When companies use information technology (IT) extensively, evidence may be available only in electronic form. What is an auditor's best course of action in such situations?
A. Assess the control risk as high
B. Use audit software to perform analytical procedures
C. Use generalized audit software to extract evidence from client databases
D. Perform limited tests of controls over electronic data
Generalized audit software (GAS) makes it possible for an auditor to access data in electronic form; typically GAS will analyze data and present results in a meaningful and convenient form. Assessing control risk as high may result in unnecessary additional audit procedures; an IT system may have strong internal control, and consequently, low control risk. Analytics cannot be performed if the information is available only in electronic form and there is no means to access it. If data is available only in electronic form, tests of controls over that data likely should be extensive, rather than limited.
An auditor would most likely be concerned with which of the following controls in a distributed data processing system?
A. Hardware controls
B. Systems documentation controls
C. Access controls
D. Disaster recovery controls
A distributed data processing system is one in which many different users have access to the main computer through various computer locations. Thus, access controls, which restrict access to the main computer, are necessary to maintain a strong internal control structure, because those with access to the computer are in a position to perform incompatible functions. Hardware controls, systems documentation controls, and disaster recovery controls would not be as important in assessing control risk and would not likely present unusual problems in a distributed system.
Which of the following controls is a processing control designed to ensure the reliability and accuracy of data processing?
Validity check test
Computers can be programmed to perform a wide range of edit tasks on records as they are being inputted into the system. If a particular record does not meet the test, it would not be processed. Edit tests include limit tests, validity check tests, check digit tests, etc. This is an example of a specific question you shouldn’t hang your head over if it appears on the exam. While all topics covered on the exam are important, a question like this that probably was covered in one or two sentences does not carry the amount of weight as some of the clearly more pressing topics do.
Which of the following statements is correct concerning internal control in an electronic data interchange (EDI) system?
A. Preventive controls generally are more important than detective controls in EDI systems.
B. Control objectives for EDI systems generally are different from the objectives for other information systems.
C. Internal controls in EDI systems rarely permit control risk to be assessed at below the maximum.
D. Internal controls related to the segregation of duties generally are the most important controls in EDI systems.
Preventive controls are generally more important than detective controls in EDI systems because of the speed with which goods and services are delivered. Objectives remain the same as for other information systems. Internal controls in EDI systems must be strong to minimize losses. Segregation of duties is not as important as protection of assets in an EDI system.
Which of the following controls most likely would assure that an entity can reconstruct its financial records?
A. Hardware controls are built into the computer by the computer manufacturer.
B. Backup diskettes or tapes of files are stored away from originals.
C. Personnel who are independent of data input perform parallel simulations.
D. System flowcharts provide accurate descriptions of input and output operations.
Backup files stored off-site are an effective means of preserving data in the event of a catastrophe or other loss of information requiring the reconstruction of the material. Hardware controls are built into the computer to detect and report hardware malfunctions. Parallel simulation refers to internal controls practiced within the company. System flowcharts that provide an accurate description of input and output operations refer to internal controls directed at the flow of processing information through the company.
An auditor anticipates assessing control risk at a low level in a computerized environment. Under these circumstances, on which of the following procedures would the auditor initially focus?
A. Programmed control procedures
B. Application control procedures
C. Output control procedures
D. General control procedures
When an auditor anticipates assessing control risk at a low level in a computerized environment, generally, the auditor would initially focus on general control procedures, which are those controls that relate to all or many computerized accounting activities and often include control over the development, modification, and maintenance of computer programs and control over the use of and changes to data maintained on computer files.
To obtain evidence that online access controls are properly functioning, an auditor most likely would
A. Create checkpoints at periodic intervals after live data processing to test for unauthorized use of the system
B. Examine the transaction log to discover whether any transactions were lost or entered twice due to a system malfunction
C. Enter invalid identification numbers or passwords to ascertain whether the system rejects them
D. Vouch a random sample of processed transactions to assure proper authorization
Password controls, used in restricting access to computers, are designed to preclude access capabilities of those employees whose regular functions are incompatible with computer use. To obtain evidence that user identification and password controls are functioning as designed, an auditor would most likely examine a sample of invalid passwords or numbers to determine whether the computer is recognizing the invalid passwords and rejecting access.
Answer (A) checks the level of authorization an employee has once within the system rather than access to the online system.
Answer (B) is a procedure for determining the completeness of transaction processing.
Answer (D) does not address whether the online access is being limited or circumvented.
Which of the following statements most likely represents a disadvantage for an entity that keeps microcomputer-prepared data files rather than manually prepared files?
