COMPUTER INFORMATION SYSTEM It exists when a computer of any type or size is involved in the processing by the entity of financial

information of significance to the audit, whether that computer is operated by the entity or by a third party. a. CIS environment c. IT environment b. Electronic Data Interchange (EDI) d. Local Area Network Answer: Letter A (definition, see PSA Glossary) 2. Which of the following standards or group of standards does a computerized information system environment mostly likely affect? a) General standards b) Standards of fieldwork c) Reporting standard d) Second standard of field work Answer: Letter B Computerized information system environment does affect standards of fieldwork because standard of fieldwork concerned about planning, internal control & evidential matter. 3. Which statement is correct regarding personal computer systems? a. Personal computers or PC's are economical yet powerful selfcontained general purpose computers consisting typically of a central processing unit (CPU). Memory, monitor, disk drives, printer cables and modems b. Programs and data are stored only on non-removable storage media. c. Personal Computers cannot be used to process accounting transactions ad produce report that are essential to the preparation of financial statements d. Generally, CIS environments in which personal computers are used are the same with other CIS environments. Answer: Letter A Personal computers or PC's are economical yet powerful self-contained general purpose computers consisting typically of a central processing unit (CPU). Memory, monitor, disk drives, printer cables and modems. 4. A personal computer can be used in various configurations including a. A stand alone workstation operated by a single user or a number of users at different times. b. A workstation which is part of a local area network of personal computers. c. A workstation connected to a server. d. All of the above. Answer: Letter D 5. Which statement is incorrect regarding personal computer configurations? a. The stand-alone workstation can be operated by a single user or a number of users at different times accessing the same or different programs. b. A stand-alone workstation may be referred to as a distributed system. c. A local area network is an arrangement where two or more personal computers are linked together through the use of special software and communication lines. d. Personal Computers can be linked to servers and used as part of such systems, for example, as an intelligent on-line workstation or as part of a distributed accounting system. Answer: Letter B (incorrect) Statements about Personal Computer Configuration. 1.

 The stand-alone workstation can be operated by a single user or a number of users at different times accessing the same or different programs. (5) A local area network is an arrangement where two or more personal computers are linked together through the use of special software and communication lines. (6) Personal Computers can be linked to servers and used as part of such systems, for example, as an intelligent on-line workstation or as part of a distributed accounting system. (7) Since control consideration and the characteristics of the hardware and software are different when personal computer is linked to other computers, such environments are described in other Supplements to Risk Assessments and Internal Control. 6. Which of the following is least likely characteristic of personal computers? a. They are small enough to be transportable. b. They are relatively expensive. c. They can be placed in operation quickly. d. The operating system software is less comprehensive than that found in larger computer environments. Answer: Letter B Although personal computer provide the user with substantial computing capabilities, they are small enough to be transportable , are relatively inexpensive and can be placed in operation quickly . Users with basic computer skill can learn to operate a personal computer easily since many operating system software and application programs are users-friendly and contain step-by-step instructions. Another characteristic is that operating system software, which is generally supplied by the personal computer manufacturer, is less comprehensive than that found in larger computer environments; e.g., it may not contain as many control and security features. 7. Which of the following is an inherent characteristic of software package? a. They are typically used without modifications of the programs. b. The programs are tailored-made according to the specific needs of the user. c. They are developed by software manufacturer according to a particular user's specifications. d. It takes a longer time of implementation. Answer: Letter A Software for a wide range of personal computer applications can be purchased from third-party vendors to perform (e.g., general ledger accounting, receivable accounting and production and inventory control). Such packages are typically used without modification of the programs . 8. Which of the following is not normally a removable storage media? a. Compact disk c. Tapes b. Diskettes d. Primary storage media Answer: Letter D Primary storage media (known as Hard Disk) is normally sealed in the personal computer or in stand-alone unit attached to the personal computer. 9. It is a computer program (a block of executable code) that attaches itself to a legitimate program or data file and uses its as a transport mechanism to reproduce itself without the knowledge of the user. a. Virus c. System management program b. Utility program d. Encryption Answer: Letter A

10.

