Internal Control and Computer Based Information Systems

  • 8/10/2019 Internal Control and Computer Based Information Systems

    Internal Control and Computer Based Information Systems (CBIS)

    MULTIPLE CHOICE:

    1. In the weekly computer run to prepare payroll checks, a check was

    printed for an employee who had been terminated the previous week. Which

    of the following controls, if properly utilized, would have been most effective

    in preventing the error or ensuring its prompt detection?

    a. A control total for hours worked, prepared from time cards collected by the timekeeping department. b. Requiring the treasurer's office to account

    for the number of the pre-numbered checks issued to the CBIS department

    for the processing of the payroll. c. Use of a check digit for employee

    numbers. d. Use of a header label for the payroll input sheet.

    ANSWER: A

    2. An auditor is preparing test data for use in the audit of a computer based

    accounts receivable application. Which of the following items would be

    appropriate to include as an item in the test data?

    a. A transaction record which contains an incorrect master file control total.

    b. A master file record which contains an invalid customer identification

    number. c. A master file record which contains an incorrect master file

    control total. d. A transaction record which contains an invalid customer

    identification number.

    ANSWER: D

    3. Unauthorized alteration of on-line records can be prevented by

    employing:

    a. Key verification. b. Computer sequence checks. c. Computer matching. d.

    Data base access controls.

    ANSWER: D

    4. In auditing through a computer, the test data method is used by auditors

    to test the

    a. Accuracy of input data. b. Validity of the output. c. Procedures contained

    within the program. d. Normalcy of distribution of test data.

    ANSWER: C

    5. In the preliminary survey the auditor learns that a department has

    several microcomputers. Which of the following is usually true and should be

    considered in planning the audit?

    a. Microcomputers, though small, are capable of processing financial

    information, and physical security is a control concern. b. Microcomputers

    are limited to applications such as worksheet generation and do not present

    a significant audit risk. c. Microcomputers are generally under the control of

    the data processing department and use the same control features. d. Microcomputers are too small to contain any built-in control features.

    Therefore, other controls must be relied upon.

    ANSWER: A

    6. The primary reason for internal auditing's involvement in the development

    of new computer-based systems is to:

    a. Plan post-implementation reviews. b. Promote adequate controls.

    c. Train auditors in CBIS techniques.

    d. Reduce overall audit effort.

    ANSWER: B

    7. Which of the following is an advantage of generalized computer audit

    packages?

    a. They are all written in one identical computer language.

    b. They can be used for audits of clients that use differing CBIS equipment

    and file formats. c. They have reduced the need for the auditor to study

    input controls for CBIS related procedures. d. Their use can be substituted

    for a relatively large part of the required control testing.

    ANSWER: B

    8. Processing simulated file data provides the auditor with information about

    the reliability of controls from evidence that exists in simulated files. One of

    the techniques involved in this approach makes use of

    a. Controlled reprocessing. b. Program code checking. c. Printout reviews. d.

    Integrated test facility.

    ANSWER: D

    9. Which of the following statements most likely represents a disadvantage

    for an entity that keeps microcomputer-prepared data files rather than

    manually prepared files?

    a. It is usually more difficult to detect transposition errors. b. Transactions

    are usually authorized before they are executed and recorded. c. It is usually

    easier for unauthorized persons to access and alter the files. d. Random

    error associated with processing similar transactions in different ways is

    usually greater.

    ANSWER: C

    10. The possibility of losing a large amount of information stored in

    computer files most likely would be reduced by the use of

    a. Back-up files

    b. Check digits

    c. Completeness tests

    d. Conversion verification.

    ANSWER: A

    11. An integrated test facility (ITF) would be appropriate when the auditor

    needs to

    a. Trace a complex logic path through an application system.

    b. Verify processing accuracy concurrently with processing.

    c. Monitor transactions in an application system continuously. d. Verify load

    module integrity for production programs.

    ANSWER: B

    12. Where computer processing is used in significant accounting applications, internal accounting control procedures may be defined by

    classifying control procedures into two types: general and

    a. Administrative. b. Specific. c. Application. d. Authorization.

    ANSWER: C

    13. The increased presence of the microcomputer in the workplace has

    resulted in an increasing number of persons having access to the computer.

    A control that is often used to prevent unauthorized access to sensitive

    programs is:

    a. Backup copies of the diskettes. b. Passwords for each of the users. c.

    Disaster-recovery procedures. d. Record counts of the number of input

    transactions in a batch being processed.

