Chapter 08
Consideration of Internal Control in an Information Technology
Environment
1. Magnetic tape drives have the advantage of direct access to stored data.
True False
3. For good internal control, programmers should not be given access to complete program
documentation for the programs they work on.
True False
6. For auxiliary storage when the computer is operating, personal computers use hard disk
drives.
True False
9. Auditors usually begin their consideration of IT systems with tests of application controls.
True False
10. Generalized audit software may be used for substantive tests or for tests of controls.
True False
11. Which of the following procedures would an entity most likely include in its disaster
recovery plan?
A. Convert all data from external formats to an internal company format.
B. Maintain a program to prevent illegal activity.
C. Develop an auxiliary power supply to provide uninterrupted electricity.
D. Store duplicate copies of files in a location away from the computer center.
16. Which of the following is least likely to be a general control over computer activities?
A. Procedures for developing new programs and systems.
B. Requirements for system documentation.
C. A change request log.
D. A control total.
17. Which of the following computer related employees should not be allowed access to
program listings of application programs?
A. The systems analyst.
B. The programmer.
C. The operator.
D. The librarian.
19. Which of the following is most likely to include user group development and execution of
certain computer applications?
A. Telecommunication transmission systems.
B. Database administration.
C. End user computing.
D. Electronic data interchange systems.
23. Which of the following is least likely to be tested with generalized audit software?
A. An aging of accounts receivable.
B. A schedule of inventory.
C. A depreciation schedule.
D. A computer operations manual.
26. Which of the following testing techniques is more commonly used by internal auditors
than by independent auditors?
A. Integrated test facilities.
B. Test data.
C. Controlled programs.
D. Tagging and tracing transactions.
28. When conducting field work for a physical inventory, an auditor cannot perform which of
the following steps using a generalized audit software package?
A. Observing inventory.
B. Selecting sample items of inventory.
C. Analyzing data resulting from inventory.
D. Recalculating balances in inventory reports.
29. Which of the following personnel is responsible for determining the computer processing
needs of the various users?
A. The application programmer.
B. The computer operator.
C. The systems analyst.
D. The systems programmer.
30. Which of the following testing techniques minimizes the possibility that the auditors will
contaminate a client's financial records?
A. Test data.
B. Integrated test facilities.
C. Controlled programs.
D. Tagging and tracing transactions.
32. The best method of achieving internal control over advanced IT systems is through the use
of:
A. Batch controls.
B. Controls written into the computer system.
C. Equipment controls.
D. Documentation controls.
33. Which of the following personnel is responsible for the proper functioning of the security
features built into the operating system?
A. The systems programmer.
B. The application programmer.
C. The computer operator.
D. The telecommunications specialist.
36. A system in which the end user is responsible for the development and execution of the
computer application that he or she uses is referred to as:
A. Laptop computing.
B. End-user computing.
C. Distributed computing.
D. Decentralized computing.
38. When designing the physical layout of a data processing center, which of the following
would be least likely to be a necessary control that is considered?
A. Design of controls to restrict access.
B. Adequate physical layout space for the operating system.
C. Inclusion of an adequate power supply system with surge protection.
D. Consideration of risks related to other uses of electricity in the area.
43. Which of the following computer system risks would be increased by the installation of a
database system?
A. Programming errors.
B. Data entry errors.
C. Improper data access.
D. Loss of power.
45. Auditing by testing the input and output of a computer system instead of the computer
program itself will:
A. Not detect program errors which do not show up in the output sampled.
B. Detect all program errors, regardless of the nature of the output.
C. Provide the auditors with the same type of evidence.
D. Not provide the auditors with the confidence in the results of the auditing procedures.
46. If a control total were to be computed on each of the following data items, which would
best be identified as a hash total for a payroll computer application?
A. Net pay.
B. Department numbers.
C. Hours worked.
D. Total debits and total credits.
47. Smith Corporation has numerous customers. A customer file is kept on disk storage. Each
account in the customer file contains name, address, credit limit, and account balance. The
auditor wishes to test this file to determine whether credit limits are being exceeded. The best
procedure for the auditor to follow would be to:
A. Develop test data that would cause some account balance to exceed the credit limit and
determine if the system properly detects such situations.
B. Develop a program to compare credit limits with account balances and print out the details
of any account with a balance exceeding its credit limit.
C. Require a printout of all account balances so they can be manually checked against the
credit limits.
