planning the audit, information is gathered by all of the following methods except
a. completing questionnaires
b. interviewing management
c. observing activities
c. completing questionnaires
d. observation
ANS: A PTS: 1
b. counting inventory
c. completing questionnaires
d. counting cash
ANS: C PTS: 1
a. control risk
b. legal risk
c. detection risk
d. inherent risk
ANS: B PTS: 1
a. the probability that the auditor will render an unqualified opinion on financial statements that are
materially misstated
b. associated with the unique characteristics of the business or industry of the client
c. the likelihood that the control structure is flawed because controls are either absent or inadequate to
prevent or detect errors in the accounts
d. the risk that auditors are willing to take that errors not detected or prevented by the control
ANS: C PTS: 1
30. All of the following tests of controls will provide evidence about the physical security of the computer
center except
ANS: C PTS: 1
31. All of the following tests of controls will provide evidence about the adequacy of the disaster recovery
plan except
ANS: B PTS: 1
a. In the CBIS environment, auditors gather evidence relating only to the contents of databases, not the
reliability of the computer system.
b. Conducting an audit is a systematic and logical process that applies to all forms of information systems.
ANS: B PTS: 1
b. is the likelihood that material misstatements exist in the financial statements of the firm.
c. is associated with the unique characteristics of the business or industry of the client.
d. is the likelihood that the auditor will not find material misstatements.
ANS: C PTS: 1
ANS: B PTS: 1
35. The financial statements of an organization reflect a set of management assertions about the financial
health of the business. All of the following describe types of assertions except
a. that all of the assets and equities on the balance sheet exist
b. that all employees are properly trained to carry out their assigned duties
d. that all allocated amounts such as depreciation are calculated on a systematic and rational basis ANS: B
36. PTS: 1
ANS: B PTS: 1
d. creating illegal programs that can access data files to alter, delete, or insert values
ANS: B PTS: 1
38.Segregation of duties in the computer-based information system includes
ANS: A PTS: 1
39.Computer fraud can take on many forms, including each of the following except
ANS: D
a. network management
b. systems operations
c. systems development
d. server maintenance
ANS: C
a.
b.
c.
ANS: D
a. Core competency theory argues that an organization should outsource specific core assets.
b. Core competency theory argues that an organization should focus exclusively on its core business
competencies
c. Core competency theory argues that an organization should not outsource specific commodity assets.
d. Core competency theory argues that an organization should retain certain specific non core assets in-
house.
ANS: B
b. Specific assets, while valuable to the client, are of little value to the vendor
c. Once an organization outsources its specific assets, it may not be able to return to its pre-outsource state.
d. Specific assets are of value to vendors because, once acquired, vendors can achieve economies of scale
by employing them with other clients
ANS: D
a. When management outsources their organizations IT functions, they also outsource responsibility for
internal control.
b. Once a client firm has outsourced specific IT assets, its performance becomes linked to the vendors
performance.
c. IT outsourcing may affect incongruence between a firms IT strategic planning and its business planning
functions.
d. The financial justification for IT outsourcing depends upon the vendor achieving economies of scale.
ANS: A
a. Management may outsource their organizations IT functions, but they cannot outsource their management
responsibilities for internal control.
c. The SAS 70 report, which is prepared by the outsourcers auditor, attests to the adequacy of the vendors
internal controls.
d. Auditors issue two types of SAS 70 reports: SAS 70 Type I report and SAS 70 Type II report.
ANS: C
Chap5/6?? CIS
Information Accounting Systems, 7eTest Bank, Chapter 17
Chapter 17IT Controls Part III: Systems Development, Program Changes, and Application Controls
