Module 8: Auditing with Technology 497 Multiple-Choice Answers and Explanations Answers 1. 2. 3. 4. 5. 6. b b b c c b __ __ __ __ __ __ __ __ __ __ __ __ 7. 8. 9. 10. 11. 12. b a c a c c __ __ __ __ __ __ __ __ __ __ __ __ 13. 14. 15. 16. 17. 18. d d a a b d __ __ __ __ __ __ __ __ __ __ __ __ 19. 20. 21. 22. 23. 24. c c b a a a __ __ __ __ __ __ __ __ __ __ __ __ 25. 26. 27. 28. 29. 30. c d c a c b __ __ __ __ __ __ __ __ __ __ __ __ 31. c 32. b __ __ __ __ 1st: __/32 = __% 2nd: __/32 = __% Explanations 1. (b) The requirement is to identify an advantage of using systems flowcharts to document information about internal con­trol instead of using internal control questionnaires. Answer (b) is correct because flowcharts provide a visual depiction of clients’ activities which make it possible for auditors to quickly under­stand the design of the system. Answer (a) is incorrect because while the flow of operations is visually depicted, internal control weaknesses are not as obvious. Answer (c) is incorrect because while a flowchart describes a system, the flowchart alone does not indicate whether that system is operating effectively. Answer (d) is incorrect because auditors still need to determine whether the system has been placed in operation and therefore the need to observe employees performing routine tasks remains. 2. (b) The requirement is to determine when a flowchart is most frequently used by an auditor. Answer (b) is correct be­cause flowcharts are suggested as being appropriate for docu­menting the auditor’s consideration of internal control. An­swer (a) is incorrect because auditors do not frequently write their own generalized computer audit programs, the most likely time a flowchart would be used with respect to such software. Answers (c) and (d) are incorrect because statistical sampling and analytical procedures do not in general require the use of flowcharts. 3. (b) The requirement is to identify the correct statement with respect to a computerized, automatically updating payroll system in which magnetic cards are used instead of a manual payroll system with clock cards. Answer (b) is correct because the automatic updating of payroll records alters the audit trail which, in the past, included steps pertaining to manual updating. Answer (a) is incorrect because although an auditor may choose to use a generalized computer audit program, it is not required. Answer (c) is incorrect because no information is presented that would necessarily indicate a change in the likelihood of fraud. Answer (d) is incorrect because given automatic updating, a large portion of the transactions are not processed in batches. 4. (c) The requirement is to identify the correct statement concerning the batch processing of transactions. Batch pro­ cessing involves processing transactions through the system in groups of like transactions (batches). Answer (c) is correct be­cause the similar nature of transactions involved with batch pro­cessing ordinarily makes it relatively easy to follow the transac­tions throughout the system. Answer (a) is incorrect because transactions are processed by type, not in the order they occur regardless of type. Answer (b) is incorrect because many batch applications still exist and might be expected to exist well into the future. Answer (d) is incorrect because batch processing may be used for database applications. 5. (c) The requirement is to determine when an auditor would be most likely to assess control risk at the maximum level in an electronic environment with automated systemgenerated information. Answer (c) is correct because the few transactions involved in fixed assets make it most likely to be one in which a substantive approach of restricting detection risk is most likely to be effective and efficient. Answer (a) is incorrect because an auditor might be expected to perform tests of controls to assess control risk below the maximum when automated decision rules are involved for an account (sales) which ordinarily has many transactions. Answers (b) and (d) are incorrect because the numerous transactions in payables and receivables make it likely that control risk will be assessed below the maximum. 6. (b) The requirement is to identify the most accurate statement with respect to tests of controls of a highly automated information processing system. Answer (b) is correct because in some such circumstances substantive tests alone will not be suffi­cient to restrict detection risk to an acceptable level. Answer (a) is incorrect because tests of controls need not be performed in all such circumstances. Answer (c) is incorrect because such tests are sometimes required. Answer (d) is incorrect because tests of controls are not in such circumstances in all first year audits. 7. (b) The requirement is to identify the least likely circumstance in which an auditor would consider engagements of an IT specialist on an audit. Answer (b) is correct because the requirement to assess going concern status remains the same on all audits, and thus does not directly affect engagement of an IT specialist. Answers (a), (c), and (d) are all incorrect because complexity, the use of emerging technologies, and participation in electronic commerce are all factors which make it more likely that an IT specialist will be engaged. 8. (a) The requirement is to identify a strategy that a CPA most likely would consider in auditing an entity that processes most of its financial data only in electronic form. Answer (a) is correct because continuous monitoring and analysis of transac­tion processing with an embedded audit module 498 Module 8: Auditing with Technology might provide an effective way of auditing these processes— although some question exists as to how many embedded audit modules CPAs have actually used in practice. Answer (b) is incorrect because there may well be a decrease in reliance on internal control activi­ties that emphasize this segregation of duties since so many con­trols are in the hardware and software of the application. Answer (c) is incorrect because digital certificates deal with electronic commerce between companies, a topic not directly addressed by this question, and because such certificates provide limited evi­dence on authorization. Answer (d) is incorrect because while firewalls do control network traffic, this is not the most significant factor in the audit of electronic form financial data. 9. (c) The requirement is to identify the reply that is not a major reason for maintaining an audit trail for a computer sys­tem. Answer (c) is correct because analytical procedures use the outputs of the system, and therefore the audit trail is of limited importance. Answer (a) is incorrect because an audit trail may deter fraud since the perpetrator may realize that his or her act may be detected. Answer (b) is incorrect because an audit trail will help management to monitor the computer system. An­swer (d) is incorrect because an audit trail will make it much easier to answer queries. 