    ANSWER: B

    14. Checklists, systems development methodology, and staff hiring are

    examples of what type of controls?

    a. Detective. b. Preventive. c. Subjective. d. Corrective.

    ANSWER: B

    15. When an on-line, real-time (OLRT) computer-based processing system is

    in use, internal control can be strengthened by

    a. Providing for the separation of duties between keypunching and error

    listing operations. b. Attaching plastic file protection rings to reels of

    magnetic tape before new data can be entered on the file. c. Making a

    validity check of an identification number before a user can obtain access to

    the computer files. d. Preparing batch totals to provide assurance that file

    updates are made for the entire input.

    ANSWER: C

    16. When auditing "around" the computer, the independent auditor focuses

    solely upon the source documents and

    a. Test data. b. CBIS processing. c. Control techniques. d. CBIS output.

    ANSWER: D

    17. One of the features that distinguishes computer processing from manual

    processing is

    a. Computer processing virtually eliminates the occurrence of computational

    error normally associated with manual processing. b. Errors or fraud in

    computer processing will be detected soon after their occurrences. c. The

    potential for systematic error is ordinarily greater in manual processing than

    in computerized processing.

    d. Most computer systems are designed so that transaction trails useful for

    audit purposes do not exist.

    ANSWER: A

    18. Given the increasing use of microcomputers as a means for accessing

    data bases, along with on-line real-time processing, companies face a

    serious challenge relating to data security. Which of the following is not

    an appropriate means for meeting this challenge?

    a. Institute a policy of strict identification and password controls

    housed in the computer software that permit only specified

    individuals to access the computer files and perform a given

    function.

    b. Limit terminals to perform only certain transactions.

    c. Program software to produce a log of transactions showing date, time, type of transaction, and operator.

    d. Prohibit the networking of microcomputers and do not permit users

    to access centralized data bases.

    ANSWER: D

    19. What type of computer-based system is characterized by data that are

    assembled from more than one location and records that are updated

    immediately?

    a. Microcomputer system. b. Minicomputer system. c. Batch processing

    system. d. Online real-time system.

    ANSWER: D

    20. Company A has recently converted its manual payroll to a computer-

    based system. Under the old system, employees who had resigned or

    been terminated were occasionally kept on the payroll and their checks

    were claimed and cashed by other employees, in collusion with shop

    foremen. The controller is concerned that this practice not be allowed

    to continue under the new system. The best control for preventing

    this form of "payroll padding" would be to

    a. Conduct exit interviews with all employees leaving the company,

    regardless of reason.

    b. Require foremen to obtain a signed receipt from each employee

    claiming a payroll check.

    c. Require the human resources department to authorize all hires and

    terminations, and to forward a current computerized list of active

    employee numbers to payroll prior to processing. Program the

    computer to reject inactive employee numbers.

    d. Install time clocks for use by all hourly employees.

    ANSWER: C

    21. Compared to a manual system, a CBIS generally

    1. Reduces segregation of duties. 2. Increases segregation of duties. 3.

    Decreases manual inspection of processing results. 4. Increases manual

    inspection of processing results.

    a. 1 and 3. b. 1 and 4. c. 2 and 3. d. 2 and 4.

    ANSWER: A

    22. One of the major problems in a CBIS is that incompatible functions may

    be performed by the same individual. One compensating control for this is

    the use of

    a. Echo checks. b. A self-checking digit system. c. Computer generated hash

    totals. d. A computer log.

    ANSWER: D

    23. Which of the following processing controls would be most effective in

    assisting a store manager to ascertain whether the payroll transaction data

    were processed in their entirety?

    a. Payroll file header record. b. Transaction identification codes. c.

    Processing control totals. d. Programmed exception reporting.

    ANSWER: C

    24. An organizational control over CBIS operations is

    a. Run-to-run balancing of control totals. b. Check digit verification of unique

    identifiers. c. Separation of operating and programming functions. d.

    Maintenance of output distribution logs.

    ANSWER: C

    25. Which of the following methods of testing application controls utilizes a

    generalized audit software package prepared by the auditors?

    a. Parallel simulation. b. Integrated testing facility approach. c. Test data

    approach. d. Exception report tests.

    ANSWER: A

    26. An unauthorized employee took computer printouts from output bins

    accessible to all employees. A control which would have prevented this

    occurrence is

    a. A storage/retention control. b. A spooler file control. c. An output review

    control. d. A report distribution control.