A. Attention is focused on the accuracy of the programming process rather than errors in individual transactions.
B. It is usually easier for unauthorized persons to access and alter the files.
C. Random error associated with processing similar transactions in different ways is usually greater.
D. It is usually more difficult to compare recorded accountability with physical count of assets.
Many internal control procedures once performed by separate individuals in manual systems may be concentrated in systems that use computer processing. Therefore, an individual who has access to the computer may be in a position to perform incompatible functions. Answers (a) and (c) are false statements. Detailed ledger accounts may be maintained as easily with microcomputer data files as with manually prepared files.
Which of the following characteristics distinguishes computer processing from manual processing?
A. Computer processing virtually eliminates the occurrence of computational error normally associated with manual processing
B. The potential for systematic error is ordinarily greater in manual processing than in computerized processing
C. Errors or fraud in computer processing will be detected soon after their occurrences
D. Most computer systems are designed so that transaction trails useful for audit purposes do not exist
An advantage of computer processing is that it virtually eliminates computational errors. Errors or fraud are not detected more quickly when computer processing is used. The potential for systematic errors is greater in computer processing than in manual processing. Transaction trails useful for audit purposes are created but the data may be available for only a short period of time.
An auditor would least likely use computer software to
A. Construct parallel simulations
B. Access client data files
C. Prepare spreadsheets
D. Assess IT control risk
After obtaining an understanding of the client’s IT controls, the auditor must assess control risk for the IT portion of the client’s internal control. Assessing control risk is the process of evaluating the effectiveness of an entity’s internal control policies and procedures in preventing or detecting material misstatements in the financial statements. Procedures to judge the effectiveness of internal control design would include inquiries, observations, and inspections. One would not need computer software to accomplish this task. Gaining access to client data files, preparing spreadsheets, and constructing parallel simulations would all make use of computer software.
Editor’s note: Remember the keyword in the question, least likely.
An IT input control is designed to ensure that
A. Only authorized personnel have access to the computer area.
B. Machine processing is accurate.
C. Data received for processing are properly authorized and converted to machine readable form.
D. Electronic data processing has been performed as intended for the particular application.
Input controls are designed to provide reasonable assurance that data received by IT have been properly authorized, converted into machine readable form and identified as well as that data has not been lost, added, duplicated, or otherwise improperly changed.
Answer (A) describes an access control.
Answer (B) describes an output control.
Answer (D) describes a processing control.
Internal control is ineffective when computer department personnel
A. Design documentation for computerized systems
B. Participate in computer software acquisition decisions
C. Originate(开始，开创；起源，开端) changes in master files
D. Provide physical security for program files
Internal control is considered ineffective when computer department personnel can: (1) originate or correct transactions, (2) authorize transactions, (3) prepare the initial data, (4) maintain custody or control over non-EDP assets, (5) authorize a change in controls, or (6) originate master file changes.
Which of the following is a general control that would most likely assist an entity whose systems analyst left the entity in the middle of a major project?
A. Grandfather-father-son record retention
B. Input and output validation routines
C. Systems documentation
D. Check digit verification
When an entity's systems analyst leaves the entity in the middle of a major project, the greatest assistance in continuing the project could be obtained from systems documentation that adequately describes the systems operations and procedures up to that point in time. Given good documentation, a new systems analyst could immediately begin to understand the systems operations.
Which of the following input controls is a numeric value computed to provide assurance that the original value has not been altered in construction or transmission?
A. Hash total
B. Parity check
D. Check digit
A check digit is a digit that is appended to a piece of numeric data following a pre-specified routine. A hash total is a numeric total with meaning only as a control. A parity check is an extra bit attached to the end of a string of bits to detect errors resulting from electronic interference when transmitting the string. Encryption is the conversion of a message into a coded message.
In parallel simulation, actual client data are reprocessed using an auditor software program. An advantage of using parallel simulation, instead of performing tests of controls without a computer, is that
A. The test includes all types of transaction errors and exceptions that may be encountered.
B. The client's computer personnel do not know when the data are being tested.
C. There is no risk of creating potentially material errors in the client's data.
D. The size of the sample can be greatly expanded at relatively little additional cost.
Compared to auditing without a computer, the size of the sample can be greatly expanded at little cost using a computer. Parallel simulation might not include all types of transaction errors and exceptions that may be encountered. Using parallel simulation is no guarantee that the client's personnel are unaware that the data is being tested. As there is little risk of creating material errors in the client's data with a non-computer audit procedure, this hardly can be said to be an advantage of parallel simulation using a computer over not using a computer at all.
When an auditor tests the internal controls of a computerized accounting system, which of the following is true of the test data approach?
A. Test data are coded to a dummy subsidiary so they can be extracted from the system under actual operating conditions.
B. Test data programs need not be tailor-made by the auditor for each client's computer applications.
C. Test data programs usually consist of all possible valid and invalid conditions regarding compliance with internal controls.
