Part 1 : 03/11/17 11:54:46

Question 1 - CMA 695 4.30 - Computerized Audit Tools and Techniques

In auditing computer-based systems, the integrated test facility (ITF)

A. Is a set of specialized software routines that are designed to perform specialized audit tests and store audit
evidence.
B. Allows the auditor to assemble test transactions and run them through the computer system to test the integrity of
controls on a sample data base.
C. Uses an audit log to record transactions and data having special audit significance during regular processing runs.
D. Is a concurrent audit technique that establishes a special set of dummy master files and enters transactions to test
the programs using the dummy files during regular processing runs.

A. An integrated test facility is not a set of specialized software routines.

B. An integrated test facility involves more than just test data.

C. An integrated test facility does not use an audit log to record transactions and data having special audit significance
during regular processing runs.

D. An integrated test facility (ITF) involves the use of test data but also the creation of fictitious entities, such
as fictitious employees, fictitious vendors, fictitious products, and fictitious accounts, within the master files
of the computer system. Or alternatively, a separate, fictitious company may be used. The major difference
between test data and an ITF is that the test data in an ITF are processed along with real data, which makes it
a concurrent audit technique. No one knows that the data being processed includes these fictitious entries to
fictitious records. In this way, the auditor can be sure that the programs being checked are the same
programs as those that are being used to process the real data. The difficulty with using the ITF approach is
that the fictitious transactions have to be excluded from the normal outputs of the system in some way.
Careful planning is required to make sure that the ITF data do not become mixed in with the real data,
corrupting the real data.

Question 2 - CIA 1194 1.40 - Computerized Audit Tools and Techniques

Which of the following information systems auditing techniques processes real transaction data (or a copy of the real
data) through auditor-developed test programs?

A. Integrated test facility.
B. Mapping.
C. Parallel simulation.
D. Tracing.

A. Integrated test facility involves the use of test data and also the creation of fictitious entities (e.g., vendors,
employees) on master files.

B. Mapping is a procedure for reporting code usage within a program.

C. Parallel simulation processes real transaction data through auditor-developed test programs.

D. Tracing provides a detailed listing of the sequence of program statement execution.

Question 3 - CIA 598 1.34 - Computerized Audit Tools and Techniques

An auditor suspects that a human resources computer system contains erroneous data, such as invalid job
classifications, ages in excess of retirement age, and invalid ethnic classifications. The best approach to determine the
extent of the potential problem would be to

A. Use generalized audit software to identify all data that is not within specified parameters.
B. Use generalized audit software to select a sample of employee records. Use the sample to determine the validity of
data items and project the result to the entire system.
C. Submit test data to test the effectiveness of edit controls over the input of data.
D. Review and test access controls to ensure that access is limited to authorized individuals.

A. This is both the most effective and most efficient procedure as it provides a comprehensive analysis of the
extent that obviously incorrect data is included in the database.

B. This is a valid procedure, but given the auditor's more limited objective, the correct answer provides more
comprehensive and efficient evidence.

C. Test data would provide evidence on whether the edit controls are currently working. The concern, however, is that
data may have entered the system earlier and may be corrupted.

D. Access controls are important, but they do not address the auditor's major concern, which is to determine the extent
of the potential problem as a precursor for planning the extent to which additional audit work is necessary.

Question 4 - CIA 597 1.11 - Computerized Audit Tools and Techniques

An internal auditor becomes concerned that fraud, in the form of payments to bogus entities, may exist. Buyers, who
are responsible for all purchases for specific product lines, are able to approve expenditures up to $50,000 without any
other approval. Which of the following procedures would be most effective in addressing the internal auditor's
concerns?

A. Use generalized audit software to list all purchases over $50,000 to determine whether they were properly approved.
B. Use generalized audit software to list all major vendors by product line; select a sample of paid invoices to new
vendors and examine information indicating that services or goods were received.
C. Use generalized audit software to take a random sample of all expenditures under $50,000 to determine whether
they were properly approved.
D. Develop a "snapshot" technique to trace all transactions by suspected buyers.

