ACIS - Auditing Computer Information System
ACIS - Auditing Computer Information System
ACIS - Auditing Computer Information System
College of Accountancy
Second Term, AY 2018-2019
TEST QUESTIONS
FINAL EXAMINATION (Completion)
ACIS – Auditing Computer Information System
Professor: Erwin L. Medina, CPA, MBA
INSTRUCTIONS: No examinees shall copy or refer to any solution, answer or work of another or
allow anyone to copy or refer to his work, nor in any manner help or ask the help of any person
or communicate with any person by means of words, signs gestures, codes, and other similar
acts which may enable him to exchange, impart or acquire relevant information while the
examination is in progress. Shade your corresponding answers in the answer sheet, if your
answer is not among the choices, shade letter E. Use only PERMANENT PEN. No erasures. Do
not detach any page of this questionnaire. (1 point for each correct answer). 70 Items.
1. An internal auditor noted the following points when conducting a preliminary survey
in connection with the audit of an EDP department. Which of the following would be
considered a safeguard in the control system on which the auditor might rely?
a. Programmers and computer operators correct daily processing problems as
they arise. b. The control group works with user organizations to correct rejected
input.
c. New systems are documented as soon as possible after they begin processing
live data. d. The average tenure of employees working in the EDP department is ten
months.
2. An on-line access control that checks whether the user’s code number is authorized to
initiate a specific type of transaction or inquiry is referred to as
a. Password c. Compatibility test
b. Limit check d. Reasonableness test
3. A control procedure that could be used in an on-line system to provide an immediate
check on whether an account number has been entered on a terminal accurately is a
a. Compatibility test c. Record count
b. Hash total d. Self-checking digit
4. A control designed to catch errors at the point of data entry is
a. Batch total c. Self-checking
digit b. Record count d.
Checkpoints
5. Program documentation is a control designed primarily to ensure that
a. Programmers have access to the tape library or information on
disk files. b. Programs do not make mathematical errors.
c. Programs are kept up to date and perform as
intended. d. Data have been entered and
processed.
6. Some of the more important controls that relate to automated accounting information
systems are validity checks, limit checks, field checks, and sign tests. These are classified
as
a. Control total validation routines c. Output controls
b. Hash totaling d. Input validation routines
7. Most of today’s computer systems have hardware controls that are built in by the
computer manufacturer. Common hardware controls are
a. Duplicate circuitry, echo check, and internal header labels
b. Tape file protection, cryptographic protection, and limit
checks c. Duplicate circuitry, echo check, and dual
reading
d. Duplicate circuitry, echo check, tape file protection, and internal header labels
8. Computer manufacturers are now installing software programs permanently
inside the computer as part of its main memory to provide protection from erasure
or loss if there is interrupted electrical power. This concept is known as
a. File integrity c. Random access memory (RAM)
b. Software control d. Firmware
9. Which one of the following represents a lack of internal control in a computer-based
information system?
a. The design and implementation is performed in accordance with
management’s specific authorization.
b. Any and all changes in application programs have the authorization and
approval of management.
c. Provisions exist to protect data files from unauthorized access, modification, or
destruction. d. Both computer operators and programmers have unlimited access
to the programs and
data files.
10. In an automated payroll processing environment, a department manager substituted the
time card for a terminated employee with a time card for a fictitious employee.
The fictitious employee had the same pay rate and hours worked as the terminated
employee. The best control technique to detect this action using employee
identification numbers would be a
a. Batch total b. Hash total c. Record count d. Subsequent
check
11. An employee in the receiving department keyed in a shipment from a remote
terminal and inadvertently omitted the purchase order number. The best systems control
to detect this error would be
a. Batch total c. Sequence check
b. Completeness test d. Reasonableness test
12. The reporting of accounting information plays a central role in the regulation
of business operations. Preventive controls are an integral part of virtually all
accounting processing systems, and much of the information generated by the
accounting system is used for preventive control purposes. Which one of the
following is not an essential element of a sound preventive control system?
a. Separation of responsibilities for the recording, custodial, and
authorization functions. b. Sound personnel policies.
c. Documentation of policies and
procedures.
d. Implementation of state-of-the-art software and
hardware.