D. Test data are processed with the client's computer and the results are compared with the auditor's predetermined results.
In the test data approach to testing a computerized accounting system, test data are processed by the client’s computer programs under the auditor’s control. No dummy subsidiary is involved. Test data must be customized to each audit. The auditor need not include test data for all possible valid and invalid conditions.
Which of the following methods of testing application controls utilizes a generalized audit software package prepared by the auditors?
A. Program code checking
B. Parallel simulation
C. Controlled reprocessing
D. Integrated testing facility
Parallel simulation involves creating a model of the EDP system to be tested. The auditor reviews the application system to gain an understanding of its functioning and then utilizes a generalized audit software package to create a model or simulation of the application processing. In program code checking, the auditor reviews the client's program documentation, including a narrative description and source code. In controlled reprocessing, the auditor maintains control over the reprocessing of previously processed results using a version of the program the auditor has tested, and compares the computer output of the original processing and reprocessing. An integrated test facility includes processing of dummy records with the client's records using the client's program.
When an auditor tests a computerized accounting system, which of the following is true of the test data approach?
A. Several transactions of each type must be tested.
B. Test data are processed by the client's computer programs under the auditor's control.
C. Test data must consist of all possible valid and invalid conditions.
D. The program tested is different from the program used throughout the year by the client.
In the test data approach to testing a computerized accounting system, test data are processed by the client’s computer programs under the auditor’s control. The auditor will determine how many transactions and what types of transactions to test which may or may not include several transactions of each type. The auditor need not include test data for all possible valid and invalid conditions. The object is to test the client’s program that is used throughout the year and the auditor must take steps to make sure that the program being tested is the one that is actually used in routine processing; thus, a different program would not be tested.
Which of the following is usually a benefit of using electronic funds transfer for international cash transactions?
A. Improvement of the audit trail for cash receipts and disbursements
B. Creation of self-monitoring access controls
C. Reduction of the frequency of data entry errors
D. Off-site storage of source documents for cash transactions
With EDI, information is entered into a system once and transmitted to other parties. These other parties do not have to re-enter the information into their systems, eliminating an opportunity for errors to occur. Using EDI, audit trails typically are less clear, if anything. Creation of self-monitoring access controls and off-site storage of source documents for cash transactions could occur with or without EDI.
Which of the following is a computer-assisted audit technique that permits an auditor to insert the auditor’s version of a client's program to process data and compare the output with the client's output?
A. Test data module
B. Frame relay protocol
C. Remote node router
D. Parallel simulation
A parallel simulation is a computer-assisted audit technique that permits an auditor to insert the auditor’s version of a client's program to process data and compare the output with the client's output.
Which of the following would an auditor ordinarily consider the greatest risk regarding an entity's use of electronic data interchange (EDI)?
A. Authorization of EDI transactions
B. Duplication of EDI transmissions
C. Improper distribution of EDI transactions
D. Elimination of paper documents
Improper transactions or disclosure of transactions, regardless of the media, are usually the greatest risk. Appropriate authorization of EDI transactions doesn't present a risk. Duplication of EDI transactions likely would be found by one of the involved parties upon reconciliation. Elimination of paper documents is a goal of EDI.
Which of the following strategies would a CPA most likely consider in auditing an entity that processes most of its financial data only in electronic form, such as a paperless system?
A. Continuous monitoring and analysis of transaction processing with an embedded audit module
B. Increased reliance on internal control activities that emphasize the segregation of duties
C. Verification of encrypted digital certificates used to monitor the authorization of transactions
D. Extensive testing of firewall boundaries that restrict the recording of outside network traffic
When a client processes financial data in electronic form without paper documentation, the auditor may audit on a more continuous basis than a traditional system, as a convenience, and may be required to audit on a more continuous basis to obtain sufficient, competent evidence as documentation for some transactions may be available only for a limited time. An embedded audit module can facilitate this 'continuous' auditing. If anything, an auditor may rely less on internal control activities that emphasize the segregation of duties. Digital certificate verification and testing of firewall boundaries are more concerned with security than internal control.
Able Co. uses an online sales order processing system to process its sales transactions. Able's sales data are electronically sorted and subjected to edit checks. A direct output of the edit checks most likely would be a
A. Report of all missing sales invoices
B. File of all rejected sales transactions
C. List of all voided shipping documents
D. Printout of all user code numbers and passwords
The most likely output from an online sales order processing system is a file of all rejected sales transactions. An edit check occurs when information is entered into the system. A report of all missing sales invoices would be generated by the system, but not as a direct output from an edit check. Answers (c) and (d) are not relevant outputs from the online sales order processing system, but would be outputs of other applications.