A. Purchases over $50,000 must have someone else's approval other than the buyer's.

B. The auditor wants to know whether services or goods that were paid for were received. The best method to
test for this is to use generalized audit software, which will allow the auditor to effectively and efficiently
extract sample data.

C. The issue is whether the purchases were valid, not whether they were properly approved.

D. This "snapshot" technique captures data only at a certain point in time. Thus, it would not be effective in addressing
the internal auditor's concern.

Question 5 - CIA 598 1.36 - Computerized Audit Tools and Techniques

An organization uses electronic data interchange and on-line systems rather than paper-based documents for
purchase orders, receiving reports, and invoices. Which of the following audit procedures would an auditor use to
determine if invoices are paid only for goods received and at approved prices?

A. Select a monetary-unit sample of accounts payable and confirm the amounts directly with the vendors.
B. Use generalized audit software to select a sample of payments and match purchase orders, invoices, and receiving
reports stored on the computer using a common reference.
C. Select a statistical sample of major vendors and trace the amounts paid to specific invoices.
D. Use generalized audit software to identify all receipts for a particular day and trace the receiving reports to checks
issued.

A. This only provides data on whether payments agree with invoices. It does not provide data on whether the goods
were actually received.

B. This would help the auditor determine that all three pieces of data were appropriately matched before
payment.

C. This procedure only provides data on whether payments agree with invoices. It does not provide data on whether
the invoiced amounts are correct.

D. This provides data only on one day. While it matches items received with those paid, it does not provide data on
whether the billings were correct.

Question 6 - CIA 593 II.21 - Computerized Audit Tools and Techniques

Which of the following is an appropriate audit procedure that may be used to test the adequacy of application controls
over computer-based accounts payable?

A. Testing purchase transactions using a test data approach.
B. Manually comparing vendor invoice numbers with those listed on computer generated lists of accounts payable to
assess the effectiveness of computer-based sequence checks.
C. Using a computer-generated questionnaire to obtain reliable information about the accuracy and completeness of
input and update of accounts payable data from the organization's computer management personnel.
D. Observing computer library and operations area to obtain evidence to support an opinion about the security of
accounts payable data files.

A. In a test data situation, the auditor is creating a set of artificial information (there should be some items that
are incorrect and invalid in the set) and running this set of information through the system. The results are
then compared with what the results for this test data should actually be. This is a good way to test controls
because the controls should identify the incorrect and inappropriate items.

B. The vendors, not the purchasing company, generate vendor invoice checks.

C. Using a computer-generated questionnaire to obtain reliable information about the accuracy and completeness of
input and update of accounts payable data from the organization's computer management personnel is not an
appropriate audit procedure.

D. Security of accounts payable data files is a general control, not application control.

Question 7 - CIA 597 III.56 - Computerized Audit Tools and Techniques

Which of the following is one purpose of an embedded audit module?

A. Identify program code that may have been inserted for unauthorized purposes.
B. Enable continuous monitoring of transaction processing.
C. Review the contents of a specific portion of computer memory.
D. Verify the correctness of account balances on a master file.

A. Mapping can identify program code that may have been inserted for unauthorized purposes.

B. An embedded audit module is a program that sits within a larger application and monitors all transactions
for anything that meets certain criteria (for example, a certain dollar amount, the sale or purchase of a
particular item, transactions with related parties, etc.). Thus, this program enables continuous monitoring of
transaction processing.

C. The snapshot can review the contents of a specific portion of computer memory.

D. Generalized audit software can verify the correctness of account balances on a master file.

Question 8 - CIA 595 I.35 - Computerized Audit Tools and Techniques

The auditor wishes to test controls over computer program changes. The specific objective to be addressed in the
following audit step is that only authorized changes have been made to computer programs (i.e., there are no
unauthorized program changes). The organization uses an automated program library system, and the auditor obtains
copies of the table of contents of the program library system at various periods of time. The table of contents indicates
the date a change was last made to the program, the version number of the program, and the length of the program.
Which of the following audit procedures would best address the stated objective?