13. The most critical aspect regarding separation of duties within information systems
is between a. Project leaders and programmers c. Programmers and
systems analysts
b. Programmers and computer operators d. Data control and
file librarians
14. Whether or not a real time program contains adequate controls is most effectively
determined by the use of
a. Audit software c. A tracing
routine
b. An integrated test facility d. A traditional
test deck
15. Compatibility tests are sometimes employed to determine whether an
acceptable user is allowed to proceed. In order to perform compatibility tests,
the system must maintain an access control matrix. The one item that is not part
of an access control matrix is a
a. List of all authorized user code numbers and
passwords. b. List of all files maintained on the
system.
c. Record of the type of access to which each user
is entitled.
d. Limit on the number of transaction inquiries that can be made by each user in a
specified time period.
16. Which one of the following input validation routines is not likely to be appropriate in
a real time operation?
a. Field check c. Sequence
check
b. Sign check d. Redundant data
check
17. Which of the following controls is a processing control designed to ensure the
reliability and accuracy of data processing?
Limit test Validity
check test a. Yes
Yes
b. No No
c. No Yes
d. Yes No
18. Which of the following characteristics distinguishes computer processing
from manual processing?
a. Computer processing virtually eliminates the occurrence of computational
error normally associated with manual processing.
b. Errors or irregularities in computer processing will be detected soon after their
occurrences. c. The potential for systematic error is ordinarily greater in
manual processing than in
computerized processing.
Page 3 of 10
d. Most computer systems are designed so that transaction trails useful for audit
do not exist.
19. Which of the following most likely represents a significant deficiency in the
internal control structure?
a. The systems analyst review applications of data processing and maintains
systems documentation.
b. The systems programmer designs systems for computerized applications
and maintains output controls.
c. The control clerk establishes control over data received by the EDP
department and reconciles control totals after processing
d. The accounts payable clerk prepares data for computer processing and enters
the data into
the computer.
20. Which of the following activities would most likely be performed in the EDP
Department?
a. Initiation of changes to master
records.
b. Conversion of information to machine-
readable form. c. Correction of transactional
errors.
d. Initiation of changes to existing
applications.
21. For control purposes, which of the following should be organizationally
segregated from the computer operations function?
a. Data conversion c. Systems development
b. Surveillance of CRT messages d. Minor maintenance according to a
schedule
22. Which of the following is not a major reason for maintaining an audit trail for
a computer system?
a. Deterrent to irregularities c. Analytical
procedures b. Monitoring purposes d.
Query answering
23. In an automated payroll system, all employees in the finishing department were paid
the rate of P75 per hour when the authorized rate was P70 per hour. Which
of the following controls would have been most effective in preventing such an
error?
a. Access controls which would restrict the personnel department’s access to
the payroll master file data.
b. A review of all authorized pay rate changes by the personnel
department. c. The use of batch control totals by department.
d. A limit test that compares the pay rates per department with the
maximum rate for all employees.
24. Which of the following errors would be detected by batch controls?
a. A fictitious employee as added to the processing of the weekly time cards by
the computer operator.
b. An employee who worked only 5 hours in the week was paid for 50 hours.
c. The time card for one employee was not processed because it was lost in transit
between the payroll department and the data entry function.
d. All of the above.
25. The use of a header label in conjunction with magnetic tape is most likely to prevent
errors by the
a. Computer operator c. Computer
programmer b. Keypunch operator d.
Maintenance technician
26. For the accounting system of ACME Company, the amounts of cash disbursements
entered into an EDP terminal are transmitted to the computer that immediately
transmits the amounts back to the terminal for display on the terminal screen. This
display enables the operator to
Page 4 of 10
a. Establish the validity of the account number
b. Verify the amount was entered accurately
c. Verify the authorization of the disbursements
d. Prevent the overpayment of the account
27. When EDP programs or files can be accessed from terminals, users should be
required to enter a(an)
a. Parity check c. Self-
diagnostic test b. Personal identification code
d. Echo check
28. The possibility of erasing a large amount of information stored on magnetic
tape most likely would be reduced by the use of
a. File protection ring c. Completeness tests
b. Check digits d. Conversion verification
29. Which of the following controls most likely would assure that an entity can
reconstruct its financial records?
a. Hardware controls are built into the computer by the computer manufacturer.
b. Backup diskettes or tapes of files are stored away from originals.
c. Personnel who are independent of data input perform parallel simulations.
d. System flowcharts provide accurate descriptions of input and output operations.