    ANSWER: D

    27. Which of the following is a disadvantage of the integrated test facility

    approach?

    a. In establishing fictitious entities, the auditor may be compromising

    audit independence.

    b. Removing the fictitious transactions from the system is somewhat

    difficult and, if not done carefully, may contaminate the client's

    files.

    c. ITF is simply an automated version of auditing "around" the

    computer.

    d. The auditor may not always have a current copy of the authorized

    version of the client's program.

    ANSWER: B

    28. Totals of amounts in computer-record data fields which are not usually

    added for other purposes but are used only for data processing control

    purposes are called

    a. Record totals. b. Hash totals. c. Processing data totals. d. Field totals.

    ANSWER: B

    29. A hash total of employee numbers is part of the input to a payroll master

    file update program. The program compares the hash total to the total

    computed for transactions applied to the master file. The purpose of this

    procedure is to:

    a. Verify that employee numbers are valid. b. Verify that only authorized

    employees are paid. c. Detect errors in payroll calculations. d. Detect the

    omission of transaction processing.

    ANSWER: D

    30. Matthews Corp. has changed from a system of recording time worked on

    clock cards to a computerized payroll system in which employees

    record time in and out with magnetic cards. The CBIS automatically

    updates all payroll records. Because of this change

    a. A generalized computer audit program must be used. b. Part of the audit

    trail is altered. c. The potential for payroll related fraud is diminished. d. Transactions must be processed in batches.

    ANSWER: B

    31. Generalized audit software is of primary interest to the auditor in terms

    of its capability to

    a. Access information stored on computer files. b. Select a sample of items

    for testing. c. Evaluate sample test results. d. Test the accuracy of the client's calculations.

    ANSWER: A

    32. An accounts payable program posted a payable to a vendor not included

    in the on-line vendor master file. A control which would prevent this error is

    a

    a. Validity check. b. Range check. c. Reasonableness test. d. Parity check.

    ANSWER: A

    33. In a computerized sales processing system, which of the following

    controls is most effective in preventing sales invoice pricing errors?

    a. Sales invoices are reviewed by the product managers before being

    mailed to customers.

    b. Current sales prices are stored in the computer, and, as stock

    numbers are entered from sales orders, the computer

    automatically prices the orders.

    c. Sales prices, as well as product numbers, are entered as sales

    orders are entered at remote terminal locations.

    d. Sales prices are reviewed and updated on a quarterly basis.

    ANSWER: B

    34. Which of the following is likely to be of least importance to an auditor in

    reviewing the internal control in a company with a CBIS?

    a. The segregation of duties within the data processing center.

    b. The control over source documents. c. The documentation

    maintained for accounting applications.

    d. The cost/benefit ratio of data processing operations.

    ANSWER: D

    35. For the accounting system of Acme Company, the amounts of cash

    disbursements entered into a CBIS terminal are transmitted to the

    computer that immediately transmits the amounts back to the terminal for

    display on the terminal screen. This display enables the operator to

    a. Establish the validity of the account number. b. Verify the amount was

    entered accurately. c. Verify the authorization of the disbursement. d.

    Prevent the overpayment of the account.

    ANSWER: B

    40. When testing a computerized accounting system, which of the following

    is not true of the test data approach?

    a. The test data need consist of only those valid and invalid conditions in

    which the auditor is interested. b. Only one transaction of each type need be

    tested. c. Test data are processed by the client's computer programs under

    the auditor's control. d. The test data must consist of all possible valid and

    invalid conditions.

    ANSWER: D

    41. In studying a client's internal controls, an auditor must be able to

    distinguish between prevention controls and detection controls. Of the following data processing controls, which is the best detection control?

    a. Use of data encryption techniques. b. Review of machine utilization logs.

    c. Policy requiring password security. d. Backup and recovery procedure.

    ANSWER: B

    42. Which of the following procedures is an example of auditing "around" the

    computer?

    a. The auditor traces adding machine tapes of sales order

    batch totals to a computer printout of the sales

    journal.

    b. The auditor develops a set of hypothetical sales

    transactions and, using the client's computer program,

    enters the transactions into the system and observes

    the processing flow.

    c. The auditor enters hypothetical transactions into the

    client's processing system during client processing of

    "live" data.

    d. The auditor observes client personnel as they process the biweekly

    payroll. The auditor is primarily concerned with computer rejection of data

    that fails to meet reasonableness limits.