TRUE/FALSE
1. Programs in their compiled state are very susceptible to the threat of unauthorized modification. ANS: F
2. Maintenance access to systems increases the risk that logic will be corrupted either by the accident or
intent to defraud. ANS: T
3. Source program library controls should prevent and detect unauthorized access to application programs.
ANS: T
5. Input controls are intended to detect errors in transaction data after processing. ANS: F
6. The black box approach to testing computer applications allows the auditor to explicitly review program
logic. ANS: F
7. The user test and acceptance procedure is the last point at which the user can determine the systems
acceptability prior to it going into service. ANS: T
10. In a computerized environment, all input controls are implemented after data is input. ANS: F
11. Achieving batch control objectives requires grouping similar types of input transactions (such as sales
orders) together in batches and then controlling the batches throughout data processing. ANS: T
12. The white box tests of program controls are also known as auditing through the computer. ANS: T
14. When using the test data method, the presence of multiple error messages indicates a flaw in the
preparation of test transactions. ANS: F
15. The base case system evaluation is a variation of the test data method. ANS: T
16. Tracing is a method used to verify the logical operations executed by a computer application. ANS: T
17. Generalized audit software packages are used to assist the auditor in performing substantive tests. ANS:
T
18. The results of a parallel simulation are compared to the results of a production run in order to judge the
quality of the application processes and controls. ANS: T
19. Firms with an independent internal audit staff may conduct tests of the system development life cycle on
an ongoing basis. ANS: T
20. The programmers authority table will specify the libraries a programmer may access. ANS: T
21. Use of the integrated test facility poses no threat to organizational data files. ANS: F
23. A salami fraud affects a large number of victims, but the harm to each appears to be very small. ANS: T
24. An input control that tests time card records to verify than no employee has worked more 50 hours in a
pay period is an example of a range test. ANS: F
25. The black box approach to testing computer program controls is also known as auditing around the
computer. ANS: T
MULTIPLE CHOICE
1. Which statement is not correct? The audit trail in a computerized environment
a. consists of records that are stored sequentially in an audit file
b. traces transactions from their source to their final disposition
c. is a function of the quality and integrity of the application programs
d. may take the form of pointers, indexes, and embedded keys
ANS: A
5. Which control is not a part of the source program library management system?
a. using passwords to limit access to application programs
b. assigning a test name to all programs undergoing maintenance
c. combining access to the development and maintenance test libraries
d. assigning version numbers to programs to record program modifications
ANS: C
6. Which control ensures that production files cannot be accessed without specific permission?
a. Database Management System
b. Recovery Operations Function
c. Source Program Library Management System
d. Computer Services Function
ANS: C
7. Program testing
a. involves individual modules only, not the full system
b. requires creation of meaningful test data
c. need not be repeated once the system is implemented
d. is primarily concerned with usability
ANS: B
8. The correct purchase order number,is123456. All of the following are transcription errors except
a. 1234567
b. 12345
c. 124356
d. 123454
ANS: C
10. Which statement is not correct? The goal of batch controls is to ensure that during processing
a. transactions are not omitted
b. transactions are not added
c. transactions are free from clerical errors
d. an audit trail is created
ANS: C
15. Which input control check would detect a payment made to a nonexistent vendor?
a. missing data check
b. numeric/alphabetic check
c. range check
d. validity check
ANS: D
16. Which input control check would detect a posting to the wrong customer account?
a. missing data check
b. check digit
c. reasonableness check
d. validity check
ANS: B
17. The employee entered "40" in the "hours worked per day" field. Which check would detect this
unintentional error?
a. numeric/alphabetic data check
b. sign check
c. limit check
d. missing data check
ANS: C
18. An inventory record indicates that 12 items of a specific product are on hand. A customer purchased two
of the items, but when recording the order, the data entry clerk mistakenly entered 20 items sold. Which
check could detect this error?
a. numeric/alphabetic data checks
b. limit check
c. range check
d. reasonableness check
ANS: B
20. A computer operator was in a hurry and accidentally used the wrong master file to process a transaction
file. As a result, the accounts receivable master file was erased. Which control would prevent this from
happening?
a. header label check
b. expiration date check
c. version check
d. validity check
ANS: A
21. Run-to-run control totals can be used for all of the following except
a. to ensure that all data input is validated
b. to ensure that only transactions of a similar type are being processed
c. to ensure the records are in sequence and are not missing
d. to ensure that no transaction is omitted
ANS: A
22. Methods used to maintain an audit trail in a computerized environment include all of the following except
a. transaction logs
b. Transaction Listings.
c. data encryption
d. log of automatic transactions
ANS: C
23. Risk exposures associated with creating an output file as an intermediate step in the printing process
(spooling) include all of the following actions by a computer criminal except
a. gaining access to the output file and changing critical data values
b. using a remote printer and incurring operating inefficiencies
c. making a copy of the output file and using the copy to produce illegal output reports
d. printing an extra hardcopy of the output file
ANS: B
27. Which test of controls will provide evidence that the system as originally implemented was free from
material errors and free from fraud? Review of the documentation indicates that
a. a cost-benefit analysis was conducted
b. the detailed design was an appropriate solution to the user's problem
c. tests were conducted at the individual module and total system levels prior to implementation d. problems