Which of the following statements is correct concerning the security of messages in an electronic data interchange (EDI) system?
A. When the confidentiality of data is the primary risk, message authentication is the preferred control rather than encryption.
B. Encryption performed by physically secure hardware devices is more secure than encryption performed by software.
C. Message authentication in EDI systems performs the same function as segregation of duties in other information systems.
D. Security at the transaction phase in EDI systems is not necessary because problems at that level will usually be identified by the service provider.
Physically secure hardware devices are less likely to be compromised than software. For example, having a password sent to your phone to authenticate that you are indeed Jane Doe is preferred in ensuring proper authentication and permission(s) to an EDI system. Message authentication provides assurance about messages’ sources. Encryption provides assurance about privacy. Message authentication performs similarly to control duties in non-IT systems, but not the segregation of duties aspect. Service providers usually do not provide security at the transaction level.
An entity has the following invoices in a batch:
Invoice #Product QuantityUnit Price
201 F10 150$ 5.00
202 G15 200$10.00
203 H20 250$25.00
204 K35 300$30.00
Which of the following most likely represents a hash total?
Hash control is used to verify the completeness of the inputted data. Hash totals can be employee numbers, or invoice numbers. Thus, the hash total of invoice numbers is 810 (201 + 202 + 203 + 204).
B. 204 is a specific invoice number.
C. FGHK80 is not a hash total.
D. 4 is a record count.
Which of the following is an example of how specific internal controls in a database environment may differ from controls in a nondatabase environment?
A. Controls should exist to ensure that users have access to and can update only the data elements that they have been authorized to access.
B. Controls over data sharing by diverse users within an entity should be the same for every user.
C. The employee who manages the computer hardware should also develop and debug the computer programs.
D. Controls can provide assurance that all processed transactions are authorized, but cannot verify that all authorized transactions are processed.
Controls in a database environment can be very specific as to which elements of a record can be accessed or changed, resulting in a more detailed set of authorizations. Controls over data sharing should be appropriate for each user, usually resulting in diverse controls. Preferably, hardware management and software development are segregated. The relationship between authorization and processing usually is the same within a database and a non-database environment.
An auditor will most likely use computer-assisted audit techniques, rather than manual techniques when it is necessary to
A. Examine all data in an accounts payable file.
B. Review approval of dividends.
C. Verify unrecorded legal liabilities.
D. Assess compliance with policies and procedures related to information security.
The correct answer is (A).
An auditor will most likely use computer-assisted audit techniques, rather than manual techniques when it is necessary to examine all data in an accounts payable file. This is extensive work that can only be done through computer-assisted audit techniques, as it would take too long to do it manually. Computer-assisted Audit Techniques (CAATs) are most useful in analyzing large volume accounts and transactions.
(B) is incorrect because dividends are approved by the board of directors. To verify approval of dividends, the auditor has to review minutes of the meetings of the board of directors
(C) is incorrect because unrecorded legal liability, also known as contingent liability is disclosed in the notes to accounts. There is no computer processing involved, as these liabilities are still unrecorded.
(D) is incorrect because assessing compliance with policies and procedures related to information security would come under the scope of information security audit
Processing data through the use of simulated files provides an auditor with information about the operating effectiveness of control policies and procedures. One of the techniques involved in this approach makes use of
A. Controlled reprocessing
B. An integrated test facility
C. Input validation
D. Program code checking
Processing data through the use of simulated files makes use of an integrated test facility. Using this method, the auditor creates a fictitious entity within the client's actual data files. The auditor then processes fictitious data for the entity as part of the client's regular data processing. Controlled reprocessing involves the processing of the client's actual data through the auditor's controlled copy of the client's program. Input validation is concerned only that the inputted data is accurate. Program code checking involves analysis of the client's actual program.
An auditor who wishes to capture an entity's data as transactions are processed and continuously test the entity's computerized information system most likely would use which of the following techniques?
A. Snapshot application
B. Embedded audit module
C. Integrated data check
D. Test data generator
Embedded audit modules are coded into a client's application to collect data for the auditor. Integrated data checks and test data generators involve auditor-controlled fictitious data. Snapshot applications capture screen images
Which of the following tasks can be achieved using generalized audit software?
A. Determining acceptable risk levels for substantive testing of account balances.
B. Filtering data based on accounts receivable data recording.
C. Detecting transactions that may be suspicious due to alteration of data input.
D. Assessing likelihood of fraud based on input of fraud risk factors.
The correct answer is (B).