10. (a) The requirement is to identify a reason that utility software packages are important to an auditor. Answer (a) is correct because client use of such packages requires that the audi­tor include tests to determine that no unplanned interventions using utility routines have taken place during processing (Audit and Accounting Guide, Computer Assisted Audit Techniques). Answer (b) is incorrect because a client’s use of such programs implies that they are useful on his/her computer hardware, and therefore any flexibility is not of immediate relevance to the audi­tor. Answer (c) is incorrect because the primary purpose of util­ity programs is to support the computer user’s applications (Computer Assisted Audit Techniques). Answer (d) is incorrect because utility software programs have a variety of uses in addi­tion to enabling auditors to extract and sort data (Computer As­sisted Audit Techniques). 11. (c) The requirement is to identify the types of controls with which an auditor would be most likely to be concerned in a distributed data processing system. A distributed data processing system is one in which there is a network of remote computer sites, each having a computer connected to the main computer system, thus allowing access to the computers by various levels of users. Accordingly, answer (c) is correct because numerous individuals may access the system, thereby making such controls of extreme importance. Answers (a), (b), and (d), while requir­ing concern, are normally considered less critical than proper access controls for this situation. 12. (c) The requirement is to identify the type of evidence an auditor would examine to determine whether internal control is operating as designed. Answer (c) is correct because the in­spection of documents and records such as those related to com­puter programs represents an approach for obtaining an under­standing of internal control. Answer (a) is incorrect because examining gross margin information is more likely to be per­formed during the performance of analytical procedures. An­swer (b) is incorrect because confirming of receivables is a sub­stantive test. Answer (d) is incorrect because anticipated results documented in budgets or forecasts are much more frequently used in the performance of analytical procedures. 13. (d) The requirement is to determine the procedures on which the auditor would initially focus when anticipating as­sessing control risk at a low level. Answer (d) is correct because auditors usually begin by considering general control procedures. Since the effectiveness of specific application controls is often dependent on the existence of effective general controls over all computer activities, this is usually an efficient approach. An­swers (a), (b), and (c) are all incorrect because they represent controls that are usually tested subsequent to the general con­trols. 14. (d) The requirement is to determine an inappropriate reason for omitting tests of controls related to computer control procedures. Answer (d) is correct because the fact that the con­trols appear adequate is not sufficient justification for reliance; tests of controls must be performed before the auditor can actu­ally rely upon a control procedure to reduce control risk. An­swer (a) is incorrect because when controls duplicate other con­trols the auditor who wishes to rely upon internal control need not test both sets. Answer (b) is incorrect because if weak con­trols are not to be relied upon, the auditor need not test their effectiveness. Answer (c) is incorrect because tests of controls may be omitted if their cost exceeds the savings from reduced substantive testing resulting from reliance upon the controls. 15. (a) The requirement is to determine the correct state­ ment with respect to testing inputs and outputs of a computer system instead of testing the actual computer program itself. Answer (a) is correct because portions of the program which have errors not reflected on the output will be missed. Thus, if a “loop” in a program is not used in one application, it is not tested. Answer (b) is incorrect because the lack of an understanding of the entire program precludes the detection of all errors. An­swer (c) is incorrect because while auditing inputs and outputs can provide valuable evidence, it will often be different than the evidence obtained by testing the program itself. Answer (d) is incorrect because such auditing of inputs and outputs may well satisfy the auditor. 16. (a) The requirement is to identify the type of computer system that can be audited without examining or directly testing computer programs (i.e., auditing around the system). Auditing around the system is possible if the system performs uncompli­cated processes and produces detailed output (i.e., is a fancy bookkeeping machine). Answers (b), (c), and (d) all describe more complicated computer systems that produce only limited output. In these more complicated systems, the data and related controls are within the system, and thus the auditor must exam­ine the system itself. Auditors must identify and evaluate the accounting controls in all computer systems. Further, complex computer systems require auditor specialized expertise to per­form the necessary procedures. 