MULTIPLE CHOICE (60 POINTS) Direction: In the answer sheet provided, place the letter that identifies the correct response. (1.5 points each) 1. The most important reason for an IS auditor to obtain sufficient and appropriate audit evidence is to a. Ensure complete audit coverage b. Comply with regulatory requirements c. Perform the audit according to the defined scope d. Provide a basis for drawing reasonable conclusions 2. While reviewing sensitive electronic working paper, the IS auditor noticed that they were not encrypted. This could compromise the a. Approval of the audit phase b. Access right to the working papers c. Confidentiality of the working papers d. Audit trail of the versioning of the working papers 3. When preparing an audit report, the IS auditor should ensure that the results are supported by a. Working papers of other auditors b. Statement from IS management c. Sufficient and appropriate evidence d. An organizational control self-assessment 4. System flowcharts a. illustrate the relationship between database entities in systems. b. describe the internal logic of computer applications in systems. c. depict logical tasks that are being performed, but not who is performing them d. represent relationships between key elements of both manual and computer systems. 5. the primary purpose for meeting with auditees prior to formally closing reviews is to a. Gain agreements on the findings b. Test the structure of final presentation c. Receive feedback on the adequacy of the audit procedures d. Confirm that the auditor did not overlook important issues 6. the primary reason an IS auditor performs a functional walkthrough during the preliminary phase of an audit assignment is to a. Identify control weakness b. Develop the risk assessment c. Comply with auditing standard d. Understand the business process 7. An IS auditors finds that the answers received during an interview with the payroll clerk do not support descriptions and documented procedures. Under these circumstances, the IS auditor should a. Suspend the audit b. Place greater reliance on previous audit c. Conclude that the controls are inadequate d. Expand the scope to include substantive testing 8. An appropriate control for ensuring the authenticity of orders received in an electronic data interchange a. Encrypt electronic orders b. Acknowledge receipt of electronic orders with a confirmation message c. Perform reasonable checks on quantities ordered before filling orders d. Verify the identity of senders and determine if orders correspond to contract terms 9. When selecting audit procedures, an IS auditors should use professional judgment to ensure that a. Sufficient evidence will be collected b. All material weaknesses will be identified c. Audit cost will be kept at a minimum level d. Significant deficiencies will be corrected within a reasonable time 10. During the planning stage of an IS audit, the primary goal of an IS auditor is to a. Address audit objectives b. Specify appropriate test c. Minimize audit resources d. Collect sufficient evidence 11. Which of the following represents the greatest potential risk in an electronic data interchange environment a. Transmission delay b. Lack of transaction authorizations c. Loss of duplication of EDI transmission d. Deletion or manipulation of transactions prior to, or after, establishment of application control 12. An organization uses a bank to process its weekly payroll. Time sheets and payroll adjustment forms are completed and delivered to the banks, which prepares the check and reports for distribution. To best ensure payroll data accuracy a. Check should be compared to input forms b. Gross payroll should be recalculated manually c. Check should be reconciled with output reports d. Payroll reports should be compared to input reports 13. An IS auditor should use statistical sampling, and not judgment sampling, when a. The probability of error must be objective quantified b. The auditor wants to avoid sampling risk c. General audit software is unavailable d. The tolerable error rate cannot be determined 14. Real-time processing would be most beneficial in handling a firm’s a. fixed asset records b. depreciation records c. merchandise inventory d. retained earning information 15. Risk exposures in the General Ledger and Financial Reporting Systems include all of the following except a. loss of the audit trail b. loss of physical assets c. unauthorized access to the general ledger d. general ledger account out of balance with the subsidiary account 16. During an exit interview, in cases where there is disagreement regarding the impact of a finding, an IS auditor should a. Report the disagreement to the audit committee for resolution b. Accept the auditee’s position because they are the process owner c. Ask the auditee to sign a release form accepting full legal responsibility d. Elaborate on the significance of the finding and the risk of not correcting it 17. Which statement is not correct? The audit trail in a computerized environment a. may take the form of pointers, indexes, and embedded keys b. consists of records that are stored sequentially in an audit file c. traces transactions from their source to their final disposition d. is a function of the quality and integrity of the application programs 18. When developing a risk-based audit strategy, an Is auditor should conduct a risk assessment to ensure that a. Audit risk is considered b. A gap analysis is appropriate c. Vulnerabilities and threats are identified d. Controls needed to mitigate risk are in place 19. How does the process of systems auditing benefit from using a risk-based approach to audit planning? a. Auditing risk is reduced. b. Controls testing starts earlier. c. Controls testing is more thorough. d. Auditing resources are allocated to the areas of highest concern. 