    ANSWER: A

    43. Auditing by testing the input and output of a computer-based system

    instead of the computer program itself will

    a. Not detect program errors which do not show up in the output sampled. b.

    Detect all program errors, regardless of the nature of the output. c. Provide

    the auditor with the same type of evidence. d. Not provide the auditor with

    confidence in the results of the auditing procedures.

    ANSWER: A

    44. Which of the following is an acknowledged risk of using test data when

    auditing CBIS records?

    a. The test data may not include all possible types of transactions. b. The

    computer may not process a simulated transaction in the same way it would

    an identical actual transaction. c. The method cannot be used with simulated

    master records.

    d. Test data may be useful in verifying the correctness of account balances, but not in determining the presence of processing controls.

    ANSWER: A

    45. When the auditor encounters sophisticated computer-based systems, he

    or she may need to modify the audit approach. Of the following

    conditions, which one is not a valid reason for modifying the audit

    approach?

    a. More advanced computer systems produce less

    documentation, thus reducing the visibility of the

    audit trail.

    b. In complex computer-based systems, computer verification of data at

    the point of input replaces the manual verification found in less

    sophisticated data processing systems.

    c. Integrated data processing has replaced the more traditional

    separation of duties that existed in manual and batch processing

    systems.

    d. Real-time processing of transactions has enabled the auditor to

    concentrate less on the completeness assertion.

    ANSWER: D

    46. If a control total were to be computed on each of the following data

    items, which would best be identified as a hash total for a payroll CBIS

    application?

    a. Net pay. b. Department numbers. c. Hours worked. d. Total debits and

    total credits.

    ANSWER: B

    47. In a distributed data base (DDB) environment, control tests for access

    control administration can be designed which focus on

    a. Reconciliation of batch control totals. b. Examination of logged activity. c.

    Prohibition of random access. d. Analysis of system generated core dumps.

    ANSWER: B

    48. A control to verify that the dollar amounts for all debits and credits for

    incoming transactions are posted to a receivables master file is the:

    a. Generation number check. b. Master reference check. c. Hash total. d.

    Control total.

    ANSWER: D

    49. The program flowcharting symbol representing a decision is a

    a. Triangle. b. Circle. c. Rectangle. d. Diamond.

    ANSWER: D

    50. An update program for bank account balances calculates check digits for

    account numbers. This is an example of

    a. An input control. b. A file management control. c. Access control. d. An

    output control.

    ANSWER: A

    51. CBIS controls are frequently classified as to general controls

    and application controls. Which of the following is an example of an

    application control?

    a. Programmers may access the computer only for testing and

    "debugging" programs.

    b. All program changes must be fully documented and approved by the

    information systems manager and the user department

    authorizing the change.

    c. A separate data control group is responsible for distributing output,

    and also compares input and output on a test basis.

    d. In processing sales orders, the computer compares customer and

    product numbers with internally stored lists.

    ANSWER: D

    52. After a preliminary phase of the review of a client's CBIS controls, an

    auditor may decide not to perform further tests related to the control

    procedures within the CBIS portion of the client's internal control system.

    Which of the following would not be a valid reason for choosing to omit

    further testing?

    a. The auditor wishes to further reduce assessed risk. b. The controls

    duplicate operative controls existing elsewhere in the system. c. There appear to be major weaknesses that would preclude reliance on the stated

    procedures. d. The time and dollar costs of testing exceed the time and

    dollar savings in substantive testing if the controls are tested for compliance.

    ANSWER: A

    53. For good internal control over computer program changes, a policy

    should be established requiring that

    a. The programmer designing the change adequately test the revised

    program. b. All program changes be supervised by the CBIS control

    group. c. Superseded portions of programs be deleted from the

    program run manual to avoid confusion. d. All proposed changes be

    approved in writing by a responsible individual.

    ANSWER: D

    54. Which of the following is not a technique for testing data processing

    controls?

    a. The auditor develops a set of payroll test data that contain

    numerous errors. The auditor plans to enter these transactions

    a. An adequate librarianship function controlling access to files. b. A label

    affixed to the outside of a file medium holder that identifies the contents. c.

    Batch processing of all input through a centralized, well-guarded facility. d.

    User and terminal identification controls, such as passwords.

    ANSWER: D

    57. While entering data into a cash receipts transaction file, an employee

    transposed two numbers in a customer code. Which of the following controls

    could prevent input of this type of error?

    a. Sequence check. b. Record check. c. Self-checking digit. d. Field-size

    check.