Which statement is incorrect regarding internal control in personal computer environment? a. Generally, the CIS environment in which personal computers are used is less structured than a centrally-controlled CIS environment. b. Controls over the system development process and operations may not be viewed by the developer, the user management as being as important or cost-effective. c. In almost all commercially available operating systems, the built-in security provided has gradually increased over the years. d. In a typical personal computer environment, the distinction between general CIS controls and CIS application controls is easily ascertained. Answer: Letter D Should be: In a typical personal computer environment, the distinction between general CIS controls and CIS application controls may not be easily ascertained. 11. Personal computers are susceptible to theft, physical damage, unauthorized access or misuse of equipment. Which of the following is least likely a physical security to restrict access to personal computers when not in use? a. Using door locks or other security protection during nonbusiness hours. b. Fastening the personal computer to a table using security cables. c. Locking the personal computer in a protective cabinet or shell. d. Using anti-virus software programs. Answer: Letter D Anti-virus are software programs security against system damage but not physical security to restrict access to personal computer when not in use. Also include in physical security: Using alarm system that is activated any time the personal computer is disconnected or moved from its locations. 12. Which of the following is not likely a control over removable storage media to prevent misplacement, alteration without authorization or destruction? a. Using cryptography, which is the process of transforming programs and information into an unintelligible form. b. Placing responsibility for such media under personnel whose responsibilities include duties of software custodians or librarians. c. Using a program and data file check-in and check-out system and locking the designated storage locations. d. Keeping current copies of diskettes, compact disks or back-up tapes and hard disks in a fireproof container, either on-site, off-site or both. Answer: Letter A (included in the limiting access to program and data to authorized personnel) 13. Which of the following least likely protects critical and sensitive information from unauthorized access in a personal computer environment? a) Using secret file names and hiding the files. b) Keeping of back up copies offsite. c) Employing passwords. d) Segregating data into files organized under separate file directories.

Answer: Letter B Protects critical and sensitive information from unauthorized access in a personal computer environment are the following: a) A, C, and D b) Using cryptography c) Using anti-virus software programs 14. Which of the following best protects critical and sensitive information form unauthorized access in a personal computer environment? a) The use of secret file names and hiding the files. b) Using anti-virus software programs. Keeping of back up copies offsite. c) Keeping of back up copies offsite. d) Segregating data into files organized under separate file directories. Answer: Letter A For critical and sensitive information, this technique can be supplemented by assigning secret file names and hiding the files. 15. It refers to plans made by the entity to obtain access to comparable hardware, software and data in the event of their failure, loss or destruction. a. Back-up c. Anti-virus b. Encryption d. Wide Area Network (WAN) Answer: Letter A 16. The effect of personal computers on the accounting system and the associated risks will least likely depend on a. The extent to which the personal computer is being used to process accounting applications. b. The type and significance of financial transactions being processed. c. The nature of files and programs utilized in the applications. d. The cost of personal computers. Answer: Letter D 17. In the preliminary survey the auditor learns that a department has several microcomputers. Which of the following is usually true and should be considered in planning the audit? a) Microcomputers, though small, are capable of processing financial information, and physical security is a control concern. b) Microcomputers are limited to applications such as worksheet generation and do not present a significant audit risk. c) Microcomputers are generally under the control of the data processing department and use the same control features. d) Microcomputers are too small to contain any built-in control features. Therefore, other controls must be relied upon. Answer: Letter A In a personal computer environment, it may not be practicable or costeffective for management to implement sufficient controls to reduce the risks of undetected errors to a minimum level. Thus, the auditor may often assume that control risk is high in such system. 18. The auditor may often assume that control risk is high in personal computer systems since, it may not be practicable or cost-effective for management to implement sufficient controls to reduce the risks of undetected errors to a minimum level. This least likely entail a. More physical examination and confirmation of assets. b. More analytical procedures than tests of details. c. Larger sample sizes. d. Greater use of computer-assisted audit techniques, where appropriate

