Module 8: Auditing with Technology
Multiple-Choice Answers and Explanations

Answers

 1. b     7. b    13. d    19. c    25. c    31. c
 2. b     8. a    14. d    20. c    26. d    32. b
 3. b     9. c    15. a    21. b    27. c
 4. c    10. a    16. a    22. a    28. a
 5. c    11. c    17. b    23. a    29. c
 6. b    12. c    18. d    24. a    30. b

1st: __/32 = __%
2nd: __/32 = __%

Explanations
1. (b) The requirement is to identify an advantage of using
systems flowcharts to document information about internal
control instead of using internal control questionnaires.
Answer (b) is correct because flowcharts provide a visual
depiction of clients’ activities which makes it possible for
auditors to quickly understand the design of the system.
Answer (a) is incorrect because while the flow of operations
is visually depicted, internal control weaknesses are not as
obvious. Answer (c) is incorrect because while a flowchart
describes a system, the flowchart alone does not indicate
whether that system is operating effectively. Answer (d) is
incorrect because auditors still need to determine whether the
system has been placed in operation and therefore the need to
observe employees performing routine tasks remains.
2. (b) The requirement is to determine when a flowchart
is most frequently used by an auditor. Answer (b) is correct
because flowcharts are suggested as being appropriate for
documenting the auditor’s consideration of internal control.
Answer (a) is incorrect because auditors do not frequently
write their own generalized computer audit programs, the most
likely time a flowchart would be used with respect to such
software. Answers (c) and (d) are incorrect because statistical
sampling and analytical procedures do not in general require
the use of flowcharts.
3. (b) The requirement is to identify the correct statement
with respect to a computerized, automatically updating payroll
system in which magnetic cards are used instead of a manual
payroll system with clock cards. Answer (b) is correct because
the automatic updating of payroll records alters the audit
trail which, in the past, included steps pertaining to manual
updating. Answer (a) is incorrect because although an auditor
may choose to use a generalized computer audit program, it is
not required. Answer (c) is incorrect because no information
is presented that would necessarily indicate a change in the
likelihood of fraud. Answer (d) is incorrect because given
automatic updating, a large portion of the transactions are not
processed in batches.
4. (c) The requirement is to identify the correct statement
concerning the batch processing of transactions. Batch
processing involves processing transactions through the system
in groups of like transactions (batches). Answer (c) is correct
because the similar nature of transactions involved with batch
processing ordinarily makes it relatively easy to follow the
transactions throughout the system. Answer (a) is incorrect
because transactions are processed by type, not in the order
they occur regardless of type. Answer (b) is incorrect because
many batch applications still exist and might be expected to
exist well into the future. Answer (d) is incorrect because
batch processing may be used for database applications.
5. (c) The requirement is to determine when an auditor
would be most likely to assess control risk at the maximum
level in an electronic environment with automated
system-generated information. Answer (c) is correct because the few
transactions involved in fixed assets make it most likely to be
one in which a substantive approach of restricting detection
risk is most likely to be effective and efficient. Answer (a)
is incorrect because an auditor might be expected to perform
tests of controls to assess control risk below the maximum
when automated decision rules are involved for an account
(sales) which ordinarily has many transactions. Answers (b)
and (d) are incorrect because the numerous transactions in
payables and receivables make it likely that control risk will be
assessed below the maximum.
6. (b) The requirement is to identify the most accurate
statement with respect to tests of controls of a highly
automated information processing system. Answer (b) is
correct because in some such circumstances substantive
tests alone will not be sufficient to restrict detection risk to
an acceptable level. Answer (a) is incorrect because tests of
controls need not be performed in all such circumstances.
Answer (c) is incorrect because such tests are sometimes
required. Answer (d) is incorrect because tests of controls are
not required in such circumstances in all first year audits.
7. (b) The requirement is to identify the least likely
circumstance in which an auditor would consider engagements
of an IT specialist on an audit. Answer (b) is correct because
the requirement to assess going concern status remains the
same on all audits, and thus does not directly affect engagement
of an IT specialist. Answers (a), (c), and (d) are all incorrect
because complexity, the use of emerging technologies, and
participation in electronic commerce are all factors which make
it more likely that an IT specialist will be engaged.
8. (a) The requirement is to identify a strategy that a CPA
most likely would consider in auditing an entity that processes
most of its financial data only in electronic form. Answer
(a) is correct because continuous monitoring and analysis
of transaction processing with an embedded audit module
might provide an effective way of auditing these processes—
although some question exists as to how many embedded audit
modules CPAs have actually used in practice. Answer (b) is
incorrect because there may well be a decrease in reliance on
internal control activities that emphasize this segregation of
duties since so many controls are in the hardware and software
of the application. Answer (c) is incorrect because digital
certificates deal with electronic commerce between companies,
a topic not directly addressed by this question, and because
such certificates provide limited evidence on authorization.