    ANSWER: C

    58. What is the computer process called when data processing is performed

    concurrently with a particular activity and the results are available soon

    enough to influence the particular course of action being taken or the

    decision being made?

    a. Batch processing. b. Real time processing. c. Integrated data processing. d. Random access processing.

    ANSWER: B

    59. Reconciling processing control totals is an example of

    a. An input control. b. An output control. c. A processing control. d. A file

    management control.

    ANSWER: B

    60. A disadvantage of auditing around the computer is that it

    a. Permits no assessment of actual processing. b. Requires highly skilled

    auditors. c. Demands intensive use of machine resources. d. Interacts

    actively with auditee applications.

    ANSWER: A

    61. The completeness of computer-generated sales figures can be tested by

    comparing the number of items listed on the daily sales report with the

    number of items billed on the actual invoices. This process uses

    a. Check digits. b. Control totals. c. Validity tests. d. Process tracing data.

    ANSWER: B

    62. Which of the following controls would be most efficient in reducing

    common data input errors?

    a. Keystroke verification. b. A set of well-designed edit checks. c. Balancing

    and reconciliation. d. Batch totals.

    ANSWER: B

    63. On-line real-time systems and electronic data interchange systems have

    the advantages of providing more timely information and reducing the

    quantity of documents associated with less automated systems. The

    advantages, however, may create some problems for the auditor.

    Which of the following characteristics of these systems does not create

    an audit problem?

    a. The lack of traditional documentation of transactions creates a need

    for greater attention to programmed controls at the point of

    transaction input.

    b. Hard copy may not be retained by the client for long periods of

    time, thereby necessitating more frequent visits by the auditor.

    c. Control testing may be more difficult given the increased

    vulnerability of the client's files to destruction during the testing

    process.

    d. Consistent on-line processing of recurring data increases the

    incidence of errors.

    ANSWER: D

    64. Creating simulated transactions that are processed through a system to

    generate results that are compared with predetermined results, is an

    auditing procedure referred to as

    a. Desk checking. b. Use of test data. c. Completing outstanding jobs.

    d. Parallel simulation.

    ANSWER: B

    65. To obtain evidential matter about control risk, an auditor ordinarily

    selects tests from a variety of techniques, including

    a. Analysis. b. Confirmations. c. Reprocessing. d. Comparison.

    ANSWER: C

    66. A major exposure associated with the rapidly expanding use of

    microcomputers is the absence of:

    a. Adequate size of main memory and disk storage. b. Compatible operating

    systems. c. Formalized procedures for purchase justification. d. Physical,

    data file, and program security.

    ANSWER: D

    67. To ensure that goods received are the same as those shown on the

    purchase invoice, a computerized system should:

    a. Match selected fields of the purchase invoice to goods received. b.

    Maintain control totals of inventory value. c. Calculate batch totals for each

    input. d. Use check digits in account numbers.

    ANSWER: A

    68. Errors in data processed in a batch computer system may not be

    detected immediately because

    a. Transaction trails in a batch system are available

    only for a limited period of time. b. There are time delays in

    processing transactions in a batch system.

    c. Errors in some transactions cause rejection of other transactions in the

    batch.

    d. Random errors are more likely in a batch system than in an on-line

    system.

    ANSWER: B

    69. Which of the following is a computer test made to ascertain whether a

    given characteristic belongs to the group?

    a. Parity check. b. Validity check. c. Echo check. d. Limit check.

    ANSWER: B

    COMPLETION:

    70. Although computerized data processing does not affect audit objectives,

    the auditor may need to modify the audit __________, given complex CBIS applications.

    ANSWER: APPROACH

    71. In a batch processing system transactions are processed in groups,

    whereas in a real-time system transactions are entered as they __________ and

    are processed as they are __________.

    ANSWER: OCCUR, ENTERED

    72. Although powerful in terms of __________, real-time systems are more __________ than batch

    processing systems.

    ANSWER: INFORMATION CAPABILITY, COMPLEX

    73. A distinguishing feature of integrated data base systems is that many

    files are updated __________ as transactions are processed.

    ANSWER: SIMULTANEOUSLY

    74. __________ systems, by eliminating the need to reenter data into the accounting

    system, reduce the incidence of processing errors; but, by reducing

    transaction documentation, these systems also require greater

    attention to proper controls over the __________ of transactions.

    ANSWER: ELECTRONIC DATA INTERCHANGE, INPUT

    75. Input controls, processing controls, and output controls are categories

    of __________ controls.