D. Request a printout of a sample of account balances so they can be individually checked
against the credit limits.
48. In their consideration of a client's IT controls, the auditors will encounter general controls
and application controls. Which of the following is an application control?
A. The operations manual.
B. Hash total.
C. Systems documentation.
D. Control over program changes.
49. When erroneous data are detected by computer program controls, such data may be
excluded from processing and printed on an exception report. The exception report should
most probably be reviewed and followed up on by the:
A. Supervisor of computer operations.
B. Systems analyst.
C. Data control group.
D. Computer programmer.
50. The purpose of using generalized computer programs is to test and analyze a client's
computer:
A. Systems.
B. Equipment.
C. Records.
D. Processing logic.
51. An auditor may decide not to perform tests of controls related to the control activities
within the computer portion of the client's internal control. Which of the following would not
be a valid reason for choosing to omit such tests?
A. The controls duplicate operative controls existing elsewhere.
B. There appear to be major weaknesses that would preclude reliance on the stated procedure.
C. The time and dollar costs of testing exceed the time and dollar savings in substantive
testing if the tests show the controls to be operative.
D. The controls appear adequate.
52. A control feature in a computer system requires the central processing unit (CPU) to send
signals to the printer to activate the print mechanism for each character. The print mechanism,
just prior to printing, sends a signal back to the CPU verifying that the proper print position
has been activated. This type of data transmission is referred to as:
A. Echo control.
B. Validity control.
C. Signal control.
D. Check digit control.
57. In the weekly computer run to prepare payroll checks, a check was printed for an
employee who had been terminated the previous week. Which of the following controls, if
properly utilized, would have been most effective in preventing the error or ensuring its
prompt detection?
A. A control total for hours worked, prepared from time cards collected by the timekeeping
department.
B. Requiring the treasurer's office to account for the numbers of the prenumbered checks
issued to the computer department for the processing of the payroll.
C. Use of a check digit for employee numbers.
D. Use of a header label for the payroll input sheet.
58. A company's labor distribution report requires extensive corrections each month because
of labor hours charged to inactive jobs. Which of the following data processing input controls
appears to be missing?
A. Completeness test.
B. Validity test.
C. Limit test.
D. Control total.
Essay Questions
62. Many auditors use generalized audit software to assist them in the examination of clients'
computer records.
a. Describe what is meant by generalized audit software.
b. List two advantages of the use of generalized audit software.
c. List three functions that may be performed with this type of software.
63. Auditors are now faced with examining clients that have database systems.
a. Describe a database system, including its major advantage.
b. Identify policies and procedures that may be established to provide control over that aspect
over a database system.
64. Various characteristics of IT systems can present special audit risks. Explain each of the
following characteristics of an IT system and the special audit risks that they present.
a. Data base system.
b. Distributive data processing.
c. End user computing.
1. Magnetic tape drives have the advantage of direct access to stored data.
FALSE
Difficulty: Medium
Difficulty: Medium
3. For good internal control, programmers should not be given access to complete program
documentation for the programs they work on.
FALSE
Difficulty: Medium
Difficulty: Medium
Difficulty: Medium
6. For auxiliary storage when the computer is operating, personal computers use hard disk
drives.
TRUE
Difficulty: Medium
Difficulty: Easy
Difficulty: Medium
9. Auditors usually begin their consideration of IT systems with tests of application controls.
FALSE
Difficulty: Hard
10. Generalized audit software may be used for substantive tests or for tests of controls.
TRUE
Difficulty: Medium
11. Which of the following procedures would an entity most likely include in its disaster
recovery plan?
A. Convert all data from external formats to an internal company format.
B. Maintain a program to prevent illegal activity.
C. Develop an auxiliary power supply to provide uninterrupted electricity.
D. Store duplicate copies of files in a location away from the computer center.
Difficulty: Medium
Source: AICPA
Difficulty: Hard
Difficulty: Hard
Difficulty: Easy
Source: AICPA
Difficulty: Easy
16. Which of the following is least likely to be a general control over computer activities?
A. Procedures for developing new programs and systems.
B. Requirements for system documentation.
C. A change request log.
D. A control total.
Difficulty: Medium
17. Which of the following computer related employees should not be allowed access to
program listings of application programs?
A. The systems analyst.
B. The programmer.
C. The operator.
D. The librarian.
Difficulty: Hard
Difficulty: Medium
19. Which of the following is most likely to include user group development and execution of
certain computer applications?