30. Mill Co. uses a batch processing method to process its sales transactions. Data on
Mill’s sales transaction tape are electronically sorted by customer number and are
subject to programmed edit checks in preparing its invoices, sales journals, and
updated customer account balances. One of the direct outputs of the creation of
this tape most likely would be a
a. Report showing exceptions and control totals.
b. Printout of the updated inventory records.
c. Report showing overdue accounts receivable.
d. Printout of the sales price master file.
31. Using microcomputers in auditing may affect the methods used to review the
work of staff assistants because
a. The audit field work standards for supervision may differ.
b. Documenting the supervisory review may require assistance of
consulting services personnel.
c. Supervisory personnel may not have an understanding of the capabilities and
limitations of microcomputers.
d. Working paper documentation may not contain readily observable details of
calculations.
32. An auditor anticipates assessing control risk at a low level in a computerized
environment.
Under these circumstances, on which of the following procedures would the
auditor initially focus?
a. Programmed control procedures c. Output control
procedures b. Application control procedures d.
General control procedures
33. After the preliminary phase of the review of a client’s EDP controls, an auditor may
decide not to perform tests of controls (compliance tests) related to the control
procedures within the EDP portion of the client’s internal control structure. Which
of the following would not be a valid reason for choosing to omit such tests?
a. The controls duplicate operative controls existing elsewhere in the structure.
b. There appear to be major weaknesses that would preclude reliance on
the stated procedure.
c. The time and costs of testing exceed the time and costs in substantive testing if
the tests of controls show the controls to be operative.
d. The controls appear adequate.
34. Which of the following client electronic data processing (EDP) systems generally
can be audited without examining or directly testing the EDP computer programs
of the system?
Page 5 of 10
a. A system that performs relatively uncomplicated processes and produces
detailed output.
b. A system that affects a number of essential master files and produces a limited
output.
c. A system that updates a few essential master files and produces no printed
output other than final balances.
d. A system that performs relatively complicated processing and produces very
little detailed output.
35. Computer systems are typically supported by a variety of utility software
packages that are important to an auditor because they
a. May enable unauthorized changes to data files if not properly controlled.
b. Are very versatile programs that can be used on hardware of many
manufacturers.
c. May be significant components of a client’s application programs.
d. Are written specifically to enable auditors to extract and sort data.
36. To obtain evidence that online access controls are properly functioning, an auditor
most likely would
a. Create checkpoints at periodic intervals after live data processing to test for
unauthorized use of the system.
b. Examine the transaction log to discover whether any transactions were lost or
entered twice due to a system malfunction
c. Enter invalid identification numbers or passwords to ascertain whether the
system rejects them.
d. Vouch a random sample of processed transactions to assure proper
authorization
37. Which of the following statements most likely represents a disadvantage for an
entity that keeps microcomputer-prepared data files rather than manually prepared
files?
a. Attention is focused on the accuracy of the programming process rather
than errors in individual transactions.
b. It is usually easier for unauthorized persons to access and alter the files.
c. Random error associated with processing similar transactions in different ways is
usually greater.
d. It is usually more difficult to compare recorded accountability with physical
count of assets.
38. An auditor would least likely use computer software to
a. Access client data files c. Assess EDP controls
b. Prepare spreadsheets d. Construct parallel simulations
39. A primary advantage of using generalized audit software packages to audit
the financial statements of a client that uses an EDP system is that the auditor may
a. Consider increasing the use of substantive tests of transactions in place of
analytical procedures.
b. Substantiate the accuracy of data through self-checking digits and hash totals.
c. Reduce the level of required tests of controls to a relatively small amount.
d. Access information stored on computer files while having a limited
understanding of the client’s hardware and software features.
