Uploaded by Roldan Manganip

Auditing in CIS Environment Exam

CORDILLERA CAREER DEVELOPMENT COLLEGE
COLLEGE OF ACCOUNTANCY
ICT 301AC: Auditing in CIS Environment
INSTRUCTIONS:
- Answers must be handwritten. Please write LEGIBLY.
- Label answers properly.
- Submit answers through messenger or email.
I. Multiple Choice:
1. An on-line access control that checks whether the user’s code number is authorized to
initiate a specific type of transaction or inquiry is referred to as
a. Password
b. Compatibility test
c. Limit check
d. Reasonableness test
2. Some of the more important controls that relate to automated accounting information
systems are validity checks, limit checks, field checks, and sign tests. These are classified as
a. Control total validation routines
b. Output controls
c. Hash totaling
d. Input validation routines
3. Which one of the following represents a lack of internal control in a computer-based
information system?
a. The design and implementation is performed in accordance with management’s
specific authorization.
b. Any and all changes in application programs have the authorization and approval
of management.
c. Provisions exist to protect data files from unauthorized access, modification, or
destruction.
d. Both computer operators and programmers have unlimited access to the
programs and data files.
4. In an automated payroll processing environment, a department manager substituted the
time card for a terminated employee with a time card for a fictitious employee. The
fictitious employee had the same pay rate and hours worked as the terminated employee.
The best control technique to detect this action using employee identification numbers
would be a
a. Batch total
b. Hash total
c. Record count
d. Subsequent check
5. Which of the following errors would be detected by batch controls?
a. A fictitious employee was added to the processing of the weekly time cards by the
computer operator.
b. An employee who worked only 5 hours in the week was paid for 50 hours.
c. The time card for one employee was not processed because it was lost in transit
between the payroll department and the data entry function.
d. All of the above.
6. Which of the following is a disadvantage of the integrated test facility approach?
a. In establishing fictitious entities, the auditor may be compromising audit
independence.
b. Removing the fictitious transactions from the system is somewhat difficult and, if not
done carefully, may contaminate the client's files.
c. ITF is simply an automated version of auditing "around" the computer.
d. The auditor may not always have a current copy of the authorized version of the
client's program.
7. An employee in the receiving department keyed in a shipment from a remote terminal
and inadvertently omitted the purchase order number. The best systems control to detect
this error would be
a. Batch total
b. Sequence check
c. Completeness test
d. Reasonableness test
8. Which of the following methods of testing application controls utilizes software prepared
by the auditors and applied to the client's data?
a. Parallel simulation.
b. Integrated test facility.
c. Test data.
d. Exception report tests.
9. The test-data method is used by auditors to test the
a. Accuracy of input data.
b. Validity of the output.
c. Procedures contained within the program.
d. Normalcy of distribution of test data.
10. Which of the following statements most likely represents a disadvantage for an entity that
maintains computer data files rather than manual files?
a. It's usually more difficult to detect transposition errors.
b. Transactions are usually authorized before they are executed and recorded.
c. It's usually easier for unauthorized persons to access and alter the files.
d. Random error is more common when similar transactions are processed in different
ways.
11. An integrated test facility (ITF) would be appropriate when the auditor needs to
a. Trace a complex logic path through an application system
b. Verify processing accuracy concurrently with processing
c. Monitor transactions in an application system continuously
d. Verify load module integrity for production programs
12. Computer Integrated System application controls include, except
a. Controls over input.
b. Controls over processing and computer data files.
c. Controls over output.
d. Monitoring controls.
13. The applications of auditing procedures using the computer as an audit tool refer to
a. Integrated test facility
b. Auditing through the computer
c. Data-based management system
d. Computer assisted audit techniques
14. User test and acceptance is part of which phase of the system development life cycle?
a. implementation
b. general systems design
c. program specification and implementation planning
d. detailed systems design
15. Which of the following would strengthen organizational control over a large-scale data
processing center?
a. requiring the user departments to specify the general control standards necessary for
processing transactions
b. requiring that requests and instructions for data processing services be submitted
directly to the computer operator in the data center
c. having the database administrator report to the manager of computer operations.
d. assigning maintenance responsibility to the original system designer who best knows
its logic
16. Which of the following is true?
a. Core competency theory argues that an organization should outsource specific core
assets.
b. Core competency theory argues that an organization should focus exclusively on its
core business competencies.
c. Core competency theory argues that an organization should not outsource specific
commodity assets.
d. Core competency theory argues that an organization should retain certain specific
non-core assets in-house.
17. A user’s application may consist of several modules stored in separate memory locations,
each with its own data. One module must not be allowed to destroy or corrupt another
module. This is an objective of
a. operating system controls.
b. data resource controls.
c. computer center and security controls.
d. application controls.