Answer (d) is incorrect because while firewalls do control
network traffic, this is not the most significant factor in the
audit of electronic form financial data.
9. (c) The requirement is to identify the reply that is not
a major reason for maintaining an audit trail for a computer
system. Answer (c) is correct because analytical procedures
use the outputs of the system, and therefore the audit trail is of
limited importance. Answer (a) is incorrect because an audit
trail may deter fraud since the perpetrator may realize that his
or her act may be detected. Answer (b) is incorrect because
an audit trail will help management to monitor the computer
system. Answer (d) is incorrect because an audit trail will
make it much easier to answer queries.
10. (a) The requirement is to identify a reason that utility
software packages are important to an auditor. Answer (a)
is correct because client use of such packages requires that
the auditor include tests to determine that no unplanned
interventions using utility routines have taken place during
processing (Audit and Accounting Guide, Computer Assisted
Audit Techniques). Answer (b) is incorrect because a client’s
use of such programs implies that they are useful on his/her
computer hardware, and therefore any flexibility is not of
immediate relevance to the auditor. Answer (c) is incorrect
because the primary purpose of utility programs is to support
the computer user’s applications (Computer Assisted Audit
Techniques). Answer (d) is incorrect because utility software
programs have a variety of uses in addition to enabling
auditors to extract and sort data (Computer Assisted Audit
Techniques).
11. (c) The requirement is to identify the types of controls
with which an auditor would be most likely to be concerned
in a distributed data processing system. A distributed data
processing system is one in which there is a network of remote
computer sites, each having a computer connected to the main
computer system, thus allowing access to the computers by
various levels of users. Accordingly, answer (c) is correct
because numerous individuals may access the system, thereby
making such controls of extreme importance. Answers (a), (b),
and (d), while requiring concern, are normally considered less
critical than proper access controls for this situation.
12. (c) The requirement is to identify the type of evidence
an auditor would examine to determine whether internal
control is operating as designed. Answer (c) is correct because
the inspection of documents and records such as those related
to computer programs represents an approach for obtaining
an understanding of internal control. Answer (a) is incorrect
because examining gross margin information is more likely to
be performed during the performance of analytical procedures.
Answer (b) is incorrect because confirming of receivables is a
substantive test. Answer (d) is incorrect because anticipated
results documented in budgets or forecasts are much more
frequently used in the performance of analytical procedures.
13. (d) The requirement is to determine the procedures on
which the auditor would initially focus when anticipating
assessing control risk at a low level. Answer (d) is correct
because auditors usually begin by considering general control
procedures. Since the effectiveness of specific application
controls is often dependent on the existence of effective
general controls over all computer activities, this is usually an
efficient approach. Answers (a), (b), and (c) are all incorrect
because they represent controls that are usually tested
subsequent to the general controls.
14. (d) The requirement is to determine an inappropriate
reason for omitting tests of controls related to computer
control procedures. Answer (d) is correct because the fact that
the controls appear adequate is not sufficient justification for
reliance; tests of controls must be performed before the auditor
can actually rely upon a control procedure to reduce control
risk. Answer (a) is incorrect because when controls duplicate
other controls the auditor who wishes to rely upon internal
control need not test both sets. Answer (b) is incorrect because
if weak controls are not to be relied upon, the auditor need not
test their effectiveness. Answer (c) is incorrect because tests
of controls may be omitted if their cost exceeds the savings
from reduced substantive testing resulting from reliance upon
the controls.
15. (a) The requirement is to determine the correct statement
with respect to testing inputs and outputs of a computer
system instead of testing the actual computer program itself.
Answer (a) is correct because portions of the program which
have errors not reflected on the output will be missed. Thus,
if a “loop” in a program is not used in one application, it is
not tested. Answer (b) is incorrect because the lack of an
understanding of the entire program precludes the detection
of all errors. Answer (c) is incorrect because while auditing
inputs and outputs can provide valuable evidence, it will often
be different than the evidence obtained by testing the program
itself. Answer (d) is incorrect because such auditing of inputs
and outputs may well satisfy the auditor.
16. (a) The requirement is to identify the type of computer
system that can be audited without examining or directly
testing computer programs (i.e., auditing around the system).
Auditing around the system is possible if the system performs
uncomplicated processes and produces detailed output (i.e.,
is a fancy bookkeeping machine). Answers (b), (c), and (d)
all describe more complicated computer systems that produce
only limited output. In these more complicated systems, the
data and related controls are within the system, and thus the
auditor must examine the system itself. Auditors must identify
and evaluate the accounting controls in all computer systems.