detected during the conversion period were corrected in the maintenance phase
ANS: C
29. When the auditor reconciles the program version numbers, which audit objective is being tested?
a. protect applications from unauthorized changes
b. ensure applications are free from error
c. protect production libraries from unauthorized access
d. ensure incompatible functions have been identified and segregated
ANS: A
30. When auditors do not rely on a detailed knowledge of the application's internal logic, they are performing
a. black box tests of program controls
b. white box tests of program controls
c. substantive testing
d. intuitive testing
ANS: A
31. All of the following concepts are associated with the black box approach to auditing computer
applications except
a. the application need not be removed from service and tested directly
b. auditors do not rely on a detailed knowledge of the application's internal logic
c. the auditor reconciles previously produced output results with production input transactions
d. this approach is used for complex transactions that receive input from many sources
ANS: D
33. When analyzing the results of the test data method, the auditor would spend the least amount of time
reviewing
a. the test transactions
b. error reports
c. updated master files
d. output reports
ANS: A
34. All of the following are advantages of the test data technique except
a. auditors need minimal computer expertise to use this method
b. this method causes minimal disruption to the firm's operations
c. the test data is easily compiled
d. the auditor obtains explicit evidence concerning application functions
ANS: C
35. All of the following are disadvantages of the test data technique except
a. the test data technique requires extensive computer expertise on the part of the auditor
b. the auditor cannot be sure that the application being tested is a copy of the current application used by
computer services personnel
c. the auditor cannot be sure that the application being tested is the same application used throughout the
entire year
d. preparation of the test data is time-consuming
ANS: A
36. All of the following statements are true about the integrated test facility (ITF) except
a. production reports are affected by ITF transactions
b. ITF databases contain "dummy" records integrated with legitimate records
c. ITF permits ongoing application auditing
d. ITF does not disrupt operations or require the intervention of computer services personnel ANS: A
38. Generalized audit software packages perform all of the following tasks except
a. recalculate data fields
b. compare files and identify differences
c. stratify statistical samples
d. analyze results and form opinions
ANS: D
TRUE/FALSE
1. In a computerized environment, the audit trail log must be printed onto paper documents. ANS: F
2. Disguising message packets to look as if they came from another user and to gain access to the hosts
network is called spooling. ANS: F
3. A formal log-on procedure is the operating systems last line of defense against unauthorized access. ANS:
F
4. Computer viruses usually spread throughout the system before being detected. ANS: T
5. A worm is software program that replicates itself in areas of idle memory until the system fails. ANS: T
7. Subschemas are used to authorize user access privileges to specific data elements. ANS: F
8. A recovery module suspends all data processing while the system reconciles its journal files against the
database. ANS: F
10. Operating system controls are of interest to system professionals but should not concern accountants
and auditors. ANS: F
11. The most frequent victims of program viruses are microcomputers. ANS: T
12. Access controls protect databases against destruction, loss or misuse through unauthorized access. ANS:
T
13. Operating system integrity is not of concern to accountants because only hardware risks are involved.
ANS: F
14. Audit trails in computerized systems are comprised of two types of audit logs: detailed logs of individual
keystrokes and event-oriented logs. ANS: T
15. In a telecommunications environment, line errors can be detected by using an echo check. ANS: T
16. Firewalls are special materials used to insulate computer facilities ANS: F
17. The message authentication code is calculated by the sender and the receiver of a data transmission.
ANS: T
18. The request-response technique should detect if a data communication transmission has been diverted.
ANS: T
19. Electronic data interchange translation software interfaces with the sending firm and the value added
network. ANS: F
20. A value added network can detect and reject transactions by unauthorized trading partners. ANS: T
21. Electronic data interchange customers may be given access to the vendor's data files. ANS: T
22. The audit trail for electronic data interchange transactions is stored on magnetic media. ANS: T
23. A firewall is a hardware partition designed to protect networks from power surges. ANS: F
24. To preserve audit trails in a computerized environment, transaction logs are permanent records of
transactions. ANS: T
25. Examining programmer authority tables for information about who has access to Data Definition
Language commands will provide evidence about who is responsible for creating subschemas. ANS: T
MULTIPLE CHOICE
2. Which of the following is considered an unintentional threat to the integrity of the operating system?
a. a hacker gaining access to the system because of a security flaw
b. a hardware flaw that causes the system to crash
c. a virus that formats the hard drive
d. the systems programmer accessing individual user files
ANS: B
3. A software program that replicates itself in areas of idle memory until the system fails is called a
a. Trojan horse
b. worm
c. logic bomb
d. none of the above
ANS: B
4. A software program that allows access to a system without going through the normal logon procedures is
called a
a. logic bomb
b. Trojan horse
c. worm
d. back door
ANS: D
5. All of the following will reduce the exposure to computer viruses except
a. install antivirus software
b. install factory-sealed application software
c. assign and control user passwords
d. install public-domain software from reputable bulletin boards
ANS: D
8. Hackers can disguise their message packets to look as if they came from an authorized user and gain
access to the hosts network using a technique called
a. spoofing.
b. spooling.
c. dual-homed.
d. screening.