Answer: Letter B Should be: more tests of details 19. Computer systems that enable users to access data and programs directly through workstations are referred to as a. On-line computer systems b. Database management systems (DEMS) c. Personal computer systems d. Database systems Answer: Letter A 20. On-line systems allow users to initiate various functions directly. Such functions include: I. Entering transactions III. Requesting reports II. Making inquiries IV. Updating master files a. I, II, III and IV c. I and II b. I, II, and III d. I and IV Answer: Letter A 21. Many different types of workstations may be used in on-line computer systems. The functions performed by these workstations least likely depend on their a. Logic c. Storage b. Transmission d. Cost Answer: Letter D 22. Types of workstations include General Purpose Terminals and Special Purpose Terminals. Special Purpose Terminals include a. Basic keyboard and monitor c. Point of sale devices b. Intelligent terminal d. Personal computers Answer: Letter C (the other special purpose terminals is Automated Teller Machine or ATM, Choices A, B, & D are General Purpose Terminal 23. Special Purpose terminal used to initiate, validate, record, transmit and complete various banking transactions a. Automated teller machines c. Intelligent terminal b. Point of sale devices d. Personal computers Answer: Letter A 24. Which statement is incorrect regarding workstations? a. Workstations may be located either locally or at remote sites. b. Local workstations are connected directly to the computer through cables. c. The workstations require the use of telecommunications to link them to the computer. d. Workstations cannot be used by many users, for different purposes, in different locations, all at the same time. Answer: Letter D (incorrect) Should be: Workstations may be used by many users, for different purposes, in different locations, all at the same time. 25. On-line computer systems may be classified according to a. How information is entered into the system. b. How it is processed. c. When the results are available to the user. d. All of the above. Answer: Letter D 26. In an on-line /real time processing system a. Individual transactions are entered at workstations, validated and used to update related computer files immediately. b. Individual transactions are entered at a workstation, subjected to certain validation checks and added a transaction file that contains other transactions entered during the period.

Individual transactions immediately update a memo file containing information which has been extracted from the most recent version of the master file. d. The master files are updated by other systems. Answer: Letter A 27. It combines on-line/real time processing and on-line/batch processing. a. On-Line/memo Update (and Subsequent Processing) b. On-line Downloading/Uploading Processing c. On-Line/Inquiry d. On-Line/Combined Processing Answer: Letter A 28. It is a communication system that enables computer users to share computer equipment, application software, data and voice and video transmissions. a. Network c. Host b. File server d. Client Answer: Letter A File server is a computer with an operating system that allows multiple users on a network to access software applications and data files. The file server is a host machine. Host are computers that have an operating systems designed to allow several users to access them at the same time. 29. A type of network that multiple buildings are close enough to create a campus, but the space between the buildings is not under the control of the company is a. Local Area Network (LAN) b. Wide Area Network (WAN) c. Metropolitan Area Network (MAN) d. World Wide Web (WEB) Answer: Letter C 30. Which of the following is least likely a characteristics of Wide Area Network (WAN)? a. Created to connect two or more geographically separated LANs. b. Typically involves one or more long-distance providers , such as telephone company to provide the connections. c. WAN connections tend to be faster than LAN. d. Usually more expensive than LAN. Answer: Letter C ( Should be: High-speed WAN service are becoming more common, the WAN connections tend to be slower than LAN 31. Gateway is a. A hardware and software solution that enables communications between two dissimilar networking system or protocols. b. A device that forwards frames based on destination addresses. c. A device that connects and passes packets between two network segments that use the same communication protocol. d. A device that regenerates and retransmits the signal on a network. Answer: Letter A 32. A device that works to control the flow of data between two or more network segments. a. Bridge c. Repeater b. Router d. Switch

c.