Generalized Audit Software Packages (GASPs) refer to a series of programs that allow the auditor to perform tests of controls and substantive tests directly on the client's system or duplicate the client's system for the auditor to perform a parallel simulation. GASPs may include programs to access client files for purposes of testing, e.g., analytical procedures may be performed on accounts receivable data like calculating ratios or filtering the data according to parameters set by the auditor.
(A), (C) and (D) are incorrect because automated software cannot determine acceptable risk levels, nor can it detect transactions that may be suspicious due to alteration. Automated software also cannot assess the likelihood of fraud. These are human tasks.
An auditor most likely would test for the presence of unauthorized IT program changes by running
A. A program with test data
B. A check digit verification program
C. A source code comparison program
D. A program that computes control totals
A source code comparison program could be used to compare the original code written for a specific program to the current code in use for that program. Thus, it would make note of any differences in the program from the time it was originally written. Test data would generally be used to test the output of the program but would provide no evidence as to whether the program code had been changed. A check digit program involves the use of a digit that is added to the end of a piece of numeric data to permit the data to be checked for accuracy during input, processing, or output. Control totals are totals computed at different times in the computer process and are used as input, processing, and output controls. They would not provide evidence as to whether any changes were made to the original program code.
In which of the following circumstances would an auditor expect to find that an entity implemented automated controls to reduce risks of misstatement?
A. When errors are difficult to predict
B. When misstatements are difficult to define
C. When large, unusual, or nonrecurring transactions require judgment
D. When transactions are high-volume and recurring
An auditor would expect to find that an entity implemented automated controls to reduce risks of misstatement when transactions are high-volume and recurring; in situations where errors can be anticipated or predicted; or for control activities where the specific ways to perform the control can be adequately designed and automated. The other answer alternatives describe circumstances where judgment and discretion are required and thus manual controls of systems may be more suitable.
Which of the following would most likely be a weakness in internal control of a client that utilizes microcomputers rather than a larger computer system?
A. Employee collusion possibilities are increased because microcomputers from one vendor can process the programs of a system from a different vendor.
B. The microcomputer operators may be able to remove hardware and software components and modify them at home.
C. Programming errors result in all similar transactions being processed incorrectly when those transactions are processed under the same conditions.
D. Certain transactions may be automatically initiated by the microcomputers and management's authorization of these transactions may be implicit in its acceptance of the system design.
Both large computer systems and microcomputers are vulnerable to employee collusion and programming errors. Microcomputer hardware and software could more readily be removed from a place of business than large computer systems.
Matthews Corp. has changed from a system of recording time worked on clock cards to a computerized payroll system in which employees record time in and out with magnetic cards. The IT system automatically updates all payroll records. Because of this change
A. A generalized computer audit program must be used.
B. Part of the audit trail is altered.
C. Transactions must be processed in batches.
D. The potential for payroll related fraud is diminished.
When time clock cards are used, they constitute a form of physical evidence that can be examined in determining the proper amount of wage expense. By changing to an IT system, part of the audit trail is altered--although not necessarily destroyed. The IT system can be audited in numerous ways that do not require the use of a generalized audit program. The system automatically updates the payroll records whenever anyone punches in or out. Batch processing is eliminated in this system. The potential for payroll fraud may or may not change depending on the internal controls incorporated into the new payroll system.
Which of the following is not a major reason for maintaining an audit trail for a computer system?
A. Deterrent to fraud
B. Monitoring purposes
C. Analytical procedures
D. Query answering
Analytical procedures involve the analysis of plausible relationships among both financial and nonfinancial data. A lack of an accounting audit trail for a computer system would not preclude the auditor from performing analytical procedures. Deterring fraud, monitoring the system, and answering queries are all major reasons for maintaining an audit trail.
Which of the following control procedures most likely could prevent IT personnel from modifying programs to bypass programmed controls?
A. Periodic management review of computer utilization reports and systems documentation
B. Segregation of duties within IT for computer programming and computer operations
C. Participation of user department personnel in designing and approving new systems
D. Physical security of IT facilities in limiting access to IT equipment
A control procedure for preventing employees from modifying programs to bypass programmed controls is to segregate the functions of programming and computer operations. Answers (A), (C), and (D) are all appropriate IT controls, but by themselves would not prevent IT employees from modifying programs.
In auditing an entity's computerized payroll transactions, an auditor would be least likely to use test data to test controls concerning
A. Overpayment of employees for hours not worked
B. Control and distribution of unclaimed checks
C. Withholding of taxes and Social Security contributions
D. Missing employee identification numbers
In auditing an entity's computerized payroll transactions, an auditor would be least likely to use test data to test controls concerning control and distribution of unclaimed checks. The other answer alternatives are examples of data that can be accessed and tested via computer applications while controls over unclaimed checks are more likely to be manual.