A. Use generalized audit software to compare the table of contents of the program library currently with an auditor copy
made previously. Compare and identify differences. Select a sample of the differences for further investigation.
B. Obtain a list of programming projects implemented by the data processing manager during the last six months. Take
a sample from the list and trace to program change authorization forms.
C. Take a sample of all program change requests. Trace the requests to proper authorization and to changes in the
program library.
D. Use generalized audit software to randomly select a sample of current applications. Trace those selected to
program change authorization forms.

A. The auditor is looking for unauthorized program changes. Thus, comparing the table of contents of the
program library with an auditor copy would identify all changes made. The auditor can then verify that all
changes made were authorized.

B. The auditor is looking for unauthorized program changes. Thus, this audit procedure would not address the stated
objective.

C. The auditor is looking for unauthorized program changes. Thus, this audit procedure would not address the stated
objective.

D. The auditor is looking for unauthorized program changes. Thus, this audit procedure would not address the stated
objective.

Question 9 - CIA 594 I.33 - Computerized Audit Tools and Techniques

Which of the tests provides the least significant information when testing for suspected fraudulent sales?

A. Tracing a sample of inventory removal slips from inventory through billing to the sales journal.
B. Confirming sales transactions with customers and investigating nonresponses.
C. Performing analytical tests of sales by comparing sales and gross margins over time.
D. Performing analysis of write-offs and sales returns, and comparing the amounts over the past several years.

A. Tracing a sample of inventory removal slips from inventory is not likely to provide evidence of fraud. It's
possible that the inventory could have been used for display or for some other purpose.

B. Confirming sales transactions with customers could detect fictitious sales.

C. Performing analytical tests of sales by comparing sales and gross margins over time could indicate fraudulent
activity.

D. Performing analysis of write-offs and sales returns could be used to detect fraudulent activity. Write-offs could be
used as a cover to commit fraud.

Question 10 - CIA 594 H8 - Computerized Audit Tools and Techniques

The greatest impact information technology has had on the audit process is

A. It is used to track personnel performance and development of audit staff.
B. It is used in the audit reporting process such as automated working paper packages.
C. It is used as a strategic tool to develop the audit plan.
D. It is used to conduct audits utilizing various computer assisted techniques.

A. See correct answer for explanation.

B. While it has changed audit documentation, it has not impacted the audit scope or test procedures.

C. Whether using information technology or not, the audit risk is the same.

D. Computer assisted techniques have had the greatest impact on the audit process. They have changed the audit
scope and test procedures, etc.

Question 11 - CMA 687 5.3 - Computerized Audit Tools and Techniques

Whether or not a real-time program contains adequate controls is most effectively determined by the use of

A. Audit software.
B. An integrated test facility.
C. A tagging routine.
D. A tracing routine.

A. Audit software enables auditors to access client data. It can select sample data from data files, check computations,
and search the data files for unusual items. It does not, however, determine whether or not a real-time program
contains adequate controls.

B. An Integrated Test Facility (ITF) is normally used to audit large computer systems that use real-time
processing. ITF involves the use of test data and the creation of fictitious entities, such as fictitious
employees, fictitious vendors, fictitious products, and fictitious accounts, either within the master files of the
computer system or as a separate, fictitious company. The test data are used to determine whether control
procedures in a particular computer application are working properly; whether the computer is processing
transactions correctly; whether all transaction files and master files are fully and correctly being updated; and
whether program changes have been made correctly. In an ITF, the test data are processed along with real
data. No one knows that the data being processed includes these fictitious entries to fictitious records. In this
way, the auditor can be sure that the programs being checked are the same programs as those that are being
used to process the real data.

C. A tagging routine is used in auditing computer systems. Through use of an embedded program routine, certain
transactions are "tagged." This tagging creates an audit data file that documents the processing of the tagged
transactions, as well as control checks on the tagged transactions. However, this would not be the most effective way
to determine whether or not a real-time program contains adequate controls.

D. A tracing routine is used in auditing computer systems. Through use of an embedded program routine, certain
transactions are electronically tagged with a tagging routine and then those transactions are traced through the system
by means of a tracing routine. However, this would not be the most effective way to determine whether or not a
real-time program contains adequate controls.