ANS: A
13. All of the following are objectives of operating system control except
a. protecting the OS from users
b. protesting users from each other
c. protecting users from themselves
d. protecting the environment from users
ANS: D
14. Passwords are secret codes that users enter to gain access to systems. Security can be compromised by
all of the following except
a. failure to change passwords on a regular basis
b. using obscure passwords unknown to others
c. recording passwords in obvious places
d. selecting passwords that can be easily detected by computer criminals
ANS: B
16. Which control will not reduce the likelihood of data loss due to a line error?
a. echo check
b. encryption
c. vertical parity bit
d. horizontal parity bit
ANS: B
17. Which method will render useless data captured by unauthorized receivers?
a. echo check
b. parity bit
c. public key encryption
d. message sequencing
ANS: C
18. Which method is most likely to detect unauthorized access to the system?
a. message transaction log
b. data encryption standard
c. vertical parity check
d. request-response technique
ANS: A
19. All of the following techniques are used to validate electronic data interchange transactions except
a. value added networks can compare passwords to a valid customer file before message transmission
b. prior to converting the message, the translation software of the receiving company can compare the
password against a validation file in the firm's database
c. the recipient's application software can validate the password prior to processing
d. the recipient's application software can validate the password after the transaction has been processed
ANS: D
21. All of the following tests of controls will provide evidence that adequate computer virus control
techniques are in place and functioning except
a. verifying that only authorized software is used on company computers
b. reviewing system maintenance records
c. confirming that antivirus software is in use
d. examining the password policy including a review of the authority table
ANS: B
22. Audit objectives for the database management system include all of the following except
a. verifying that the security group monitors and reports on fault tolerance violations
b. confirming that backup procedures are adequate
c. ensuring that authorized users access only those files they need to perform their duties
d. verifying that unauthorized users cannot access data files
ANS: A
23. All of the following tests of controls will provide evidence that access to the data files is limited except
a. inspecting biometric controls
b. reconciling program version numbers
c. comparing job descriptions with access privileges stored in the authority table
d. attempting to retrieve unauthorized data via inference queries
ANS: B
24. Audit objectives for communications controls include all of the following except
a. detection and correction of message loss due to equipment failure
b. prevention and detection of illegal access to communication channels
c. procedures that render intercepted messages useless
d. all of the above
ANS: D
25. When auditors examine and test the call-back feature, they are testing which audit objective?
a. incompatible functions have been segregated
b. application programs are protected from unauthorized access
c. physical security measures are adequate to protect the organization from natural disaster
d. illegal access to the system is prevented and detected
ANS: D
26. In an electronic data interchange (EDI) environment, when the auditor compares the terms of the trading
partner agreement against the access privileges stated in the database authority table, the auditor is testing
which audit objective?
a. all EDI transactions are authorized
b. unauthorized trading partners cannot gain access to database records
c. authorized trading partners have access only to approved data
d. a complete audit trail is maintained
ANS: C
27. Audit objectives in the electronic data interchange (EDI) environment include all of the following except
a. all EDI transactions are authorized
b. unauthorized trading partners cannot gain access to database records
c. a complete audit trail of EDI transactions is maintained
d. backup procedures are in place and functioning properly
ANS: D
28. In determining whether a system is adequately protected from attacks by computer viruses, all of the
following policies are relevant except
a. the policy on the purchase of software only from reputable vendors
b. the policy that all software upgrades are checked for viruses before they are implemented
c. the policy that current versions of antivirus software should be available to all users
d. the policy that permits users to take files home to work on them
ANS: D
32. All of the following are designed to control exposures from subversive threats except
a. firewalls
b. one-time passwords
c. field interrogation
d. data encryption
ANS: C
33. Many techniques exist to reduce the likelihood and effects of data communication hardware failure. One
of these is
a. hardware access procedures
b. antivirus software
c. parity checks
d. data encryption
ANS: C
36. The database attributes that individual users have permission to access are defined in
a. operating system.
b. user manual.
c. database schema.
d. user view.
e. application listing.
ANS: D
37. An integrated group of programs that supports the applications and facilitates their access to specified
resources is called a (an)
a. operating system.
b. database management system.
c. utility system
d. facility system.
e. object system.
ANS: A
38. Transmitting numerous SYN packets to a targeted receiver, but NOT responding to an ACK, is
a. a smurf attack.
b. IP Spoofing.
c. an ACK echo attack
d. a ping attack.
e. none of the above
ANS: E