17. (b) The requirement is to determine an audit technique to determine whether an entity’s transactions are processed and to continuously test the computerized information system. Module 8: Auditing with Technology 499 An­swer (b) is correct because an embedded audit module is in­serted within the client’s information system to continuously test the processing of transactions. Answer (a) is incorrect because a snapshot application analyzes the information system at one point in time. Answer (c) is incorrect because an integrated data check simply tests data at one point in time. Answer (d) is incor­rect because a test data generator provides a sample of possible circumstances in which data might be improperly processed. dummy transactions on the client’s computer system. The test data ap­proach is used to test the operating effectiveness of controls the auditor intends to rely upon to assess control risk at a level lower than the maximum. Answer (a) is incorrect because only one transaction of each type is generally tested. Answer (c) is incor­rect because it is not possible to include all possible valid and invalid conditions. Answer (d) is incorrect because the program that should be tested is the client’s program which is used throughout the year. 18. (d) The requirement is to identify the computer-assisted audit technique that processes client input data on a controlled program under the auditor’s control to test controls in a com­ puter system Answer (d) is correct because parallel simulation processes actual client data through an auditor’s generalized audit software program. Answer (a) is incorrect because test data is a set of dummy transactions developed by the auditor and pro­cessed by the client’s programs to determine whether the con­trols which the auditor intends to test are operating effectively. Answer (b) is incorrect because a review of program logic is an approach in which an auditor reviews the steps by which the client’s program processes data. Answer (c) is incorrect because an integrated test facility introduces dummy transactions into a client’s system in the midst of live transactions. 22. (a) The requirement is to determine which reply is not among the errors which are generally detected by test data. An auditor uses test data to determine whether purported controls are actually functioning. Answer (a) is correct because one would not use test data to test numeric characters in alphanu­ meric fields; numeric characters are accepted in alphanumeric fields and thus do not represent error conditions. Answer (b) is incorrect because authorization codes may be tested by inputting inappropriate codes. Answer (c) is incorrect because differing descriptions of units of measure may be inputted to test whether they are accepted. Answer (d) is incorrect because illogical com­binations may be inputted to test whether they are detected by the system. 19. (c) The requirement is to determine the best way to obtain evidence that on-line access controls are properly func­tioning. Answer (c) is correct because entering invalid identifica­tion numbers or passwords will provide the auditor with evidence on whether controls are operating as designed. Answer (a) is incorrect because directly testing access controls is more direct than testing data through checkpoints at intervals. Answer (b) is incorrect because a transaction log will not in general, by itself, identify whether transactions were lost or entered twice. An­swer (d) is incorrect because vouching proper authorization is only one measure of whether controls are properly functioning. 20. (c) The requirement is to identify the situation in which it is most likely that an auditor would introduce test data into a computerized payroll system. Test data is a set of dummy trans­actions developed by the auditor and processed by the client’s computer programs. These dummy transactions are used to determine whether the controls which the auditor tests are oper­ating effectively. Answer (c) is correct because test data with invalid employee I.D. numbers could be processed to test whether the program detects them. Answer (a) is incorrect be­cause the unclaimed payroll checks are held by the supervisors and no testing of the computer program is involved. Answer (b) is incorrect because no computer processing is generally involved when payroll checks are “cashed early” by employees. An­swer (d) is incorrect because to test whether the approval of overtime is proper, one must determine what criteria are used for the decision and must then determine whether supervisors are following those criteria; it is less likely that this will all be in­cluded in a computer program than a test for invalid employee ID numbers. 21. (b) The requirement is to identify the correct statement regarding the test data approach. Answer (b) is correct because the test data approach consists of processing a set of 23. (a) The requirement is to identify the computer-assisted auditing technique which allows fictitious and real transactions to be processed together without client operating personnel being aware of the testing process. Answer (a) is correct because the integrated test facility approach introduces dummy transactions into a system in the midst of live transactions. Accordingly, client operating personnel may not be aware of the testing process. Answer (b) is incorrect because an input control matrix would simply indicate various controls in the form of a matrix. An­swer (c) is incorrect because the parallel simulation technique requires the processing of actual client data through an auditor’s software program. In this case, the client would be aware of the testing process since the auditor would need to request copies of data run on the actual system so that the data could then be run on the auditor’s software program. Additionally, only valid trans­actions would be tested under parallel simulation. Answer (d) is incorrect because the client would generally be aware of an audi­tor using a data entry monitor (screen) to input transactions. 