34.

Which of the following is likely to be of least importance to an

auditor in reviewing the internal control in a company with a CBIS?

a. The segregation of duties within the data processing center.

b. The control over source documents. c. The documentation

maintained for accounting applications.

d. The cost/benefit ratio of data processing operations.

ANSWER: D

35. For the accounting system of Acme Company, the amounts of

cash disbursements entered into an CBIS terminal are transmitted
to the computer that immediately transmits the amounts back to
the terminal for display on the terminal screen. This display enables
the operator to

a. Establish the validity of the account number. b. Verify the amount

was entered accurately. c. Verify the authorization of the
disbursement. d. Prevent the overpayment of the account.

ANSWER: B

36. Which of the following audit techniques most likely would

provide an auditor with the most assurance about the effectiveness
of the operation of an internal control procedure?

a. Inquiry of client personnel. b. Recomputation of account balance

amounts. c. Observation of client personnel. d. Confirmation with
outside parties.

ANSWER: C

37. Adequate technical training and proficiency as an auditor

encompasses an ability to understand a CBIS sufficiently to identify
and evaluate

a. The processing and imparting of information. b. Essential

accounting control features. c. All accounting control features. d.
The degree to which programming conforms with application of
generally accepted accounting principles.

ANSWER: B

38. Which of the following is not a major reason why an accounting

audit trail should be maintained for a computer system?

a. Query answering. b. Deterrent to fraud.

c. Monitoring purposes. d. Analytical review.

ANSWER: D

39. Adequate control over access to data processing is required to

a. Prevent improper use or manipulation of data files and programs.

b. Ensure that only console operators have access to program
documentation. c. Minimize the need for backup data files. d.
Ensure that hardware controls are operating effectively and as
designed by the computer manufacturer.

ANSWER: A

40. When testing a computerized accounting system, which of the

following is not true of the test data approach?

a. The test data need consist of only those valid and invalid
conditions in which the auditor is interested. b. Only one transaction
of each type need be tested. c. Test data are processed by the
client's computer programs under the auditor's control. d. The test
data must consist of all possible valid and invalid conditions.

ANSWER: D

41. In studying a client's internal controls, an auditor must be able

to distinguish between prevention controls and detection controls.
Of the following data processing controls, which is the best
detection control?
a. Use of data encryption techniques. b. Review of machine
utilization logs. c. Policy requiring password security. d. Backup and
recovery procedure.

ANSWER: B

42. Which of the following procedures is an example of auditing

"around" the computer?

a. The auditor traces adding machine tapes of sales order

batch totals to a computer printout of the sales

journal.

b. The auditor develops a set of hypothetical sales

transactions and, using the client's computer program,

enters the transactions into the system and observes

the processing flow.

c. The auditor enters hypothetical transactions into the

client's processing system during client processing of

live" data.

d. The auditor observes client personnel as they process the

biweekly payroll. The auditor is primarily concerned with computer
rejection of data that fails to meet reasonableness limits.

ANSWER: A

43. Auditing by testing the input and output of a computer-based

system instead of the computer program itself will

a. Not detect program errors which do not show up in the output

sampled. b. Detect all program errors, regardless of the nature of
the output. c. Provide the auditor with the same type of evidence. d.
Not provide the auditor with confidence in the results of the auditing
procedures.

ANSWER: A

44. Which of the following is an acknowledged risk of using test data

when auditing CBIS records?

a. The test data may not include all possible types of transactions.
b. The computer may not process a simulated transaction in the
same way it would an identical actual transaction. c. The method
cannot be used with simulated master records.

d. Test data may be useful in verifying the correctness of account

balances, but not in determining the presence of processing
controls.