40. Auditors often make use of computer programs that perform routine processing
functions such as sorting and merging. These programs are made available by
electronic data processing companies and others and are specifically referred to
as
a. Compiler programs c. Utility programs
b. Supervisory programs d. User programs
41. Smith Corporation has numerous customers. A customer file is kept on disk storage.
Each customer file contains name, address, credit limit, and account balance. The
auditor wishes to test this file to determine whether the credit limits are being
exceeded. The best procedure for the auditor to follow would be to
a. Develop test data that would cause some account balances to exceed the
credit limit and determine if the system properly detects such situations.
Page 6 of 10
b. Develop a program to compare credit limits with account balances and print
out the details of any account with a balance exceeding its credit limit.
c. Request a printout of all account balances so they can be manually checked
against the credit limits.
d. Request a printout of a sample of account balances so they can be individually
checked against the credit limits.
42. The use of generalized audit software package
a. Relieves an auditor of the typical tasks of investigating exceptions,
verifying sources of information, and evaluating reports.
b. Is a major aid in retrieving information from computerized files.
c. Overcomes the need for an auditor to learn much about computers.
d. Is a form of auditing around the computer.
43. An auditor used test data to verify the existence of controls in a certain
computer program.
Even though the program performed well on the test, the auditor may still have a
concern that
a. The program tested is the same one used in the regular production runs.
b. Generalized audit software may have been a better tool to use.
c. Data entry procedures may change and render the test useless.
d. The test data will not be relevant in subsequent audit periods.
44. An auditor most likely would introduce test data into a computerized payroll
system to test internal controls related to the
a. Existence of unclaimed payroll checks held by supervisors.
b. Early cashing of payroll checks by employees.
c. Discovery of invalid employee I.D. numbers.
d. Proper approval of overtime by supervisors.
45. When an auditor tests a computerized accounting system, which of the following is
true of the test data approach?
a. Test data must consist of all possible valid and invalid conditions.
b. The program tested is different from the program used throughout the year by
the client.
c. Several transactions of each type must be tested.
d. Test data are processed by the client’s computer programs under the auditor’s
control.
46. Which of the following statements is not true to the test data approach when
testing a computerized accounting system?
a. The test need consist of only those valid and invalid conditions which interest the
auditor
b. Only one transaction of each type need be tested.
c. The test data must consist of all possible valid and invalid conditions.
d. Test data are processed by the client’s computer programs under the auditor’s
control.
47. Which of the following is not among the errors that an auditor might include in the
test data when auditing a client’s EDP system?
a. Numeric characters in alphanumeric fields.
b. Authorized code.
c. Differences in description of units of measure.
d. Illogical entries in fields whose logic is tested by programmed consistency
checks.
48. An auditor who is testing EDP controls in a payroll system would most likely use test
data that contain conditions such as
a. Deductions not authorized by employees.
b. Overtime not approved by supervisors.
c. Time tickets with invalid job numbers.
d. Payroll checks with unauthorized signatures.
49. Auditing by testing the input and output of an EDP system instead of the computer
program itself will
Page 7 of 10
a. Not detect program errors which do not show up in the output sampled.
b. Detect all program errors, regardless of the nature of the output.
c. Provide the auditor with the same type of evidence.
d. Not provide the auditor with confidence in the results of the auditing
procedures.
50. Which of the following computer-assisted auditing techniques allows fictitious
and real transactions to be processed together without client operating
personnel being aware of the testing process?
a. Integrated test facility c. Parallel simulation
b. Input controls matrix d. Data entry monitor
51. Which of the following methods of testing application controls utilizes a
generalized audit software package prepared by the auditors?
a. Parallel simulation c. Test data approach
b. Integrated testing facility approach d. Exception report tests
52. Misstatements in a batch computer system caused by incorrect programs or data
may not be detected immediately because
a. Errors in some transactions may cause rejection of other transactions in the
batch.
b. The identification of errors in input data typically is not part of the program.
c. There are time delays in processing transactions in a batch system.
d. The processing of transactions in a batch system is not uniform.
53. Which of the following is not a characteristic of a batch processed
computer system?
a. The collection of like transactions which are sorted and processed sequentially
against a master file.
b. Keypunching of transactions, followed by machine processing.
c. The production of numerous printouts.
d. The posting of a transaction, as it occurs, to several files, without immediate
printouts.