24. (a) The requirement is to determine the auditing tech­ nique which utilizes generalized audit software. Answer (a) is correct because the parallel simulation method processes the client’s data using the CPA’s software. Answers (b) and (c) are incorrect because the client’s hardware and software are tested using test data designed by the CPA. Answer (d) is incorrect because although a CPA may test a client’s exception reports in various manners, generalized software is unlikely to be used. Exception reports are generally tested via CPA-prepared test data containing all the possible error conditions. The test data are then run on the client’s hardware and software to ascertain whether the exception reports are “picking up” the CPA’s test data. 25. (c) The requirement is to identify the information that must be available to begin creating automated lead schedules. A lead schedule is used to summarize like accounts (e.g., if a client has five cash accounts those 500 Module 8: Auditing with Technology accounts may be summarized on a lead schedule). Answer (c) is correct because lead schedules include information such as account numbers, prior year account balances, and current year unadjusted information. Answer (a) is incorrect because interim information is not necessary. Answer (b) is incorrect because invoice and purchase order numbers are not summarized on lead schedules. Answer (d) is incorrect be­ cause adjusting entry information is identified subsequent to the creation of lead schedules. 26. (d) The requirement is to identify an effect on audit work review methods of using laptop computers in auditing. An­swer (d) is correct because laptops typically produce a number of the “working papers” in computer disk form and be­cause many computations, etc. will be performed directly by the computer with few details of the calculations conveniently avail­able. Answer (a) is incorrect because the generally accepted auditing standards remain the same regardless of whether or not computers are being utilized. Answer (b) is incorrect because one would not normally expect consulting services personnel to help with documentation. Answer (c) is incorrect because su­pervisory personnel must have an understanding of the capability and limitations of laptops before they are utilized on audits. 27. (c) The requirement is to determine an auditor’s least likely use of computer software. Answer (c) is correct because an auditor will judgmentally assess control risk related to both the computer and manual systems after having performed the various tests of controls. Answer (a) is incorrect because computer soft­ware will be used to access client data files. Answers (b) and (d) are incorrect because software is used to prepare spreadsheets and to perform parallel simulations. 28. (a) The requirement is to identify a primary advantage of using generalized audit software packages to audit the financial statements of a client that uses a computer system. Answer (a) is correct because generalized audit software allows an auditor to perform audits tests on a client’s computer files. Answer (b) is incorrect because generalized audit software packages may assist the auditor with either substantive tests of transactions or ana­lytical procedures. Answer (c) is incorrect because while gener­alized audit software might be used to perform such operations, this is not their primary advantage. Answer (d) is incorrect be­cause generalized audit software packages have no direct rela­tionship to the performance of tests of controls. 29. (c) The requirement is to determine the type of com­ puter programs which auditors use to assist them in functions such as sorting and merging. Answer (c) is correct because a utility program is a standard routine for performing commonly required processing such as sorting, merging, editing, and math­ematical routines. Answer (a) is incorrect because compiler programs translate programming languages such as COBOL or FORTRAN to machine language. Answer (b) is incorrect be­cause supervisory programs or “operating systems” consist of a series of programs that perform functions such as scheduling and supervising the application programs, allocating storage, control­ling peripheral devices, and handling errors and restarts. An­swer (d) is incorrect because user or “application programs” perform specific data processing tasks such as general ledger, accounts payable, accounts receivable, and payroll. Application programs make use of utility routines. 30. (b) The requirement is to determine the best approach for determining whether credit limits are being exceeded when accounts receivable information is stored on disk. Answer (b) is correct because a program to compare actual account balances with the predetermined credit limit and thereby prepare a report on whether any actual credit limits are being exceeded will ac­complish the stated objective. Answer (a) is incorrect because while test data will indicate whether the client’s program allows credit limits to be exceeded, it will not indicate whether credit limits are actually being exceeded. Answer (c) is incorrect because a manual check of all account balances will be very time consuming. Answer (d) is incorrect because a sample will pro­vide less complete information than the audit of the entire popu­lation which is indicated in answer (b). 31. (c) The requirement is to identify how an auditor would test for the presence of unauthorized computer program changes. Answer (c) is correct because comparing source code of the pro­gram with a correct version of the program will disclose unau­thorized computer program changes. Answer (a) is incorrect because test data is generally used to test specific controls and it will generally be less effective for detecting unauthorized changes than will source code comparison. Answer (b) is incorrect be­cause check digits are primarily used as an input control to de­termine that input data is proper. Answer (d) is incorrect be­cause properly computing control totals is only one possible unauthorized change that might be made to a program. 32. (b) The requirement is to identify the number that represents the record count. Answer (b) is correct because the record count represents the number of records in a file, in this case 4.