II-B Conduct Specific Engagements Answers

Powers CIA Review

1. CIA May 90 I.5 Correct Answer is (A) Answer (a) is correct. According to the Standards, the purpose of reviewing the effectiveness of the system of internal control is to ascertain whether the system is functioning as intended.

Not (b).

Not (c).

Not (d).

2. CIA May 87 I.17 Correct Answer is (A) Answer (a) is correct. By definition, an operational audit is an audit to test whether the functions within the organization are effective in achieving their objectives, and are operating efficiently and economically. Therefore, the auditors must understand the auditee's departmental objectives in order to establish the objectives for an operational audit.

Not (b) because the most recent financial data is more relevant to a financial audit than to an operational audit.

Not (c) because activity reports showing rental information are more relevant to a financial audit than to an operational audit.

Not (d) because a complete listing of the perpetual inventory is more relevant to a financial audit than to an operational audit.

3. CIA Nov 84 I.14 Correct Answer is (B) Not (a) because the reliability and integrity of financial information are important in operational auditing. Information systems provide data for decision making, control, and compliance with external requirements.

Answer (b) is correct. Financial auditing is primarily concerned with providing an opinion on the fairness of the financial statements while operational auditing evaluates the accomplishment of established goals and objectives, and the economical and efficient use of resources in accomplishing the established goals and objectives.

Not (c) because financial statements are the starting point in financial auditing rather than operational auditing.

Not (d) because analytical skills and tools are necessary in all types of audits.

4. CIA May 87 I.26 Correct Answer is (B) Not (a) because determining that employees are paid in accordance with union wages would be an objective for a compliance audit.

Answer (b) is correct. Determining that employees are assigned to work situations equivalent to their training and skill level relates to minimizing labor costs because the assignment of employees to tasks not commensurate with their skills, specifically far less than their abilities/skills, may result in excess labor costs.

Not (c) because determining that the quality of performance by labor meets the company standards would be an objective for effectiveness of the company’s use of labor resources.

Not (d) because determining that only authorized employees are paid relates to the objective of existence of employees on the payroll.

© 2004 Powers Resources Corporation®. All rights reserved

HW B-64

5. CIA Nov 94 I.6 Correct Answer is (A) Answer (a) is correct. A compliance audit of overtime policy is likely to be the most objective audit because the audit is comparing actual operations against specific management policies and procedures, which are likely to be well defined and documented.

Not (b) because an operational audit of the personnel function hiring and firing procedures is relatively subjective since there is often more than one way to establish operational procedures.

Not (c) because a performance audit of the marketing department is relatively subjective since the criteria to evaluate performance must be agreed upon.

Not (d) because a financial control audit over payroll procedures is relatively subjective since there is often more than one way to establish operational procedures.

6. CIA Nov 88 I.21 Correct Answer is (C) Not (a).

Not (b).

Answer (c) is correct. By definition, an operational audit is an audit to test whether the functions within the organization are effective in achieving their objectives, and are operating efficiently and economically. Determining that the marketing department has the organizational status needed to accomplish its objectives and operates in a manner that is cost-beneficial to the company would be objectives of an operational audit of the marketing department.

Not (d).

7. CIA May 89 I.21 Correct Answer is (C) Not (a).

Not (b).

Answer (c) is correct. Internal auditors review information systems to test the security and integrity of data processing systems in addition to the data generated by those systems. This includes determining that financial and operating records and reports contain accurate, reliable, timely, complete, and useful information.

Not (d).

8. CIA Nov 90 I.17 Correct Answer is (A) Answer (a) is correct. Program-results audits examine effectiveness (outputs/results) by analyzing how the inputs are converted.

Not (b) because seeking cost savings is in audits of economy and efficiency.

Not (c) because including only historical data is in financial and compliance audits.

Not (d) because expressing an opinion on the fairness of financial presentation is an objective of a financial audit.

9. CIA May 90 I.1 Correct Answer is (B) Not (a) because approving objectives or goals to be met is a managerial function.

Answer (b) is correct. Internal auditors can provide assistance to managers who are developing objectives and goals by determining if the underlying assumptions are appropriate. Determination whether the underlying assumptions are appropriate provides for an opinion and not an actual executive or decision function and thus an internal audit function.

Not (c) because developing and implementing control procedures is management’s responsibility.

Not (d) because accomplishing desired operating program results is management’s responsibility.

10. CIA May 91 I.1 Correct Answer is (A) Answer (a) is correct. By definition, "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes". Therefore, internal auditing assists members of the organization in the effective discharge of their responsibilities.

Not (b) because internal auditing usually gives an opinion on designs and implementation of accounting and control systems, but does not directly assist in the process. Although performed in some cases, assisting in the design and implementation of accounting and control systems would impair the objectivity of internal auditing. In any case, this would only be a limited scope of internal auditing. Internal auditing has a far broader scope.

Not (c) because the scope of internal auditing is much broader than examining and evaluating an organization's accounting system.

Not (d) because the objective of internal auditing is to serve the organization rather than the external auditors.

11. CIA Nov 91 I.10 Correct Answer is (B) Not (a).

Answer (b) is correct. The goal of an operational audit is to assess current performance and make appropriate recommendations for improvement.

Not (c).

Not (d).

12. CIA May 92 I.9 Correct Answer is (A) Answer (a) is correct. Internal auditors are more familiar with the organization, including systems, people, and objectives. Standard 340, Scope of Work, Economical and Efficient Use of Resources.

Not (b) because both internal and external auditors are required to be objective.

Not (c) because internal and external auditors use the same techniques.

Not (d) because internal auditors will be concerned with fraud and waste.

13. CIA Nov 96 I.7 Correct Answer is (A) Answer (a) is correct. The auditor is determining whether the participants are in compliance with the program's eligibility requirements.

Not (b).

Not (c).

Not (d).

14. CIA Nov 96 I.8 Correct Answer is (B) Not (a) because the internal auditor should determine whether the budget was reviewed and approved by supervisory personnel within the city as this relates to the objectives established in the regulation.

Answer (b) is correct. The regulation set by the granting agency states that the city should establish a budget in a manner consistent with the objectives of the program. There is no such requirement for the granting agency to review and approve the budget.

Not (c) because this procedure would help determine whether the budget is adhered to, i.e. all expenses were charged to the appropriate accounts, and the accounts are all in accordance with the budgets.

Not (d) because this procedure determines whether the budget is adhered to in accordance with the approved budget.

15. CIA Nov 96 I.9 Correct Answer is (D) Not (a) because these individuals should be familiar with the applicable laws and regulations and would provide the auditor with relevant information.

Not (b) because reviewing prior year’s working papers and inquiring about changes would allow the auditor to benefit from prior audit’s research.

Not (c) because the grant agreements will often contain references to the applicable laws and regulations.

Answer (d) is correct. Discussing the matter with the audit committee would be least effective because the audit committee would not be responsible for understanding all the underlying laws and regulations. Further, the audit committee’s objectives for the audit do not help the auditor understand the applicable laws and regulations.

16. CIA Nov 88 II.3 Correct Answer is (A) Answer (a) is correct. Management is responsible for setting operating standards. Internal auditors are responsible for determining that (1) such standards have been established, (2) the standards are being met, (3) deviations are being identified and communicated, and (4) corrective action has been taken.

Not (b) because verifying existence relates to the safeguarding of assets.

Not (c) because the reliability of operating information and the accuracy of asset valuation concern the reliability and integrity of information.

Not (d) because the reliability of operating information and the accuracy of asset valuation concern the reliability and integrity of information.

17. CIA May 92 II.1 Correct Answer is (D) Not (a) because program-results auditing addresses accomplishment of program objectives.

Not (b) because financial auditing addresses accuracy of financial records.

Not (c) because compliance auditing addresses compliance with requirements, including legal and regulatory requirements.

Answer (d) is correct. Operational auditing is most likely to address a determination of cost savings by focusing on economy and efficiency.

18. CIA Nov 96 III.30 Correct Answer is (D) Not (a).

Not (b).

Not (c).

Answer (d) is correct. By definition, "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes".

19. CIA May 90 III.37 Correct Answer is (A) Answer (a) is correct. Since each PC in the network can send or receive electronic mail to or from any other PC via the minicomputer (which is the central controller), such a network is called a star network. In a star network (also called star topology), all stations are directly connected to a centralized controller. Transmissions go through the central controller and are then diverted to the related station.

Not (b) because in a ring topology (also called ring network) the stations are connected to each other to form a loop. Transmissions are received by each station and then transmitted to the next station in the ring. There is no central computer that diverts transmissions to the stations in this type of network.

Not (c) because an irregular network has the properties of both star and ring networks.

Not (d) because there is no network configuration called loop network. The appropriate terminology is ring network.

20. CIA May 97 III.69 Correct Answer is (B) Not (a) because there is no limitation on the number of access ports.

Answer (b) is correct. The most difficult aspect of using Internet resources is locating the best information given the large number of information sources on the world wide web.

Not (c) because the only equipment required for accessing Internet resources is a computer, a modem, a telephone line, and basic communication software.

Not (d) because organizations routinely provide Internet access to their employees, and individuals can obtain access through individual subscriptions to commercial information service providers.

21. CIA May 90 III.39 Correct Answer is (B) Not (a) because system I is an example of a centralized facility.

Answer (b) is correct. A minicomputer tied to 16 intelligent workstations is an example of a distributed system. A distributed system combines the features of centralized and decentralized facilities: users have their own computers that perform some processing; in addition, some computers are tied to a remote terminal that performs other processing functions. It is beneficial to distinguish between a decentralized and a distributed facility. In a decentralized facility, a separate computer facility is established to service the needs of each major department or unit in an organization. In a distributed facility, these computer facilities are interconnected as in the given example.

Not (c) because system I is an example of a centralized facility while system II is an example of a distributed facility.

Not (d) because system I is an example of a centralized facility while system II is an example of a distributed facility.

22. CIA Nov 90 III.20 Correct Answer is (A) Answer (a) is correct. An electronic mail system has features that the other systems do not have. An electronic mail system enables the user to use features such as Answer, Edit, Forward, Send, Read, and Print, among many others.

Not (b) because a voice store-and-forward system lacks Read and Print capability.

Not (c) because a desktop publishing system provides only Edit and Print features.

Not (d) because a digital communications system refers to a method of transmission (digital transmission).

23. CIA May 92 III.26 Correct Answer is (A) Answer (a) is correct. A local area network (LAN) is the appropriate type of network. Local area networks connect computers with other computers, peripherals (e.g. printers, plotters) and workstations that are fairly close in proximity, such as in a building or multiple buildings within a campus.

Not (b) because wide area networks (WANs) provide communication over long distances.

Not (c) because this is a distracter. The term "end user" is not a type of network.

Not (d) because baseband network is a term used to describe the communication between terminals in most local area networks. Basebands are used only for data communications; such types of networks are very slow in data transmission.

24. CIA Nov 93 III.23 Correct Answer is (A) Answer (a) is correct. In a star network (also called star topology), all stations (nodes) are directly connected to a centralized controller. The centralized controller controls the network and all nodes, and all transmissions go through the central controller and are then diverted to the related station.

Not (b) because in a ring network (also called ring topology) the stations are connected to each other to form a loop. Transmissions are received by each station and then transmitted to the next station in the ring. There is no central computer that diverts transmissions to the stations in this type of network.

Not (c) because in a bus network (also called bus topology), all stations are connected to one communications channel. Each station gets a copy of the transmission that will be processed (if addressed to the particular station) or ignored (if addressed to another station).

Not (d) because synchronous is a communications protocol (type of data transmission) where characters are sent at a fixed rate by synchronizing the transmitting and receiving devices.

25. CIA Nov 93 III.29 Correct Answer is (D) Not (a) because a self-contained minicomputer with terminals would be unable to communicate with the corporate computer for file inquiry and downloading.

Not (b) because personal computers with a terminal emulator would be unable to access other departments' machines.

Not (c) because personal computers in a stand-alone LAN would be unable to access corporate files.

Answer (d) is correct. Personal computers in a LAN with a gateway would be able to access departmental laser printers (via the LAN), electronic mail with each other (via the LAN) and with employees in other departments and other plants (via the LAN through the gateway to the corporate computer), and file inquiry and downloading of corporate files (through the gateway to the corporate computer). A gateway is a device that acts as a protocol converter, e.g. connecting a LAN to a mainframe or a LAN to the internet.

26. CIA May 94 III.23 Correct Answer is (A) Answer (a) is correct. A network interface card links microcomputers and printers together in a local area network that is connected by coaxial cable, twisted pair, or optical fiber. The card creates an address for the microcomputer, transmits data, and monitors incoming messages (e.g. Ethernet card).

Not (b) because modems are used to connect microcomputers to regular telephone lines.

Not (c) because modems are used to connect microcomputers to regular telephone lines.

Not (d) because modems are used to connect microcomputers to regular telephone lines.

27. CIA Nov 94 III.20 Correct Answer is (D) Not (a) because long-range business plans are a central aspect of strategic decisions.

Not (b) because support of daily business operations is an important aspect of strategic decisions.

Not (c) because measurement of plan fulfillment is essential to management's evaluation of the system.

Answer (d) is correct. Cutting operating costs, by itself, is the least important issue concerning the expansion of its existing local area network (LAN). The payoff that would result from the expansion, i.e. the company's return on its investment, is a more relevant strategic consideration.

28. CIA Nov 94 III.21 Correct Answer is (B) Not (a) because cabling (the telecommunications link) is the medium through which the terminals are linked in a LAN.

Answer (b) is correct. A server manages the LAN's resources. A file server is the device that stores program and data files for users of the LAN; it is one type of server.

Not (c) because a network gateway connects the LAN to other networks. A gateway is a device that acts as a protocol converter, e.g. connecting a LAN to a mainframe or a LAN to the internet.

Not (d) because a workstation that is dedicated to a single user is a client.

29. CIA Nov 95 III.62 Correct Answer is (D) Not (a) because VANs normally act as a clearinghouse and storage house for communications between different organizations.

Not (b) because VANs provide a common communication interface, thus eliminating the need for each company to establish independent communication with each of its trading partners.

Not (c) because VANs establish logs of transactions as a basis for record keeping and audit trail.

Answer (d) is correct. Companies must purchase their own software to translate to a national standard protocol (either ANSI X.12 in the U.S. or EDIFACT in Europe and most of the rest of the world). Once the data are in the standard format, the VAN handles all aspects of the communication. A Value-Added Network (VAN) is a privately owned network that provides services such as data storage and access to specialized databases for a fee. Organizations implementing EDI would utilize VANs.

30. CIA Nov 96 III.56 Correct Answer is (A) Answer (a) is correct. Gateways connect Internet computers of dissimilar networks. A gateway is a device that acts as a protocol converter, e.g. connecting a LAN to a mainframe or a LAN to the internet.

Not (b) because bridges are devices that physically connect two independent LANs.

Not (c) because repeaters are devices that regenerate and transmit signals between segments of a network to strengthen data signals between distant computers.

Not (d) because routers are devices that route information packets in accordance with the address and the intended destinations of the packets by determining the best path for data.

31. CIA Nov 96 III.59 Correct Answer is (D) Not (a) because dedicated phone lines would not be cost effective or available to field agents.

Not (b) because field agents would not always be located at the same phone line to permit dial-up callback usage. In addition, callback features are a type of access control and are not controls for securing data transmission.

Not (c) because passwords are a type of access control and are not controls for securing data transmission. In addition, passwords may be compromised by computer software.

Answer (d) is correct. Encryption of data to be transmitted through the network would best secure data while being transmitted. Encryption is the encoding of sensitive data using mathematical algorithms so that data becomes incomprehensible. Decryption will retrieve the data to its comprehensible form.

32. CIA Nov 96 III.71 Correct Answer is (D) Not (a) because a private wide area network is one that an individual business firm maintains for its own use.

Not (b) because Integrated Services Digital Network (ISDN) is an international standard for transmitting voice, video, and data over phone lines.

Not (c) because a Value-Added Network is a data-only, multi-path, third-party managed network.

Answer (d) is correct. A Virtual Private Network (VPN) is a carrier-provided service in which the public switched network provides capabilities similar to those of dedicated private lines but at a lower cost.

33. CIA Nov 96 III.72 Correct Answer is (A) Answer (a) is correct. A number of bottlenecks (e.g. in-house analog technology) may limit the benefits that can be derived from the external network. To prepare the company for changes resulting from the enhanced external network services, management should optimize in-house networks to avoid such bottlenecks.

Not (b) because resistance to change, inflexible organizational structures, and skepticism of the technology should be expected and must be successfully managed if the company is to reap the benefits of the technology.

Not (c) because as individuals rely more on communications to perform their daily tasks, it becomes imperative for a network to be essentially 100% available. The company should enhance its disaster recovery plan to recognize this fact.

Not (d) because, since network management may now be primarily a function within the company, it will become more of a partnership arrangement with the communications carrier.

34. CIA Nov 96 III.74 Correct Answer is (B) Not (a) because value-added networks provide protocol conversion, message storing, and message forwarding for specific transactions such as EDI.

Answer (b) is correct. A MAN (metro-area network) connects multiple sites with multiple workstations for shared use of common resources. Thus, the company can share inventory and special diagnostic skills.

Not (c) because electronic data interchange supports the transfer of business information between application systems on different computers.

Not (d) because TCP/IP is a network protocol that implements the OSI transport layer for managing end-to-end network transmissions.

35. CIA May 97 I.20 Correct Answer is (C) Not (a) because a major concern with LANs is that users are responsible for building and maintaining procedures for capturing and processing data. One of the major problems associated with this form of end-user computing is that users often do not do a good job of documenting procedures.

Not (b) because security is a major concern for sensitive data residing on a PC and/or a LAN.

Answer (c) is correct. Hardware used for processing data is not considered a major risk since PCs have similar hardware components to mainframe computers. If a hardware failure is to occur, it would be for various factors that both PCs and mainframes are exposed to.

Not (d) because data communications are always a high risk factor on LANs because they do not happen automatically. The auditor will need to gain assurance that the company has mechanisms, including reconciliations, to ensure completeness of data communications.

36. CIA May 97 III.41 Correct Answer is (C) Not (a) because both statements I and III are correct.

Not (b) because Item II is incorrect. A confidential mail message should not be retained on the server once the user has downloaded it to a personal computer.

Answer (c) is correct. Statements I and III are correct and item II is incorrect. A confidential mail message should not be retained on the server once the user has downloaded it to a personal computer. Since electronic mail is operated and stored on the computer system, control features present in the network will secure it. In addition, large organizations usually have several electronic mail administrators and locations with varying levels of security.

37. CIA May 97 III.43 Correct Answer is (A) Answer (a) is correct. Only item I is correct. Companies that wish to maintain adequate security must use firewalls to protect data from being accessed by unauthorized users. Firewalls separate an internal secure network from an external network by controlling the flow of information. Item II is incorrect. Anyone can establish a Home Page on the Internet. Item III is incorrect. There are no security standards for connecting to the Internet, nor is there a coalition of Internet providers which dictate such standards. The lack of such standards is a major problem with the Internet.

Not (b) because item II is incorrect. Anyone can establish a Home Page on the Internet.

Not (c) because item III is incorrect. There are no security standards for connecting to the Internet, nor is there a coalition of Internet providers which dictate such standards. The lack of such standards is a major problem with the Internet.

Not (d) because item III is incorrect. There are no security standards for connecting to the Internet, nor is there a coalition of Internet providers which dictate such standards. The lack of such standards is a major problem with the Internet.

38. CIA May 93 III.40 Correct Answer is (C) Not (a) because management oversight controls for the growth in end-user development by selecting and authorizing users who will develop the system.

Not (b) because competitive pressures for enhanced functions in systems may affect the efficiency and effectiveness of the developed functions but do not essentially weaken access controls in the system.

Answer (c) is correct. Greater on-line access to information systems creates the risk of increased unauthorized access to systems, which can be mitigated by authenticating transactions for authorized users.

Not (d) because growing organizational reliance on information systems is controlled by increased attention to validating development phases.

39. CIA May 94 I.65 Correct Answer is (C) Not (a) because data file backups are critical to reconstructing lost files.

Not (b) because the controls over hardware and software failures may prevent or minimize the effects of a system failure.

Answer (c) is correct. Encryption is the process of coding data before transmission and decoding it after transmission. Thus, encryption is a communication control for security. It is not related to backup and recovery.

Not (d) because responsibilities for backup and recovery should be fully described in updated documents and manuals.

40. CIA May 95 III.76 Correct Answer is (C) Not (a) because parallel testing is done when using the parallel conversion method in systems development. New and existing systems run concurrently for a period of time. The results of both systems are then compared.

Not (b) because integrated test facility (ITF) is a computer-aided audit technique by which fictitious entities are integrated on the company's master files and data is tested to validate processing.

Answer (c) is correct. Performance monitoring is the systematic measurement and evaluation of operating results such as transaction rates, response times, and incidence of error conditions. Performance monitoring will reveal trends in capacity usage so that capacity can be upgraded before response deteriorates to the point that users behave in unintended or undesirable ways.

Not (d) because program code comparison software enables detection of unauthorized changes in programs, but such software cannot detect deteriorating response time.

41. CIA May 95 III.78 Correct Answer is (C) Not (a) because, to the extent the system incorporates components from external parties, the company is dependent on them.

Not (b) because having an accurate inventory of hardware, software, and communications components and an accurate account of changes in the components would make timely installation of new components easier but would not guarantee timely installation of new components.

Answer (c) is correct. Lack of adequate inventories of network, hardware, and software components and lack of records of changes in components increase the difficulty of isolating faults in any part of the system. There may be subtle differences in components or successive versions of the same components, which lead to incompatibilities that cause failures.

Not (d) because having an accurate inventory of hardware, software, and communications components and an accurate account of changes in the components may be helpful in maintaining system availability; but availability depends on the appropriateness of the configuration and the ability of service personnel to keep the system running.

42. CIA May 96 III.52 Correct Answer is (A) Answer (a) is correct. The pressure for the department store company to be competitive is so great that there may be a significant risk that applications software could be incomplete, inadequately tested, or unauthorized.

Not (b) because, on the contrary, management has stated its intention to install the network, salespeople have been asking for features that the network could provide, and the planning committee has identified many potential applications.

Not (c) because these types of violations do not occur with in-house development.

Not (d) because given the standard nature of the network, it is unlikely that the company would not be able to obtain needed components from vendors as usage increases.

43. CIA May 96 III.53 Correct Answer is (D) Not (a) because reserving all system functions for salespeople would restrict access more than is required for adequate security and would hinder use of the system for maximum benefit.

Not (b) because customers should not have update privileges to prevent them from corrupting data files, intentionally or accidentally.

Not (c) because customers should not have update privileges to prevent them from corrupting data files, intentionally or accidentally.

Answer (d) is correct. Customers with read privileges can examine the gift registry lists to make their selections, and salespeople can update the gift registry with actual purchases.

44. CIA May 96 III.54 Correct Answer is (D) Not (a) because salespeople are already asking for network features to help them do their jobs, so they are unlikely to be reluctant to use the system.

Not (b) because the required features are typical of networks and the network's overall size makes it a mid-range system, so the network should not require expensive non-standard components.

Not (c) because customers are used to companies managing inventory using computer systems with the best supply practices.

Answer (d) is correct. Given the company's lack of experience with networks, a significant risk is that the network operating costs may not be fully projected. The result is that the company may incur unanticipated costs after the network is installed.

45. CIA May 96 III.55 Correct Answer is (B) Not (a) because a local area network (LAN) is generally limited to short distances, e.g., a radius of 2,000 feet around the servers.

Answer (b) is correct. Wide area networks (WANs) are a type of network that connects system users who are geographically dispersed through public telecommunication facilities. A WAN is the best kind of network because it can connect many sites located across a broad geographical distance.

Not (c) because a value-added network (VAN) is, in general, more expensive than a private network such as a WAN for high-volume communications.

Not (d) because a private branch exchange (PBX) is an electronic switch that transfers voice and data within a local site; it does not have the network capabilities needed by the company.

46. CIA May 96 III.56 Correct Answer is (C) Not (a) because in a leased-line network there are no phone numbers.

Not (b) because in a leased-line network there are no phone numbers and hence no ports with tone devices for incoming calls.

Answer (c) is correct. If the company installs a leased-line network, it should ensure that transmission facilities on its premises are secure. A leased line is more secure than a public switched line, and security issues should be dealt with by physically securing the transmission facilities.

Not (d) because limiting network availability to certain times of the day, in order to reduce the time during which unauthorized people could potentially gain access to the system, is often associated with public switched lines, not leased lines.

47. CIA May 96 III.60 Correct Answer is (A) Answer (a) is correct. The company should have access to the business-related E-mail that is left behind. Access to E-mail can also be critical in business or possible criminal investigations. The privacy concerns of the individual may be mitigated by compelling business interests.

Not (b) because encryption helps prevent eavesdropping by unauthorized persons trying to compromise E-mail messages.

Not (c) because limiting the number of electronic mail packages adopted by the organization is an appropriate element of the new policy on electronic mail. Such standards simplify the job of managing E-mail messages and reduce the number of administrators who can access them.

Not (d) because this is an appropriate privacy control technique given the inherent weaknesses in E-mail security.

48. CIA May 97 III.39 Correct Answer is (B) Not (a) because messages on the Internet are not encrypted. The sender and receiver are responsible for encrypting confidential information.

Answer (b) is correct. Access should be limited to those whose activities necessitate access to the computer system. Moreover, the degree of access allowed should be consistent with an individual's responsibilities. Restricting access to particular individuals rather than groups or departments clearly establishes specific accountability. Not everyone in a group will need access or the same degree of access. Thus, passwords assigned to individuals should be required for identification of users by the system. Passwords are especially effective against the casual intruder.

Not (c) because if someone gains access to the server, he or she can download the file of messages and gain access to them without working with a security log.

Not (d) because the statements, "All messages on the Internet are encrypted thereby providing enhanced security" and "If someone gains supervisory-level access to the file server containing electronic messages, he or she could still not gain access to the file containing electronic mail messages without decrypting the security control log" are false.


49. CIA Nov 93 III.17 Correct Answer is (D) Not (a) because improvements in automated control techniques follow from the development of information technology.

Not (b) because improvements in automated control techniques follow from the development of information technology.

Not (c) because data encryption standards are a response to the increase in the use of telecommunications technology as a whole.

Answer (d) is correct.

1. Correct - Competition has been a strong motivator in the financial services industry in the development of EFT systems.

2. Correct - Maintaining costs in a highly competitive industry can be aided by leveraging information technology.

3. Correct - Advances in information technology, especially telecommunications technology, have made EFT systems possible.

4. Incorrect - Improvements in automated control techniques have been the result of industry taking advantage of the trends that have influenced the development of information technology.

5. Incorrect - Data encryption standards have been a response to the increase in the use of telecommunications technology.

50. CIA May 96 III.64 Correct Answer is (C) Not (a) because unauthorized access and activity are a major risk factor inherent in electronic funds transfer (EFT).

Not (b) because duplicate transaction processing is another inherent risk factor in EFT.

Answer (c) is correct. Electronic Funds Transfer (EFT) is the exchange of funds via telecommunication devices. Funds are transferred electronically between two accounts without the actual exchange or manual deposit. Due to the nature of the transactions described, EFT systems require a high level of security and control. In addition, per-transaction costs are lower with electronic funds transfer since the electronic process of transferring funds replaces the manual process.

Not (d) because inadequate backup and recovery capabilities are a critical risk factor in EFT.

51. CIA May 93 III.31 Correct Answer is (D) Not (a) because physical access controls over the data center are important to restrict physical access to authorized people; however, poor physical access controls are a secondary exposure for compromise of remote data communications lines.

Not (b) because exposures from network viruses can be minimized through the implementation of "safe computing practices", such as controlling where software is bought or having logical access controls on the system.

Not (c) because poor system documentation is a secondary exposure, causing inconvenience to system users and maintainers.

Answer (d) is correct. Leased telephone circuits represent a direct exposure to breaches of data integrity since they involve the use of public lines that can be easily identified and tapped, and thus require that adequate security measures be adopted.

52. CIA Nov 96 III.63 Correct Answer is (B) Not (a) because improper change control procedures, insufficient online edit check procedures, and inadequate backup and disaster recovery procedures are all risks that are common to all types of Information Technology environments.

Answer (b) is correct. Unauthorized access is a risk that is higher in an EFT environment than in other Information Technology environments. If unauthorized people were able to access EFT systems they could cause serious financial losses to institutions that use the EFT system.

Not (c) because improper change controls procedures, insufficient online edit checks procedures, and inadequate backups and disaster recovery procedures are all risks that are common to all types of Information Technology environments.

Not (d) because improper change controls procedures, insufficient online edit checks procedures, and inadequate backups and disaster recovery procedures are all risks that are common to all types of Information Technology environments.

53. CIA Nov 93 III.50 Correct Answer is (C) Not (a) because this cycle time (21 days) does not include reductions possible by using electronic data interchange (EDI) to eliminate mail time (3 days) and supplier process time (14 days).

Not (b) because this cycle time (18 days) does not include reductions possible by using EDI to eliminate supplier process time (14 days).

Answer (c) is correct. Four days is the minimum cycle time because physical delivery requires 4 days. The other periods of time described for the manual purchase cycle time would be eliminated when the company fully implements electronic data interchange (EDI). In EDI, documents are electronically exchanged between the company (purchaser) and the supplier and data entry is eliminated.

Not (d) because the cycle time cannot be reduced below the delivery time of 4 days with implementation of EDI alone; more efficient transportation would be required.


54. CIA Nov 92 III.30 Correct Answer is (D) Not (a) because a request for an airline reservation requires an on-line, real-time reservations system.

Not (b) because withdrawal of cash from an automated teller is accomplished via on-line transactions to copies of master files.

Not (c) because the transfer of summary data to headquarters may be accomplished with point-to-point communications, known as distributed computing.

Answer (d) is correct. Placement of order entry transactions from a customer to its supplier is an accepted use of electronic data interchange between trading partners. In EDI, documents are electronically exchanged between the purchaser and the supplier and data entry is eliminated and inventory ordering and carrying costs will be reduced.

55. CIA May 93 III.38 Correct Answer is (A) Answer (a) is correct. Electronic data interchange (EDI) for business documents between unrelated parties has the potential to increase the risk of unauthorized third-party access to systems because more outsiders will have access to internal systems.

Not (b) because systematic programming errors are the result of mis-specification of requirements or lack of correspondence between specifications and programs.

Not (c) because inadequate knowledge bases are a function of lack of care in building them.

Not (d) because one of the benefits of EDI is to improve the efficiency and effectiveness of system use.

56. CIA May 93 III.59 Correct Answer is (D) Not (a) because the first is not EDI since it is not computer-to-computer.

Not (b) because the second is not OLRT since processing does not take place, only communication.

Not (c) because the first is OLRT, the second EDI.

Answer (d) is correct. OLRT systems are used when time is of the essence. Inventory availability and good credit status are important to process a customer's order at the catalog sales firm where orders are made by phone. Once inventory and credit are checked, the order can be processed (if inventory is available and the customer still has credit available to use).

In EDI, documents are electronically exchanged between the purchaser and the supplier and data entry is eliminated. The second application uses EDI since the production schedule and parts orders are sent electronically to the supplier by the manufacturer’s (purchaser) computer.

57. CIA Nov 93 III.45 Correct Answer is (A) Answer (a) is correct. Before sending or receiving electronic data interchange (EDI) messages with its customers and suppliers, the company should execute a trading partner agreement with its customers and suppliers so that all parties understand their responsibilities, the messages each will initiate, and how they will interpret the messages.

Not (b) because the company may intend to reduce inventory levels, but that is unrelated to the timing of sending or receiving electronic data interchange (EDI) messages.

Not (c) because the company may want to demand or encourage all its customers and suppliers to implement electronic data interchange (EDI) capabilities, but that is independent of sending and receiving messages to customers and suppliers.

Not (d) because it is not possible to evaluate the effectiveness of electronic data interchange (EDI) transmissions until after they occur.


58. CIA Nov 93 III.46 Correct Answer is (B) Not (a) because the company and its customers may get their EDI-related software from the same vendor but still have software incompatibility problems if they do not synchronize their installation of updated versions.

Answer (b) is correct. If the company and its customers agree to synchronize their updating of electronic data interchange (EDI)-related software, then they will minimize the likelihood of unrecognizable or unintelligible messages due to software incompatibilities. In fact, one of the major features of EDI is to have data transmitted between the parties in a standard format to facilitate processing and make the use of EDI effective. The data is then translated by EDI-related software into an intelligible form for the other party. Thus, the best approach for minimizing the likelihood of software incompatibilities is to have the company and its customers agree to synchronize their updating of EDI-related software.

Not (c) because as business requirements change, it may not be possible to use the same software in the same ways indefinitely.

Not (d) because even if the company and its customers each write their own version of the electronic data interchange (EDI)-related software, there will be synchronization problems with updates.

59. CIA Nov 93 III.47 Correct Answer is (D) Not (a) because if the company developed its own software, internal audit would be responsible for evaluating that the software was developed in a controlled environment.

Not (b) because if the company developed and maintained its own software, internal audit would be responsible for evaluating that the software is backed up adequately to permit recovery in the event of a system failure.

Not (c) because if the company purchased, leased, or paid for the use of the software, internal audit would be responsible for evaluating that the software was acquired with legal counsel review of contract terms.

Answer (d) is correct. Regardless of whether the company develops, buys, leases, or pays for the use of the software for electronic data interchange (EDI), internal audit should be responsible for evaluating that the applications meet business objectives.


60. CIA Nov 93 III.49 Correct Answer is (A) Answer (a) is correct. If the company gave the supplier more information about its use of the materials, the supplier could plan its production better, reduce its inventory of the materials, and therefore be able to charge a lower price for them.

Not (b) because the company could demand that the supplier reduce the prices of the materials, but the supplier could then decline to supply them.

Not (c) because the company could attempt to find another supplier to replace the one charging higher prices, but since the materials are special, other suppliers would probably charge higher prices for the same reasons the original supplier did.

Not (d) because if the special materials are needed in the primary product line, it is unlikely that the company would discontinue it before investigating other alternatives, e.g., working with the supplier to help the supplier manage its inventory.

61. CIA Nov 93 III.51 Correct Answer is (A) Answer (a) is correct. If implementing electronic data interchange (EDI) with suppliers permitted more frequent orders and more frequent communication about them, the company could reduce ordering and carrying costs of inventory. For example, inventory carrying costs would be reduced by reducing raw materials inventory.

Not (b) because the company could ensure that it always maintained the 25-day buffer stock, but there would be no reason to do so if it could ensure more reliable deliveries by ordering more frequently.

Not (c) because tracking materials through production is not an example of electronic data interchange (EDI), which is inter-company exchange of business information.

Not (d) because scheduling production is not an example of electronic data interchange (EDI), which is inter-company exchange of business information.

62. CIA Nov 93 III.53 Correct Answer is (A) Answer (a) is correct. Sending the supplier the requested data daily via EDI would permit the supplier to smooth its production and thus let it hold down its costs.

Not (b) because sending the supplier usage data via weekly reports is not the most effective response. Making daily data available is more effective since it allows for updates that are more frequent.

Not (c) because sending the supplier usage data via monthly production reports is not the most effective response. Making daily data available is more effective since it allows for updates that are more frequent.

Not (d) because sending the supplier no data at all (since it is confidential) will probably lead to the supplier increasing its prices to the company in order for the supplier to assume the increased risk entailed by having to be more responsive to the company's orders, i.e., the supplier assumes the cost of the inventory the company no longer maintains.

63. CIA May 94 III.26 Correct Answer is (C) Not (a) because E-mail can send text or document files, but the term encompasses a wide range of transfers. Electronic Data Interchange (EDI) specifically applies to the system described in the question.

Not (b) because Electronic Funds Transfer (EFT) refers to the transfer of money. Electronic Data Interchange (EDI) specifically applies to the system described in the question.

Answer (c) is correct. Electronic data interchange (EDI) refers to the electronic transfer of documents between businesses and between customers and suppliers. In EDI, documents are electronically exchanged between the purchaser and the supplier and data entry is eliminated and inventory ordering and carrying costs will be reduced.

Not (d) because Electronic Data Processing (EDP) is a generic term that refers to computerized processing of transaction data within organizations.

64. CIA May 96 III.57 Correct Answer is (B) Not (a) because EDI transmits document data, not the actual document.

Answer (b) is correct. In EDI, documents are electronically exchanged between the purchaser and the supplier, data entry is eliminated, and inventory ordering and carrying costs will be reduced. In addition, improved business relationships with trading partners are also a benefit of EDI because of increased communication, reduction in costs (for both supplier and customer), shorter lead times, etc.

Not (c) because liability issues related to protection of proprietary business data are a major legal implication of EDI.

Not (d) because EDI backup and contingency planning requirements are not diminished.

65. CIA May 96 III.59 Correct Answer is (D) Not (a) because Item I is incorrect. Using a third party service provider does not mean encryption is utilized.

Not (b) because Item I is incorrect. Using a third party service provider does not mean encryption is utilized.

Not (c) because Item III is incorrect. Public switched data networks are not directly related to EDI applications.

Answer (d) is correct. Item II is correct. Determining whether an independent review of the third party service provider has been performed (with appropriate follow-up) is required. Item IV is correct. Reviewing the third party provider's contract is an appropriate audit step. Item I is incorrect. Using a third party service provider does not mean encryption is utilized. Item III is incorrect. Public switched data networks are not directly related to EDI applications.

66. CIA May 97 III.51 Correct Answer is (A) Answer (a) is correct. Marked benefits come about when EDI is tied to strategic efforts that alter, not mirror, previous practices. Applying EDI to an inefficient process results in the ability to continue doing things incorrectly. Thus, successful EDI implementation must begin with planning and analyzing the work processes and flows that support the organization's goals.

Not (b) because the prerequisite for EDI success is an understanding of the mission of the business and the processes and flows that support its goals, followed by cooperation with external partners. Hardware concerns come second.

Not (c) because before applying EDI technology to the business, EDI must be viewed as part of an overall integrated solution to organizational requirements.

Not (d) because EDI is not a solution by itself. Instead of thinking about how to send and receive transactions back and forth, a company should first think about the entire process from both ends.

67. CIA May 91 III.50 Correct Answer is (D) Not (a) because the procedure described is considered acceptable. Encrypted passwords further decrease the likelihood of unauthorized access.

Not (b) because message sequencing detects unauthorized access by numbering each message and incrementing each message by one more than the last one sent. Such a system detects when a gap or duplicate has occurred.

Not (c) because allowing certain types of transactions (such as payroll transactions) to be made only at specific terminals minimizes the likelihood of unauthorized access.

Answer (d) is correct. The system should employ automatic dial-back to prevent intrusion by unauthorized parties. Such a system accepts an incoming modem call, disconnects, and automatically dials back a prearranged number to establish a permanent connection for data transfer or inquiry.
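The message-sequencing control described in option (b) above, as an added example (not code from the Powers CIA Review material): a receiver keeps the sequence number it expects next, treats a jump forward as a gap (messages lost or removed) and a number it has already accepted as a duplicate (a replayed or resent message). The "seq=N" message layout, the SequenceMonitor and audit_stream names, and the sample stream are all constructed for this illustration.

```python
"""Message-sequence gap and duplicate detection on a data-communications link.

Added example; this is not code from the Powers CIA Review material. Each
message carries a sequence number one greater than the last one sent, and the
receiver compares each arrival with the number it expects. The "seq=N" layout
and the sample stream below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed message layout: a "seq=<number>" field somewhere in the message.
SEQ_FIELD = re.compile(r"\bseq=(\d+)\b")


@dataclass
class SequenceMonitor:
    """Tracks the expected sequence number on one link and records anomalies."""
    expected: int = 1                              # next number we expect
    seen: set = field(default_factory=set)         # numbers already accepted
    findings: list = field(default_factory=list)   # human-readable anomalies

    def check(self, seq: int) -> str:
        """Classify one arrival as "ok", "gap", "duplicate" or "late"."""
        if seq in self.seen:
            self.findings.append(f"duplicate: message {seq} received again")
            return "duplicate"
        if seq > self.expected:
            missing = list(range(self.expected, seq))
            self.findings.append(f"gap: messages {missing} did not arrive before {seq}")
            # Resynchronise so one loss is reported once, not on every later message.
            self.seen.add(seq)
            self.expected = seq + 1
            return "gap"
        if seq < self.expected:
            # Earlier than expected but never seen: a late arrival filling a gap.
            self.findings.append(f"late: message {seq} arrived after being reported missing")
            self.seen.add(seq)
            return "late"
        self.seen.add(seq)
        self.expected = seq + 1
        return "ok"


def audit_stream(messages):
    """Run every message through one monitor; return (verdicts, findings).

    A message without a parsable seq= field is reported as "unsequenced":
    it cannot be placed in the sequence at all, which is itself a finding.
    """
    monitor = SequenceMonitor()
    verdicts = []
    for msg in messages:
        match = SEQ_FIELD.search(msg)
        if match is None:
            monitor.findings.append(f"unsequenced: {msg!r}")
            verdicts.append("unsequenced")
            continue
        verdicts.append(monitor.check(int(match.group(1))))
    return verdicts, monitor.findings


# Constructed sample stream: message 4 is delayed and message 5 is replayed.
SAMPLE_STREAM = [
    "seq=1 type=INQ acct=1001",
    "seq=2 type=INQ acct=1002",
    "seq=3 type=PAY acct=1003 amount=250.00",
    "seq=5 type=PAY acct=1005 amount=900.00",   # 4 has not arrived: gap
    "seq=5 type=PAY acct=1005 amount=900.00",   # same number again: duplicate
    "seq=4 type=INQ acct=1004",                 # the missing message, late
    "type=INQ acct=1006",                       # no sequence number at all
    "seq=6 type=INQ acct=1006",
]

if __name__ == "__main__":
    verdicts, findings = audit_stream(SAMPLE_STREAM)
    for line in findings:
        print(line)
    print(verdicts)
```

The monitor only detects that something is wrong with the sequence; which finding matters (a lost message, a replay, a message injected without a number) is for the reviewer to decide, and each finding line is written so it can be logged and followed up.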


68. CIA May 94 III.18 Correct Answer is (A) Answer (a) is correct. The customer’s account number, name, and unused credit balance should be downloaded to the microcomputer. The name should be displayed when the account number is input to provide a control check. The system then should show the amount available for a credit purchase. The user should not be required to calculate an amount that the computer can calculate.

Not (b) because the current customer balance is not needed, as the system shows the amount available for a credit purchase and the sales department can make credit checks before processing an order. Also, the customer name is an important control since a wrong, but valid, account number might be entered.

Not (c) because the customer name is an important control since a wrong, but valid, account number might be entered.

Not (d) because unused credit balance is more important than the current customer balance for credit checks.

69. CIA May 94 III.19 Correct Answer is (C) Not (a) because the sales department is creating an informal system to make up for a system deficiency. There is a risk that it may rely on the previous day's file and the credit information would be outdated.

Not (b) because the sales department is capturing data at the beginning of the day. There is a risk that customers would exceed their credit limit if multiple orders were submitted on the same day.

Answer (c) is correct. Backups of transaction data are necessary for security and to safeguard data and provide control. However, in this situation the user file does not contain transaction data and a backup would likely duplicate data contained elsewhere. It is highly probable that the main system has a history file with the day's beginning balances that could be accessed if needed. There is a higher degree of risk associated with using outdated data or manipulated data.

Not (d) because there is a risk that the sales department could alter the contents of the file and allow customers to exceed their credit limit.


70. CIA Nov 93 III.43 Correct Answer is (A) Answer (a) is correct. If the company acknowledges messages initiated externally, then the alleged sender would have the opportunity to recognize that it had not sent the message and could notify the company of the potential forgery.

Not (b) because permitting only authorized employees to have access to transmission facilities controls for unauthorized access to the facilities but would not detect forged EDI messages.

Not (c) because delaying action on orders until a second order is received for the same goods defeats the purpose of using EDI, namely, rapid communication followed by rapid response.

Not (d) because writing all incoming messages to a write-once/read-many device is a good practice, but it will not detect forgeries.

71. CIA Nov 96 III.70 Correct Answer is (D) Not (a) because the job of end users is to conduct the business of the organization, not to be the interface between the IS group and the rest of the organization.

Not (b) because the application programmer's job is to convert information requirements specifications into new application systems.

Not (c) because the maintenance programmer's job is to modify existing programs in response to authorized changes in program functions.

Answer (d) is correct. The systems analysts are the principal liaison between the IS group and the rest of an organization because the analyst's job is to translate business problems and requirements into information requirements and systems.

72. CIA May 90 III.30 Correct Answer is (B) Not (a) because system programs are those that provide the interface with the computer for the execution of application programs.

Answer (b) is correct. Application programs are user programs that perform specific tasks for the users. An example of an application program is an inventory control program.

Not (c) because utility programs are part of system programs which perform common tasks such as sorting, merging, listing, etc.

Not (d) because an operating program is not a specific program type in IT terminology. System programs, however, relate to the operating system, whose main purpose is to control and coordinate the running of the computer and its many functions. The O/S directs and assists the execution of application programs.

73. CIA Nov 93 III.31 Correct Answer is (A) Answer (a) is correct. Management of the commercial lending department has the ultimate responsibility for data integrity and availability of its applications. Thus, the responsibility for backup/recovery of data files is that of management of the department.

Not (b) because the function of a central IS group analyst is to help develop applications for users.

Not (c) because the function of a central IS group programmer is to help develop applications for users.

Not (d) because the function of an internal auditor is to assess the appropriateness of controls and not to operate those controls.

74. CIA May 94 III.27 Correct Answer is (A) Answer (a) is correct. Access must be controlled to ensure the integrity of documentation, although "read" access should be provided to other parties, as it is important for applications development and maintenance. The database administrators are responsible for the administration of the organization’s database. Thus, adding and updating data elements in the data dictionary is one of a database administrator’s functions.

Not (b) because a system programmer develops and maintains the system software and should not be able to access data dictionaries to add or update documentation items into them.

Not (c) because a system librarian records, issues, receives, and safeguards all program and data files used by the organization. The librarian should not be authorized or have the skills to add or update documentation items into data dictionaries.

Not (d) because an application programmer develops the application software and should not be able to access data dictionaries to add or update documentation items into them.

75. CIA May 95 III.79 Correct Answer is (C) Not (a) because if the only access permitted is read-only, then there could be no updating of database files.

Not (b) because permitting catalog updating from privileged software would be a breach of security, which might permit unauthorized access.

Answer (c) is correct. The database administrator should ensure that database system features are in place to permit access only to authorized logical views. One security feature in database systems is their ability to let the DBA restrict access on a logical view basis for each user.

Not (d) because updating of users' access profiles should be a function of a security officer, not the user.

76. CIA Nov 95 III.33 Correct Answer is (A) Answer (a) is correct. Inadequate testing is the most likely cause for the coding errors in the most complex reports. It is difficult to design a test that will satisfy all data criteria in a complex environment.

Not (b) because there may be inadequate change control, but that is not the reason for errors in the most complex reports.

Not (c) because there may be inadequate documentation, but that is not the reason for errors in the most complex reports.

Not (d) because there may be inadequate access control, but that is not the reason for errors in the most complex reports.

77. CIA Nov 95 III.34 Correct Answer is (B) Not (a) because there may be inadequate backups, but that is not the cause of analysts reusing erroneous code.

Answer (b) is correct. The most likely cause of the reappearance of the same coding errors is inadequate change control. Inadequate change control is apt to lead to previously corrected errors recurring because the analysts were reusing erroneous code rather than corrected code. The solution to the problem is better program change control procedures.

Not (c) because there may be inadequate access control, but that is not the cause of analysts reusing erroneous code.

Not (d) because there may be inadequate testing, but that is not the cause of analysts reusing erroneous code.

78. CIA May 96 III.43 Correct Answer is (A) Answer (a) is correct. Segregation of incompatible duties in a computer environment is crucial. Users need access to production application data but should not have access to the programs. In addition, application programmers should not have access to production data, systems software, or production application programs. Any update to application programs must be subject to proper control procedures.

Not (b) as per the explanation in (a) above.

Not (c) as per the explanation in (a) above.

Not (d) as per the explanation in (a) above.

79. CIA May 96 III.44 Correct Answer is (B) Not (a) because developing an information security policy is a duty properly assigned to an information security officer.

Answer (b) is correct. The information security officer should not even know user passwords. Passwords are normally stored only in one-way hashed (irreversibly transformed) form, so nobody, the administrator included, can read them back, and users change them directly.

Not (c) because commenting on security controls in new applications is a duty properly assigned to an information security officer.

Not (d) because monitoring and investigating unsuccessful access attempts is a duty properly assigned to an information security officer.

80. CIA May 96 III.45 Correct Answer is (D) Not (a) because application audits are about as difficult with or without an adequately staffed help desk.

Not (b) because preparation of documentation is a development function, not a help desk function.

Not (c) because the likelihood of use of unauthorized program code is a function of change control, not a help desk.

Answer (d) is correct. The biggest risk in not having an adequately staffed help desk is that users will unknowingly persist in making errors in their interaction with the information systems.

81. CIA Nov 96 III.49 Correct Answer is (B) Not (a) because security administration deals with adding users to or deleting them from the system.

Answer (b) is correct. Change control is the process of authorizing, developing, testing, and installing coded changes so as to minimize the impact on processing and the risk to the system.

Not (c) because problem tracking is the process of collecting operational data about processes so that it can be analyzed for corrective action.

Not (d) because problem escalation procedures are a means of categorizing problems or unusual circumstances so that each is handled by the least skilled person capable of resolving it and passed to more skilled staff only when necessary.

82. CIA Nov 96 III.55 Correct Answer is (C) Not (a) because applications development is responsible for developing systems. After acceptance by users, developers typically cease to have day-to-day contact with a system's users.

Not (b) because the responsibility of systems programming is to implement and maintain system-level software such as operating systems, access control software, and database systems software.

Answer (c) is correct. Help desks are usually a responsibility of computer operations because of the operational nature of their functions, e.g., assisting users with systems problems involving prioritization and obtaining technical support/vendor assistance.

Not (d) because user departments typically do not have the expertise necessary to solve their own systems problems.

83. CIA May 97 III.73 Correct Answer is (A) Answer (a) is correct. In client/server environments, change control must also ensure synchronization of programs across the network so that every client and every server runs the same version of each program. In a mainframe environment there may be only one copy of the production system, so synchronization of programs is not required.

Not (b) because emergency move procedures should be documented and followed in both mainframe and client/server environments.

Not (c) because appropriate users should be involved in program change testing in mainframe and in client/server environments.

Not (d) because movement from the test library to the production library should be controlled in both mainframe and client/server environments.

84. CIA Nov 90 III.37 Correct Answer is (B) Not (a) because operating systems direct and manage the use of computer resources such as the CPU and peripheral devices.

Answer (b) is correct. An application program, such as a payroll program, performs the processing functions that the users in an organizational unit need to complete their tasks.

Not (c) because a report generator is a program that accepts high-level coding statements and creates program code to execute them.

Not (d) because a utility program accepts commands, such as copying and sorting, from users and manipulates the designated files accordingly.

85. CIA May 91 III.31 Correct Answer is (A) Answer (a) is correct. Display screen layouts, interactive dialogues, and processing specifications are fed to program generators, which generate applications based on the specifications included in the layouts, dialogues and processing to be performed.

Not (b) because detailed coding is not required for operation of a program generator to produce an application.

Not (c) because statistical sampling parameters are not required for program generators.

Not (d) because control sensors measure a character or condition as part of a control feedback system and do not pertain to program generators.

86. CIA May 92 I.32 Correct Answer is (D) Not (a) because asynchronous modems handle data streams from peripheral devices to a central processor.

Not (b) because authentication techniques confirm that only valid users have access to the system.

Not (c) because call-back techniques are used to ensure that incoming calls are from authorized locations.

Answer (d) is correct. Cryptographic devices protect (encrypt) data to be transmitted over communication lines. A key notarization can be used in conjunction with a cryptographic device to provide increased data security. Key management involves the secure generation, distribution, and storage of cryptographic keys.

87. CIA May 94 III.13 Correct Answer is (A) Answer (a) is correct. Various factors need to be considered. Encryption is important when confidential data are transmitted between geographically separated locations over media that can be electronically monitored. Although LANs may also need encryption, the type of data and the communication media described make the other options more vulnerable.

Not (b) because, when wire transfers are made between banks, encryption is most likely to be utilized.

Not (c) because, when confidential data are sent by satellite transmission, encryption is most likely to be utilized.

Not (d) because, when financial data are sent over dedicated leased lines, encryption is most likely to be utilized.

88. CIA May 96 III.47 Correct Answer is (A) Answer (a) is correct. Encryption is the best means of ensuring the confidentiality of satellite transmissions because even if an unauthorized individual recorded the transmissions, they would not be intelligible without the correct decryption key.

Not (b) because access control applies to gaining entrance to the application systems, not to the format of transmissions.

Not (c) because monitoring software is designed to monitor performance (human or machine) for specified functions such as number of tasks performed or capacity utilized.

Not (d) because cyclic redundancy checks are computations performed over the data bits and the check bits in data transmissions to ensure the integrity, but not the confidentiality, of the data. They detect accidental transmission errors only; anyone who alters a message can recompute its CRC, so they are no protection against deliberate modification, which requires a keyed check such as a message authentication code.

89. CIA May 96 III.48 Correct Answer is (C) Not (a) because encrypting transmissions from the stores would make eavesdropping on the transmissions more difficult but would not deter someone from entering bogus transactions.

Not (b) because requiring change control for programs ensures that program changes are authorized, tested, and documented, but it does nothing to keep an outsider from entering bogus transactions.

Answer (c) is correct. Enforcing password control procedures would make it more difficult for an unauthorized person, such as a competitor intending to disrupt the distribution patterns, to gain prolonged entry.

Not (d) because encouraging store employees to report suspicious activity is a good practice, but such activity might go undetected.

90. CIA May 96 III.49 Correct Answer is (C) Not (a) because access control ensures that only authorized persons have access to specific information resources or categories of them, but is not enough by itself to ensure the integrity of application software.

Not (b) because audit trails permit audits of transaction updates to data files, not of programs.

Answer (c) is correct. The best way to ensure the integrity of the inventory application software is change control. Change control is the set of procedures that ensure that only authorized, tested changes to programs are run in production.

Not (d) because monitoring software is designed to monitor performance (human or machine) for specified functions such as number of tasks performed or capacity utilized.

91. CIA May 93 I.24 Correct Answer is (C) Not (a) because a proof calculation is the use of a predefined algorithm performed on the information in a telecommunications transmission to verify that no transmission errors occurred.

Not (b) because check-digit verification is used to control the accuracy of input of reference numbers but would not deny access to an inactive but valid account.

Answer (c) is correct. The master file will contain information about the status of bank accounts (i.e., active or inactive). By looking up the account numbers in the master file, the teller can verify that the account is active.

Not (d) because a duplicate record check ensures that duplicate records are not processed.

92. CIA May 92 II.30 Correct Answer is (D) Not (a) because statistical sampling is most useful for estimating a population's total value (variables sampling) or its rate of error or deviation (attribute sampling). The problem here is the specific identification of unreported duplicate payments.

Not (b) because desk checking the source code would detect a program error, but not the potential causes of duplicate payments.

Not (c) because an integrated test facility is useful for passing test data through a production system, but it does not address the unreported duplicate payments problem.

Answer (d) is correct. The primary use of generalized audit software is to select and summarize a client's records for additional testing. These packages permit the auditor to audit through the computer, to extract, compare, analyze, and summarize data and generate output for use in the audit. They allow the auditor to exploit the computer to examine many more records than otherwise possible with far greater speed and accuracy. Although generalized audit software requires the auditor to provide certain specifications about the particular client's records, EDP equipment, and file formats, a detailed knowledge of the client's system may be unnecessary because the audit package is designed to be used in many environments.
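The duplicate-payment identification discussed above, written out as an added example of the extract, compare and summarize work that generalized audit software does; it is not code from the Powers text. The disbursement records, the matching key (vendor, invoice, amount) and the 45-day window used for the near-duplicate test are constructed assumptions for this example.

```python
"""Duplicate-payment identification in the style of generalized audit software.
Added example; not the Powers text's own procedure. All records are constructed."""
from collections import defaultdict
from datetime import date

# Constructed disbursement file: (check number, vendor, invoice reference, amount, pay date)
PAYMENTS = [
    ("10001", "V100", "INV-551", 1200.00, date(2004, 3, 2)),
    ("10002", "V200", "INV-18", 340.50, date(2004, 3, 3)),
    ("10003", "V100", "INV-551", 1200.00, date(2004, 3, 9)),    # exact repeat of 10001
    ("10004", "V300", "INV-77", 980.00, date(2004, 3, 10)),
    ("10005", "V300", "INV77", 980.00, date(2004, 3, 21)),      # same invoice, keyed differently
    ("10006", "V200", "INV-19", 340.50, date(2004, 5, 30)),     # same amount, months later
    ("10007", "V200", "INV-21", 340.50, date(2004, 3, 20)),     # same amount, 17 days after 10002
]


def normalize_invoice(inv):
    """Keep only alphanumerics, upper-cased, so INV-77 and INV77 compare equal."""
    return "".join(ch for ch in inv if ch.isalnum()).upper()


def exact_duplicates(payments):
    """Group on (vendor, normalized invoice, amount); every group of two or more
    checks is a duplicate-payment hit. Returns {key: [check numbers]}."""
    groups = defaultdict(list)
    for chk, vendor, inv, amt, _ in payments:
        groups[(vendor, normalize_invoice(inv), round(amt, 2))].append(chk)
    return {k: v for k, v in groups.items() if len(v) > 1}


def near_duplicates(payments, window_days=45):
    """Same vendor and amount paid within the window under different invoice
    references: leads for follow-up, not findings. Returns [(earlier, later)]."""
    by_vendor_amount = defaultdict(list)
    for rec in payments:
        by_vendor_amount[(rec[1], round(rec[3], 2))].append(rec)
    hits = []
    for recs in by_vendor_amount.values():
        recs.sort(key=lambda r: r[4])
        for i, a in enumerate(recs):
            for b in recs[i + 1:]:
                same_invoice = normalize_invoice(a[2]) == normalize_invoice(b[2])
                if (b[4] - a[4]).days <= window_days and not same_invoice:
                    hits.append((a[0], b[0]))
    return hits


def duplicate_exposure(payments):
    """Summarize: the amount paid beyond the first payment in each exact-duplicate group."""
    total = 0.0
    for (_, _, amt), checks in exact_duplicates(payments).items():
        total += amt * (len(checks) - 1)
    return round(total, 2)


if __name__ == "__main__":
    for key, checks in exact_duplicates(PAYMENTS).items():
        print("exact:", key, checks)
    for pair in near_duplicates(PAYMENTS):
        print("review:", pair)
    print("exposure:", duplicate_exposure(PAYMENTS))
```

The exact test needs only the file layout and the matching key, which is why little knowledge of the client's system is required; the near-duplicate test deliberately over-reports (check 10007 may be a legitimate second invoice) and its output is a list for the auditor to investigate, not a finding.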

93. CIA Nov 92 I.36 Correct Answer is (A) Answer (a) is correct. Use of audit software to perform parallel simulation is an acceptable audit application. Parallel simulation (the audit model technique) involves duplicate processing of the client's data using a program developed by the auditor. The auditor's program simulates the logic of the client's application program. The auditor may thus enter data and compare simulated test results with those from the auditee's program. Maintenance of parallel simulation programs may prove expensive because they must be updated to match changes in the client's system.

Not (b) because use of an integrated test facility usually requires advance planning before a system is implemented. Installing an integrated test facility after the fact can be quite costly and time consuming.

Not (c) because tagging and tracing is more difficult to employ than parallel simulation.

Not (d) because mapping and program analysis requires a strong programming background, something not available on this audit team.

94. CIA Nov 94 I.40 Correct Answer is (C) Not (a) because an integrated test facility involves the use of test data and also the creation of fictitious entities on master files.

Not (b) because tracing provides a detailed listing of the sequence of program statement execution.

Answer (c) is correct. Parallel simulation processes live transactions through an auditor-developed program. The purpose is to simulate routine processing and verify the results.

Not (d) because mapping is a procedure for reporting code usage within a program.
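Parallel simulation as described in questions 93 and 94, as an added example that is not code from the Powers text: the auditee's production payroll logic and the auditor's independent re-implementation of the documented rules both process the same live transactions, and every disagreement becomes an exception for follow-up. The pay rules, the transactions and the defect planted in the auditee's program are all constructed for this example.

```python
"""Parallel simulation of a payroll calculation. Added example; not the Powers
text's own code. Pay rules, transactions and the auditee defect are constructed."""
from decimal import Decimal, ROUND_HALF_UP

# Constructed pay rules: straight time up to 40 hours, time-and-a-half above 40.
REGULAR_LIMIT = Decimal("40")
OVERTIME_RATE = Decimal("1.5")
CENT = Decimal("0.01")


def auditee_gross_pay(hours, rate):
    """The auditee's production logic (constructed). It carries a defect: once
    hours exceed 50 the overtime premium is silently dropped, which is exactly
    the kind of error parallel simulation is meant to surface."""
    hours, rate = Decimal(hours), Decimal(rate)
    if hours <= REGULAR_LIMIT:
        gross = hours * rate
    elif hours <= 50:
        gross = REGULAR_LIMIT * rate + (hours - REGULAR_LIMIT) * rate * OVERTIME_RATE
    else:
        gross = hours * rate  # defect: no premium above 50 hours
    return gross.quantize(CENT, rounding=ROUND_HALF_UP)


def auditor_gross_pay(hours, rate):
    """The auditor's simulation, written independently from the documented rules."""
    hours, rate = Decimal(hours), Decimal(rate)
    regular = min(hours, REGULAR_LIMIT)
    overtime = max(hours - REGULAR_LIMIT, Decimal(0))
    gross = regular * rate + overtime * rate * OVERTIME_RATE
    return gross.quantize(CENT, rounding=ROUND_HALF_UP)


def parallel_simulation(transactions):
    """Run every live transaction through both programs and return the
    exceptions as (employee, production result, simulated result)."""
    exceptions = []
    for emp, hours, rate in transactions:
        production = auditee_gross_pay(hours, rate)
        simulated = auditor_gross_pay(hours, rate)
        if production != simulated:
            exceptions.append((emp, production, simulated))
    return exceptions


# Constructed live transactions: (employee number, hours, hourly rate)
LIVE_TRANSACTIONS = [
    ("E1001", "38", "20.00"),
    ("E1002", "45", "18.50"),
    ("E1003", "52", "22.00"),
    ("E1004", "40", "30.00"),
]

if __name__ == "__main__":
    for emp, production, simulated in parallel_simulation(LIVE_TRANSACTIONS):
        print(f"{emp}: production {production} vs simulation {simulated}")
```

Only E1003 (52 hours) is reported, because the two programs agree everywhere the production logic is correct. The simulation must be kept in step with approved changes to the pay rules, which is the maintenance cost question 93 mentions.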

95. CIA May 88 II.32 Correct Answer is (B) Not (a) because both input and processing controls are types of application controls.

Answer (b) is correct. There are two categories of accounting controls present in a computerized system - general and application controls. General controls apply to the environment of the information system and all information systems actions. Application controls relate to specific jobs executed by the computer. They are designed to supply reasonable assurance that the recording, processing, and reporting functions are properly executed. Application controls are classified as input controls, processing controls, and output controls. Input controls are designed to provide reasonable assurance that data acquired for processing have been properly authorized (approved by management), converted into machine-sensible form (verified and edited as to validity and completeness), and subsequently accounted for (controls to check if data were lost in transmission).

Not (c) because organization controls pertain to segregation of functions within the information systems department.

Not (d) because general controls apply to the environment of the information system and are distinct from application controls.

96. CIA Nov 88 II.35 Correct Answer is (A) Answer (a) is correct. Physical security of storage media is much easier and more effective when the media are in a central location. In a distributed system each location is subject to its own problems, and data transfer, format, and location require more control.

Not (b) because access restrictions and custody controls are necessary in any environment.

Not (c) because computer organizational standards are necessary to maintain computer compatibility, security, and efficient operation procedures.

Not (d) because access restrictions are necessary on every computer system irrespective of the configuration.

97. CIA Nov 88 II.36 Correct Answer is (B) Not (a) because a check digit is used primarily to catch transposed or miskeyed digits in an identification number.

Answer (b) is correct. All transactions and their record keeping should be authorized. A review should be made of all write-offs: inventory, receivables, fixed assets, etc. Also, warehouse employees having custody of inventory should not have authority to initiate or process entries to the inventory records.

Not (c) because a parity check is a hardware control over the internal transfer of data.

Not (d) because an edit check for validity would not catch an adjustment of a valid part number.

98. CIA May 89 I.24 Correct Answer is (D) Not (a) because the batch total check simply assures that items have not been lost.

Not (b) or (c) because an edit test at the time of online data entry will detect the problem earlier than a check made during the later batch-processing run.

Answer (d) is correct. If an online data entry is used, edit tests (programmed checks) to detect errors must be applied as each transaction is entered. For example, the vendor number in the transaction file should be matched (matching check) with the number in the vendor file. If the latter file has not yet been updated, this edit test will result in immediate detection of the discrepancy.

99. CIA Nov 89 I.25 Correct Answer is (D) Not (a) because personal computer operations are decentralized and therefore customarily combine these functions out of necessity.

Not (b) because these special security measures are more cost-justified in a mainframe system.

Not (c) because programming by users is often necessary and sometimes a purpose of using decentralized, personal computer-based systems.

Answer (d) is correct. In a personal computer environment, user training becomes still more important than in a centralized system because users may have to assume greater responsibilities. Thus, users may have to provide maintenance of the equipment and learn programming skills.

100. CIA Nov 89 I.30 Correct Answer is (A) Answer (a) is correct. An overflow test is a programmed control that checks computational results and issues a warning if the result exceeds the capacity of the storage location, which would otherwise result in the loss of data. For example, if 5428 were stored as 542, the 8 lost on overflow would be discovered.

Not (b) because a range test determines whether the value of a data field falls outside prescribed limits.

Not (c) because an existence (validity) check determines whether an entered code is one of a set of valid codes.

Not (d) because a parity check counts the 1 bits in a character or message and appends a parity bit so that the total is even or odd, depending on whether the computer uses even or odd parity. The receiver recounts to verify that the data were transferred without loss. For example, with even parity a 1 bit is appended to a character whose binary code contains an odd number of 1 bits, and a 0 bit to one that contains an even number. A single parity bit catches any odd number of flipped bits but not an even number.

101. CIA Nov 89 I.27 Correct Answer is (B) Not (a) because a data transmission check verifies only the accuracy of the communication.

Answer (b) is correct. The use of external, header, and trailer labels should be enforced to ensure the proper access and protection of files. A header label is a machine-readable record at the beginning of a file that identifies the file. Software makes this check. A trailer label is a machine-readable label at the end of a file containing record counts and control totals. An external label is a human-readable identifying label affixed to the outside of a file holder, such as a magnetic tape file.

Not (c) because this control (boundary protection) protects programs or data from interference (unauthorized reading and/or writing) caused by activity related to other programs or data stored on the same medium.

Not (d) because access controls (passwords, etc.) prevent unauthorized access from remote locations; they do not stop an authorized operator from mounting the wrong file.

102. CIA Nov 89 I.28 Correct Answer is (C) Not (a) because the control group has this responsibility.

Not (b) because these are specified in the backup and recovery plan.

Answer (c) is correct. An important operating control is to establish a library to preclude misplacement or theft of storage media, programs, and documentation. A librarian should perform this custodianship function and be appropriately accountable. The schedule of data processing activity provides authorization for release of files to operators and a consequent transfer of accountability.

Not (d) because the control group has this responsibility.

103. CIA Nov 89 I.29 Correct Answer is (D) Not (a), (b) or (c) because hash totals, document counts, batch sequence checks, and computer matching test for completeness, not for accuracy of data. The term "dependency check" is apparently not meaningful in this context. A matching check compares a field (e.g., a customer number) on the master file with the matching field in a transaction record.

Answer (d) is correct. A limit or reasonableness (range) check tests whether the value of a data field falls outside a prescribed range. The range may be stated in terms of an upper limit, lower limit, or both. For example, a payroll record might be tested to determine if the number of hours worked exceeds 50 per week. A check digit (self-checking number) tests an identification number by recomputing a check digit in accordance with an established algorithm. Key verification involves rekeying data (usually only critical fields) and comparing the results with the first keying operation. Hence, all these techniques control for data accuracy.
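The edit checks named in questions 98, 100 and 103 (matching against a master file, overflow, limit or reasonableness, existence, check digit and key verification) applied to a payroll transaction as it is keyed, as an added example that is not code from the Powers text. The mod-10 (Luhn) check-digit scheme, the field widths, the 50-hour limit, the pay codes and the employee master file are assumptions made for the example; the page names the checks, not these values.

```python
"""Programmed edit checks applied to each payroll transaction as it is keyed.
Added example serving questions 98, 100 and 103; not the Powers text's own code.
The Luhn check digit, field widths, limits, pay codes and master file are assumed."""

HOURS_LIMIT = 50                   # reasonableness limit (question 103's example)
GROSS_FIELD_DIGITS = 7             # gross pay held in a 7-digit field of cents
VALID_PAY_CODES = {"H", "S", "C"}  # hourly, salaried, contract (assumed codes)

# Constructed employee master file: employee number (with check digit) -> name
EMPLOYEE_MASTER = {"123455": "A. Baker", "200311": "C. Dorn"}


def check_digit_valid(number):
    """Mod-10 (Luhn) self-checking number, assumed here as one common scheme:
    recompute the check and compare. A single miskeyed digit or an adjacent
    transposition (other than 09/90) changes the result."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:             # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def in_range(value, low, high):
    """Limit or reasonableness (range) check."""
    return low <= value <= high


def fits_field(value, digits):
    """Overflow test: the computed result must fit its storage location or
    digits are lost (the page's example: 5428 squeezed into three digits)."""
    return abs(value) < 10 ** digits


def exists(code, valid_codes):
    """Existence (validity) check against the set of known codes."""
    return code in valid_codes


def matches_master(key, master):
    """Matching check: the transaction key must be on the master file. If the
    master file has not yet been updated for a new employee, this fails at entry."""
    return key in master


def key_verified(first_keying, second_keying, critical_fields):
    """Key verification: critical fields rekeyed by a second operator must agree."""
    return all(first_keying[f] == second_keying[f] for f in critical_fields)


def edit_transaction(txn, master=EMPLOYEE_MASTER):
    """Apply every edit to one transaction; return the error messages, empty if clean."""
    errors = []
    if not check_digit_valid(txn["employee"]):
        errors.append("EMPLOYEE NUMBER FAILS CHECK DIGIT")
    elif not matches_master(txn["employee"], master):
        errors.append("EMPLOYEE NOT ON MASTER FILE")
    if not in_range(txn["hours"], 0, HOURS_LIMIT):
        errors.append("HOURS OUTSIDE LIMIT")
    if not exists(txn["pay_code"], VALID_PAY_CODES):
        errors.append("UNKNOWN PAY CODE")
    if not fits_field(txn["gross_cents"], GROSS_FIELD_DIGITS):
        errors.append("GROSS PAY OVERFLOWS FIELD")
    return errors


# Constructed transactions as keyed online
TRANSACTIONS = [
    {"employee": "123455", "hours": 40, "pay_code": "H", "gross_cents": 80000},     # clean
    {"employee": "132455", "hours": 40, "pay_code": "H", "gross_cents": 80000},     # 2 and 3 transposed
    {"employee": "555557", "hours": 55, "pay_code": "Q", "gross_cents": 12345678},  # valid digit, not on master
]

if __name__ == "__main__":
    for t in TRANSACTIONS:
        print(t["employee"], edit_transaction(t) or "OK")
```

The third transaction shows why the check digit and the matching check are both needed: 555557 passes the mod-10 test but is not on the master file, and a check digit says nothing about whether a number is authorized, only whether it was keyed consistently.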

104. CIA Nov 89 I.31 Correct Answer is (C) Not (a) because posting batch control totals is a means of accounting for (recording) all batches of transactions.

Not (b) because source documents are used for input, not output.

Answer (c) is correct. Critical output data should be physically isolated, e.g., in locked output bins. Moreover, the distribution of output should be in accordance with distribution registers that list designated users. The data control group should distribute output in a prompt manner to these users, and the distribution should be noted in the control log.

Not (d) because destruction is not helpful if the company desires to retain the output.

105. CIA Nov 89 I.37 Correct Answer is (D) Not (a) because the limited capacity of main memory is not a security risk.

Not (b) because some personal computer manufacturers provide operating systems that can be used with any machine.

Not (c) because purchase procedures do not relate to the use of personal computers.

Answer (d) is correct. Security problems are intensified in a personal computer environment. The computers themselves are often small, portable, and located in areas of maximum accessibility. Hence, they are prone to theft, damage, and unauthorized use. They typically run straight off the mains power supply, without the conditioning or backup power of a computer room, with the consequent potential for loss of data and harm to the equipment. A personal computer system may also not provide the elaborate hardware and software controls found in larger systems, and organizational control through segregation of duties may not be feasible. For example, the same person may be able to access data, modify programs, and operate the equipment. Consequently, security issues of all kinds may arise when personal computers are used, whether as stand-alones or as intelligent terminals.

106. CIA May 90 I.21 Correct Answer is (C) Not (a) because redundant calculation is a processing, not an input, control.

Not (b) because the input itself was valid, so validity checking would not have detected the error.

Answer (c) is correct. Explicit checking for data values with error messages for unknown values would have detected the biweekly employee pay requests and generated error messages rather than erroneous checks.

Not (d) because checkpoint-restart processing permits the operator to restart a failed program without repeating the entire process.

107. CIA Nov 89 II.25 Correct Answer is (D) Not (a) because systems development controls concern systems analysis, design, and implementation.

Not (b) because hardware controls are incorporated into the equipment.

Not (c) because applications controls pertain to specific programs. They include input, processing, and output controls.

Answer (d) is correct. Organizational control concerns the proper segregation of duties and responsibilities within the information systems department. For example, programmers should not have access to the equipment, and operators should not have programming ability. Although proper segregation is desirable, functions that would be considered incompatible if performed by a single individual in a manual activity are often performed through the use of an information systems program or series of programs. Therefore, compensating controls may be necessary, such as library controls, effective supervision, and rotation of personnel.

108. CIA Nov 89 II.29 Correct Answer is (D) Not (a) because access controls perform this function.

Not (b) because access controls perform this function.

Not (c) because processing controls perform this function.

Answer (d) is correct. Input controls are designed to provide reasonable assurance that data received for information systems processing have been properly authorized and are in a form suitable for processing, i.e., complete, accurate, and valid. Input controls also include those that relate to rejection, correction, and resubmission of data that were initially incorrect.

109. CIA Nov 89 II.30 Correct Answer is (B) Not (a) because an access control does not affect the validity, accuracy, and completeness of processing.

Answer (b) is correct. A suspense file contains input records in which errors have been detected. The transaction file incorporates transactions flagged during the edit or master file updating run. This file is run against the suspense file so that the latter will include the new erroneous items. A listing of errors is printed out and corrections are made. The corrected transactions are then re-entered. When the transaction file is next run against the suspense file, the corrected items are removed. Reconciling the suspense file items is necessary to arrive at an accurate inventory balance.

Not (c) because failing a reasonableness check is but one basis for including an item in the suspense file.

Not (d) because this control concerns whether only timely data are processed.
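The suspense-file cycle described in question 109, as an added example that is not code from the Powers text: the edit run writes rejects to the suspense file, prints an error listing, and a later run of corrected re-entries removes each item it clears; items nobody corrects are aged so they can be escalated. The part master, the edit rules and the transactions are constructed for the example.

```python
"""Suspense-file handling of rejected input across two processing runs.
Added example; not the Powers text's own code. The part master, the edit rules
and the transactions are constructed for the example."""

PART_MASTER = {"P-100", "P-200", "P-300"}   # constructed inventory master keys


def edit(txn):
    """Return an error code for a transaction that fails the edit run, else None."""
    if txn["part"] not in PART_MASTER:
        return "PART NOT ON MASTER"
    if not isinstance(txn["qty"], int) or txn["qty"] <= 0:
        return "QTY INVALID"
    return None


def run_cycle(transactions, suspense, run_no):
    """One run of the transaction file against the suspense file.

    Clean transactions are posted and, if they are re-entered corrections,
    removed from suspense. Rejects are written to suspense keyed by transaction
    id, keeping the run in which they first appeared. Returns (posted, error listing)."""
    posted, error_listing = [], []
    for txn in transactions:
        err = edit(txn)
        if err is None:
            posted.append(txn)
            suspense.pop(txn["id"], None)
        else:
            since = suspense.get(txn["id"], {}).get("since_run", run_no)
            suspense[txn["id"]] = dict(txn, error=err, since_run=since)
            error_listing.append((txn["id"], err))
    return posted, error_listing


def aged_items(suspense, current_run, max_age=1):
    """Items unresolved for max_age runs or more: escalate rather than let the
    suspense file become a permanent parking place for bad input."""
    return sorted(tid for tid, t in suspense.items()
                  if current_run - t["since_run"] >= max_age)


# Constructed run 1: one clean receipt, one unknown part, one bad quantity
RUN1 = [
    {"id": "T1", "part": "P-100", "qty": 10},
    {"id": "T2", "part": "P-999", "qty": 5},
    {"id": "T3", "part": "P-200", "qty": 0},
]
# Constructed run 2: T2 corrected, T3 re-entered uncorrected, a new reject T4
RUN2 = [
    {"id": "T2", "part": "P-300", "qty": 5},
    {"id": "T3", "part": "P-200", "qty": 0},
    {"id": "T4", "part": "P-100", "qty": "7"},
]

if __name__ == "__main__":
    suspense = {}
    for run_no, run in ((1, RUN1), (2, RUN2)):
        posted, errors = run_cycle(run, suspense, run_no)
        print(f"run {run_no}: posted {[t['id'] for t in posted]} errors {errors}")
    print("still in suspense:", sorted(suspense), "aged:", aged_items(suspense, 2))
```

Until T3 and T4 are cleared, the inventory balance excludes them, which is why the suspense file has to be reconciled before the balance is accepted as accurate.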

110. CIA Nov 90 I.32 Correct Answer is (A) Answer (a) is correct. Online systems require physical controls over terminals and password protection. The latter is effected through the operating system or security software. Actual use of the system may require a hierarchy of passwords permitting only specified persons to access the system or specified programs and files. For example, certain persons may have read-only access to certain files, whereas other parties may have updating authority.

Not (b) because sign-on sequences do not provide physical security.

Not (c) because context-dependent security is access control based on the content of a sequence of database inquiries.

Not (d) because write-protection security is provided by the absence of a write-enable ring on tapes and the presence of a write-protect tab on floppy disks.

111. CIA May 90 I.20 Correct Answer is (A) Answer (a) is correct. This separation is an organizational control. Organizational controls concern the proper segregation of duties and responsibilities within the information systems department. Although proper segregation is desirable, functions that would be considered incompatible if performed by a single individual in a manual activity are often performed through the use of an information systems program or series of programs. Thus, compensating controls may be necessary, such as library controls, effective supervision, and rotation of personnel. Segregating test programs from production programs makes concealment of unauthorized changes in production programs more difficult.

Not (b) because physical security (e.g., climate control and restrictions on physical access) is another aspect of organizational control.

Not (c) because input controls validate the completeness, accuracy, and appropriateness of input.

Not (d) because concurrency controls manage situations in which two or more programs attempt to use a file or database at the same time.

112. CIA Nov 89 II.33 Correct Answer is (D) Not (a) or (b) because a limit or reasonableness test checks the values of data items against established limits.

Not (c) because a check digit in a number is determined by applying an algorithm to the number. If the number has been miskeyed, the digit generated will differ from the check digit.

Answer (d) is correct. A record count is simply a control total of the physical records (documents) involved in the run. A hash total is a control total generated by adding the values found in a given field of each record in the batch. The total is a "hash" because the field chosen contains an identification number or other item that is otherwise not meaningful. Missing transactions can be detected by either control.

113. CIA May 90 I.22 Correct Answer is (D) Not (a) because check-digit processing and master file lookups verify that employee numbers are valid.

Not (b) because validity tests verify that only authorized employees are paid.

Not (c) because hash totals are independent of calculations of payroll amounts.

Answer (d) is correct. Calculation of a hash total is an input control. It gives assurance that all the transactions that should have been applied to the master file were processed once and only once, by comparing a total of some field computed over the input with the same total computed over the items actually processed. Offsetting errors, such as one transaction duplicated and another with the same field value omitted, escape it.

114. CIA May 90 II.20 Correct Answer is (B) Not (a) because memory protection prohibits programs from accessing memory outside their designated ranges.

Answer (b) is correct. Parity checking counts the 1 bits in a character or message and appends a parity bit so that the total is even or odd, depending on whether the computer uses even or odd parity. The receiver recounts to verify that the data were transferred without loss. For example, with even parity a 1 bit is appended to a character whose binary code contains an odd number of 1 bits, and a 0 bit to one that contains an even number. A single parity bit catches any odd number of flipped bits but not an even number.

Not (c) because, for hardware, validity checking verifies that a machine-level instruction is a valid instruction; for applications, validity checking verifies that transaction data are complete, authorized, and reasonable.

Not (d) because range checking verifies that input data values are within pre-determined ranges.

115. CIA Nov 90 I.33 Correct Answer is (D) Not (a) because agreement of a batch register or total gives assurance that the batch totals agree but does not identify the specific missing or duplicate transactions.

Not (b) because agreement of a batch register or total gives assurance that the batch totals agree but does not identify the specific missing or duplicate transactions.

Not (c) because batch sequence checks perform sequence checks within single batches only.

Answer (d) is correct. In a cumulative sequence check, transaction table entries are flagged by sequence number when transactions are processed so that a record is created of the transactions processed. This record permits detection of attempted duplicate transactions and missing transactions.
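The batch controls described in items 112, 113 and 115 (record count, hash total, financial total, and a cumulative sequence check), as an added example that is not part of the Powers CIA Review text. The transactions, field names and control values are constructed; the example shows why a hash total catches a dropped-and-duplicated transaction that the record count and financial total miss, and why only the sequence check names the specific transaction.

```python
"""Batch input controls: record count, hash total, financial total, and a
cumulative sequence check. Added example; transactions are constructed."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    seq_no: int        # preassigned document serial number
    employee_no: int   # identification field used for the hash total
    amount: float      # monetary field used for the financial total


@dataclass
class BatchTotals:
    record_count: int
    hash_total: int        # sum of a field that has no meaning as a total
    financial_total: float


def compute_totals(batch: list[Transaction]) -> BatchTotals:
    """Control totals the submitting department computes from its source documents."""
    return BatchTotals(
        record_count=len(batch),
        hash_total=sum(t.employee_no for t in batch),
        financial_total=round(sum(t.amount for t in batch), 2),
    )


def check_batch(batch: list[Transaction], header: BatchTotals) -> list[str]:
    """Recompute the totals from what was actually keyed and compare them with
    the batch header. Returns the names of the controls that disagree; an empty
    list means the batch balances (which does not say which record was wrong)."""
    actual = compute_totals(batch)
    mismatches = []
    if actual.record_count != header.record_count:
        mismatches.append("record_count")
    if actual.hash_total != header.hash_total:
        mismatches.append("hash_total")
    if abs(actual.financial_total - header.financial_total) > 0.005:
        mismatches.append("financial_total")
    return mismatches


class CumulativeSequenceCheck:
    """Flags every sequence number as it is processed, across batches, so that
    attempted duplicates and gaps can be reported by number (item 115)."""

    def __init__(self) -> None:
        self.processed: set[int] = set()
        self.duplicates: list[int] = []

    def process(self, batch: list[Transaction]) -> None:
        for t in batch:
            if t.seq_no in self.processed:
                self.duplicates.append(t.seq_no)   # already flagged: duplicate
            else:
                self.processed.add(t.seq_no)

    def missing(self) -> list[int]:
        """Sequence numbers absent from the range of numbers seen so far."""
        if not self.processed:
            return []
        lo, hi = min(self.processed), max(self.processed)
        return [n for n in range(lo, hi + 1) if n not in self.processed]


if __name__ == "__main__":
    # Constructed batch: three source documents with preassigned serial numbers.
    batch = [Transaction(1001, 4101, 250.00),
             Transaction(1002, 4102, 300.00),
             Transaction(1003, 4103, 250.00)]
    header = compute_totals(batch)
    # Keying error: document 1001 entered twice, document 1003 dropped.
    garbled = [batch[0], batch[0], batch[1]]
    print("controls that disagree:", check_batch(garbled, header))  # ['hash_total']
    seq = CumulativeSequenceCheck()
    seq.process(garbled)
    seq.process([Transaction(1004, 4104, 10.00)])
    print("duplicates:", seq.duplicates, "missing:", seq.missing())
```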

116. CIA Nov 90 I.34 Correct Answer is (D) Not (a) because password security for access to the system permits all departmental employees access to all documents in the system.

Not (b) because there are no floppy disks in this system.

Not (c) because periodic server backup and storage in a secure area is a good security/backup procedure, but it would not prevent access to sensitive documents online.

Answer (d) is correct. Different passwords may be required to access the system, to read certain files, and to perform certain other functions. Required entry of passwords for access to individual documents is the best single control over unauthorized access to sensitive documents in the system.

117. CIA Nov 90 I.35 Correct Answer is (A) Answer (a) is correct. Source code written in a higher-level language must be translated (compiled) into machine language statements that can be executed by the computer. Updating of executable program modules must be controlled by requiring proper authorization of changes in the source code. Only the authorized source code should then be used for updating the executable modules.

Not (b) because enforcing the use of separate development and production libraries is good practice, but it does not ensure that source code and executable modules correspond.

Not (c) because requiring management authorization for source code change ensures that source code changes are authorized but does not ensure correspondence between source versions and executable forms.


Not (d) because installing access control procedures ensures control of source code libraries but does not ensure control over access to executable libraries.

118. CIA Nov 90 I.36 Correct Answer is (C) Not (a) because performing data matching of transactions and master file records ensures that the proper master file record is selected for updating but does not ensure that the record is actually updated.

Not (b) because a self-checking number is a control over the accuracy of data transmission.

Answer (c) is correct. A processing control that reconciles counts of sequence flags set and records updated would detect situations in which records were not updated.

Not (d) because this procedure permits detection of duplicate updates but does not ensure that updates occur.

119. CIA Nov 90 II.31 Correct Answer is (B) Not (a) because hardware controls have nothing to do with correct programming of operating system functions.

Answer (b) is correct. Hardware controls, such as parity checks, read-after-write checks, and echo checks, are manufacturer-built-in controls to detect and control errors that arise from the use of automated equipment. The significance of hardware controls to internal auditors is that they assure the correct execution of machine instructions representing application systems. Without hardware controls, internal auditors would have no way of knowing whether hardware operated correctly.

Not (c) because input controls, rather than hardware controls, reduce the incidence of user input errors in online systems.

Not (d) because control totals, rather than hardware controls, ensure that run-to-run totals in application systems are consistent.

120. CIA Nov 91 I.26 Correct Answer is (C) Not (a) because determining the competence of information systems operating personnel is not the major purpose of the evaluation.

Not (b) because due professional care should be exercised in all audits.

Answer (c) is correct. Internal auditors should review the reliability and integrity of financial and operating information and the means used to identify, measure, classify, and report such information. Information systems provide data for decision-making, control, and compliance with external requirements. Thus, internal auditors should examine information systems and, as appropriate, ascertain whether financial and operating records and reports contain accurate, reliable, timely, complete, and useful information, and controls over record keeping and reporting are adequate and effective.

Not (d) because becoming familiar with the company's information system is a means to an end.


121. CIA May 91 I.36 Correct Answer is (C) Not (a) because programmed checks determine the potential accuracy of input data (e.g., a range check).

Not (b) because batch control is used to ensure the completeness and accuracy of input and updating.

Answer (c) is correct. General information system controls include organizational controls, such as a policy (an implementation control) that requires new programs and changes in programs (after adequate testing) to be formally approved before being put into operation (implemented). This policy is reflected in the maintenance of approval and change sheets with appropriate authorizations.

Not (d) because one-for-one checking is a technique used to check individual documents for accuracy and completeness of data input or update.

122. CIA May 91 I.38 Correct Answer is (D) Not (a) because key verification ensures the accuracy of selected fields by requiring a different individual to re-key them.

Not (b) because sequence checks are used to ensure the completeness of input or update data by checking the use of preassigned document serial numbers.

Not (c) because computer matching entails checking selected fields on input data with information held in a suspense or master file.

Answer (d) is correct. To prevent unauthorized access to computer files, lists of authorized persons can be maintained in the computer. The entry of passwords or identification numbers, a prearranged set of personal questions, and the use of badges, magnetic cards, or optically scanned cards may be combined to avoid unauthorized access. Moreover, a device authorization table may restrict file access to those physical devices that should logically need access even when a valid password is used.

123. CIA May 91 I.39 Correct Answer is (B) Not (a) because the system log is a file showing details of all activity during processing that can be used to investigate unusual activity, such as hardware malfunctions, reruns, and abnormal endings.

Answer (b) is correct. The advent of cheaper, smaller, and more powerful computers has permitted the development of a somewhat different alternative to centralization or decentralization: distributed data processing. In a distributed data processing system, the organization's processing needs are examined in their totality. The decision is not whether an application should be done centrally or locally, but rather which parts of the application are better performed by small local computers as intelligent terminals, and which parts are better performed at some other, possibly centralized, site. In essence, the best distribution of processing tasks within application areas is sought. The key distinction between decentralized and distributed systems is the interconnection among the nodes (sites) in the latter kind of network. The capability to continue processing at all sites except a nonfunctioning one is called fail-soft protection, an advantage of distributed systems.


Not (c) because backup procedures are intended to prevent the recovery process from introducing any erroneous changes into the system after computer failure.

Not (d) because data file security procedures are intended to prevent unauthorized changes to data files.

124. CIA May 91 I.41 Correct Answer is (A) Answer (a) is correct. A computer matching of fields, such as product code, supplier code, and quantity, assures agreement between goods received and goods invoiced.

Not (b) because control totals do not identify specific item-by-item differences.

Not (c) because batch totals only provide a total value for a field and do not allow for detailed matching.

Not (d) because check digits only provide for validation of predefined account numbers.

125. CIA Nov 91 I.28 Correct Answer is (C) Not (a) because review of the use of restricted utilities is an important control over the activities of systems programmers, who have access to utility programs that is denied to others.

Not (b) because reviewing attempted accesses is an important step in ensuring that access control is effective.

Answer (c) is correct. Changes in the computer system should be subject to strict control procedures. For example, a written request for an applications program change should be made by a user department and authorized by a designated manager or committee. The program should then be redesigned using a working copy, not the version currently in use. Also, the systems documentation must be revised. The user, the internal auditor, and a systems employee who was not involved in designing the change will be testing changes in the program. Approval of the documented change and the results of testing should be given by a systems manager. The user may then accept the change and test results.

Not (d) because maintenance of backup master files is important in any system to ensure data integrity.

126. CIA Nov 91 I.30 Correct Answer is (D) Not (a) because, in this case, the batch totals would have agreed, and the error would not have been prevented.

Not (b) because, in this case, the batch totals would have agreed, and the error would not have been prevented.

Not (c) because in a batch sequence check, only specific ranges are checked for duplicates within the batch. Thus, a batch sequence check would not have prevented this error.

Answer (d) is correct. Testing for paid invoices, which assumes that invoice records are marked paid as checks are produced, would have detected the duplicate check requests and thus prevented the second set of checks from being produced.

127. CIA Nov 91 I.31 Correct Answer is (C) Not (a) because preassignment of authorization times for job execution is appropriate for production jobs run on a fixed schedule, but it would not have prevented this unauthorized access.

Not (b) because periodic comparison of production program execution with authorized production schedules would neither prevent this unauthorized access nor detect it after the fact.

Answer (c) is correct. Programmers design, write, test, and document the specific programs required by the system. To prevent wrongdoing, these functions should be segregated from production activities. Hence, programmers should have no access to production programs and data or to the equipment used in operations.

Not (d) because logging does not prevent the copying of a program.

128. CIA Nov 91 I.29 Correct Answer is (C) Not (a) because the use of internal labels is intended to prevent misidentification of programs.

Not (b) because control totals are used to assure that all transactions are processed.

Answer (c) is correct. Library security controls include the organization and operation of a library to preclude misplacement, misuse, or theft of storage media, programs, and documentation. The librarian should maintain control over and accountability for these items.

Not (d) because maintaining a duplicate set of programs insures against loss or destruction of original programs.

129. CIA Nov 91 I.34 Correct Answer is (A) Answer (a) is correct. Application controls relate to specific tasks performed by personnel or programs. Their function is to provide reasonable assurance that the recording, processing, and reporting of data are performed properly. Application controls are of three types: input, processing, and output. An input control is designed to provide reasonable assurance that data received for processing have been properly authorized and converted to machine-sensible form. Self-checking digits may be used to detect incorrect identification numbers. The digit is generated by applying an algorithm to the ID number. During the input process, the check digit is recomputed by applying the same algorithm to the code actually entered.

Not (b) because a check digit is an input control, not a file management control.

Not (c) because a check digit is an input control, not an access control.

Not (d) because a check digit is an input control, not an output control.

130. CIA May 92 I.31 Correct Answer is (D) Not (a) because the review of jobs processed will disclose access but not prevent it.

Not (b) because comparison of production programs and controlled copies will detect changes but not prevent them.

Not (c) because periodic running of test data will detect changes but not prevent them.

Answer (d) is correct. When duties are separated, users cannot obtain a detailed knowledge of programs, and those developing or maintaining programs cannot gain unsupervised access to production programs. Organizational control is achieved in part through proper segregation of duties and responsibilities within the information systems function. For example, programmers should not have access to the equipment, and operators should not have programming ability. Although proper segregation is desirable, functions that would be considered incompatible if performed by a single individual in a manual activity are often performed through the use of a computer program or series of programs. Thus, compensating controls may be necessary, such as library controls, effective supervision, and rotation of personnel.


131. CIA May 92 I.33 Correct Answer is (B) Not (a) because batch totals require numerical control.

Answer (b) is correct. Review of processing results by users is an important output control. One-for-one checking of input documents against a list of transactions processed is one aspect of the comparison of output with data input.

Not (c) because computer sequence checks require that transactions be numbered.

Not (d) because computer matching is performed under program control and not by the user.

132. CIA May 92 I.34 Correct Answer is (B) Not (a) because, although user submission of test data may detect invalid transactions and failure to process valid transactions, this technique would not be used consistently.

Answer (b) is correct. An important detective control is user review of output. Users should be able to determine when output is incomplete or not reasonable, particularly when the user prepared the input. Thus, users as well as information systems personnel have a quality assurance function.

Not (c) because controlled output distribution will not prevent or detect incorrect output.

Not (d) because decollation of output is simply the separation of output copies.

133. CIA May 92 I.35 Correct Answer is (B) Not (a) because applications programmers are responsible for installing and customizing software and usually perform their duties outside the computer center. They should not have access to output.

Answer (b) is correct. The information systems control group acts as liaison between the users and the processing center. This group records input data in a control log, follows the progress of processing, distributes output, and establishes control totals. It is also responsible for following up error reports and assuring that erroneous records are reprocessed.

Not (c) because computer operators should not have access to output.

Not (d) because review of output is performed by the control section and not directly by the data processing manager.

134. CIA May 92 I.36 Correct Answer is (C) Not (a) because supervisor-only authorization for transfers between the bank's customers would interfere with normal bank operations.

Not (b) because overnight balancing of all accounts by the online teller system ensures that all parts of all transactions are accounted for but does not ensure that all transactions are authorized.

Answer (c) is correct. Periodic examination of accounts of employees with access to automated teller functions may detect unusual activity to and from employees' accounts.

Not (d) because required vacations for employees with access to teller functions might expose a teller's actions to others' scrutiny but would not ensure detection, especially if the teller remedied any overdrafts before going on vacation.

135. CIA May 92 I.38 Correct Answer is (A) Answer (a) is correct. A logic error occurs in the fundamental interrelationships among the program's instructions. The spreadsheet logic was flawed in that it failed to apply discounts to all complementary product lines.

Not (b) because the error is independent of the operation of hardware.

Not (c) because there was no misentry of keystrokes in spreadsheet cells.

Not (d) because cross footing is the independent summing of rows and columns and comparison of results. No cross footing error occurred in the spreadsheet model.

136. CIA May 92 I.39 Correct Answer is (B) Not (a) because, although trained systems professionals are less likely to make logic errors, all significant spreadsheet models should be independently reviewed. Spreadsheet models are useful precisely because they can be prepared by users. Systems specialists may not be available to develop all the spreadsheet models that organizations need.

Answer (b) is correct. Independent audit and testing of spreadsheet models by knowledgeable persons is the best approach for validating model logic and thus the integrity of a spreadsheet. Development of new programs or program changes should be initiated by users and authorized by an appropriate manager or committee. If changes are authorized, they should be made in a copy of the program. Programmers should not have access to the programs used in actual processing (production). The user, the internal auditor, and a systems employee independent of the programmer should then test the changes. The documentation must be amended to reflect the changes and the test results, a manager in the systems department should give formal approval, and the users should make a formal acceptance.

Not (c) because specifying cross footing for all spreadsheet models would detect some spreadsheet logic errors, but not all of them. Cross footing would not have detected this error.

Not (d) because enforcing documentation standards for multi-use spreadsheet models is a good practice for promoting correct use of spreadsheet models used repetitively but is unlikely to detect logic errors like this one.

137. CIA Nov 92 I.33 Correct Answer is (C) Not (a) because installing a logging system for program access would permit detection of unauthorized access but not prevent it.

Not (b) because monitoring physical access to program library media would control only unauthorized physical access.

Answer (c) is correct. An important operating control is to establish a library to preclude misplacement, misuse, or theft of data files, programs, and documentation. A librarian should perform this custodianship function and be appropriately accountable. Restricting physical and logical access secures programs from unauthorized use, whether in person or remotely via terminals.

Not (d) because denying all remote access via terminals would likely be inefficient and would not secure program libraries against physical access.


138. CIA May 92 III.27 Correct Answer is (D) Not (a) because use of an integrated test facility (ITF) is a technique by which an auditor selects transactions and processing functions and applies the transactions to a fictitious entity during a normal processing cycle along with regular transactions. This technique cannot determine whether the data themselves are legitimate.

Not (b) because tracing follows the path of a transaction during processing but is inadequate to determine whether a transaction is legitimate.

Not (c) because transaction selection uses an independent computer program to monitor and select transactions for internal audit review. Like tracing, it fails to determine whether a transaction is legitimate. It would be an appropriate technique to apply to transactions suspected to be illegitimate.

Answer (d) is correct. An access log should be used to record all attempts to use the system. The date and time, codes used, mode of access, and data involved are recorded. The system should monitor unsuccessful attempts because repeated attempts could suggest that someone is trying random or patterned character sequences in order to identify a password.

139. CIA Nov 92 I.31 Correct Answer is (B) Not (a) because verifying that the account number corresponds to an existing account in the master file is a master file reference check.

Answer (b) is correct. A major control used to guard against errors made in transcribing or keying data is a check digit. A check digit is a detective control designed to establish the validity and appropriateness of numerical data elements, such as account numbers. The check-digit within the code is a mathematical function of the other digits. Recalculation of the digit tests the accuracy of the other characters in the code. Check digit verification prevents single-digit errors from leading to erroneous updates.

Not (c) because ensuring that supporting documentation exists for update transactions is a document reconciliation control.

Not (d) because requiring a field to have the correct logical relationship with other fields is a dependency check.
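The check digit mechanism described in items 129 and 139 (a digit that is a function of the other digits, recomputed from the keyed code at input), as an added example that is not part of the Powers CIA Review text. The review names no particular algorithm; the mod-10 (Luhn) scheme is assumed here, and the account numbers are constructed. The last two functions go beyond the text by testing exhaustively which keying errors the scheme catches: every single-digit error, and every adjacent transposition except 09 and 90.

```python
"""Check digit generation and input-time verification with the mod-10 (Luhn)
scheme. Added example; the algorithm choice and the numbers are assumptions."""


def luhn_check_digit(body: str) -> str:
    """Compute the check digit for `body` (the ID number without its check digit)."""
    if not body.isdigit():
        raise ValueError("identification number must contain digits only")
    total = 0
    # Walk from the rightmost body digit; double every second digit starting there.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return str((10 - total % 10) % 10)


def with_check_digit(body: str) -> str:
    """Issue an ID number: the body followed by its self-checking digit."""
    return body + luhn_check_digit(body)


def verify(code: str) -> bool:
    """Input edit: recompute the digit from the keyed body and compare it with
    the keyed check digit. Rejects non-numeric or too-short input outright."""
    if len(code) < 2 or not code.isdigit():
        return False
    return luhn_check_digit(code[:-1]) == code[-1]


def single_digit_errors_detected(code: str) -> bool:
    """Substitute every position with every other digit; True when verify()
    rejects all of them (the property the review attributes to check digits)."""
    for pos in range(len(code)):
        for d in "0123456789":
            if d == code[pos]:
                continue
            keyed = code[:pos] + d + code[pos + 1:]
            if verify(keyed):
                return False
    return True


def adjacent_transpositions_detected(code: str) -> list[int]:
    """Swap each pair of adjacent (different) digits and return the positions
    whose swap still verifies, i.e. the transpositions the scheme would miss."""
    undetected = []
    for pos in range(len(code) - 1):
        if code[pos] == code[pos + 1]:
            continue
        swapped = code[:pos] + code[pos + 1] + code[pos] + code[pos + 2:]
        if verify(swapped):
            undetected.append(pos)
    return undetected


if __name__ == "__main__":
    account = with_check_digit("7992739871")          # constructed account number
    print(account, verify(account))                   # 79927398713 True
    print(verify("79927398763"))                      # one digit miskeyed: False
    print(single_digit_errors_detected(account))      # True
    print(adjacent_transpositions_detected("12906"))  # [2]: the 9/0 swap is missed
```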

140. CIA Nov 92 II.31 Correct Answer is (A) Answer (a) is correct. An echo check provides a feedback loop by transmitting data received (by peripheral devices) back to the source unit (CPU) for validation with the original data. It is a hardware control.

Not (b) because a protection ring prevents accidental writing on a tape file and is used mostly in batch systems. A real-time system would not utilize tape files.

Not (c) because hash totals are utilized to control data sent to a batch system not a real-time system.

Not (d) because integrated test facilities are useful in testing real-time systems but cannot be utilized to ensure completeness of data transmissions.

141. CIA Nov 92 I.34 Correct Answer is (B) Not (a) because sequence checking provides a reasonably good test for completeness of input but does not test accuracy.

Answer (b) is correct. A batch total is an application control. This total controls the movement and processing of data in groups. The batch total (a record count or financial total) tests completeness and accuracy.

Not (c) because limit checks are useful to determine whether an entry is within acceptable limits only. Such limitation makes the limit check unusable to test the accuracy of input.

Not (d) because a check digit allows the computer to automatically reject incorrect entries. The cumbersome computation required to establish the check digit, however, tends to limit its use to a few key entries. It is never used to test accuracy of input for an entire working document.

142. CIA Nov 92 I.35 Correct Answer is (D) Not (a) because increased capacity has led to further proliferation of personal computers but is not a risk.

Not (b) because rapid changes or new versions of software usually include enhanced features; some changes may reflect exposure but change is not the major exposure.

Not (c) because rapid expansion in usage tended to decrease centralization; moreover, such centralization would not tend to represent an exposure.

Answer (d) is correct. Widespread use of personal computers means that more and often less well-trained individuals are involved in computing and that assuring the security of data, programs, and hardware is increasingly difficult. Accordingly, end-user processing with personal computers potentially exposes the organization to loss or corruption of data, unreliable processing, and alteration of programs and data.

143. CIA Nov 92 I.37 Correct Answer is (C) Not (a) because vendor payees were not changed; the check register would show that the checks were issued to authorized vendors.

Not (b) because total dollars were not altered; there is no out-of-balance condition.

Answer (c) is correct. All application changes must be documented and subject to testing and approval. A program change control group is responsible for determining that proper procedures are carried out relative to controlling programming changes. This includes assuring that written authorizations are received for changes. To avoid fraud and to ensure compatibility with other programs, programmers should not be able to make unauthorized changes.

Not (d) because the programmer did not need access to the system given his/her access to the program.

144. CIA Nov 92 I.32 Correct Answer is (C) Not (a) because, although validation at sign-on to the system will limit access, it will not effectively prevent data from being removed without permission.

Not (b) because data could be taken electronically from the network file server or the mainframe.

Answer (c) is correct. Data access control software on the network and mainframe will limit access to the data to authorized users only. For example, this software may execute compatibility tests. Compatibility tests restrict access to the computer system by determining whether access by a given user (or device) is compatible with the nature of the attempted use. A series of passwords or identification numbers may be required to gain access to the system, to examine data files, and to perform processing using particular programs. Thus, a clerk might be authorized only to read the data in a given file while using a specified terminal, but his/her superior might be able to update the file. Compatibility tests require online storage of authorization tables or matrices that specify the access permitted to specified codes and devices.

Not (d) because key locks will limit access to the PC and thus to the data, but they will not effectively prevent data being removed without permission.

145. CIA Nov 92 III.33 Correct Answer is (B) Not (a) because an integrated test facility is an audit approach to validating processing.

Answer (b) is correct. An operating system is a set of program routines used by the processor to control the operations of the computer and its peripheral equipment, such as input-output devices and communications channels. Functions performed by the operating system include scheduling of program execution, debugging, input-output control, compilation, storage assignment, data management, and related services. Initial login to a system is a function of access control software at the operating system level.

Not (c) because database subschema authorizations control access to specific views of fields in a database.

Not (d) because access to applications and their data is a function of application level software.

146. CIA May 93 I.9 Correct Answer is (B) Not (a) because completeness tests are used to ensure that the input has the prescribed amount of data in all data fields.

Answer (b) is correct. Validity tests are used to ensure that transactions contain valid transaction codes, valid characters, and valid field size. Checking jobs for validity would prevent assigning labour hours to inactive jobs.

Not (c) because limit tests are used to determine whether the data exceeds certain predetermined limits.

Not (d) because control totals are used to reconcile EDP input to the source document totals.


147. CIA May 93 I.21 Correct Answer is (D) Not (a) because top management is charged with the overall control of computer based information systems. Operational control is defined as residing in the users.

Not (b) because external auditing is an independent appraisal function, whose principal objective is the expression of an opinion about an organization's financial statements.

Not (c) because internal auditing is an independent appraisal function, whose principal objective is to assist the organization in the accomplishment of its objectives.

Answer (d) is correct. Module 2 of the IIA's Systems Auditability and Control (SAC 1991) report places the operational responsibility for the accuracy and completeness of computer based information systems on the users.

148. CIA May 93 I.25 Correct Answer is (B) Not (a) because ensuring that the database design is relational facilitates the use of views, but would not by itself prevent clerks from having read access to confidential information.

Answer (b) is correct. The clerk was able to access the online system with his/her own access code. Restricting access to authorized individuals would prevent the use of unauthorized user numbers for unauthorized access. This could be achieved by maintaining a list of the authorized people to access the system in the computer/server including a device authorization table. In addition, passwords, access codes, the use of badges and magnetic cards may be combined to avoid unauthorized access to the information systems files.

Not (c) because requiring before and after images of transactions is a good backup/recovery practice but would not prevent unauthorized read access.

Not (d) because reconciling monetary totals for input sessions helps maintain data integrity but would not prevent unauthorized read access.


149. CIA May 93 I.30 Correct Answer is (B) Not (a) because controlled disposal of documents is not limited to computer files.

Answer (b) is correct. Encryption is a typical security measure. A program encodes data so that it is more difficult for an intruder to understand or use the data. Also, frequent changing of passwords limits unauthorized access to files.

Not (c) because key integrity checks are not access controls. Key integrity checks prevent the updating process from creating inaccuracies in keys.

Not (d) because key integrity checks are not access controls. Key integrity checks prevent the updating process from creating inaccuracies in keys.

150. CIA May 93 I.42 Correct Answer is (B) Not (a) because a "hot site" has all needed assets in place and is not vendor dependent.

Answer (b) is correct. Organizations should maintain contingency plans for operations, e.g., plans for off-site storage of important backup data and a plan for the continuation of operations at another location in the case of a disaster. A "cold site" has all needed assets in place except the needed computer equipment and is vendor dependent for timely delivery of equipment.

Not (c) because a "cold and hot site" combination allows the "hot site" to be used until the "cold site" is prepared and is thus not too vendor dependent.

Not (d) because excess capacity would ensure that needed assets are available and would not be vendor dependent.

151. CIA May 93 II.23 Correct Answer is (B) Not (a) because, although there is a migration of control of this type away from applications to other software, the large bulk of these controls still reside in application software.

Answer (b) is correct. Utility programs perform functions such as sorting and copying. Those programs are available to all users and in many applications, which makes them one of the more serious "holes" in data access security since some of them can actually bypass normal access controls.

Not (c) because access control software has as one of its primary objectives improving data access security for all data on the system.

Not (d) because most data base management systems provide for improved data access security while they are running.

152. CIA May 93 II.24 Correct Answer is (A) Answer (a) is correct. Processing controls provide reasonable assurance that processing has been performed as intended for the particular application, i.e., that all transactions are processed as authorized, that no authorized transactions are omitted, and that no unauthorized transactions are added.

Not (b) because proof calculations mitigate the risk of transmission errors.

Not (c) because restart and recovery controls mitigate the risk of lost transactions when processing is interrupted.

Not (d) because programmed cutoff controls prevent an improper cutoff and mitigate the risk of transactions being recorded in the wrong period.

153. CIA May 93 I.23 Correct Answer is (A) Answer (a) is correct. Check digit verification is an example of an input control. Input controls are application controls designed to provide reasonable assurance that data received for processing have been properly authorized (approved by management) and converted to machine-readable form (verified and edited as to validity and completeness). The completeness of the input process can be determined by accumulating and comparing appropriate control totals (controls to check if data were lost in transmission).

Not (b) because check digit verification is not a file management control. Internal label check is an example of a file management control.

Not (c) because check digit verification is not an access control. Password is an example of access control.

Not (d) because check digit verification is not an output control. Report balancing is an example of an output control.

154. CIA May 93 II.28 Correct Answer is (D) Not (a) because lack of enforcement of program change procedures is irrelevant to this impropriety.

Not (b) because lack of a password is irrelevant to this impropriety.

Not (c) because lack of appropriate ownership is irrelevant to this impropriety.

Answer (d) is correct. Individuals should have only the access privileges required for their job functions. Production employees typically do not need access to pricing information. Access controls, such as passwords, ID numbers, access logs, and device authorization tables, prevent unauthorized use of data files. They ensure that only persons with a bona fide purpose and authorization have access to databases.

155. CIA May 93 II.41 Correct Answer is (A) Answer (a) is correct. The primary reason for organizations to develop contingency plans for their EDP operations is to ensure that they will be able to properly process vital transactions in the event of any type of disaster. The continuity of operations depends on these vital transactions. Fast and efficient application of the contingency plan is also a crucial factor in such a case.

Not (b) because it is not the best answer. This is a secondary reason.

Not (c) because it is not the best answer. This is a secondary reason.

Not (d) because it is not the best answer; sources of capital are seldom included.

156. CIA May 93 III.35 Correct Answer is (B) Not (a) because ensuring compatibility of information systems with organizational objectives will not ensure adequate security and recovery controls in end-user developed systems.

Answer (b) is correct. The technology trend of increasing end-user development of systems has the risk of lack of necessary security and recovery controls. This can be mitigated by management oversight to ensure adequate procedures.

Not (c) because validation of the knowledge base will not ensure adequate security and recovery controls in end-user developed systems.

Not (d) because testing of controls in development and production will not ensure adequate security and recovery controls in end-user developed systems.

157. CIA May 93 II.25 Correct Answer is (C) Not (a) because restart and recovery controls mitigate the risk of lost transactions when processing is interrupted.

Not (b) because cycle processing controls mitigate the risk of missing or improper transactions.

Answer (c) is correct. Programmed balancing controls ensure the accuracy and completeness of file updating by verifying consistency of opening and closing balances and thus ensuring that the right file is processed.

Not (d) because programmed cutoff controls prevent an improper cutoff and mitigate the risk of transactions being recorded in the wrong period.

158. CIA May 93 III.43 Correct Answer is (A) Answer (a) is correct. Preventive controls are controls designed to prevent errors from occurring. The error in this case is overspending the budget. The control prevented this from occurring.

Not (b) because detection occurs after-the-fact. An error is detected after it happens.

Not (c) because correction fixes the error and comes after the error is detected (after-the-fact).

Not (d) because it relates to automated detection of error conditions and attempts by the software (usually vendor software such as a database) to recover from an error condition.

159. CIA May 93 III.41 Correct Answer is (D) Not (a) because systematic and rigorous testing of programmed controls does not reduce the risk of misplaced reliance on management oversight since the supervision of management is an essential element of every control structure in an organization.

Not (b) because proliferation of knowledge-based systems increases the risk of inadequate knowledge bases.

Not (c) because closer linkage between organizational strategy and information is a strength, not a weakness.

Answer (d) is correct. Systematic and rigorous testing of programmed controls reduces the risk of misplaced reliance on automated controls. More pervasive use of automated controls increases the need for testing those controls in their development, implementation and functioning since there are fewer compensating manual controls.

160. CIA May 93 III.54 Correct Answer is (D) Not (a) because system development standards for the organization are an element of management control; they are not part of a disaster recovery plan.

Not (b) because the history of modifications to the operating system is an element of management control through documentation; it is not part of the disaster recovery plan.

Not (c) because the applications planned for new development are part of management planning and control; they are not part of a disaster recovery plan.

Answer (d) is correct. An essential element of a disaster recovery plan is a statement of the responsibilities of each organizational unit.

161. CIA May 93 III.56 Correct Answer is (A) Answer (a) is correct. Password control systems are used to prevent unauthorized access to system program and data files.

Not (b) because physical locks and other such devices are used to prevent unauthorized physical availability of remote terminals.

Not (c) because organizational controls for security and protection are necessary to prevent physical destruction of system program and data files.

Not (d) because organizational controls for security and protection are necessary to prevent physical destruction of remote terminals.

162. CIA May 93 III.58 Correct Answer is (D) Not (a) because policy dissemination is too vague a response in this case.

Not (b) because training cannot cover all contingencies.

Not (c) because the customer did not wish to effect a change.

Answer (d) is correct. Limiting access to the database to authorized users only will prevent inaccurate file changes by unauthorized users, such as an accounts receivable clerk.

163. CIA May 93 III.49 Correct Answer is (A) Answer (a) is correct. A dependency check would test whether the data elements for a loan application are logically consistent.

Not (b) because a reasonableness check tests whether the data contents entered fall within predetermined limits.

Not (c) because a format check ensures that all required data are present in the prescribed form.

Not (d) because an existence check tests whether the entered data codes are valid codes held on the file or in the program.

164. CIA May 93 III.61 Correct Answer is (C) Not (a) because both types of data are sensitive and need protection.

Not (b) because it would not identify the user.

Answer (c) is correct. Access should be limited to users with valid passwords to prevent unauthorized access to data files and programs.

Not (d) because use of separate passwords for customer data and product data is excessive and burdensome.

165. CIA Nov 93 I.25 Correct Answer is (A) Answer (a) is correct. Code comparison is the process of comparing two versions of the same program to determine whether the two correspond. It is an efficient technique because it is performed by software.

Not (b) because code review is the process of reading program source code listings to determine whether the code contains potential errors or inefficient statements. Code review can be used as a means of code comparison but is inefficient.

Not (c) because test data runs permit the auditor to verify the processing of preselected transactions. It gives no evidence about unexercised portions of the program.

Not (d) because analytical review is the process of creating and evaluating ratios between numbers, often in the context of financial statements.

166. CIA Nov 93 I.27 Correct Answer is (B) Not (a) because an existence check is a test of accuracy.

Answer (b) is correct. Application controls relate to specific tasks performed by personnel or programs. Input controls are application controls designed to provide reasonable assurance that data received for processing have been properly authorized and converted to machine-readable form. The completeness of the input process can be determined by accumulating and comparing appropriate control totals.

Not (c) because a limit check is a test of accuracy which determines whether a data value falls within certain limits.

Not (d) because a reasonableness check is based on limits for given information.

167. CIA Nov 93 I.28 Correct Answer is (C) Not (a) because individuals external to the organization may need to have limited access privileges to participate in inter-organization information systems, e.g., electronic data interchange.

Not (b) because a weekly cycle may be too long to wait to cancel privileges for employees with changed job responsibilities or for terminated employees.

Answer (c) is correct. Proper addition/deletion of authorizations includes prompt activation of access privileges after they are authorized. Too much delay may tempt users to bypass access control procedures.

Not (d) because security officers, not systems programmers, are responsible for maintaining records of access changes.

168. CIA Nov 93 I.29 Correct Answer is (B) Not (a) because having customers specify the name for each item they order would let the company correct erroneous order codes once they had been detected, but would not, in general, detect erroneous codes.

Answer (b) is correct. Self-checking digits may be used to detect incorrect codes. By applying an algorithm to the code, the digit is generated. During the input process, the check digit is recomputed by applying the same algorithm to the code actually entered.

Not (c) because separating the parts of the order code with hyphens would make the characters easier to read, but would not cure the problem of transposed characters.

Not (d) because using a master file reference for all order codes would verify the existence of items, but would not detect erroneous order codes in which transposed characters in an order code match other items.

169. CIA Nov 93 I.30 Correct Answer is (D) Not (a) because moving the program code that computes sales taxes to a single program is a good system design approach, but it does not guarantee that sales tax processing is complete.

Not (b) because changing the operator input screens does not ensure correct application of sales taxes. The operator may not know what the appropriate computation is.

Not (c) because customers may not know the proper rates or may deny that their areas impose the taxes.

Answer (d) is correct. Sales taxes vary from one jurisdiction to another. Hence, the program must include a code that sorts orders by area. Verification of the accuracy of the tax charges can then be obtained by calculating the total taxes for each area in two ways: applying the tax rate to the aggregate sales and summing the taxes charged on individual sales.

170. CIA May 93 III.62 Correct Answer is (D) Not (a) because a firm can control the application risks resulting from bad system design and implementation. It is a class of risk and is very pertinent to an EUC application.

Not (b) because a firm can control environmental risks such as interfaces of an EUC system and people with others. It is a class of risk and is very pertinent to an EUC application.

Not (c) because a firm can control the risks inherent in the application's software and hardware combination. The company’s technical support staff and/or computer vendor support staff can resolve problems resulting from these risks. It is a class of risk and is very pertinent to an EUC application.

Answer (d) is correct. A single firm cannot control the technological obsolescence risks resulting from advancements in computer hardware and software.

171. CIA Nov 93 I.31 Correct Answer is (C) Not (a) because placing output in bins does not ensure that unauthorized persons are denied access.

Not (b) because output loaded in a file is available to anyone with access to the file.

Answer (c) is correct. An independent data control group should receive user input, log it, transfer it to the computer center, monitor processing, review error messages, compare control totals, log and distribute output, and determine whether error corrections have been made. This group is therefore responsible for maintaining lists of authorized recipients in a distribution log and holding the output in a secure area until it is picked up.

Not (d) because making printouts available at specified times does not control access.

172. CIA Nov 93 I.32 Correct Answer is (B) Not (a) because the practice of not retaining daily transaction data is unsound in that the bank loses a day's transactions for each backup that is unreadable.

Answer (b) is correct. Backups should always be made to ensure that any lost information can be restored. However, not retaining each day's transaction files is risky because information received since the last backup file was created will be lost.

Not (c) because the practice of not retaining daily transaction data certainly minimizes complexity but at the expense of losing transaction data if the online file must be restored from the backup.

Not (d) because checkpoint/restart information is not needed. The backups are created after all processing is finished for the day.

173. CIA Nov 93 I.34 Correct Answer is (A) Answer (a) is correct. Validation of the model can be accomplished using historical data if circumstances have not changed. If they have, the results produced by varying the input should be evaluated to determine that they are consistent with what is known about the behavior of tax revenue given various economic conditions, changes in tax law, etc.

Not (b) because there is no forecast technique that would always forecast all the different kinds of revenue this precisely; the overall behavior of the model is more important than the forecasting of individual revenue components.

Not (c) because there is no reason to believe that the programs used for this year's forecast should be identical to those used in the previous year, given continually evolving circumstances.

Not (d) because there is no reason to require that the model predict the previous year's actual revenue. Economic conditions and tax laws change.

174. CIA Nov 93 I.37 Correct Answer is (A) Answer (a) is correct. System development procedures and controls that are well established in the centralized information systems environment do not exist in user departments. End-user computing may result in elimination of the function of the systems analyst, omission of documentation, inadequate consideration of control procedures, poor integration with existing systems, etc.

Not (b) because this is a principal motivation for developing end-user systems.

Not (c) because end-user systems can be developed to serve departmental needs without understanding mainframe architecture.

Not (d) because the inability to accommodate computer-assisted auditing techniques is not a control weakness.

175. CIA Nov 93 II.25 Correct Answer is (A) Answer (a) is correct. During each program run in a series, the computer accumulates the totals of transactions that have been processed. The run-to-run check reconciles them with the totals forwarded from the previous program run. Run-to-run totals thus ensure completeness of update.

Not (b) because computer matching compares transaction data with referenced fields or records.

Not (c) because computer sequence checks identify changes or breaks in a numerical sequence.

Not (d) because one-for-one checking usually requires manual comparisons of input data elements with processing results.

176. CIA Nov 93 I.35 Correct Answer is (A) Answer (a) is correct. A DBMS is an integrated set of computer programs that create the database, maintain the elements, safeguard the data from loss or destruction, and make the data available to application programs and inquiries. Because the DBMS handles data retrieval and storage, applications programs need not specify data locations but can simply ask for data by name. The results are data independence and avoidance of data redundancy. Data journaling procedures require making appropriate copies of any changes to a database to enable recovery from database failures.

Not (b) because edit and validation are controls over data integrity.

Not (c) because data ownership and accountability policies identify who knows how data are to be used and who is responsible for determining levels of control over access to data.

Not (d) because data integrity procedures test input of data, not recovery of data.

177. CIA Nov 93 II.29 Correct Answer is (A) Answer (a) is correct. An online inquiry capability permits the order-taker to retrieve the ZIP code from a master file of ZIP codes. The operator can then verify the state abbreviation while talking with the customer.

Not (b) because looking up the state abbreviation is insufficient to permit the operator to verify the ZIP code. Each state has more than one ZIP code.

Not (c) because permitting operators to enter the ZIP code only makes it impossible to detect incorrect ZIP codes.

Not (d) because, in general, it is not feasible to determine ZIP codes from street, city, and state addresses that can be entered in multiple ways.

178. CIA Nov 93 II.32 Correct Answer is (D) Not (a) because analyzing job activity with a queuing model to determine workload characteristics gives information about resource usage but does not verify that the system actually functioned as intended.

Not (b) because a simulation helps management characterize the workload but does not verify that the system actually functioned as intended.

Not (c) because using library management software to track changes to successive versions of application programs permits control of production and test versions but does not verify that the system actually functioned as intended.

Answer (d) is correct. Job accounting data analysis permits programmatic examination of job initiation and termination, record counts, and processing times. Auditing job accounting data for file accesses and job initiation/termination messages will reveal whether the right data files were loaded/dismounted at the right times and the right programs were initiated/terminated at the right times.

179. CIA Nov 93 II.34 Correct Answer is (C) Not (a) because protecting all cells except those specifically intended for data entry guards against data entry mistakes, but it does not ensure that model calculations are correct.

Not (b) because inspecting the documentation provides evidence on how usable and maintainable the model is but does not ensure that model calculations are correct.

Answer (c) is correct. Performing sensitivity analysis, i.e., varying input values and determining whether the output varies accordingly, on the major output results gives assurance that calculations are performed correctly.

Not (d) because mapping the spreadsheet model with spreadsheet analysis software provides output useful for documenting the structure and surface consistency of the model but does not ensure that model calculations are correct.

180. CIA Nov 93 III.26 Correct Answer is (D) Answer (d) is correct. As explained below:

1. Correct - Microcomputer users may be unaware of the need to make frequent file back-ups.

2. Incorrect - Reduced application development costs are one of the benefits of microcomputers.

3. Incorrect - Batch update is a characteristic of mainframes.

4. Correct - Microcomputer software packages typically do not have appropriate access control capabilities.

5. Correct - Making unauthorized copies of software is fairly easy and sometimes may be an informally accepted method of reducing software costs for microcomputer systems.

Answers (a), (b), and (c) are incorrect due to answer (d).

181. CIA Nov 93 III.30 Correct Answer is (D) Not (a) because restricting access on the basis of the type of resource would not permit selective access based on values in a record.

Not (b) because restricting access on the basis of statistical summaries would not be helpful in preparing bids.

Not (c) because restricting access on the basis of the age of the stored records would not enable the selective access the company wants because some needed data would be new and some would be old.

Answer (d) is correct. Restricting access on the basis of data values within a record, e.g., bid identity, would enable the selective access the company wants.

182. CIA Nov 94 I.42 Correct Answer is (B) Not (a) because data ownership standards are a direct departmental-level responsibility.

Answer (b) is correct. In an end-user computing environment, an individual user is directly responsible for backup and recovery of data and for physical security.

Not (c) because most end users do not have the knowledge to read technical manuals.

Not (d) because the end user has custody of equipment but should not be responsible for the inventory of equipment.

183. CIA Nov 94 I.28 Correct Answer is (C) Not (a) because discussing the password removal process does not determine whether ex-employees are still using or are able to use their passwords to access the databases.

Not (b) because the computer logs should be compared with current payroll lists.

Answer (c) is correct. To determine if ex-employees are accessing the company's automated database, the auditor should obtain the log showing database accesses. This log should be compared with current payroll lists to see if anyone not on the payroll is still accessing or is able to access the databases.

Not (d) because reviewing the access control software does not indicate whether ex-employees can access or are accessing the databases.

184. CIA Nov 93 III.55 Correct Answer is (A) Answer (a) is correct. Restricting updating to one position would protect the libraries from unauthorized updating, and permitting all IS employees read access to source code would let them continue to obtain the efficiencies of being able to read others' code.

Not (b) because permitting updating for everyone is the current situation, which is risky; restricting read access to source code to one position creates more inefficiency than existed before.

Not (c) because restricting updating and read access to one position protects the libraries but creates the inefficiency of no others being able to read the source code.

Not (d) because permitting updating and read access for everyone in the information systems department is the current situation, which created the risk.

185. CIA Nov 93 III.75 Correct Answer is (A) Answer (a) is correct. A software agreement usually allows one backup copy to be made. Installing the software on multiple computers and making additional copies are copyright violations.

Not (b) because installing the spreadsheet software on a multi-user network would make it available to multiple users.

Not (c) because not all vendors allow use on different machines.

Not (d) because some agreements require relicensing when a machine change occurs.

186. CIA May 95 I.27 Correct Answer is (C) Not (a) because oral verification also would address the problem.

Not (b) because assigning a sequential number to the customer's order helps build an audit trail but does not address the product identification issue.

Answer (c) is correct. A self-checking digit detects incorrect codes. Applying an algorithm to the code generates the digit. During input, the digit is recomputed by applying the algorithm to the code actually entered. Oral verification also addresses the problem of incorrectly identifying the product number.

Not (d) because assigning a sequential number to the customer's order helps build an audit trail but does not address the product identification issue.
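Answers 168 and 186 both describe the self-checking digit as an input control: an algorithm generates a check digit from the code, and the same algorithm is re-applied at entry time to the code actually keyed. The following is an added illustration, not part of the Powers answer key or the CIA questions. It assumes two standard schemes (the mod-10 "Luhn" digit and an ISBN-10 style weighted mod-11 digit) and a constructed batch of keyed order codes; none of these values come from the questions.

```python
"""
Self-checking (check) digits as an input edit, as discussed in answers 168 and 186.

Constructed illustration: the code values below are made up, and the two
schemes (mod-10 "Luhn" and weighted mod-11) are standard textbook choices,
not anything prescribed by the CIA questions or the Powers answer key.
"""


def luhn_check_digit(body: str) -> str:
    """Return the mod-10 (Luhn) check digit for a string of decimal digits.

    Walking the body from its rightmost digit, every other digit (starting
    with the rightmost) is doubled and, if the product exceeds 9, reduced by 9.
    The check digit is whatever brings the total to a multiple of 10.
    """
    if not body.isdigit():
        raise ValueError("body must contain only decimal digits")
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(code: str) -> bool:
    """Input edit: recompute the check digit from the body and compare it with
    the digit actually keyed. A non-digit character fails the edit outright."""
    body, check = code[:-1], code[-1:]
    return body.isdigit() and check.isdigit() and luhn_check_digit(body) == check


def mod11_check_digit(body: str) -> str:
    """Weighted mod-11 check digit (ISBN-10 style).

    Digits are weighted 2, 3, 4, ... from the right. Because 11 is prime and
    the weights are distinct mod 11, every single-digit error and every
    adjacent transposition changes the check digit. A remainder of 10 is
    written as 'X'.
    """
    if not body.isdigit():
        raise ValueError("body must contain only decimal digits")
    total = sum(int(ch) * w for w, ch in enumerate(reversed(body), start=2))
    r = (11 - total % 11) % 11
    return "X" if r == 10 else str(r)


def mod11_valid(code: str) -> bool:
    """Input edit for the mod-11 scheme (the 'X' check character is accepted in either case)."""
    body, check = code[:-1], code[-1:].upper()
    return body.isdigit() and mod11_check_digit(body) == check


def screen_order_codes(codes, valid=luhn_valid):
    """Return the keyed codes that fail the check-digit edit and must be re-keyed."""
    return [c for c in codes if not valid(c)]


# Constructed sample of keyed order codes: a correct code, the same code with
# two adjacent digits transposed ("98" keyed as "89"), another correct code,
# and one with a mis-keyed check character.
SAMPLE_ENTRIES = ["79927398713", "79927389713", "12345678903", "1234567890X"]


if __name__ == "__main__":
    print("Luhn edit rejects:", screen_order_codes(SAMPLE_ENTRIES))
    # Caveat: the mod-10 scheme misses the single transposition 09 <-> 90;
    # the weighted mod-11 scheme catches it.
    print("Luhn accepts both 091 and 901:", luhn_valid("091"), luhn_valid("901"))
    print("mod-11 digits for 09 and 90:", mod11_check_digit("09"), mod11_check_digit("90"))
```

The transposed entry in the sample is rejected because recomputing the digit from the keyed body gives a different result, which is exactly the detection the answers describe. The choice of scheme matters for the control's strength: the mod-10 digit lets one adjacent transposition (09 for 90) through, while the prime-modulus weighted scheme detects all adjacent transpositions, at the cost of an alphabetic check character.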

187. CIA Nov 94 I.27 Correct Answer is (B) Not (a) because the built-in access controls should be retained until replaced with a more comprehensive and cost-effective system.

Answer (b) is correct. Access control software provides comprehensive and coordinated security. It permits authorized users to gain access only for purposes of performing their assigned duties and restricts employees from performing incompatible functions. A comprehensive system is more cost-effective than programming access controls into each application.

Not (c) because utility software does not usually perform security functions.

Not (d) because a comprehensive system is more cost-effective than programming access controls into each application.

188. CIA Nov 94 I.37 Correct Answer is (D) Not (a) because the acquisition of hardware and software is an organizational- and departmental-level responsibility.

Not (b) because taking equipment inventories is an organizational-level responsibility.

Not (c) because strategic planning is an organizational- and departmental-level responsibility.

Answer (d) is correct. End-user computing involves user-created or -acquired systems that are maintained and operated outside of traditional information systems controls. In this environment, an individual user is ordinarily responsible for the physical security of the equipment he or she uses.

189. CIA Nov 94 I.39 Correct Answer is (B) Not (a) because backup/restart procedures are relevant to abnormal interruptions of processing. They do not cause bottlenecks.

Answer (b) is correct. Scheduling jobs to optimize computer resources is essential. Poor scheduling can result in bottlenecks at peak hours and inadequate usage at other times. The results are increased costs and inefficient operation.

Not (c) because console logs provide indications of problems and are not the cause of bottlenecks.

Not (d) because program documentation does not show why the bottlenecks are occurring.

190. CIA Nov 95 I.32 Correct Answer is (C) Not (a) because effective control requires that programmers not be able to make undetected, unrecorded changes in data or programs. Thus, programmers should not have access to the production library.

Not (b) because programmers should be responsible for making program changes, and users should be responsible for testing the changes. Hence, users should not have access to the test library. Accountability for changes would be diminished. Moreover, users may lack the competence to make appropriate changes.

Answer (c) is correct. The program librarian is accountable for, and has custody of, the programs in the production library.

Not (d) because, if the operator has access to both program libraries, he or she may be able to make unauthorized and undetected changes to the computer programs.

191. CIA Nov 94 I.38 Correct Answer is (D) Not (a) because copyright violations are common risks in a stand-alone personal computer environment.

Not (b) because unauthorized access is a common risk in a stand-alone microcomputer environment.

Not (c) because lack of data availability is a common risk in a stand-alone microcomputer environment.

Answer (d) is correct. Environmental control risks more likely in a stand-alone microcomputer environment include copyright violations that occur when unauthorized copies of software are made or software is installed on multiple computers. Access to application programs and related data by unauthorized persons is another concern because of lack of physical access controls, application-level controls, and other controls found in mainframe environments. Moreover, a stand-alone personal computer environment may be characterized by inadequate backup, recovery, and contingency planning that may result in an inability to re-create the system or its data.

192. CIA Nov 95 I.33 Correct Answer is (C) Not (a) because self-checking digits detect incorrect product identification numbers.

Not (b) because verbally verifying the product and the price helps to ensure that the system captures the transaction accurately.

Answer (c) is correct. Batch totals are useful for ensuring that orders are not lost once they have been captured. They do not ensure that orders are recorded correctly or that shipments are accurately priced.

Not (d) because the ability to make price changes should be tightly restricted.

193. CIA May 95 I.32 Correct Answer is (C) Not (a) because generating price tags based on the electronic receiving reports is appropriate, given that one purchase order may generate more than one shipment. The correct number received should be properly recorded, and this reconciliation accomplishes that task.

Not (b) because prenumbered receiving documents are not necessary given that they are replaced by a required reference to the purchase order.

Answer (c) is correct. Goods should be inspected in the receiving department for quantity and quality at the time of receipt, and receiving information should be documented at that time.

Not (d) because not all of the answers are incorrect.

194. CIA May 95 I.34 Correct Answer is (A) Answer (a) is correct. As organizations move to EDI and other forms of automated processing, a comprehensive data access and security program becomes crucial. Access to hardware, software, and data files should be restricted to authorized persons, activities, and devices.

Not (b) because program changes should always be reviewed and tested by the user. The changes should be implemented only by the program librarian, not the programmer.

Not (c) because initiation of changes in the vendor database by the purchasing agent would allow the purchasing agent to establish fictitious vendors.

Not (d) because the receiving department needs access to purchase order information to determine whether a shipment of goods ought to be received.

195. CIA Nov 94 I.43 Correct Answer is (B) Not (a) because input validation for transactions is available in both environments.

Answer (b) is correct. In general, mainframe software and procedures for installing programs and maintaining change histories ensure centralized control. In an end-user environment, individual users are held accountable for ensuring that changes follow established procedures. Decentralizing this responsibility may result in inadequate software and hardware facilities.

Not (c) because encryption of sensitive data is available in both environments.

Not (d) because software for relational database queries is available in both environments.

196. CIA Nov 95 I.28 Correct Answer is (A) Answer (a) is correct. Access should be limited to those whose activities necessitate access to the computer system. Moreover, the degree of access allowed should be consistent with an individual's responsibilities. Restricting access to particular individuals rather than groups or departments clearly establishes specific accountability. Not everyone in a group will need access or the same degree of access. Thus, passwords assigned to individuals should be required for identification of users by the system. Furthermore, data should be restricted at the field level, not the workstation level. It may be possible to limit access to a workstation, but most workstations are connected to larger mainframe databases. Thus, security at the workstation level only would be insufficient.

Not (b) because access should be restricted to particular individuals on a need-to-know basis, data should be restricted at the field level, and use should be limited to necessary functions performed by the accountable individual.

Not (c) because access should be restricted to particular individuals on a need-to-know basis, data should be restricted at the field level, and use should be limited to necessary functions performed by the accountable individual.

Not (d) because access should be restricted to particular individuals on a need-to-know basis, data should be restricted at the field level, and use should be limited to necessary functions performed by the accountable individual.

197. CIA Nov 95 I.36 Correct Answer is (C) Not (a) because users often choose passwords that are easily guessed.

Not (b) because a program to test passwords is useful but less effective than see-through authentication.

Answer (c) is correct. See-through authentication techniques, such as the one described, require the user to have two of the three important elements to authenticate oneself to the system, i.e., a possession (the card used to generate the password), knowledge (the new password), or a personal characteristic (e.g., fingerprints).

Not (d) because limiting access to certain times and a specific location is helpful in certain environments but not when the system allows dial-up access.

198. CIA May 96 I.10 Correct Answer is (A) Answer (a) is correct. Comparing variances and the related documentation is the only test that samples from the appropriate population (project variances) and verifies that needed approvals and explanations were given and documented.

Not (b) because recomputing variances is not relevant to whether variances were explained and approved.

Not (c) because the direction of testing should be from the variances to both explanations and approvals. Testing explanations by tracing to subsequent approvals and project reports does not determine whether some variances were not explained.

Not (d) because the direction of testing should be from the variances to both explanations and approvals. Testing explanations by tracing to subsequent approvals and project reports does not determine whether some variances were not explained.

199. CIA Nov 95 I.37 Correct Answer is (D) Not (a) because physical access to the LAN is relevant. Risk exposures exist if the components are not physically protected.

Not (b) because data access security is within the audit scope.

Not (c) because interviews with users are often effective in identifying potential security breaches or other problems that should be addressed.

Answer (d) is correct. The level of computer security at other LANs in the company may be interesting for comparative purposes, but it has no effect on the security at this location or the scope of the examination needed.

200. CIA May 96 I.9 Correct Answer is (C) Not (a) because reviewing JCL and report end-of-job indicators concerns processing, not output distribution.

Not (b) because verifying that a correct transaction file was used concerns input, not output.

Answer (c) is correct. Someone on the approved distribution list should sign for reports upon delivery. This procedure is the only one of those listed that will provide information about access to reports.

Not (d) because review of end-of-job indicators would not provide information on report access.

201. CIA May 96 I.11 Correct Answer is (C) Not (a) because error listings relate to application controls.

Not (b) because record counts relate to application controls.

Answer (c) is correct. General controls are pervasive because they apply to most applications and facilities. For example, proper segregation of duties, systems development methods, access and other security controls, administrative controls, and disaster-recovery planning are examples. Reviewing the fire suppression capabilities located at the production facility is a test of the disaster-recovery plan. Reviewing position descriptions for production personnel assigned to computer-related duties is a test of an administrative control.

Not (d) because error listings relate to application controls.

202. CIA Nov 95 I.31 Correct Answer is (D) Not (a) because potential loss, the probability thereof, and the cost and effectiveness of security measures are important elements of the analysis.

Not (b) because potential loss, the probability thereof, and the cost and effectiveness of security measures are important elements of the analysis.

Not (c) because potential loss, the probability thereof, and the cost and effectiveness of security measures are important elements of the analysis.

Answer (d) is correct. Potential loss is the amount of dollar damages associated with a security problem or loss of assets. Potential loss times the probability of occurrence is an estimate (expected value) of the exposure associated with lack of security. It represents a potential benefit associated with the implementation of security measures. To perform a cost-benefit analysis, the costs should be considered. Thus, all three items need to be addressed.

203. CIA May 96 I.27 Correct Answer is (B) Not (a) because testing may detect missing or erroneous logic, but it does not address flaws in the conceptual design of the system.

Answer (b) is correct. A traditional system employs systems analysts to review all aspects of a problem and to devise a solution given all relevant factors. However, EUC applications lack such an independent review.

Not (c) because proper documentation does not rectify design flaws.

Not (d) because lack of segregation of duties is a risk associated with concealment of errors or fraud, not failure to meet business requirements.

204. CIA May 96 I.28 Correct Answer is (D) Not (a) because a standard method for uploading data may not include the controls necessary to detect errors in the uploading process.

Not (b) because edit and validation checks are typically designed to identify errors in data entry rather than in processing.

Not (c) because a record or log of rejected items is a control for monitoring the subsequent correction and processing of the items.

Answer (d) is correct. Balancing totals should be used to ensure completeness and accuracy of processing. For example, comparing totals of critical fields generated before processing with output totals for those fields tests for missing or improper transactions.

205. CIA May 96 I.29 Correct Answer is (C) Not (a) because lack of documentation may not affect the reliability of the information processed.

Not (b) because an appropriate level of management authorized the changes.

Answer (c) is correct. One of the increased risks in an EUC environment is that program change procedures may not be followed. Users may take action without adherence to controls over initiation, authorization, testing, documentation, coordination, and communication of the changes.

Not (d) because the consultants may have properly tested the changes.

206. CIA May 96 I.30 Correct Answer is (D) Not (a) because application controls are dependent on the general controls.

Not (b) because, in an EUC environment, responsibility for general controls may be shared by several individuals in different departments or locations.

Not (c) because the need for specific general controls varies with the complexity and importance of the application.

Answer (d) is correct. General controls concern data and program security, program changes, system development, computer operations, and disaster recovery. Application controls depend on the general controls. The former will be ineffective if the latter are not functioning properly. Furthermore, application controls in an EUC environment may be inadequate, so the general controls may be the auditor's primary emphasis.

207. CIA May 96 I.31 Correct Answer is (B) Not (a) because restricting access to LAN workstations is a control to prevent unauthorized persons from gaining access to the network.

Answer (b) is correct. Sophisticated software packages may inadvertently threaten data security by allowing users to bypass existing system-level security. Fourth-generation languages have update, retrieval, and reporting functions that may be used inappropriately in the absence of strong controls.

Not (c) because requiring a password to log on to the LAN may not prevent authorized users from performing unauthorized functions.

Not (d) because a security policy may establish responsibility but will not prevent inappropriate update of information.

208. CIA May 96 I.32 Correct Answer is (A) Answer (a) is correct. Edit or validation routines are application controls over data entry. For example, they test whether data fields have the appropriate types and numbers of characters, data fields are complete, data are consistent with information in a master file or table, transactions balance, and amounts fall within a reasonableness interval.

Not (b) because rejected and suspense item controls are relevant only if the data are first subject to edit and validation checks.

Not (c) because controls over update access to the database are general controls rather than application controls.

Not (d) because control totals are designed to identify errors in the processing of data rather than in the data itself.

209. CIA May 93 II.20 Correct Answer is (C) Not (a) because hiring policies can provide assurance of qualified personnel for operation of the system, but cannot prevent introduction of viruses from bulletin boards or from outside sources.

Not (b) because software programs can identify and neutralize known viruses but may not recognize and properly neutralize new strains of a computer virus.

Answer (c) is correct. Acceptably safe computing can be achieved by carefully crafted policies and procedures used in conjunction with antivirus and access control software.

Not (d) because physical protection devices can reduce access but cannot prevent introduction of viruses by errant employees or from outside sources.

210. CIA Nov 96 I.55 Correct Answer is (C) Not (a) because continuous audit involvement does not minimize the audit cost. Actually, it has the highest cost of the alternatives.

Not (b) because, when the audit department is continuously involved in development, there are no clearly defined points for comments.

Answer (c) is correct. The scope of internal auditing work includes recommending standards of control and reviewing procedures before implementation. Continuous involvement of the internal auditing department in systems development should minimize the costs of reworking the system. Continuous audit involvement allows for adjustments to be made during the course of development.

Not (d) because the potential for lack of audit independence can be minimized with audit involvement only after implementation.

211. CIA May 96 I.44 Correct Answer is (C) Not (a) because terminal access restrictions limit access to data input sites.

Not (b) because password requirements help restrict input access.

Answer (c) is correct. Hash totals do not have defined meanings. Examples are totals of employee numbers or invoice numbers. They are used to verify the completeness of data, not to limit access.

Not (d) because validity tests for user identification and product codes help to determine whether input is authorized.

212. CIA May 96 I.45 Correct Answer is (C) Not (a) because open purchase orders have not yet been invoiced or paid.

Not (b) because an EDI system is unlikely to offer cash discounts. In addition, the auditor was involved in the design and testing of the EDI system and presumably has knowledge of the EDI system's procedures.

Answer (c) is correct. Manual input and processing increase the risk of delayed payments and loss of purchase discounts. Furthermore, an EDI system is unlikely to offer cash discounts. Thus, the proper population from which to sample consists of paid invoices not processed through the EDI system.

Not (d) because an EDI system is unlikely to offer cash discounts. In addition, the auditor was involved in the design and testing of the EDI system and presumably has knowledge of the EDI system's procedures.

213. CIA May 96 I.46 Correct Answer is (A) Answer (a) is correct. An exception report (error listing) should be issued so that company personnel can investigate the discrepancy, determine its cause, and take appropriate corrective action.

Not (b) because the company should not pay for goods not received.

Not (c) because the company should first determine the cause of the discrepancy.

Not (d) because the company should not pay for goods not received.

214. CIA May 96 I.47 Correct Answer is (C) Not (a) because the number of vendors does not indicate the size of the purchases.

Not (b) because the amount of purchases is equally divided between the EDI and non-EDI systems and does not provide a basis for prioritizing risks.

Answer (c) is correct. Sound controls mitigate the risks associated with EDI. The question states that the internal auditing department's prior involvement consisted of assessing and testing the EDI system. This review found no significant problems. Accordingly, the risk of the EDI system is decreased.

Not (d) because failure to examine EDI purchase controls increases risk.

215. CIA May 96 I.49 Correct Answer is (D) Not (a) because identifying and authenticating the requestor provides some assurance that transactions are authorized.

Not (b) because information should be authenticated before transfer.

Not (c) because exception processing provides assurance about validity. All error conditions should be logged, reported, and reviewed on a timely basis.

Answer (d) is correct. Encryption protects data from unauthorized interception. However, this process does not ensure that the underlying transactions are genuine.

216. CIA May 96 I.58 Correct Answer is (B) Not (a) because reasonableness, limit, and range checks are based upon known limits for given information. For example, the hours worked per week is not likely to be greater than 45.

Answer (b) is correct. Validity checks are tests of identification numbers or transaction codes for validity by comparison with items already known to be correct or authorized. For example, Social Security numbers on payroll input records can be compared with Social Security numbers authorized by the personnel department.

Not (c) because a record count is a control total of the number of records processed during the operation of a program. Financial totals summarize dollar amounts in an information field in a group of records.

Not (d) because a hash total is the number obtained from totaling the same field value for each transaction in a batch. The total has no meaning or value other than as a comparison with another hash total.

217. CIA Nov 96 I.5 Correct Answer is (D) Not (a) because information technology allows more data to be reviewed and reduces audit risk.

Not (b) because information technology can expedite the audit.

Not (c) because information technology can be used to implement a new approach to the audit of an application or function.

Answer (d) is correct. Judgment is the fruit of an auditor's formal education, professional experience, and personal qualities. Information technology is merely a tool for achieving audit objectives. It does not improve the auditor's judgment.

218. CIA Nov 96 I.11 Correct Answer is (A) Answer (a) is correct. The number of systems personnel employed may reflect differences in operating philosophy (outsourcing vs. in-house development of applications). However, the compatibility of personnel is a less serious concern than the compatibility of hardware and software.

Not (b) because Company A has little EDI experience. Hence, the greater the number of vendors that must be connected with Company A, the greater the risk exposure.

Not (c) because the difficulty and expense of conversion will be increased if the computer systems have significant compatibility problems.

Not (d) because the greater the complexity of the systems to be integrated, the greater the risk exposure.

219. CIA May 97 I.4 Correct Answer is (B) Not (a) because backup/restart procedures concern abnormally aborted processing of jobs.

Answer (b) is correct. Job scheduling is an obvious starting point for the investigation. Ineffective controls over scheduling result not only in processing bottlenecks at peak hours but also in inefficient usage at other times and increased costs. Scheduling problems may arise when, for example, the job mix changes daily, users are allowed to submit unscheduled jobs, or manual overrides of an automated schedule are permitted. Controls include using automated scheduling software, limiting manual overrides, obtaining supervisory approval of manual overrides, documenting complete and current operations, verifying that all jobs are completed, and submitting unscheduled jobs to a different processor or partition of the processor from that used for production processing of scheduled jobs.

Not (c) because console logs would give only indications of problems. Console logs might be examined later in the process, but they would not be the initial focus.

Not (d) because program documentation is not the correct place to start, but it might help later to determine why a given program was delaying processing.

220. CIA May 97 I.5 Correct Answer is (B) Not (a) because asynchronous transmission is a method of data transmission, not a means of safeguarding data. It is used for slow, irregular transmissions, such as from a keyboard terminal. Each character is marked by a start and stop code.

Answer (b) is correct. Encryption software uses a fixed algorithm to manipulate plain text and an encryption key (a set of random data bits used as a starting point for application of the algorithm) to introduce variation. Although tapping into the transmission line may access data, the encryption key is necessary to understand the data being sent.

Not (c) because, although fiber-optic transmission lines are difficult to tap, their use will not prevent theft of unencrypted data by someone who has access to them.

Not (d) because use of passwords will control access at the sending location and the head-office computer. However, passwords will not prevent someone from tapping the transmission line.

221. CIA May 97 I.19 Correct Answer is (B) Not (a) because self-checking digits detect inaccurate identification numbers. They are an effective control to ensure that the appropriate part has been identified. However, the control objective is to ensure that data transfer is complete.

Answer (b) is correct. Batch control totals for the data transferred can be reconciled with the batch control totals in the existing file. This comparison provides information on the completion of the data transfer. Batch totals may include record counts, totals of certain critical amounts, or hash totals. A hash total is a control total without a defined meaning, such as the total of employee numbers or invoice numbers that is used to verify the completeness of data. Thus, the hash total for the employee listing by the personnel department could be compared with the total generated during the payroll run.

Not (c) because passwords help ensure that only authorized personnel make the transfer, not that data transfer is complete.

Not (d) because field checks are effective input controls, but they do not ensure completeness of data transfer.

222. CIA May 93 I.29 Correct Answer is (D) Not (a) because access to sensitive output is a security concern.

Not (b) because backup and disaster recovery is an operational integrity issue.

Not (c) because the change environment is a security and independence concern.

Answer (d) is correct. Efficiency is not achieved when facilities are underused, work is nonproductive, or procedures are uneconomical. Efficiency will be improved by freeing media and disk space for other uses, thus reducing data storage costs.

223. CIA May 97 I.51 Correct Answer is (C) Not (a) because restricting specific applications to specific files is a job-to-data authorization technique.

Not (b) because restricting specific terminals to specific applications is a terminal-to-data authorization technique.

Answer (c) is correct. In a user-to-data access control system, access controls are based on identification and authentication procedures. Identification is the process of uniquely distinguishing one user from all others, and authentication determines that a user is the person he claims to be. Authentication may be by knowledge, possessions, or characteristics. Knowledge may include passwords and identification numbers, possessions may include a security card or badge, and characteristics may include physiological and behavioral traits.

Not (d) because the use of access software alone does not address all security risks.

224. CIA May 97 I.67 Correct Answer is (A) Answer (a) is correct. A technical feasibility study determines whether the proposed solution can be implemented. It should be conducted in the systems analysis stage.

Not (b) because the involvement of users in the development process should result in better design and greater acceptance of the system.

Not (c) because software quality assurance is crucial to the development process. Mistakes may be extremely costly.

Not (d) because, without good documentation, an information system may be difficult, if not impossible, to operate, maintain, or use.

225. CIA May 90 III.41 Correct Answer is (C) Not (a) because given that the members of the personnel department share one computer, they all have access to that computer. Authorized members need to access the system and retrieve and edit their assigned portion of personnel files to perform their job. If access and file retrieval for all members were restricted by passwords only, members who are authorized to access the system and retrieve files but not authorized for editing those files will be able to edit personnel records.

Not (b) because given that the members of the personnel department share one computer, they all have access to that computer. Authorized members need to access the system and retrieve and edit their assigned portion of personnel files to perform their job. If access and file retrieval for all members were restricted by passwords only, members who are authorized to access the system and retrieve files but not authorized for editing those files will be able to edit personnel records.

Answer (c) is correct. Given that the members of the personnel department share one computer, they all have access to that computer. Authorized members need to access the system and retrieve and edit their assigned portion of personnel files to perform their job. If access and file retrieval for all members were restricted by passwords only, members who are authorized to access the system and retrieve files but not authorized for editing those files will be able to edit personnel records. Consequently, minimum password protection should be available at the file editing level.

Not (d) because password control is needed.

226. CIA Nov 89 I.24 Correct Answer is (C) Not (a) because the "paper trail" is less extensive in an information system. Combining processing and controls within the system reduces documentary evidence.

Not (b) because information assets are more likely to be under the control of the information system function.

Answer (c) is correct. Using a computer does not change the basic concepts and objectives of control. However, the use of computers may modify the control techniques used. The processing of transactions may be combined with control activities previously performed separately, or control functions may be combined within the information system activity.

Not (d) because documentation is more important in an information system. Information is more likely to be stored in machine-readable form than in hard copy.

227. CIA Nov 90 III.23 Correct Answer is (B) Not (a) because password authorization is a general control over access to terminals.

Answer (b) is correct. Check digit verification is used when an algorithm generates a self-checking digit and associates it with an identification number (e.g., a part number). When the user enters the part number, the digit is regenerated using the same algorithm and compared with the stored check digit for that part number. This is an appropriate input-output control because it detects errors in fields such as account or inventory numbers.

Not (c) because hash totals are appropriate for batch processing.

Not (d) because backup and recovery procedures are general controls and not application controls.
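The input and completeness controls named in items 216, 221 and 227 (self-checking digits, record counts, financial totals and hash totals) as an added example, not code from the Powers review material; the weighted modulus-10 check-digit scheme, the payroll record layout and the sample batches are constructed for illustration.

```python
"""Self-checking digits and batch control totals (record count, financial total,
hash total) with a reconciliation of sender and receiver totals.  Added example;
the check-digit weights, record layout and sample data are all constructed."""
from __future__ import annotations
from dataclasses import dataclass

WEIGHTS = (7, 3, 1)  # constructed weighting for the check-digit algorithm


def check_digit(body: str) -> str:
    """Weighted modulus-10 check digit for the numeric body of an identifier.
    Adjacent digits carry different weights, so transposing them changes the digit."""
    total = sum(int(d) * WEIGHTS[i % len(WEIGHTS)] for i, d in enumerate(body))
    return str((10 - total % 10) % 10)


def with_check_digit(body: str) -> str:
    """Associate the generated digit with the identification number."""
    return body + check_digit(body)


def is_valid_id(full: str) -> bool:
    """Regenerate the digit from the body and compare it with the stored digit."""
    return full.isdigit() and len(full) > 1 and check_digit(full[:-1]) == full[-1]


@dataclass(frozen=True)
class PayrollRecord:
    employee_no: str   # identifier carrying a trailing check digit
    hours: float
    gross_pay: float


@dataclass(frozen=True)
class BatchTotals:
    record_count: int        # number of records in the batch
    financial_total: float   # sum of a dollar field (a meaningful total)
    hash_total: int          # sum of employee numbers (no business meaning)


def batch_totals(records: list[PayrollRecord]) -> BatchTotals:
    """Compute the control totals the sender attaches to the batch."""
    return BatchTotals(
        record_count=len(records),
        financial_total=round(sum(r.gross_pay for r in records), 2),
        hash_total=sum(int(r.employee_no) for r in records),
    )


def mismatches(sent: BatchTotals, received: BatchTotals) -> list[str]:
    """Names of the control totals that fail to reconcile; empty means complete."""
    return [name for name in ("record_count", "financial_total", "hash_total")
            if getattr(sent, name) != getattr(received, name)]


def invalid_ids(records: list[PayrollRecord]) -> list[str]:
    """Employee numbers whose check digit does not regenerate (a field-level edit)."""
    return [r.employee_no for r in records if not is_valid_id(r.employee_no)]


# Constructed sender batch: four employees, numbers carry their check digit.
SENT_BATCH = [
    PayrollRecord(with_check_digit("10234"), 40.0, 1200.00),   # 102348
    PayrollRecord(with_check_digit("10567"), 38.0, 1140.00),   # 105675
    PayrollRecord(with_check_digit("11890"), 45.0, 1575.00),   # 118909
    PayrollRecord(with_check_digit("12345"), 32.0, 960.00),    # 123451
]
# Constructed receiver copies: one lost the last record during transfer, the
# other has two digits of the first employee number transposed (10234 -> 10243).
RECEIVED_DROPPED = SENT_BATCH[:3]
RECEIVED_TRANSPOSED = [PayrollRecord("102438", 40.0, 1200.00)] + SENT_BATCH[1:]


if __name__ == "__main__":
    sent = batch_totals(SENT_BATCH)
    print("sender totals:", sent)
    for label, batch in (("dropped record", RECEIVED_DROPPED),
                         ("transposed id", RECEIVED_TRANSPOSED)):
        print(label, "-> exceptions:", mismatches(sent, batch_totals(batch)),
              "invalid ids:", invalid_ids(batch))
```

The dropped record is caught by all three totals, while the transposed employee number leaves the record count and financial total intact and is caught only by the hash total and by the check digit on the field itself.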

228. CIA Nov 90 III.33 Correct Answer is (A) Answer (a) is correct. The callback technique would prevent unauthorized access to the computer when using a dial-up facility. The callback technique is a two-step control. First, the connection is broken after the caller has identified himself and given the call number allowing reconnection. The system then checks the caller's authorization; if the authorization is verified, the computer is reconnected. If there is no authorization, the computer is not reconnected.

Not (b) because the modem (modulator/demodulator) is a device that allows a connection between a computer and a terminal to be made from a remote location through the use of telephone lines.

Not (c) because the echo check is a control used to verify that information sent by a sender is identical to the information received by the recipient. The information sent is echoed back by the recipient to the sender; if the message received by the sender is not identical to what was sent, the transmission is tried again.

Not (d) because the console log has nothing to do with controlling access to the computer. The log lists all operating system activity, maintains an equipment utilization record, and identifies operator-initiated actions.

229. CIA May 91 III.26 Correct Answer is (B) Not (a) because the bank employee obtained account codes/PINs by observing customers at the ATMs. The bank should encourage its customers to keep their account information secret but must take independent steps to detect and prevent use of fraudulent cards.

Answer (b) is correct. Detecting the fraudulent cards allowed the bank to monitor ATM use and catch the individual. Transaction validation of cards allows detecting fraudulent ATM cards in addition to account numbers and PIN codes.

Not (c) because this individual had, at one time, been authorized to know about ATM operations.

Not (d) because the bank should restrict access to machines capable of writing magnetic stripes on cards to only those employees who need them for their job. Individuals skilled in electronics can, however, obtain parts they assemble themselves, so banks are unable to restrict access to stripe-writing machines.

230. CIA May 91 III.83 Correct Answer is (B) Not (a) because prohibiting departmental staff from programming their spreadsheet applications defeats the purpose of using personal computers, that is, to make it possible for users to be more productive with their own computers.

Answer (b) is correct. To assure control over confidential data and programs, a functional separation of computer-based activities should be established. Custody of the data and programs should be in the hands of a librarian responsible for their secure storage and control. Access should be formally authorized to assure accountability for use of the data and programs.

Not (c) because custom-designed menus are ordinarily used to limit access to other application programs, not necessarily to data files. Also, they are unnecessary for skilled users and do not impose control on them.

Not (d) because dividing the duties of application preparation and execution impedes the intended use of the application models. It is ineffective as a control measure because all the department's staff are skilled spreadsheet users.

231. CIA May 91 III.42 Correct Answer is (C) Not (a) because tagging is the practice of marking specific transactions for subsequent investigation.

Not (b) because callback is a procedure in which the system disconnects the caller and calls the external entity's telephone number of record before letting the terminal session proceed.

Answer (c) is correct. Using passwords would permit supervisors to authenticate themselves to the system as supervisors. Tellers, not knowing the supervisors' passwords, could not invoke supervisor-only functions.

Not (d) because logs of access and attempted functions by employee would detect teller use of unauthorized functions but would not prevent tellers from using them.

232. CIA May 91 III.89 Correct Answer is (A) Answer (a) is correct. During processing, the operating system records in the console log the activities of the computer system and the actions taken by the computer operator. It should therefore contain entries for the work performed and provide a control over operator intervention.

Not (b) because the data control log contains entries concerning jobs run and output distribution. However, recording is not concurrent with computer activity, and no entry may appear for some transactions already processed.

Not (c) because the job queue is the list of jobs waiting to be processed, not those that have been executed.

Not (d) because the master run book provides documentation of the system.

233. CIA May 93 III.39 Correct Answer is (B) Not (a) because growing organizational reliance on information systems increases the risk of business interruption.

Answer (b) is correct. As competitive pressures for enhanced functions in systems increase, development groups will be under more pressure to implement systems quickly, which increases the risk of hastily developed, ineffective systems.

Not (c) because greater emphasis on internal control reduces the risk of ineffectiveness in the developed system.

Not (d) because the use of knowledge-based systems increases the risk of inadequate knowledge bases.

234. CIA May 94 I.64 Correct Answer is (A) Answer (a) is correct. The list of authorized users and their passwords would not be included in an audit trail log but in a file within the computer.

Not (b) because the type of event or transaction attempted would be included in an audit log and is necessary to investigate unauthorized attempted access to the system.

Not (c) because the terminal used to make the attempt would be included in an audit log and is necessary to investigate unauthorized attempted access to the system.

Not (d) because the data in the program sought would be included in an audit log and is necessary to investigate unauthorized attempted access to the system.
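The points in answers 231 and 234 can be shown together in code: supervisors authenticate with a password, tellers cannot invoke supervisor-only functions, and every attempt is written to an audit trail that records the event type, the terminal and the data sought but never the password. This is an added example, not code from the review text; the user ids, terminal ids and function names are assumed values.

```python
"""Supervisor-only functions protected by password authentication, with an
audit trail that records the attempt but not the password.

Constructed example, not code from the review text. The user ids, terminal
ids and function names are assumed values.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored value is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class User:
    role: str
    salt: bytes
    pw_hash: bytes


def make_user(role: str, password: str) -> User:
    salt = os.urandom(16)
    return User(role, salt, _hash_password(password, salt))


# Minimum role needed to invoke each function (assumed function names).
REQUIRED_ROLE = {
    "deposit": "teller",
    "withdraw": "teller",
    "override_limit": "supervisor",
    "reverse_posted": "supervisor",
}
ROLE_RANK = {"teller": 1, "supervisor": 2}


@dataclass
class AuditEntry:
    terminal: str
    user_id: str
    event: str    # function attempted
    data: str     # record or amount sought
    outcome: str  # OK, DENIED or BAD_PASSWORD


@dataclass
class TellerSystem:
    users: dict                                   # user id -> User
    audit_log: list = field(default_factory=list)

    def invoke(self, terminal: str, user_id: str, password: str,
               function: str, data: str) -> bool:
        """Authenticate, check the role, log the attempt; True if allowed."""
        user = self.users.get(user_id)
        required = REQUIRED_ROLE.get(function)
        if user is None or not hmac.compare_digest(
                _hash_password(password, user.salt), user.pw_hash):
            outcome = "BAD_PASSWORD"
        elif required is None or ROLE_RANK[user.role] < ROLE_RANK[required]:
            outcome = "DENIED"   # unknown function, or role too low
        else:
            outcome = "OK"
        # Everything an investigator needs to trace the attempt is logged;
        # the password itself is deliberately never written to the trail.
        self.audit_log.append(AuditEntry(terminal, user_id, function, data, outcome))
        return outcome == "OK"
```

The user table (with its hashes) and the audit log are separate structures on purpose: the log is what an investigator reads, and it must be useful for that without ever exposing credentials.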

235. CIA May 94 III.31 Correct Answer is (A) Answer (a) is correct. A preventive control is designed to prevent errors from occurring. In this case, the computer program will not generate month-end balances to prevent reporting incorrect balances when it notes the missing transactions.

Not (b) because detective controls are designed to detect errors that have occurred.

Not (c) because corrective controls fix detected and reported errors.

Not (d) because discretionary control is a distracter since there is no such term.

236. CIA Nov 94 III.22 Correct Answer is (D) Not (a) because review of insurance coverage is an aspect of risk analysis, and a much narrower concept than contingency planning.

Not (b) because electronic vaulting is a technology which may be used as part of contingency planning. Electronic vaulting is backing up data electronically at a remote location to protect against hardware failures and threats such as natural disasters and fire.

Not (c) because change control procedures in the development of information systems do not ensure continuity of operations.

Answer (d) is correct. Contingency planning is a management activity that is essential to ensure continuity of operations in the event a disaster impairs information systems processing.


237. CIA Nov 94 III.23 Correct Answer is (A) Answer (a) is correct. Risk analysis is necessary for an organization to assess its exposure to the various factors that may hinder its operations and cause losses. The level of exposure may vary from minimal to disastrous.

Not (b) because system back-up analysis is a contingency planning strategy to react to a disaster.

Not (c) because vendor supply agreement analysis is a contingency planning strategy to react to a disaster.

Not (d) because contingent facility contract analysis is a contingency planning strategy to react to a disaster.

238. CIA Nov 94 III.39 Correct Answer is (A) Answer (a) is correct. Automatic dial back requires reconnection to the authorized contact before processing. Automatic dial back, or callback, is a control procedure in which the system allows only authorized users to access the system. The dial-back procedure disconnects the caller and calls the external entity's telephone number of record before letting the terminal session proceed.

Not (b) because message sequencing is to detect gaps or duplicate messages.

Not (c) because encryption scrambles messages for secure transmission.

Not (d) because dedicated lines for a home banking system have a high cost factor.
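The dial-back exchange described in answer 238 (and in answer 231, option b), as an added simulation that is not part of the review text. Both sides of the exchange are written to a transcript: the host takes the login on the inbound call, always disconnects, and then dials only the number of record it holds for that user, so the caller's own line never decides where the session goes. User ids, passwords and telephone numbers are assumed values.

```python
"""Automatic dial-back (callback) for remote terminal access.

Constructed example, not code from the review text. The host authenticates
the caller on the inbound call, disconnects, and then dials the telephone
number of record it holds for that user. The inbound line is never used to
continue the session, so a caller on a different line is not connected.
User ids, passwords and telephone numbers are assumed values.
"""
import hmac
from dataclasses import dataclass, field

# Host-side table: user id -> (password, telephone number of record).
DIRECTORY = {
    "agent17": ("rosebud", "555-0117"),
    "agent42": ("tulip", "555-0142"),
}


@dataclass
class Host:
    transcript: list = field(default_factory=list)

    def inbound_call(self, caller_line: str, user_id: str, password: str):
        """Handle the inbound call; return the number dialled back, or None."""
        self.transcript.append(f"host <- {caller_line}: LOGIN {user_id}")
        entry = DIRECTORY.get(user_id)
        # The inbound call is always dropped; the outcome only decides
        # whether a callback follows.
        self.transcript.append("host -> DISCONNECT")
        if entry is None or not hmac.compare_digest(entry[0], password):
            self.transcript.append("host: authentication failed, no callback")
            return None
        number = entry[1]                       # from the host's table, never from the caller
        self.transcript.append(f"host -> DIAL {number}")
        return number


def attempt_session(host: Host, caller_line: str, user_id: str, password: str) -> bool:
    """Return True if a session is established on caller_line."""
    dialled = host.inbound_call(caller_line, user_id, password)
    if dialled == caller_line:
        host.transcript.append(f"{caller_line} -> ANSWER; session open")
        return True
    host.transcript.append(f"{caller_line}: no callback received; no session")
    return False
```

A valid user id and password presented from a line other than the number of record produces a callback to the recorded number, not to the caller, which is the whole value of the control.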

239. CIA May 95 III.39 Correct Answer is (D) Not (a) because PIN codes are not physiological or behavioral characteristics of a person.

Not (b) because passwords are not physiological or behavioral characteristics of a person.

Not (c) because an employee badge is not a physiological or behavioral characteristic of a person.

Answer (d) is correct. Each person’s voice has different characteristics (sound frequency or signature) that distinguish it from other people’s voices. This personal characteristic is used by biometric systems to authenticate and verify the identity of a person.

240. CIA May 95 III.40 Correct Answer is (D) Not (a) because screen savers do not prevent the viewing of data on an unattended data terminal.

Not (b) because passwords do not prevent the viewing of data on an unattended data terminal.

Not (c) because encryption of data files will not prevent the viewing of data on an unattended data terminal.

Answer (d) is correct. Automatic log-off of inactive data terminals may prevent the viewing of sensitive data on an unattended data terminal.
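One way to implement the automatic log-off of answer 240, as an added example that is not code from the review text. The clock is injected so the timeout can be exercised deterministically, and IDLE_LIMIT is an assumed policy value. The sweep method covers the case that matters for an unattended terminal: nobody is typing, so no request arrives to trigger the check.

```python
"""Automatic log-off of inactive terminals.

Constructed example, not code from the review text. The clock is injected
so the timeout can be exercised deterministically; IDLE_LIMIT is an assumed
policy value.
"""
from dataclasses import dataclass

IDLE_LIMIT = 300  # seconds of inactivity before a terminal is logged off


class ManualClock:
    """Test clock; in production pass time.monotonic instead."""
    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


@dataclass
class Session:
    user_id: str
    last_activity: float


class SessionManager:
    def __init__(self, clock):
        self._clock = clock      # callable returning seconds
        self._sessions = {}      # terminal id -> Session

    def login(self, terminal: str, user_id: str) -> None:
        self._sessions[terminal] = Session(user_id, self._clock())

    def request(self, terminal: str):
        """Serve a request: the user id, or None if the terminal is (now) logged off."""
        session = self._sessions.get(terminal)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_activity > IDLE_LIMIT:
            del self._sessions[terminal]     # log off on the next use after idling
            return None
        session.last_activity = now
        return session.user_id

    def sweep(self) -> list:
        """Log off idle terminals even when no request arrives; run periodically.

        Without this, an unattended terminal whose user never sends another
        request would keep its session and its screen contents indefinitely.
        """
        now = self._clock()
        idle = [t for t, s in self._sessions.items() if now - s.last_activity > IDLE_LIMIT]
        for t in idle:
            del self._sessions[t]
        return idle

    def active_terminals(self) -> set:
        return set(self._sessions)
```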

241. CIA May 95 III.71 Correct Answer is (C) Not (a) because personnel employed at the site would not be familiar with company operations because they work for the third party, not the company.

Not (b) because using a cold site may actually increase travel expenses because company personnel would have to travel to the site.

Answer (c) is correct. If the company arranged for a third-party cold site to replace a non-functioning regional center, the company would not have to install additional equipment at the regional centers.

Not (d) because typically, cold sites require more than a few hours before being operational in order to permit installation and testing of software and data.

242. CIA May 95 III.72 Correct Answer is (A) Answer (a) is correct. The company has decentralized its information processing since the last revision to the plan. The existing plan is likely to be out of date because of changes in equipment, data, and software when shifting to decentralized data processing.

Not (b) because the headquarters has adequate processing capability.

Not (c) because if the company were depending on a cold site as a contingent plan for the centralized headquarters, arrangements for cold site backups would be crucial and included in the plan.

Not (d) because personnel turnover, by itself, is not a reason for a contingency plan to be outdated because new personnel would be trained for their jobs, which would include recovery procedures for processing.

243. CIA May 95 III.73 Correct Answer is (B) Not (a) because headquarters would be no more unaware of processing than is now the case.

Answer (b) is correct. Mirroring the data at another regional center would cause the company to incur the cost and complexity of the greater network traffic required to send and synchronize the replicated data.

Not (c) because the mirrored data would most likely be kept in segregated files, so there would be no interference with the data originally kept at each regional center.

Not (d) because agents would not have to change their procedures because they would continue using the system as before.

244. CIA May 96 I.57 Correct Answer is (D) Not (a) because a record count determines the number of documents entered into a process.

Not (b) because an echo check tests the reliability of computer hardware. For example, the CPU sends a signal to a printer that is echoed just prior to printing. The signal verifies that the proper print position has been activated.

Not (c) because a self-checking digit is generated by applying an algorithm to an identification number.

Answer (d) is correct. A limit, reasonableness, or range test determines whether an amount is within a predetermined limit for given information. It can only detect certain errors (i.e., those that exceed the acceptable limit).

245. CIA Nov 95 III.38 Correct Answer is (D) Not (a) because a cold site requires significant time to be activated to duplicate regional facilities. The site does not have hardware and equipment ready for use beyond the basic installations required to run an information processing facility (flooring, lighting, air conditioning, etc.).

Not (b) because a hot site is a very expensive option for rerouting calls and it would not provide skilled staff to receive the claims. A hot site, however, is a fully configured and equipped location that may be ready to operate within a few hours of receiving the required staff, programs, and data files.

Not (c) because a third-party service center is not the best option for contingency planning. This option would also be very expensive and may not provide skilled staff to handle customers’ insurance claims.

Answer (d) is correct. Since it is a distributed insurance company and receiving customers’ calls is an essential aspect of the operations of the company, the best contingency plan for restoring capacity in the event of a disaster would be to reroute call traffic to regional centers that would not be affected by the disaster. In addition, choosing this contingency plan would minimize recovery costs during recovery periods and would be more effective since the company’s trained personnel would be receiving customers’ claims.

246. CIA May 96 III.68 Correct Answer is (A) Answer (a) is correct. The best way to protect a client-server system from unauthorized access is through a combination of application and general access control techniques.

Not (b) because authentication systems alone are not enough to protect a client-server system from unauthorized access; they are only a part of the solution.

Not (c) because this only affects general access control techniques.

Not (d) because testing and evaluation of remote procedure calls may be a small part of an overall security review.

247. CIA Nov 96 III.39 Correct Answer is (A) Answer (a) is correct. A crucial aspect of recovery planning for the company is ensuring that organizational and operational changes are incorporated in the plans. If organizational and operational changes were not reflected in the recovery plans, the plans could become inapplicable.

Not (b) because it is vital that changes to systems be tested thoroughly before being placed into production, but that is not a part of recovery planning.

Not (c) because a good recovery plan would specify how operational staff might be replaced should the need arise, but management personnel would not be used to replace operational staff.

Not (d) because being able to predict workload changes accurately permits a company to minimize its information systems facility costs, but that is not a part of recovery planning.

248. CIA Nov 96 III.43 Correct Answer is (C) Not (a) because ensuring that the disaster recovery plans are fully tested would not contribute to avoiding being selected as a terrorist target.

Not (b) because hardening the electrical and communications systems so that they could withstand some kinds of attacks would not contribute to avoiding being selected as a terrorist's target.

Answer (c) is correct. The best approach to avoid having the data center identified as a terrorist's target is to establish as low a profile as possible for the data center, e.g., by refraining from (1) identifying the building on the outside as a data center, (2) showcasing the data center through glass windows, or (3) advertising the important role the data center plays in operations.

Not (d) because monitoring the locations and activities of known terrorists, even if permitted by law, would not by itself help the company avoid having the data center selected as a terrorist's target.

249. CIA Nov 96 III.48 Correct Answer is (C) Not (a) because the company may or may not maintain the same level of employment after a disaster, e.g., a disaster that destroys productive capacity in one plant may lead to layoffs.

Not (b) because thorough planning may or may not minimize the cost of facility repair, i.e., the best approach may be to undergo more expensive repair sooner in order to resume operations sooner.

Answer (c) is correct. The more thorough the recovery plans are, the more likely the company would be to resume operations quickly and fulfill its obligations to customers.

Not (d) because the maximum benefit from planning is that it prompts action to avoid the most likely or most devastating events with the potential to interrupt business. Management would be delighted if planning ensured that business was never interrupted and thus that the recovery plan was never invoked.

250. CIA Nov 96 III.54 Correct Answer is (C) Not (a) because multiple access to data by data owners, i.e., access by the individuals responsible for creating and maintaining specific data, is a normal occurrence.

Not (b) because management authorization of modified access is expected as needs or conditions change and is not an event typically reported.

Answer (c) is correct. The security administrator should report access to data or resources by privileged users so that the access can be monitored for appropriate and authorized usage.

Not (d) because data owner specification of access privileges is normal and need not be monitored by the security administrator.
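The review that answer 250 calls for, privileged-user access reported for the security administrator, together with the operator-intervention entries that answer 232 says the console log should carry, as an added example run over constructed log lines. This is not code from the review text; the key=value log format, the user and job names and the list of intervention actions are all assumed. Lines that do not match the format are reported rather than silently dropped, so a malformed or altered record cannot disappear from the review.

```python
"""Security-administrator review of an access log: privileged-user access and
operator interventions.

Added example, not code from the review text. The log format (key=value
fields after a timestamp) and the lines themselves are constructed; real
systems use their own formats. Lines that do not parse are reported rather
than silently dropped.
"""
import re
from collections import defaultdict

# Constructed sample log. priv=Y marks a privileged (security/operations) user.
SAMPLE_LOG = """\
2004-03-02 09:14:05 user=jdoe priv=N term=T12 action=READ resource=CLAIMS.MASTER
2004-03-02 09:15:40 user=secadm priv=Y term=T03 action=MODIFY resource=SECURITY.RULES
2004-03-02 09:16:02 user=oper1 priv=Y term=CONSOLE action=CANCEL_JOB resource=JOB04471
2004-03-02 09:18:11 user=jdoe priv=N term=T12 action=UPDATE resource=CLAIMS.MASTER
2004-03-02 09:20:30 user=secadm priv=Y term=T03 action=READ resource=PAYROLL.MASTER
garbage line that does not match the format
2004-03-02 09:22:07 user=oper1 priv=Y term=CONSOLE action=RERUN_JOB resource=JOB04471
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) user=(?P<user>\S+) priv=(?P<priv>[YN]) "
    r"term=(?P<term>\S+) action=(?P<action>\S+) resource=(?P<resource>\S+)$"
)

# Console actions that change the course of processing (assumed action names).
OPERATOR_INTERVENTIONS = {"CANCEL_JOB", "RERUN_JOB", "SKIP_STEP"}


def parse_log(lines):
    """Return (events, unparsed_lines); nothing is discarded silently."""
    events, unparsed = [], []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
        else:
            unparsed.append(line)
    return events, unparsed


def privileged_access_report(lines):
    """Build the report the security administrator would review."""
    events, unparsed = parse_log(lines)
    by_user = defaultdict(list)
    for e in events:
        if e["priv"] == "Y":
            by_user[e["user"]].append((e["ts"], e["term"], e["action"], e["resource"]))
    interventions = [
        (e["ts"], e["user"], e["action"], e["resource"])
        for e in events
        if e["term"] == "CONSOLE" and e["action"] in OPERATOR_INTERVENTIONS
    ]
    return {
        "privileged_access": dict(by_user),
        "operator_interventions": interventions,
        "unparsed": unparsed,
    }
```

Ordinary data-owner access (jdoe above) is left out of the report, matching the answer's point that such access is normal and need not be reported; what the administrator reviews is the privileged activity and anything the parser could not account for.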

251. CIA Nov 96 III.62 Correct Answer is (D) Not (a) because fingerprints are a biometric measure; they involve measuring a person's physiological or behavioral characteristics.

Not (b) because a retina pattern is a biometric measure; it involves measuring a person's physiological or behavioral characteristics.

Not (c) because speech patterns are a biometric measure; they involve measuring a person's physiological or behavioral characteristics.

Answer (d) is correct. Passwords are not a biometric authentication method. Biometric systems use personal characteristics, such as fingerprints, retina patterns, and speech patterns, to authenticate and verify the identity of a person.


252. CIA Nov 96 III.66 Correct Answer is (D) Not (a) because password proliferation is a considerable security concern: users will be tempted to write down their passwords or make them overly simple.

Not (b) because consistent security across varied platforms is often challenging because of the different security features of the various systems and the decentralized nature of those controlling security administration.

Not (c) because under centralized control, management can feel more confident that backup file storage is being uniformly controlled. Decentralization of this function leads to a lack of consistency and difficulty in monitoring compliance.

Answer (d) is correct. This would not cause a control concern. Having data distributed across many computers throughout the organization actually decreases the risk that a single disaster would destroy large portions of the organization's data. It is a potential advantage to distributed systems of various architectures versus centralized data in a single mainframe computer.

253. CIA May 97 III.37 Correct Answer is (B) Not (a) because review of the computer processing logs is an output control to ensure that data are accurate and complete.

Answer (b) is correct. Matching the input data with information held on master or suspense files is a processing control, not an output control, to ensure that data are complete and accurate during updating.

Not (c) because periodic reconciliation of output reports is an output control to ensure that data are accurate and complete.

Not (d) because maintaining formal procedures and documentation specifying authorized recipients is an output control to ensure proper distribution.

254. CIA May 97 III.44 Correct Answer is (B) Not (a) because data encryption is an effective security feature for any computer.

Answer (b) is correct. A notebook computer is a portable device smaller than a laptop. Because it may be readily transported anywhere, security concerns for such a device are even greater than for desktop personal computers. For example, password protection for a screensaver program can be easily bypassed.

Not (c) because a removable hard drive provides obvious protection for data and programs stored thereon.

Not (d) because security is promoted by physically locking the notebook computer to an immovable object.

255. CIA May 97 III.62 Correct Answer is (A) Answer (a) is correct. Implementation controls are part of general controls. Implementation controls occur in the system development process at various points to ensure that implementation is properly controlled and managed.

Not (b) because hardware controls ensure that computer hardware is physically secure and check for equipment malfunction.


Not (c) because computer operations controls apply to the work of the computer department and help ensure that programmed procedures are consistently and correctly applied to the storage and processing of data.

Not (d) because data security controls ensure that data files on either disk or tape are not subject to unauthorized access, change, or destruction.

256. CIA May 97 III.64 Correct Answer is (C) Not (a) because this practice is a wise control, but it does not address the issue of upload-data integrity. Backups cannot prevent or detect data-upload problems, but can only help correct data errors that a poor upload caused.

Not (b) because this control may be somewhat helpful in preventing fraud in data uploads, but it is of little use in preventing errors.

Answer (c) is correct. To prevent data errors when data would be uploaded from a microcomputer to the company's mainframe system in batch processing, the mainframe computer should subject the data to the same edits and validation routines that online data entry would require.

Not (d) because this control is detective in nature, but the error could have already caused erroneous reports and management decisions. Having users try to find errors in uploaded data would be costly.
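The input and processing controls discussed in answers 235, 244, 253 and 256 fit naturally into one set of edit routines, shown here as an added example that is not code from the review text: a record count against the batch header, a limit/range test on the amount, a self-checking digit on the account number, a match against the master file, and a preventive control that refuses to produce month-end balances while a sequence gap shows transactions are missing. The same edit_record routine serves both the terminal and the batch path, which is the point of answer 256. Luhn is assumed as the check-digit algorithm, AMOUNT_LIMIT is an assumed range, and the master file and transactions are constructed sample data.

```python
"""Edit and validation routines applied identically to online entry and
batch uploads, plus a preventive month-end control.

Added example, not code from the review text. Luhn is assumed as the
check-digit algorithm and AMOUNT_LIMIT is an assumed range; the master file
and transactions are constructed sample data.
"""
from dataclasses import dataclass

AMOUNT_LIMIT = 10_000.00  # assumed limit for a single transaction

# Constructed master file: account number (Luhn-valid) -> opening balance.
MASTER = {"79927398713": 1500.00, "1234567812345670": 250.00}


def luhn_valid(number: str) -> bool:
    """Self-checking digit: the final digit makes the Luhn sum a multiple of 10."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Txn:
    seq: int        # transaction sequence number
    account: str
    amount: float


def edit_record(t: Txn, master: dict) -> list:
    """Return the edit failures for one record; an empty list means it passes.

    Used unchanged by both the online terminal and the batch upload path."""
    errors = []
    if not luhn_valid(t.account):
        errors.append("check digit")
    elif t.account not in master:
        errors.append("no master record")      # matching against the master file
    if not (-AMOUNT_LIMIT <= t.amount <= AMOUNT_LIMIT):
        errors.append("amount outside limit")   # limit / reasonableness / range test
    return errors


def validate_batch(header_count: int, records: list, master: dict) -> dict:
    """Batch-level record count plus the per-record edits."""
    result = {"count_ok": header_count == len(records), "rejected": {}, "accepted": []}
    for t in records:
        errs = edit_record(t, master)
        if errs:
            result["rejected"][t.seq] = errs
        else:
            result["accepted"].append(t)
    return result


def sequence_gaps(records: list) -> list:
    """Sequence numbers missing between the lowest and highest present."""
    seqs = {t.seq for t in records}
    if not seqs:
        return []
    return [n for n in range(min(seqs), max(seqs) + 1) if n not in seqs]


def month_end_balances(records: list, master: dict) -> dict:
    """Preventive control: no balances are generated while transactions are missing."""
    gaps = sequence_gaps(records)
    if gaps:
        return {"generated": False, "missing_sequence": gaps, "balances": None}
    balances = dict(master)
    for t in records:
        balances[t.account] = round(balances[t.account] + t.amount, 2)
    return {"generated": True, "missing_sequence": [], "balances": balances}
```

Note that a rejected record is withheld from posting but still counted toward the batch total, so a bad record is reported rather than quietly shrinking the batch; the later sequence check is what stops incomplete data from reaching the month-end report.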