54. Where disk files are used, the grandfather-father-son updating backup concept
is relatively difficult to implement because the
a. Location of information points on disks is an extremely time consuming task.
b. Magnetic fields and other environmental factors cause off-site storage to be
impractical.
c. Information must be dumped in the form of hard copy if it is to be reviewed
before used in updating.
d. Process of updating old records is destructive.
55. An auditor would most likely be concerned with which of the following controls in a
distributed data processing system?
a. Hardware controls c. Access controls
b. Systems documentation controls d. Disaster recovery controls
56. If a control total were computed on each of the following data items, which
would best be identified as a hash total for a payroll EDP application?
a. Total debits and total credits c. Department numbers
b. Net pay d. Hours worked
57. Which of the following is a computer test made to ascertain whether a given
characteristic belongs to the group?
a. Parity check c. Echo check
b. Validity check d. Limit check
58. A control feature in an electronic data processing system requires the central
processing unit (CPU) to send signals to the printer to activate the print mechanism
for each character. The print mechanism, just prior to printing, sends a signal back
to the CPU verifying that the proper print position has been activated. This type of
hardware control is referred to as
a. Echo check c. Signal control
b. Validity control d. Check digit control
Page 8 of 10
59. Which of the following is an example of a check digit?
a. An agreement of the total number of employees to the total number of checks
printed by the computer.
b. An algebraically determined number produced by the other digits of the
employee number.
c. A logic test that ensures all employee numbers are nine digits.
d. A limit check that an employee’s hours do not exceed 50 hours per work week.
60. In a computerized system, procedure or problem-oriented language is converted
to machine language through a(an)
a. Interpreter b. Verifier c. Compiler d. Converter
61. A customer erroneously ordered Item No. 86321 rather than item No. 83621. When
this order is processed, the vendor’s EDP department would identify the error with
what type of control?
a. Key verifying c. Batch total
b. Self-checking digit d. Item inspection
62. The computer process whereby data processing is performed concurrently with
a particular activity and the results are available soon enough to influence the
course of action being taken or the decision being made is called:
a. Random access sampling c. On-line, real-time system
b. Integrated data processing d. Batch processing system
63. Internal control is ineffective when computer department
personnel
a. Participate in computer software acquisition decisions.
b. Design documentation for computerized systems.
c. Originate changes in master file.
d. Provide physical security for program files.
64. Test data, integrated test data and parallel simulation each require an auditor to
prepare data and computer programs. CPAs who lack either the technical
expertise or time to prepare programs should request from the manufacturers or
EDP consultants for
a. The program Code c. Generalized audit software
b. Flowchart checks d. Application controls
65. Which of the following best describes a fundamental control weakness often
associated with electronic data processing system?
a. EDP equipment is more subject to system error than manual processing is
subject to human error.
b. Monitoring is not an adequate substitute for the use of test data.
c. EDP equipment processes and records similar transactions in a similar manner.
d. Functions that would normally be separated in a manual system are combined
in the EDP
system like the function of programmers and
operators.
66. Which of the following tasks could not be performed when using a generalized audit
software package?
a. Selecting inventory items for observations.
b. Physical count of inventories.
c. Comparison of inventory test counts with perpetual records.
d. Summarizing inventory turnover statistics for obsolescence analysis.
67. All of the following are “auditing through the computer” techniques except
a. Reviewing source code c. Automated tracking and
mapping
b. Test-decking d. Integrated test facility
68. The output of a parallel simulation should always be
a. Printed on a report.
b. Compared with actual results manually.
c. Compared with actual results using a comparison program.
Page 9 of 10
d. Reconciled to actual processing output.
69. Generalized audit software is a computer-assisted audit technique. It is one of the
widely used technique for auditing computer application systems. Generalized
audit software is most often used to
a. Verify computer processing.
b. Process data fields under the control of the operation manager.
c. Independently analyze data files.
d. Both a and b.
70. From an audit viewpoint, which of the following represents a potential disadvantage
associated with the widespread use of microcomputers?
a. Their portability.
b. Their ease of access by novice users.
c. Their easily developed programs using spreadsheets which do not have to be
documented.
d. All of the above.
Page 10 of 10