18. Hackers can disguise their message packets to look as if they came from an authorized
user and gain access to the host’s network using a technique called
a. Spoofing
b. IP Spooling
c. Dual-homed
d. Screening
19. A digital signature
a. is the encrypted mathematical value of the message sender’s name.
b. is derived from the digest of a document that has been encrypted with the
sender’s private key.
c. is derived from the digest of a document that has been encrypted with the
sender’s public key.
d. is the computed digest of the sender’s digital certificate.
e. allows digital messages to be sent over an analog telephone line.
20. Which of the following is the most important factor in planning for a system change?
a. Having an auditor as a member of the design team.
b. Using state-of-the-art techniques.
c. Concentrating on software rather than hardware.
d. Involving top management and people who use the system.
e. Selecting a user to lead the design team.
21. Which of the following steps is NOT considered to be part of this systems survey?
a. Interviews are conducted with operating people and managers.
b. The complete documentation of the system is obtained and reviewed.
c. Measures of processing volume are obtained for each operation.
d. Equipment sold by various computer manufacturers is reviewed in terms of
capability, cost, and availability.
e. Work measurement studies are conducted to determine the time required to
complete various tasks or jobs.
22. The technique that recognizes the time value of money by discounting the after-tax cash
flows for a project over its life to time period zero using the company’s minimum desired
rate of return is called the
a. net present value method.
b. capital rationing method.
c. payback method.
d. accounting rate of return method.
23. Which of the following is not a test for identifying application errors?
a. reconciling the source code
b. reviewing test results
c. retesting the program
d. testing the authority table
24. Which statement is NOT true? A batch control log
a. is prepared by the user department.
b. records the record count.
c. indicates any error codes.
d. is maintained as a part of the audit trail.
25. The reporting of accounting information plays a central role in the regulation of business
operations. Preventive controls are an integral part of virtually all accounting processing
systems, and much of the information generated by the accounting system is used for
preventive control purposes. Which one of the following is not an essential element of a
sound preventive control system?
a. Separation of responsibilities for the recording, custodial, and authorization
functions.
b. Sound personnel policies.
c. Documentation of policies and procedures.
d. Implementation of state-of-the-art software and hardware.
26. Which of the following is true?
a. Core competency theory argues that an organization should outsource specific
core assets.
b. Core competency theory argues that an organization should focus exclusively on
its core business competencies.
c. Core competency theory argues that an organization should not outsource
specific commodity assets.
d. Core competency theory argues that an organization should retain certain
specific non-core assets in-house.
27. Database currency is achieved by
a. implementing partitioned databases at remote sites.
b. employing data-cleansing techniques.
c. ensuring that the database is secure from accidental entry.
d. an external auditor’s reconciliation of reports from multiple sites.
e. a database lockout that prevents multiple simultaneous access.
28. The TELOS acronym is often used for determining the need for system changes. Which of
the following types of feasibility studies are elements of TELOS?
a. legal, environmental, and economic
b. environmental, operational, and economic
c. technical, economic, legal, and practical
d. practical, technical, and operational
e. technical, operational, and economic
29. Computer systems that enable users to access data and programs directly through
workstations are referred to as
a. On-line computer systems
b. Database management systems (DBMS)
c. Personal computer systems
d. Database systems
30. A device that works to control the flow of data between two or more network segments
a. Bridge
b. Router
c. Repeater
d. Switch
31. The following matters are of particular importance to the auditor in an on-line computer
system, except
a. Authorization, completeness and accuracy of on-line transactions.
b. Integrity of records and processing, due to on-line access to the system by many
users and programmers.
c. Changes in the performance of audit procedures including the use of CAAT's.
d. Cost-benefit ratio of installing on-line computer system.
32. A type of network in which multiple buildings are close enough to create a campus, but
the space between the buildings is not under the control of the company, is
a. Local Area Network (LAN)
b. Wide Area Network (WAN)
c. Metropolitan Area Network (MAN)
d. World Wide Web (WWW)
33. Which statement is incorrect?
a. Only successful transactions are recorded on a transaction log.
b. Unsuccessful transactions are recorded in an error file.
c. A transaction log is a temporary file.
d. A hard copy transaction listing is provided to users.
34. Which statement is not correct?
a. The purpose of file interrogation is to ensure that the correct file is being
processed by the system.
b. File interrogation checks are particularly important for master files.
c. Header labels are prepared manually and affixed to the outside of the tape or
disk.
d. An expiration date check prevents a file from being deleted before it expires.
35. Which statement is NOT correct? The goal of batch controls is to ensure that during
processing
a. transactions are not omitted.
b. transactions are not added.
c. transactions are processed more than once.
d. an audit trail is created.
II. Enumeration: Provide the items required.
1. What are the levels of Input Validation Controls?
2. What are the classes of Input Controls?
3. What are the types of errors that can corrupt the data codes and cause processing errors?
III. Classification: Classify each of the following as a field, record or file interrogation.
1) Limit Check
2) Validity Check
3) Version Check
4) Missing Data Check
5) Sign Check
6) Expiration Date Check
7) Numeric-alphabetic Data Check
8) Sequence Check
9) Zero-value Check
10) Header Label Check
11) Range Check
12) Reasonableness Check