    ANSWER: APPLICATION

    76. Some entities require completing a __________ prior to transaction input, in order to

    ensure consistency and completeness of recurring inputs.

    ANSWER: TRANSACTION LOG

    77. __________ are manual control procedures applied by organizational units whose

    data are processed by data processing.

    ANSWER: USER CONTROLS

    78. In on-line real-time systems the most effective means for assuring

    limited access to data bases is by the use of properly controlled __________.

    ANSWER: PASSWORDS

    79. Programmed controls for testing the validity of customer numbers,

    product numbers, employee numbers, and vendor numbers, as well as

    tests for reasonableness, are collectively referred to as __________ controls.

    ANSWER: INPUT EDITING

    80. In a ____________ __________ system, users own their own

    data, whereas in _________ ______ systems, users share a single

    operating system housed in a central location.

    ANSWER: FLAT FILE, MULTI-USER

    MATCHING:

    81. Indicate by letter whether each of the listed auditing procedures is a

    general control test, an application control test, or a substantive audit test.

    G = General control test

    A = Application control test

    S = Substantive audit test

    ____1. The auditor utilizes the services of the firm's computer

    audit specialist to assist in testing controls over the electronic

    processing of customer remittances.

    ____2. In testing the sales processing set of controls, the

    auditor has designed a set of transactions that include

    unauthorized sales prices, invalid customer numbers, and

    lack of credit authorization.

    ____3. The auditor interviews the client's information systems

    manager to clear exceptions detected when the auditor

    reviewed data processing job descriptions for

    incompatible functions.

    ____4. The auditor confirmed a sample of customer accounts

    receivable to evaluate the correctness of year-end balances in customer

    accounts.

    ____5. Using generalized audit software, the auditor reprocessed

    a sample of the client's weekly payroll and compared

    the resulting output with the client's payroll summary for the same period.

    ____6. The auditor attempted to access the client's computerized

    data files using the passwords of terminated employees.

    ____7. By examining vendors' invoices supporting debits to the

    account Machinery and Equipment, the auditor was able

    to gain satisfaction as to the account balance at year end.

    ____8. The auditor examined authorizations and studied

    documentation relating to CBIS modifications made

    by the client during the year under audit.

    ____9. The auditor examined and tested the client's anti-virus

    software for effectiveness.

    ____10. The auditor examined printouts from network monitoring

    software and observed data input for proper functioning

    of protocol controls and data encryption.

    SOLUTION:

    1. A

    2. A

    3. G

    4. S

    5. A

    6. G

    7. S

    8. G

    9. G

    10. G

    PROBLEM/ESSAY:

    82. For each of the following independent situations, identify the control

    weakness that permitted the error or fraud, and

    indicate how the weakness should be corrected.

    A. In a computerized sales processing system, numerous

    pricing errors appeared on customer invoices.

    B. Joshua Ness, a computer programmer for a bank, set up

    a demand deposit account in his name. He then wrote a

    program subroutine that automatically transferred funds from accounts that

    had shown no activity for at least three months to the newly-established

    account.

    C. In a computerized payroll system, foremen, in collusion

    with employees, were able to inflate pay rates. In

    addition, terminated employees were retained on the

    payroll and the fraudulent checks were endorsed by

    a foreman or employee and deposited in his or her

    personal account.

    D. After implementing a newly-designed EDI system with

    its vendors, Hilo Enterprises discovered numerous

    errors in type, pricing, and quantity of goods received versus goods ordered.

    SOLUTION:

    A. Computer did not verify selling prices. A master list

    of current sales prices should be housed in the computer and updated as

    prices change. The computer

    should then be programmed to price the invoices.

    B. Ness was able to access data files for the purpose of establishing an

    unauthorized account. Programmers should not have access to data files

    except for testing

    and debugging programs. Moreover, formal authorization

    of new accounts should be a part of the internal

    control system.

    C. The foremen were able to alter pay rates and retain

    terminated employees on the payroll. To correct this weakness, all new hires

    and terminations, as well as pay rate changes, should require authorization

    of the human resources department. A current master list of employee

    numbers and pay rates should then be housed in the computer, and the

    computer programmed to perform

    validity tests of rates and numbers as payrolls are

    processed.

    D. Controls were not designed to prevent vendor errors.

    Protocol controls should be installed to detect and log

    errors; and the EDI hardware should include an echo

    check that returns messages from the vendor's computer to Hilo's computer

    to verify correctness of orders received by the vendor.