Question 12 - CIA 597 1.16 - Computerized Audit Tools and Techniques

The internal auditors for a large manufacturing company have been requested to conduct a review of the company's
production planning system. Production data, collected on personal computers (PCs) connected by a local area
network (LAN), are used for generating automatic purchases via electronic data interchange. Purchases are made
from authorized vendors based on production plans for the next month and on an authorized materials requirement
plan (MRP) which identifies the parts needed per unit of production.

The production line has experienced shutdowns because needed production parts were not on hand. Management
wants to know the cause of this problem. Which of the following audit procedures best addresses this objective?

A. Determine if access controls are sufficient to restrict the input of incorrect data into the production database.
B. Use generalized audit software to develop a complete list of the parts shortages that caused each of the production
shutdowns, and analyze this data.
C. Take a random sample of parts on hand per the personal computer databases and compare with actual parts on
hand.
D. Take a random sample of production information for selected days and trace input into the production database
maintained on the LAN.

A. Access controls are tangential to the issue. Authorized, but incorrect data, could also be the problem.

B. This procedure would establish the cause of the problem.

C. This would provide useful information, but it is not as comprehensive as the correct answer.

D. This tests only one source of the data inaccuracy, i.e., the input of production data; other sources of potential error
are ignored.

Question 13 - CIA 595 I.33 - Computerized Audit Tools and Techniques

The auditor wants to determine that the program is approving items for payment only when the purchase order,
receiving report, and vendor invoice match within the tolerable 0.5%. Assume all the following suggested audit
procedures would have been implemented to function over the proper time period. Which of the following computerized
audit procedures would provide the most persuasive evidence as to the proper operation of the program?

A. Using a test data approach at year-end by submitting mock purchase orders, vendor invoices, and receiving
quantities.
B. Using generalized audit software to take a random sample of purchase orders and tracing the selected items to the
vendor invoice and receiving document.
C. Implementing a Systems Control and Audit Review File (SCARF) audit technique, which will automatically select all
transactions when the purchase order exceeds a specific dollar limit.
D. Implementing an integrated test facility with auditor-submitted test items throughout the period under analysis.

A. Using a test data approach at year-end would only test the system at a moment in time.

B. GAS would be a proper audit procedure if the random sample also included paid vendor invoices.

C. The SCARF audit technique would not provide the most persuasive evidence as to the proper operation of the program
since it incorporates a specific dollar limit, which may or may not be within the 0.5% tolerable limit.

D. ITF is similar to the test data method, but it includes the auditor creating a false company in the records of
the client and then throughout the period creating different transactions for that company that are processed
along with the real information of the client. Thus, this procedure would provide the most persuasive evidence
as to the proper operation of the program.

Question 14 - CIA 594 3.10 - Computerized Audit Tools and Techniques

Generalized Audit Software (GAS) is designed to allow auditors to

A. Insert special audit routines into regular application programs.
B. Process test data against master files that contain real and fictitious entities.
C. Monitor the execution of application programs.
D. Select sample data from files and check computations.

A. This is an Embedded Audit Routine.

B. This is an Integrated Test Facility.

C. This is Mapping.

D. This is a function of generalized audit software.

Question 15 - CIA 595 1.64 - Computerized Audit Tools and Techniques

Auditors have learned that increased computerization has created more opportunities for computer fraud, but has also
led to the development of computer audit techniques to detect frauds. A type of fraud that has occurred in the banking
industry is a programming fraud where the programmer designs a program to calculate daily interest on savings
accounts to four decimal points. The programmer then truncates the last two digits and adds them to his or her account
balance. Which of the following computer audit techniques would be most effective in detecting this type of fraud?

A. SCARF (Systems Control and Audit Review File).
B. Parallel Simulation.
C. Snapshot.
D. Generalized audit software which selects account balances for confirmation with the depositor.

A. SCARF is an audit technique that captures unusual transactions (or transactions in excess of edit checks) that have
been submitted for processing. The auditor can later evaluate the items. It is not applicable here.

B. This method would work best because the amounts credited to each account would be compared to that
calculated by the auditor's parallel program.