Answer: Letter B Bridge a device that connects and passes packets between two network segments that use the same communication protocol. Repeater a device that regenerates and retransmits the signal on a network. Switch a device that forwards frames based on destinations addresses. 33. The undesirable characteristics of on-line computer systems least likely include a. Data are usually subjected to immediate validation checks. b. Unlimited access to users to all of the functions in a particular application. c. Possible lack of visible transaction trail. d. Potential programmer access to the system. Answer: Letter A When data are entered on-line, they are usually subject to immediate validation checks. Data failing this validation would not be accepted and a message may be displayed on the monitor, providing the user with the ability to correct the data and re-enter the valid data immediately. 34. Certain general CIS controls that are particularly important to online processing least likely include a. Access controls. b. Systems development and maintenance controls. c. Edit, reasonableness and other validation tests. d. Use of anti-virus software program. Answer: Letter C Certain general CIS controls are particularly important to on-line processing. These include: A, B & D Controls over user ID and passwords Programming control Transaction logs 35. Given the increasing use of microcomputers as a means for accessing data bases, along with on-line real-time processing, companies face a serious challenge relating to data security. Which of the following is not an appropriate means for meeting this challenge? a) Institute a policy of strict identification and password controls housed in the computer software that permit only specified individual to access the computer files and perform a given functions. b) Limit terminals to perform only certain transactions. c) Programs software to produce a log transaction showing date, time, type of transaction, and operator. d) Prohibit the networking of microcomputers and do not permit users to access centralized databases. Answer: Letter D The serious challenge faced by the companies relating to data security is, prohibiting the network access is not a normal control but should be limiting to authorized access, implementing user ID, or establishing software program of transaction log. 36. Certain CIS application controls that are particularly important to on-line processing least likely include a. Pre-processing authorization. b. Cut-off procedures. c. Transaction logs. d. Balancing Answer: Letter C

Certain CIS application controls are particularly important to on-line processing. These include: A, B & D Edit, reasonableness and other validation tests File controls Master file controls Rejected data 37. The effect of an on-line computer system on the accounting system and the associated risks will generally depend on, except: a) The extent to which the on-line system is being used to process accounting applications. b) The type and significance of financial transactions being processed. c) The nature of files and programs utilized in the applications d) All the statement above has the effect in an on-line computer system. Answer: Letter D 38. Risk of fraud or error in on-line systems may be reduced in the following circumstances, except a. If on-line data entry is performed at or near the point where transactions originate, there is less risk that the transactions will not be recorded. b. If invalid transactions are corrected and re-entered immediately, there is a less risk that such transactions will not be corrected and re-submitted on a timely basis. c. If data entry is performed on-line by individuals who understand the nature of the transactions involved, the data entry process may be less prone to errors that when it is performed by individuals unfamiliar with the nature of the transactions. d. On-line access to data or programs through the telecommunications may provide greater opportunity for access to data and programs by unauthorized persons. Answer: Letter D (Risk of fraud or error in on-line systems may be increased, 39. Risk fraud or error on-line computer systems may be increased for the following reasons, except a. If workstations are located throughout the entity, the opportunity for unauthorized use of a workstation and the entry of unauthorized transactions may increase. b. Workstations may provide the opportunity for unauthorized uses such as modification of previously entered transactions or balances. c. If on-line processing is interrupted for any reason, for example, due to faulty telecommunications, there may be a greater chance that transactions or files may be lost and that the recovery may not be accurate and complete. d. If the transactions are processed immediately on-line, there is less risk that they will be processed in the wrong accounting period. Answer: Letter D (Risk of fraud or error in on-line systems may be reduced, (76) The following matters are of particular importance to the auditor in an on-line computer system, except a. Authorization, completeness and accuracy of on-line transactions. b. Integrity of records and processing, due to on-line access to the system by many users and programmers. c. Changes in the performance of audit procedures including the use of CAAT's.