ANSWER: A

45. When the auditor encounters sophisticated computer-based

systems, he or she may need to modify the audit approach. Of
the following conditions, which one is not a valid reason for
modifying the audit approach?

a. More advanced computer systems produce less

documentation, thus reducing the visibility of the

audit trail.

b. In complex comuter-based systems, computer verification

of data at the point of input replaces the manual
verification found in less sophisticated data processing
systems.

c. Integrated data processing has replaced the more traditional

separation of duties that existed in manual and batch
processing systems.

d. Real-time processing of transactions has enabled the auditor

to concentrate less on the completeness assertion.
ANSWER: D

46. If a control total were to be computed on each of the following

data items, which would best be identified as a hash total for a
payroll CBIS application?

a. Net pay. b. Department numbers. c. Hours worked. d. Total

debits and total credits.

ANSWER: B

47. In a distributed data base (DDB) environment, control tests for

access control administration can be designed which focus on

a. Reconciliation of batch control totals. b. Examination of logged

activity. c. Prohibition of random access. d. Analysis of system
generated core dumps.

ANSWER: B

48. A control to verify that the dollar amounts for all debits and
credits for incoming transactions are posted to a receivables master
file is the:

a. Generation number check. b. Master reference check. c. Hash

total. d. Control total.

ANSWER: D

49. The program flowcharting symbol representing a decision is a

a. Triangle. b. Circle. c. Rectangle. d. Diamond.

ANSWER: D

50. An update program for bank account balances calculates check

digits for account numbers. This is an example of

a. An input control. b. A file management control. c. Access control.

d. An output control.
ANSWER: A

51. CBIS controls are frequently classified as to general controls

and application controls. Which of the following is an example
of an application control?

a. Programmers may access the computer only for testing and

"debugging" programs.

b. All program changes must be fully documented and

approved by the information systems manager and the
user department authorizing the change.

c. A separate data control group is responsible for distributing

output, and also compares input and output on a test
basis.

d. In processing sales orders, the computer compares

customer and product numbers with internally stored
lists.

ANSWER: D

52. After a preliminary phase of the review of a client's CBIS

controls, an auditor may decide not to perform further tests related
to the control procedures within the CBIS portion of the client's
internal control system. Which of the following would not be a valid
reason for choosing to omit further testing?

a. The auditor wishes to further reduce assessed risk. b. The

controls duplicate operative controls existing elsewhere in the
system. c. There appear to be major weaknesses that would
preclude reliance on the stated procedures. d. The time and dollar
costs of testing exceed the time and dollar savings in substantive
testing if the controls are tested for compliance.

ANSWER: A

53. For good internal control over computer program changes, a

policy should be established requiring that
a. The programmer designing the change adequately test the
revised program. b. All program changes be supervised by the
CBIS control group. c. Superseded portions of programs be
deleted from the program run manual to avoid confusion. d. All
proposed changes be approved in writing by a responsible
individual.

ANSWER: D

54. Which of the following is not a technique for testing data

processing controls?

a. The auditor develops a set of payroll test data that contain

numerous errors. The auditor plans to enter these
transactions into the client's system and observe whether
the computer detects and properly responds to the error
conditions.

b. The auditor utilizes the computer to randomly select

customer accounts for confirmation.

c. The auditor creates a set of fictitious customer

accounts and introduces hypothetical sales

transactions, as well as sales returns and allowances,

simultaneously with the client's live data processing.

d. At the auditor's request, the client has modified its payroll

processing program so as to separately record any
weekly payroll entry consisting of 60 hours or more.
These separately recorded ("marked") entries are locked
into the system and are available only to the auditor.

ANSWER: B

55. Which of the following would lessen internal control in a CBIS?

a. The computer librarian maintains custody of computer program

instructions and detailed listings. b. Computer operators have
access to operator instructions and detailed program listings. c. The
control group is solely responsible for the distribution of all
computer output.

d. Computer programmers write and debug programs which

perform routines designed by the systems analyst.

ANSWER: B

56. Access control in an on-line CBIS can best be provided in most

circumstances by

a. An adequate librarianship function controlling access to files. b. A

label affixed to the outside of a file medium holder that identifies
the contents. c. Batch processing of all input through a centralized,
well-guarded facility. d. User and terminal identification controls,
such as passwords.

ANSWER: D