C. Snapshot is a technique for tracing the processing of transactions through a system. It would not be applicable here.

D. It is doubtful that confirmation of an account balance would detect errors less than 1 cent made on a daily basis.

Question 16 - CIA 1195 1.29 - Computerized Audit Tools and Techniques

A retail company uses electronic data interchange (EDI) to order all of its merchandise. The goods are received at a
central warehouse where they are electronically scanned into the computer to determine that a purchase order had
been issued and to record the goods. The goods are price-marked at the warehouse and shipped to individual stores
within 24 to 48 hours. Inventory and accounts payable are updated when the goods are received. The company
receives an invoice electronically from the vendor. A computer program matches the invoice with the applicable
purchase order and receiving information. If the items match, the invoice is scheduled for payment and a report is
made to the treasurer. If the invoice does not match the other items within predefined ranges, a report is generated and
sent to accounts payable for further investigation. All the applicable documents are electronically marked,
cross-referenced, and retained in open files.

The auditor wants to determine whether or not the computer program is appropriately matching the purchase receipts,
and vendor invoices throughout the year. Which one of the following computerized audit techniques would be the most
efficient and effective in accomplishing this objective?

A. Use an integrated test facility throughout the year.
B. Use the SCARF (Systems Control Audit Review File) on a daily basis.
C. Use the test data method during the last quarter.
D. Use parallel simulation and apply on a monthly basis.

A. The integrated test facility would allow the auditor to submit data periodically during the year to determine
how well the program worked throughout the year.

B. The SCARF method is used to identify outliers (transactions with unusual characteristics or transactions that are
processed when they do not pass normal edit controls). It simply writes these transactions out to a file for further audit
investigation. It would not be a good technique for addressing the audit objective.

C. The test data method is limited to a point in time in which the testing is accomplished. Using it only during the last
quarter of the year would not be effective unless there was also a test of program changes.

D. Parallel simulation would not be an efficient technique because it would cause the auditor to develop a massive
parallel system.

Question 17 - CIA 1195 1.57 - Computerized Audit Tools and Techniques

Governmental auditors have been increasingly called upon to perform audits to determine whether or not individuals
are getting extra social welfare payments. One common type of welfare fraud is individuals receiving more than one
social welfare payment. This is often accomplished by filing multiple claims under multiple names, but using the same
address. Which of the following computer audit tools and techniques would be most helpful in identifying the existence
of this type of fraud?

A. Generalized audit software.
B. Tagging and tracing.
C. Integrated test facility.
D. Spreadsheet analysis.

A. Generalized audit software could be used to develop a list of multiple recipients at one address. The list
could then be investigated further to determine the possibility of fraud.

B. Tagging and tracing is most effective to determine that items properly submitted are processed correctly.

C. The ITF is most effective to determine that items properly submitted are processed correctly.

D. This would not be the most effective technique.

Question 18 - CIA 597 3.66 - Computerized Audit Tools and Techniques

Which of the following is a disadvantage of using an integrated test facility (ITF) when auditing a computer application?

A. The ITF technique cannot be used with simulated master file records during application testing.
B. The ITF may be useful in verifying the correctness of account balances, but not in determining the presence of
processing controls.
C. The test data must be processed by information technology staff with substantial technical skills.
D. The test transactions could enter the live data environment.

A. The ITF technique can be used for both system development and application testing.

B. The ITF is utilized to test programs in operation, including the presence of processing controls.

C. Minimal technical skill is required to process test data when using an ITF.

D. An acknowledged risk of using the ITF is the contamination of live master files.

Question 19 - CIA 597 1.35 - Computerized Audit Tools and Techniques

An auditor wants to determine the extent to which invalid data could be contained in a human-resources computer
system. Examples would be an invalid job classification, age in excess of retirement age, or an invalid ethnic
classification. The best approach to determine the extent of the potential problem would be to

A. Use generalized audit software to develop a detailed report of all data outside specified parameters.
B. Review and test access controls to ensure that access is limited to authorized individuals.
C. Submit test data to test the effectiveness of edit controls over the input of data.
D. Use generalized audit software to select a sample of employees. Use the sample to determine the validity of data
items and project the result to the population as a whole.