d. Cost-benefit ratio in installing on-line computer system. Answer: Letter D The following matters are of particular importance to the auditor in an online computer system: A, B, & D The need for auditor with technical skills in on-line computer systems. The effect of the on-line computer systems on the timing of audit procedures The lack of visible transactions trails. Procedures carried out during planning stage. Audit procedures performed concurrently with on-line processing; and Procedures performed after processing has taken place. (77) A collection of data that is shared and used by a number of different users for different purposes. a. Database b. Information file c. Master file d. Transaction file Answer: Letter A (78) Which of the following is least likely a characteristic of a database system? a. Individual applications share the date in the database for different purposes. b. Separate data files are maintained for each application and similar data used by several applications may be repeated on several different files. c. A software facility is required to keep track of the location of the data in the database. d. Coordination is usually performed by a group of individuals whose responsibility is typically referred to as "database administration." Answer: Letter B (79) Database administration tasks typically include I. Defining the database structure. II. Maintaining data integrity, security and completeness. III. Coordinating computer operations related to the database. IV. Monitoring system performance. V. Providing administrative support. a. All of the above c. II and V only b. All except I d. II, III and V only Answer: Letter A (80) As to data sharing, data independence and other characteristics of database systems a. General CIS controls normally have a greater influence than CIS application controls on database systems. b. CIS application controls normally have an equal influence with general CIS controls on database systems. c. General CIS controls normally have an equal influence with CIS application controls on database systems. d. CIS application controls normally have no influence on database systems. Answer: Letter A ( Due to data sharing, data independence and other characteristics of database systems, general computer information system (CIS) controls normally have a greater influence than CIS application controls on database systems. (81) Which statement is incorrect regarding the general CIS controls of particular importance in a database environment?

Since data are shared by many users, control may be enhanced when a standard approach is used for developing each new application program and for application program modification. b. Several data owners should be assigned responsibility for defining access and security rules, such as who can use the data (access) and what functions they can perform (security). c. User access to the database can be restricted through the use of passwords. d. Responsibilities for performing the various activities required to design, implement and operate a database are divided among technical, design, administrative and user personnel. Answer: Letter B Should be: A single data owners should be assigned responsibility for defining access and security rules, such as who can use the data (access) and what functions they can perform (security). (82) These require a database administrator to assign security attributes to data that cannot be changed by database users. a. Discretionary access controls c. Name-dependent restrictions b. Mandatory access controls d. Content-dependent restrictions Answer: Letter B Discretionary access controls allow users to specify who can access data they own and what action privileges they have with respect to that data. Name-dependent restrictions: users either have access to a named data resource or they do not have access to the resource. Content-dependent restrictions: user are permitted or denied access to a data resource depending on its contents. (83) A discretionary access control wherein users are permitted or denied access to data resource depending on the time series of accesses to and actions they have undertaken on data resources. a. Name-dependent restrictions c. Context-dependent restrictions b. Content-dependent restrictions d. History-dependent restrictions Answer: Letter D Context-dependent restrictions: users are permitted or denied access to data resource depending on the context in which they are seeking access. (84) The effect of a database system on the accounting system and the associated risks will least likely depend on: a. The extent to which databases are being used by accounting applications. b. The type and significance of financial transactions being processed. c. The nature of the database, the DBMS, the database administration tasks and the applications. d. The CIS application controls. Answer: Letter D Also include in the effect of Database on the accounting system and associated risks: The general controls which are particularly important in a database environment. (85) Audit procedures in a database environment will be affected principally by a. The extent to which the data in the database are used by the accounting system. b. The type and significance of financial transactions being processed.

a.