Further, complex computer systems require specialized auditor
expertise to perform the necessary procedures.
17. (b) The requirement is to determine an audit technique
to determine whether an entity’s transactions are processed
and to continuously test the computerized information system.
Answer (b) is correct because an embedded audit module is
inserted within the client’s information system to continuously
test the processing of transactions. Answer (a) is incorrect
because a snapshot application analyzes the information
system at one point in time. Answer (c) is incorrect because
an integrated data check simply tests data at one point in time.
Answer (d) is incorrect because a test data generator provides
a sample of possible circumstances in which data might be
improperly processed.
18. (d) The requirement is to identify the computer-assisted
audit technique that processes client input data on a controlled
program under the auditor’s control to test controls in a
computer system. Answer (d) is correct because parallel simulation
processes actual client data through an auditor’s generalized
audit software program. Answer (a) is incorrect because test
data is a set of dummy transactions developed by the auditor
and processed by the client’s programs to determine whether
the controls which the auditor intends to test are operating
effectively. Answer (b) is incorrect because a review of
program logic is an approach in which an auditor reviews the
steps by which the client’s program processes data. Answer
(c) is incorrect because an integrated test facility introduces
dummy transactions into a client’s system in the midst of live
transactions.
19. (c) The requirement is to determine the best way to
obtain evidence that on-line access controls are properly
functioning. Answer (c) is correct because entering invalid
identification numbers or passwords will provide the auditor
with evidence on whether controls are operating as designed.
Answer (a) is incorrect because directly testing access
controls is more direct than testing data through checkpoints
at intervals. Answer (b) is incorrect because a transaction log
will not in general, by itself, identify whether transactions
were lost or entered twice. Answer (d) is incorrect because
vouching proper authorization is only one measure of whether
controls are properly functioning.
20. (c) The requirement is to identify the situation in which
it is most likely that an auditor would introduce test data into
a computerized payroll system. Test data is a set of dummy
transactions developed by the auditor and processed by the
client’s computer programs. These dummy transactions are
used to determine whether the controls which the auditor tests
are operating effectively. Answer (c) is correct because test
data with invalid employee I.D. numbers could be processed
to test whether the program detects them. Answer (a) is
incorrect because the unclaimed payroll checks are held
by the supervisors and no testing of the computer program
is involved. Answer (b) is incorrect because no computer
processing is generally involved when payroll checks are
“cashed early” by employees. Answer (d) is incorrect because
to test whether the approval of overtime is proper, one must
determine what criteria are used for the decision and must then
determine whether supervisors are following those criteria;
it is less likely that this will all be included in a computer
program than a test for invalid employee ID numbers.
21. (b) The requirement is to identify the correct statement
regarding the test data approach. Answer (b) is correct
because the test data approach consists of processing a set of
dummy transactions on the client’s computer system. The
test data approach is used to test the operating effectiveness of
controls the auditor intends to rely upon to assess control risk
at a level lower than the maximum. Answer (a) is incorrect
because only one transaction of each type is generally tested.
Answer (c) is incorrect because it is not possible to include all
possible valid and invalid conditions. Answer (d) is incorrect
because the program that should be tested is the client’s
program which is used throughout the year.
22. (a) The requirement is to determine which reply is not
among the errors which are generally detected by test data. An
auditor uses test data to determine whether purported controls
are actually functioning. Answer (a) is correct because one
would not use test data to test numeric characters in
alphanumeric fields; numeric characters are accepted in alphanumeric
fields and thus do not represent error conditions. Answer (b)
is incorrect because authorization codes may be tested by
inputting inappropriate codes. Answer (c) is incorrect because
differing descriptions of units of measure may be inputted
to test whether they are accepted. Answer (d) is incorrect
because illogical combinations may be inputted to test whether
they are detected by the system.
23. (a) The requirement is to identify the computer-assisted
auditing technique which allows fictitious and real transactions
to be processed together without client operating personnel
being aware of the testing process. Answer (a) is correct
because the integrated test facility approach introduces dummy
transactions into a system in the midst of live transactions.
Accordingly, client operating personnel may not be aware of
the testing process. Answer (b) is incorrect because an input
control matrix would simply indicate various controls in the
form of a matrix. Answer (c) is incorrect because the parallel
simulation technique requires the processing of actual client
data through an auditor’s software program. In this case, the
client would be aware of the testing process since the auditor
would need to request copies of data run on the actual system
so that the data could then be run on the auditor’s software
program. Additionally, only valid transactions would be tested
under parallel simulation. Answer (d) is incorrect because
the client would generally be aware of an auditor using a data
entry monitor (screen) to input transactions.