A. This is both the most effective and most efficient procedure as it provides a comprehensive analysis of the
extent that obviously incorrect data is included in the database.

B. Access controls are important, but they do not address the auditor's major concern, which is to determine the extent
of the potential problem as a precursor for planning the extent to which additional audit work is necessary.

C. Test data would provide evidence on whether the edit controls are currently working. The concern, however, is that
data may have entered the system earlier and may be corrupted.

D. This is a valid procedure, but given the auditor's more limited objective, the correct choice provides more
comprehensive and efficient evidence.

Question 20 - CIA 1191 I.16 - Computerized Audit Tools and Techniques

When testing the year end balance for trade accounts payable, the use of a software package to identify unauthorized
vendors in a vendor database is most valuable in developing tests to determine

A. Existence of valid recorded liabilities.
B. Accuracy of the receiving cutoff used.
C. Valuation of recorded transactions.
D. Ownership of the recorded payables.

A. The testing of trade accounts payable would indicate whether purchases were approved and if the recorded
liabilities are valid.

B. Testing the validity of liabilities would not help to determine the accuracy of the receiving cutoff used.

C. The review would not directly test the valuation of the recorded transactions.

D. Assets are owned and liabilities are owed.

Question 21 - CIA 593 II.27 - Computerized Audit Tools and Techniques

The accountant who prepared a spreadsheet model for workload forecasting left the company, and the accountant's
successor was unable to understand how to use the spreadsheet. The best control for preventing such situations from
occurring is to ensure that

A. End-user computing efforts are consistent with strategic plans.
B. Adequate backups are made for spreadsheet models.
C. Documentation standards exist and are followed.
D. Use of end-user computing resources is monitored.

A. Deciding whether end-user computing efforts are consistent with strategic plans would be part of the evaluation
process.

B. Having adequate backup for the spreadsheet models is necessary, but it will not help the accountant understand
how to use the spreadsheets.

C. Program documentation is part of the system design and development. Program documentation is the
process of writing all of the manuals, forms and other materials that will be needed by the users and
maintenance people. Thus, the best way to prevent the situation from occurring is to ensure that
documentation standards exist and are followed.

D. Monitoring the use of end-user computing resources would be part of the control process.

Question 22 - CIA 597 1.36 - Computerized Audit Tools and Techniques

An organization uses electronic data interchange (EDI) and online systems rather than paper-based documents for
purchase orders, receiving reports, and invoices. Which of the following audit procedures would an auditor use to
determine if invoices are paid only for goods received and at approved prices?

A. Take a monetary-unit sample of accounts payable and confirm the amounts directly with the vendors.
B. Use generalized audit software to identify all receipts for a particular day and trace the receiving reports to checks
issued.
C. Use generalized audit software to select a sample of payments and match purchase order, invoice, and receiving
reports stored on the computer using a common reference.
D. Using a statistical sample of major vendors, trace the amounts paid to specific invoices.

A. This procedure would only test whether payments agree with invoices.

B. This procedure would provide data only for one day's worth of transactions, but it would not test whether billings are
actually correct.

C. The audit trail should allow the auditor to verify that payments are supported by purchase orders, vendor
invoices, and receiving reports in manual or electronic form.

D. This procedure would provide data only on whether payments agree with invoices. It would not provide data on
whether the invoiced amounts are correct.

Question 23 - CIA 1194 1.36 - Computerized Audit Tools and Techniques

Many public utility companies operate complex customer service systems (CSS) to manage their customer service
function. CSS operate in an on-line, real-time environment, which allows customer service data to be directly entered
on-line from customer telephone calls. Which of the following EDP auditing techniques provides the auditor with the
capability to continuously monitor customer service data which are collected from telephone calls in a CSS?

A. Generalized audit software.
B. Embedded audit data collection.
C. Integrated test facility (ITF).
D. Control flowcharting.

A. Generalized audit software can be used for data collection, but operates independently -- and thus not continuously
-- from an application.

B. Embedded audit data collection provides the auditor with the capability to continuously monitor the
operation of an application.

C. ITF is used to test programs, not to collect data.

D. Control flowcharting is developed to document and/or review the controls in an application system.

(c) HOCK international, page 11