10

The nature of the database, the DBMS, the database administration tasks and the applications. d. The general CIS controls which are particularly important in a database environment. Answer: Letter A (86) Where auditor decides to perform compliance or substantive test related to the database, audit procedures may include using the function of the DBMS to, except a) Provide an audit trail b) Check the integrity of the data base c) Generate test data d) Obtain all information for the audit Answer: Letter D) Where auditor decides to perform compliance or substantive test related to the database, audit procedures may include using the function of the DBMS to: A, B, & C Provide access to the database or a copy of relevant parts of the database for the purpose of using audit software Obtain information necessary for the audit (51) The BSP and bank external auditor roles are being perceived as: a) The same b) Parallel c) Complementary d) Different Answer: Letter C In many respects, the BSP and external auditors face similar challenges and, increasingly, their roles are being perceived as complementary . (52) The roles and responsibilities of a banks board of director and management, the banks external auditors, and the BSP derive from: a) Law, custom and, for external auditors, professional practice. b) Law, custom and professional practice c) Law, and custom d) Law Answer: Letter A The roles and responsibilities of a banks board of director and management, the banks external auditors, and the BSP derive from law, custom and, for external auditors, professional practice. (53) The primarily responsible for the corporate governance of the bank. a) Bank audit committee and management b) Management and board of directors c) Board of directors d) BSP and banks external auditors Answer: Letter C The primary responsibility for the conduct of the business of a bank is vested in the board of directors and the management appointed by it. The board of directors is primarily responsible for the corporate governance of the bank. (54) Which of the statement is incorrect regarding the role of the banks external auditor? a) The objective of an audit of a banks financial statements by an external auditor is to enable an independent auditor to express an opinion as to whether the banks financial statements are prepared, in all material respect, in accordance with generally accepted accounting principles in the Philippines. b) The external auditors report is appropriately addressed as required by the circumstances of the engagement, ordinarily to either the shareholders or audit committee.

c.

11

c) The auditor design audit procedures to reduce to an acceptably low level the risk of giving inappropriate audit opinion when the financial statements are materially misstated. d) The auditor consider how the financial statements might be materially misstated and considers whether fraud risk factors are present that indicate the possibility of fraudulent financial reporting misappropriation of assets. Answer: Letter B Should be: The external auditors report is appropriately addressed as required by the circumstances of the engagement, ordinarily to either the shareholders or board of directors. (55) The external auditor is required to report to the BSP the following, except: a) Any material finding during the audit involving fraud or dishonesty which will reduce capital funds by at least one percent (1%). b) Adjustment or potential losses amounting to at lest one percent (1%) of capital funds of the bank. c) Any findings to the effect that the total bank assets, on a going concern basis, are no longer adequate to cover the total claims of creditors. d) Any of the above situations are required to be reported by the external auditor to the BSP. Answer: Letter D (56) Banks have the following characteristics that generally distinguish them from most other commercial enterprises. Which statement is incorrect? a) The banks operate with very high leverage. b) The banks asset can rapidly change in value and whose value is often difficult to determine. c) The banks ordinarily have no fiduciary duties in respect of the assets they hold that belong to other persons. d) The banks are an integral part of, or are linked to, national and international settlement systems and consequently could pose systematic risk to the countries in which they operate. Answer: Letter C ( Should be: The banks have fiduciary duties in respect of the assets they hold that belong to other persons. (57) In obtaining knowledge of the banks business requires the auditor to understand the following, except: a) The banks corporate governance structure. b) The economic and regulatory environment in which the bank operates. c) The market conditions existing in each of the significant sectors in which the bank operates. d) The inherent and control risk of the bank. Answer: Letter D In obtaining knowledge of the banks business requires the auditor to understand the following: The banks corporate governance structure. The economic and regulatory environment in which the bank operates. The market conditions existing in each of the significant sectors in which the bank operates. (58) Fiduciary risk is: a) Bank of foreign customers and counterparties having to settle their obligations because of economic, political and social factors of the counterpartys home country and external to the customer or counterparty. b) The risk that a customer or counterparty will not settle an obligation for full value, either when due or at any time thereafter.