A. Telecommunication transmission systems.
B. Database administration.
C. End user computing.
D. Electronic data interchange systems.
Difficulty: Medium
Difficulty: Medium
Difficulty: Medium
Difficulty: Medium
23. Which of the following is least likely to be tested with generalized audit software?
A. An aging of accounts receivable.
B. A schedule of inventory.
C. A depreciation schedule.
D. A computer operations manual.
Difficulty: Easy
Difficulty: Medium
Difficulty: Easy
26. Which of the following testing techniques is more commonly used by internal auditors
than by independent auditors?
A. Integrated test facilities.
B. Test data.
C. Controlled programs.
D. Tagging and tracing transactions.
Difficulty: Medium
Difficulty: Medium
28. When conducting field work for a physical inventory, an auditor cannot perform which of
the following steps using a generalized audit software package?
A. Observing inventory.
B. Selecting sample items of inventory.
C. Analyzing data resulting from inventory.
D. Recalculating balances in inventory reports.
Difficulty: Medium
Source: AICPA
29. Which of the following personnel is responsible for determining the computer processing
needs of the various users?
A. The application programmer.
B. The computer operator.
C. The systems analyst.
D. The systems programmer.
Difficulty: Medium
30. Which of the following testing techniques minimizes the possibility that the auditors will
contaminate a client's financial records?
A. Test data.
B. Integrated test facilities.
C. Controlled programs.
D. Tagging and tracing transactions.
Difficulty: Hard
Difficulty: Medium
32. The best method of achieving internal control over advanced IT systems is through the use
of:
A. Batch controls.
B. Controls written into the computer system.
C. Equipment controls.
D. Documentation controls.
Difficulty: Hard
33. Which of the following personnel is responsible for the proper functioning of the security
features built into the operating system?
A. The systems programmer.
B. The application programmer.
C. The computer operator.
D. The telecommunications specialist.
Difficulty: Hard
Difficulty: Medium
Difficulty: Medium
36. A system in which the end user is responsible for the development and execution of the
computer application that he or she uses is referred to as:
A. Laptop computing.
B. End-user computing.
C. Distributed computing.
D. Decentralized computing.
Difficulty: Easy
Difficulty: Medium
38. When designing the physical layout of a data processing center, which of the following
would be least likely to be a necessary control that is considered?
A. Design of controls to restrict access.
B. Adequate physical layout space for the operating system.
C. Inclusion of an adequate power supply system with surge protection.
D. Consideration of risks related to other uses of electricity in the area.
Difficulty: Medium
Difficulty: Hard
Difficulty: Medium
Difficulty: Medium
Difficulty: Medium
Source: IIA
43. Which of the following computer system risks would be increased by the installation of a
database system?
A. Programming errors.
B. Data entry errors.
C. Improper data access.
D. Loss of power.
Difficulty: Hard
Source: IIA
Difficulty: Medium
Source: IIA
45. Auditing by testing the input and output of a computer system instead of the computer
program itself will:
A. Not detect program errors which do not show up in the output sampled.
B. Detect all program errors, regardless of the nature of the output.
C. Provide the auditors with the same type of evidence.
D. Not provide the auditors with the confidence in the results of the auditing procedures.
Difficulty: Medium
Source: AICPA
46. If a control total were to be computed on each of the following data items, which would
best be identified as a hash total for a payroll computer application?
A. Net pay.
B. Department numbers.
C. Hours worked.
D. Total debits and total credits.
Difficulty: Medium
Source: AICPA
47. Smith Corporation has numerous customers. A customer file is kept on disk storage. Each
account in the customer file contains name, address, credit limit, and account balance. The
auditor wishes to test this file to determine whether credit limits are being exceeded. The best
procedure for the auditor to follow would be to:
A. Develop test data that would cause some account balance to exceed the credit limit and
determine if the system properly detects such situations.
B. Develop a program to compare credit limits with account balances and print out the details
of any account with a balance exceeding its credit limit.
C. Require a printout of all account balances so they can be manually checked against the
credit limits.
D. Request a printout of a sample of account balances so they can be individually checked
against the credit limits.
Difficulty: Medium
Source: AICPA
48. In their consideration of a client's IT controls, the auditors will encounter general controls
and application controls. Which of the following is an application control?