When using a computer to gather evidence, the auditor need not have working knowledge of the client's programming language. However, it is necessary that the auditor understand the
A. Audit specifications
B. Database retrieval system
C. Programming techniques
D. Manual testing techniques
Independent of the type of system used (manual or IT), an auditor must understand the audit specifications applicable to any given area of field work in order to be able to collect and analyze supporting evidence. An auditor who uses a computer to gather evidence does not have to understand programming techniques, the database retrieval system, or manual testing techniques.
One of the major problems in an IT system is that incompatible functions may be performed by the same individual. One compensating control for this is the use of
A. Echo checks
B. A self-checking digit system
C. Computer-generated hash totals
D. A computer log
A computer log provides evidence as to which employees used the computer system and the operations performed by them. As a result, the computer log will protect against unauthorized use of the IT system, and it will provide an audit trail with respect to incompatible operations performed by the same individual. Incompatible functions are the concern of general controls, i.e., controls that relate to all IT activities. An echo check is a hardware control aimed at determining whether the computer is operating properly. It has no effect on the control over incompatible functions. A self-checking digit system and computergenerated hash totals are input controls, i.e., they relate to application controls.
Which of the following is an essential element of the audit trail in an electronic data interchange (EDI) system?
A. Disaster recovery plans that ensure proper back-up of files
B. Encrypted hash totals that authenticate messages
C. Activity logs that indicate failed transactions
D. Hardware security modules that store sensitive data
Logs with failed transactions are examined to determine whether the corrected transactions were eventually executed and to detect attempts of unauthorized system use. Proper file backup is a recovery issue. Message authentication and hardware security modules are security issues.
Which of the following outcomes is a likely benefit of information technology used for internal control?
A. Processing of unusual or nonrecurring transactions
B. Enhanced timeliness of information
C. Potential loss of data
D. Recording of unauthorized transactions
A likely benefit of IT used for internal control is enhanced timeliness, availability, and accuracy of information. Processing of large, unusual, or nonrecurring transactions is an example of a circumstance where manual controls of systems may be more suitable. Potential loss of data or inability to access data as required as well as recording of unauthorized or nonexistent transactions or inaccurate recording of transactions are examples of specific risks that IT poses to an entity’s internal control.
When an accounting application is processed by computer, an auditor cannot verify the reliable operation of programmed control procedures by
A. Constructing a processing system for accounting applications and processing actual data from throughout the period through both the client's program and the auditor's program
B. Manually comparing detail transaction files used by an edit program to the program's generated error listings to determine that errors were properly identified by the edit program
C. Manually reperforming, as of a point in time, the processing of input data and comparing the simulated results to the actual results
D. Periodically submitting auditor-prepared test data to the same computer process and evaluating the results
The auditor would not be able to verify the reliable operation of programmed control procedures by the reperformance of the processing of the client's input data through the client's computer program as it would produce the same output as that created by the client. The auditor would be able to verify the reliable operation of control procedures when he or she is submitting auditorprepared test data to the client's computer process, submitting actual data to the auditor's computer program, or utilizing an edit program, as these would allow the auditor to make comparisons between the client's expected output, using the client's data and computer program, and the auditor's expected results using auditor-prepared data, the auditor's computer program, and the auditor's edit program.
Which of the following is the primary reason that many auditors hesitate to use embedded audit modules?
A. Embedded audit modules cannot be protected from computer viruses.
B. Auditors are required to monitor embedded audit modules continuously to obtain valid results.
C. Embedded audit modules can easily be modified through management tampering.
D. Auditors are required to be involved in the system design of the application to be monitored.
Embedded audit modules can be difficult to install once the application program is operational, but efficiently included during system design. Embedded audit modules can be protected from viruses as well as other applications. Sporadic or occasional monitoring of embedded audit modules can produce valid results. Management tampering can modify other applications as easily as embedded audit modules.
When conducting fieldwork for a physical inventory, an auditor cannot perform which of the following steps using a generalized audit software package?
A. Observing inventory
B. Selecting sample items of inventory
C. Analyzing data resulting from inventory
D. Recalculating balances in inventory reports
Observation of inventory cannot be done exclusively by computer. While the exact procedures performed will vary among software packages, generalized audit software is used to accomplish six basic types of audit tasks: (1) examining records for quality, completeness, consistency and correctness; (2) testing calculations and making computations; (3) comparing data on separate files; (4) selecting, printing and analyzing audit samples; (5) summarizing or resequencing data and performing analyses; and (6) comparing data obtained through other audit procedures with company records.
Which of the following computer-assisted auditing techniques processes client input data on a controlled program under the auditor's control to test controls in the computer system?