20. Corrective action has been taken by an auditee immediately after the identification of a reportable finding. The auditor should: a. include the finding in the closing meeting for discussion purposes only b. not include the finding in the final report, because the audit report should include only unresolved findings. c. include the finding in the final report, because the IS auditor is responsible for an accurate report of all findings. d. not include the finding in the final report, because corrective action can be verified by the IS auditor during the audit. 21. An IS auditor is validating a control that involved a review of system generated exception reports. Which of the following is the best evidence of the effectiveness of the control. a. Walkthrough with the reviewer of the operation of the control b. System generated exception report for the review period with the reviewers sign off c. Management's confirmation of the effectiveness of the control for the review period. d. A sample system generated exceptions report for the review period, with follow-up action items noted by the reviewer 22. Which of the following forms of evidence for the auditor would be considered the MOST reliable? a. An oral statement from the auditee b. The results of a test performed by an IS auditor c. An internally generated computer accounting report d. A confirmation letter received from an outside source 23. An IS auditor should ensure that the review of online electronic funds transfer reconciliation procedures include a. Tracing b. Vouching c. Corrections d. Authorizations 24. Which audit techniques provides the best evidence of segregation of duties in an IT department a. Observation and interviews b. Testing of user access rights c. Discussion with management d. Review of the organizational chart 25. When evaluating the collective effect of preventive, detective or corrective controls within a process, an IS auditor should be aware of which of the following? a. Only preventive and detective controls are relevant b. Corrective controls can only be regarded as compensating c. Classification allows an IS auditor to determine which controls are missing d. The point at which controls are exercised as data flow through the system 26. Which of the following would normally be the MOST reliable evidence for an auditor? a. Trend data obtained from World Wide Web (Internet) sources b. A confirmation letter received from a third party verifying an account balance c. Assurance from line management that an application is working as designed d. Ratio analysts developed by the IS auditor from reports supplied by line management 27. Which of the following should be of most concern to an IS auditor? a. Lack of periodic examination of access rights b. Lack of notification to the public of an intrusion c. Failure to notify police of an attempted intrusion d. Lack of reporting of a successful attack on the network 28. In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts. Next, the IS auditor should a. identify and evaluate the existing controls. b. disclose the threats and impacts to management. c. identify information assets and the underlying systems. d. identify and assess the risk assessment process used by management. 29. During a security audit of IT processes, an IS auditor found that there were no documented security procedures. The IS auditor should: a. Terminate the audit. b. Conduct compliance testing. c. Create the procedures document. d. Identify and evaluate existing practices. 30. An IS auditor has imported data from the clients database. The next step-confirming whether the imported data are complete-is performed by: a. Filtering data for different categories and matching them to the original data. b. Matching control totals of the imported data to control totals of the original data. c. Sorting the data to confirm whether the data are in the same order as the original data. d. Reviewing the printout of the first 100 records of original data with the first 100 records of imported data. II. SAP TEST OF TRANSACTIONS (40 POINTS) In the SAP link provided, please screenshot the following requirements that are necessary for auditors in the conduct of IT audit. Indicate your answers in the box provided below. 1. Show a sample screenshot of the following documents and reports necessary for accountants and auditors: a. Screenshot the related transactions for purchase order number 15 from purchase orders to outgoing payment relationship and discuss its corresponding journal entries. b. Screenshot the related transactions for sales order number 25 from sales orders to incoming payment relationship and discuss its corresponding journal entries. c. Transaction Journal Report for all Transactions performed on the months of October to December, 2013. d. Financial Statements for CY 2013 e. Generate the Journal Entry of A/R Invoice no. 7 f. How much is the Total Trade Receivable (before any adjustments)? g. Compute the amount of Allowance for Doubtful Accounts. According to the industry experiences, the collectability of accounts are as follow: 0 – 1 month = 100% Over one month not over two months = 98% Over two months not over three months = 95% Over three months not over four months = 92% Over four months = 90% h. Reperform Bank Reconciliation for Metrobank Account No. 9021. Balance per Bank Ref. No. 184,871.20 Add: Deposits in Transit Less: Outstanding Checks Total adjustments Adjusted Balance Balance per Book Add: 1,101,550.40 Less: Total Adjustments Adjusted Balance -END OF EXAMINATION-