A. The operations manual.
B. Hash total.
C. Systems documentation.
D. Control over program changes.
Difficulty: Hard
Source: AICPA
49. When erroneous data are detected by computer program controls, such data may be
excluded from processing and printed on an exception report. The exception report should
most probably be reviewed and followed up on by the:
A. Supervisor of computer operations.
B. Systems analyst.
C. Data control group.
D. Computer programmer.
Difficulty: Medium
Source: AICPA
50. The purpose of using generalized computer programs is to test and analyze a client's
computer:
A. Systems.
B. Equipment.
C. Records.
D. Processing logic.
Difficulty: Hard
Source: AICPA
51. An auditor may decide not to perform tests of controls related to the control activities
within the computer portion of the client's internal control. Which of the following would not
be a valid reason for choosing to omit such tests?
A. The controls duplicate operative controls existing elsewhere.
B. There appear to be major weaknesses that would preclude reliance on the stated procedure.
C. The time and dollar costs of testing exceed the time and dollar savings in substantive
testing if the tests show the controls to be operative.
D. The controls appear adequate.
Difficulty: Medium
Source: AICPA
52. A control feature in a computer system requires the central processing unit (CPU) to send
signals to the printer to activate the print mechanism for each character. The print mechanism,
just prior to printing, sends a signal back to the CPU verifying that the proper print position
has been activated. This type of data transmission is referred to as:
A. Echo control.
B. Validity control.
C. Signal control.
D. Check digit control.
Difficulty: Easy
Source: AICPA
Difficulty: Medium
Source: AICPA
Difficulty: Medium
Source: AICPA
Difficulty: Medium
Source: AICPA
Difficulty: Easy
Source: AICPA
57. In the weekly computer run to prepare payroll checks, a check was printed for an
employee who had been terminated the previous week. Which of the following controls, if
properly utilized, would have been most effective in preventing the error or ensuring its
prompt detection?
A. A control total for hours worked, prepared from time cards collected by the timekeeping
department.
B. Requiring the treasurer's office to account for the numbers of the prenumbered checks
issued to the computer department for the processing of the payroll.
C. Use of a check digit for employee numbers.
D. Use of a header label for the payroll input sheet.
Difficulty: Medium
Source: AICPA
58. A company's labor distribution report requires extensive corrections each month because
of labor hours charged to inactive jobs. Which of the following data processing input controls
appears to be missing?
A. Completeness test.
B. Validity test.
C. Limit test.
D. Control total.
Difficulty: Medium
Source: IIA
Difficulty: Medium
Source: IIA
Difficulty: Medium
Source: IIA
Difficulty: Medium
Source: IIA
Essay Questions
62. Many auditors use generalized audit software to assist them in the examination of clients'
computer records.
a. Describe what is meant by generalized audit software.
b. List two advantages of the use of generalized audit software.
c. List three functions that may be performed with this type of software.
a. Generalized audit software packages are simple programming languages that assist in the
audit of clients' computer records.
b. Advantages of the use of generalized audit software include (only two required):
Auditors are able to directly test computerized records.
Auditors are able to test items more efficiently than manually.
Auditors do not need extensive training to use the packages.
c. Functions that may be performed by generalized audit software packages include (only
three required):
Examine records for overall quality, completeness, and valid conditions.
Rearrange data and perform analyses.
Select audit samples.
Compare data on separate files.
Compare the results of audit procedures with the client's records.
Difficulty: Hard
63. Auditors are now faced with examining clients that have database systems.
a. Describe a database system, including its major advantage.
b. Identify policies and procedures that may be established to provide control over that aspect
over a database system.
a. In a data-base system separate files are replaced with an integrated data-base that is shared
by many application programs.
b. Controls over data-base systems include:
A system of user identification numbers and passwords should be used to restrict specific
data to authorized personnel.
Terminal activity should be logged by the operating system for subsequent review for
unauthorized access to data.
The responsibility for updating specific data should be assigned to a specific department.
Difficulty: Medium
64. Various characteristics of IT systems can present special audit risks. Explain each of the
following characteristics of an IT system and the special audit risks that they present.
a. Data base system.
b. Distributive data processing.
c. End user computing.
a. A system that eliminates data redundancy by storing data for two or more applications in an
integrated data-base.
Special risks include:
Improper access to data.
Improper alteration of data.
b. A system in which information and programs are shared by a number of users.
Special risks include:
Improper access to data.
Improper alteration of data.
c. A system in which user departments are responsible for developing and executing computer
applications that generate information for the same users.
Special risks include:
Improper access to data.
Unreliable user developed programs.
Difficulty: Medium