24. (a) The requirement is to determine the auditing
technique which utilizes generalized audit software. Answer (a) is
correct because the parallel simulation method processes the
client’s data using the CPA’s software. Answers (b) and (c) are
incorrect because the client’s hardware and software are tested
using test data designed by the CPA. Answer (d) is incorrect
because although a CPA may test a client’s exception reports
in various manners, generalized software is unlikely to be
used. Exception reports are generally tested via CPA-prepared
test data containing all the possible error conditions. The
test data are then run on the client’s hardware and software to
ascertain whether the exception reports are “picking up” the
CPA’s test data.
25. (c) The requirement is to identify the information
that must be available to begin creating automated lead
schedules. A lead schedule is used to summarize like
accounts (e.g., if a client has five cash accounts those
accounts may be summarized on a lead schedule). Answer
(c) is correct because lead schedules include information
such as account numbers, prior year account balances, and
current year unadjusted information. Answer (a) is incorrect
because interim information is not necessary. Answer (b) is
incorrect because invoice and purchase order numbers are not
summarized on lead schedules. Answer (d) is incorrect because
adjusting entry information is identified subsequent to
the creation of lead schedules.
26. (d) The requirement is to identify an effect on audit
work review methods of using laptop computers in auditing.
Answer (d) is correct because laptops typically produce a
number of the “working papers” in computer disk form and
because many computations, etc. will be performed directly by
the computer with few details of the calculations conveniently
available. Answer (a) is incorrect because the generally
accepted auditing standards remain the same regardless of
whether or not computers are being utilized. Answer (b) is
incorrect because one would not normally expect consulting
services personnel to help with documentation. Answer (c)
is incorrect because supervisory personnel must have an
understanding of the capability and limitations of laptops
before they are utilized on audits.
27. (c) The requirement is to determine an auditor’s least
likely use of computer software. Answer (c) is correct because
an auditor will judgmentally assess control risk related to both
the computer and manual systems after having performed
the various tests of controls. Answer (a) is incorrect because
computer software will be used to access client data files.
Answers (b) and (d) are incorrect because software is used to
prepare spreadsheets and to perform parallel simulations.
28. (a) The requirement is to identify a primary advantage of
using generalized audit software packages to audit the financial
statements of a client that uses a computer system. Answer (a)
is correct because generalized audit software allows an auditor
to perform audit tests on a client’s computer files. Answer (b)
is incorrect because generalized audit software packages may
assist the auditor with either substantive tests of transactions or
analytical procedures. Answer (c) is incorrect because while
generalized audit software might be used to perform such
operations, this is not their primary advantage. Answer (d) is
incorrect because generalized audit software packages have no
direct relationship to the performance of tests of controls.
29. (c) The requirement is to determine the type of computer
programs which auditors use to assist them in functions
such as sorting and merging. Answer (c) is correct because a
utility program is a standard routine for performing commonly
required processing such as sorting, merging, editing, and
mathematical routines. Answer (a) is incorrect because
compiler programs translate programming languages such
as COBOL or FORTRAN to machine language. Answer (b)
is incorrect because supervisory programs or “operating
systems” consist of a series of programs that perform functions
such as scheduling and supervising the application programs,
allocating storage, controlling peripheral devices, and handling
errors and restarts. Answer (d) is incorrect because user or
“application programs” perform specific data processing tasks
such as general ledger, accounts payable, accounts receivable,
and payroll. Application programs make use of utility
routines.
30. (b) The requirement is to determine the best approach
for determining whether credit limits are being exceeded
when accounts receivable information is stored on disk.
Answer (b) is correct because a program to compare actual
account balances with the predetermined credit limit and
thereby prepare a report on whether any actual credit limits
are being exceeded will accomplish the stated objective.
Answer (a) is incorrect because while test data will indicate
whether the client’s program allows credit limits to be
exceeded, it will not indicate whether credit limits are actually
being exceeded. Answer (c) is incorrect because a manual
check of all account balances will be very time consuming.
Answer (d) is incorrect because a sample will provide less
complete information than the audit of the entire population
which is indicated in answer (b).
31. (c) The requirement is to identify how an auditor would
test for the presence of unauthorized computer program
changes. Answer (c) is correct because comparing source
code of the program with a correct version of the program will
disclose unauthorized computer program changes. Answer (a)
is incorrect because test data is generally used to test specific
controls and it will generally be less effective for detecting
unauthorized changes than will source code comparison.
Answer (b) is incorrect because check digits are primarily
used as an input control to determine that input data is proper.
Answer (d) is incorrect because properly computing control
totals is only one possible unauthorized change that might be
made to a program.
32. (b) The requirement is to identify the number that
represents the record count. Answer (b) is correct because the
record count represents the number of records in a file, in this
case 4.