A. Test data
B. Review of program logic
C. Integrated test facility
D. Parallel simulation
Test data is fictitious data run through the client's programs under the auditor's control; the purpose is to test controls in the computer system. A review of program logic does not test any data. Integrated test facilities are programs run with the client's programs. Parallel simulation processes actual client data through an auditor-controlled program.
Which of the following computer documentations would an auditor most likely utilize in obtaining an understanding of internal control?
A. Systems flowcharts
B. Record counts
C. Program listings
D. Record layouts
An auditor is likely to use systems flowcharts in obtaining an understanding of internal control. Systems flowcharts show the flow of data through the system and the interrelationships between the processing steps and computer runs. A record count is an input control technique. Program listings are the source statements or language of the client’s programs. Record layouts are the input and output formats.
A system that provides vendor and customer access to each other's internal computer data to facilitate service, deliveries, and payment is called
A. Distributed processing
B. Electronic data interchange
C. Electronic mail
Electronic data interchange is a method of conducting routine business transactions, such as inventory purchases. It relies on standardized guidelines that everyone can use. Distributed processing is an allocation of various processing tasks to various business divisions, with some tasks centralized and some decentralized. Electronic mail (email) refers to the electronic transmission of messages, including attached files from programs unrelated to the email software. A time-sharing center rents time on a central computer to several entities, with each entity having remote input and output devices. To each entity, it seems as if it is the only one using the system.
Which of the following activities most likely would detect whether payroll data were altered during processing?
A. Monitor authorized distribution of data control sheets
B. Use test data to verify the performance of edit routines
C. Examine source documents for approval by supervisors
D. Segregate duties between approval of hardware and software specifications
With test data, the auditor can readily compare actual results to anticipated results. Monitoring distribution wouldn’t detect data alteration. Source documents could be correctly approved and data could be later altered in processing without impact on the source documents. Segregation of duties discourages fraud, but not unintentional mistakes. Further, approval of hardware and software specifications are not necessarily the most critical functions to segregate in the IT area.
In an environment that is highly automated, an auditor determines that it is not possible to reduce detection risk solely by substantive tests of transactions. Under these circumstances, the auditor most likely would
A. Perform tests of controls to support a lower level of assessed control risk
B. Increase the sample size to reduce sampling risk and detection risk
C. Adjust the materiality level and consider the effect on inherent risk
D. Apply analytical procedures and consider the effect on control risk
When the auditor has determined that it is not possible or practicable to reduce the detection risks at the relevant assertion level to an acceptably low level with audit evidence obtained only from substantive procedures, s/he should perform tests of controls to obtain audit evidence about their operating effectiveness. The auditor may find it impossible to design effective substantive procedures that by themselves provide sufficient appropriate audit evidence at the relevant assertion level when an entity conducts its business using information technology (IT) and no documentation of transactions is produced or maintained, other than through the IT system. Increasing the sample size for substantive tests in this circumstance would be ineffective as the question states that it is not possible to reduce detection risk solely by substantive tests of transactions. Changing the materiality level would be inappropriate. Further, changing the materiality level does not have an effect on inherent risk, which is the susceptibility of an assertion to misstatement without any internal controls. Analytics performed by the auditor do not have an effect on control risk, which is the risk that the entity's internal controls will not detect material misstatements in the financial statements.
Which of the following is an engagement attribute for an audit of an entity that processes most of its financial data in electronic form without any paper documentation?
A. Discrete phases of planning, interim, and year-end fieldwork
B. Increased effort to search for evidence of management fraud
C. Performance of audit tests on a continuous basis
D. Increased emphasis on the completeness assertion
When a client processes financial data in electronic form without paper documentation, the auditor may audit on a more continuous basis than a traditional system, as a convenience, and may be required to audit on a more continuous basis to obtain sufficient, competent evidence as documentation for some transactions may only be available for a limited time. This is the opposite of discreet phases of planning, interim, and year-end fieldwork. The level of effort to search for management fraud and emphasis on the completeness assertion likely would not be affected significantly.
Which of the following activities would most likely be performed in the IT department?
A. Initiation of changes to master records
B. Initiation of changes to existing applications
C. Correction of transactional errors
D. Conversion of information to machine-readable form
The IT department normally converts data (which is initially prepared elsewhere) into machine-readable form. The following duties are considered incompatible in the case of IT personnel: (1) transaction origination or correction, (2) transaction authorization, (3) initial data preparation, (4) custody or control over non-IT assets, (5) authorization or change of controls, and (6) origination of master file changes.
Mill Co. uses a batch processing method to process its sales transactions. Data on Mill's sales transaction tape are electronically sorted by customer number and are subjected to programmed edit checks in preparing its invoices, sales journals, and updated customer account balances. One of the direct outputs of the creation of this tape most likely would be a
A. Report showing exceptions and control totals
B. Printout of the updated inventory records
C. Report showing overdue accounts receivable
D. Printout of the sales price master file
The correct answer is (A).
The computer process has built-in edit checks to generate exceptions and control totals.
Edit checks performed on batch processed data verify if each individual entry is appropriate and generates a list of rejected transactions for review by control clerk.
Edit checks ordinarily create an output file of rejected transactions.
The most likely output of edit checks is the creation of a report showing exceptions and control totals.
(B) is incorrect because a printout of the updated inventory records is generated from programs that utilize the information from the sales batch processing system, but is not directly produced from the sales system. (C) is incorrect because a report showing overdue accounts receivable is obtained by preparing an accounts receivable aging schedule.
(D) is incorrect because a printout of the sales price master file represents information that is input into the computer system as a basis for the edit checks.
Which of the following computer-assisted auditing techniques allows fictitious and real transactions to be processed together without client operating personnel being aware of the testing process?
A. Integrated test facility
B. Input controls matrix
C. Parallel simulation
D. Data entry monitor
An integrated test facility (ITF) processes fictitious data with real data in order to test computer controls; client personnel are unaware of the testing. An input control matrix documents controls and their presence. Parallel simulation processes client input data on an auditor-controlled program to test controls; test data is not utilized. The term “data entry monitor” is not commonly used.
The completeness of IT-generated sales figures can be tested by comparing the number of items listed on the daily sales report with the number of items billed on the actual invoices. This process uses
A. Check digits
B. Control totals
C. Process tracing data
D. Validity tests
Control totals are an IT control technique whereby a total is computed at a given stage in the processing cycle and recomputed at a later point. The totals are then compared to ensure that no data was dropped, added, or misprocessed. A check digit is a number that is added within a numerical entry to check its accuracy. Process tracing data apparently refers to 'tagging' of data, a technique used by auditors to follow a transaction through the processing cycle. A validity test is designed to ensure that only data meeting specific criteria are allowed.
In a computerized payroll system environment, an auditor would be least likely to use test data to test controls related to
A. Missing employee numbers
B. Proper approval of overtime by supervisors
C. Time tickets with invalid job numbers
D. Agreement of hours per clock cards with hours on time tickets
Proper approval of overtime most likely would be made by inspection of the related documents and reports to assess whether the authorization policy was applied. The computerized system would be unable to make such a judgment. The computerized payroll system could be utilized to test controls related to missing employee numbers, time tickets with invalid job numbers, and agreement of hours per clock cards with hours on time tickets.
When evaluating internal control of an entity that processes sales transactions on the Internet, an auditor would be most concerned about the
A. Lack of sales invoice documents as an audit trail
B. Potential for computer disruptions in recording sales
C. Inability to establish an integrated test facility
D. Frequency of archiving and data retention
Computer disruptions could destroy the only record of an online transaction. Integrated test facilities, archiving, and data retention are issues that arise whether sales are on the Internet or entered into a computer system by the entity. By their nature, sales transactions processed on the Internet don't involve sales invoice documents.
Which of the following most likely represents a significant deficiency in internal control?
A. The systems programmer designs systems for computerized applications and maintains output controls.
B. The systems analyst reviews applications of data processing and maintains systems documentation.
C. The control clerk establishes control over data received by the IT department and reconciles control totals after processing.
D. The accounts payable clerk prepares data for computer processing and enters the data into the computer.
A weakness in internal control exists where an individual is in a position to both perpetrate and conceal an error or fraud. Hence, a systems programmer should not be given any control over the review or distribution of the output of the IT system. It is part of the systems analyst's job to review applications of data processing and to maintain systems documentation. It is part of the control clerk's job to establish control over data received by the IT department and to reconcile control totals after processing. It is part of the accounts payable clerk's normal duties to prepare data for computer processing and to enter the data into the computer.
A primary advantage of using generalized audit software packages to audit the financial statements of a client is that the auditor may
A. Access information stored on computer files while having a limited understanding of the client's hardware and software features
B. Consider increasing the use of substantive tests of transactions in place of analytical procedures
C. Substantiate the accuracy of data through self-checking digits and hash totals
D. Reduce the level of required tests of controls to a relatively small amount
One of the reasons for using generalized audit software (GAS) is that it enables the auditor to gain access and test information stored in the client's files without having to acquire a complete understanding of the client's IT system. Although the use of GAS enables the auditor to deal more effectively with large quantities of data and produces economies in the audit while increasing the quality of the audit, it cannot replace analytical procedures. Self-checking digits and hash totals are controls in the client system. Reducing the level of required tests of controls to a relatively small amount is the result of assessing control risk and applying preliminary tests of controls, not a result of using a GAS package.