12

c) The risk of loss from future movements in the exchange rates applicable to foreign currency assets, liabilities, rights and obligations. d) The risk of loss arising from factors such as failure to maintain safe custody or negligence in the management of assets on behalf of other parties. Answer: Letter D (A Country risk, B Credit risk, C Currency risk) (59) Modeling risk is: a) The risk associated with the imperfections and subjectivity of valuation models used to determine the values of assets or liabilities. b) The risk of loss arising from changes in the banks ability to sell or dispose of an asset. c) The risk that a movement in interest rates would have adverse effect on the value of assets and liabilities or would affect interest cash flow. d) The risk that contracts are documented incorrectly or are not legally enforceable in the relevant jurisdiction in which the contracts are to be enforced or where the counterparties operate. Answer: Letter A (B Liquidity risk, C Interest rate risk, D Legal and documentary risk) (60) Replacement risk is: a) The risk of direct or indirect loss resulting form inadequate or failed internal process, people, and systems or from external events. b) The risk of loss arising from failure to comply with regulatory or legal requirements in the relevant jurisdiction in which the bank operates. c) The risk of failure of a customer or counterparty to perform the terms of a contract. d) The risk of loss from adverse changes in market prices, including interest rate, foreign exchange rates, equity and commodity process and from movements in the market process of investments. Answer: Letter C sometimes-called performance risk (A Operational risk, B Regulatory risk, D Price risk) (61) Transfer risk is: a) The risk of loss arising from the possibility of the bank not having sufficient funds to meet its obligations, or from the banks inability to access capital markets to raise required funds. b) The risk of loss arising when counterpartys obligation is not dominated in the counterpartys home currency. c) The risk that one side of a transaction will be settles without value being received from the customer or counterparty. d) The risk of losing business because of negative public opinion and consequential damage to the banks reputation. Answer: Letter B (A Solvency risk, C Settlement risk, D Reputational risk) (62) It is ordinarily referred to the process of clearing transactions may cause a significant build-up of receivables and payables during a day, most of which are settled by the end of the day. a) Inter-pay payment risk b) Intra-pay payment risk c) Counter-pay payment risk d) Payment risk Answer: Letter B (63) RAP means: a) BSP Regulatory Accounting of the Philippines for Banks b) BSP Regulatory Assurance Policy for Banks c) BSP Regulatory Accounting Principles for Banks d) BSP Regulatory Auditing Procedures for Banks Answer: Letter C - BSP Regulatory Accounting Principles for Banks

13

(64) It exists when a computer of any type or size is involved in the processing by the entity of financial information of significance to the audit, whether that computer is operated by the entity or by a third party refers to: a) Computer information system b) Computer information system environment c) Computer environment d) Computer-assisted audit techniques Answer: Letter B (definition, see glossary of terms) (65) The use of computer may result in the design of systems that provide less visible evidence that those using manual procedures. In addition, these systems may be accessible by the larger number of persons. Systems characteristics that may results from the nature of CIS processing include are, choose incorrect statement: a) Absence of input documents. b) Lack of visible transaction trail. c) Lack of visible output. d) Vulnerability of data and program storage media Answer: Letter D ( Systems characteristics that may results from the nature of CIS processing include: A, B, & C Ease access to data and computer program. (66) The development of CIS will generally results in design and procedural characteristics that are different for those found in manual systems. These different design and procedural aspects of CIS include, except: a) Consistency of performance. b) Programmed controls procedures. c) Single transactions update of multiple or data base computer files. d) Changes to application systems Answer Letter D These different design and procedural aspects of CIS include: A, B, & C Systems generated transactions Vulnerability of data and programs storage media (67) The purpose of general CIS controls is to establish a framework of overall control over the CIS activities and to provide a reasonable level of assurance that the overall objectives of internal control are achieved. General CIS controls may include, except: a) Organizations and management controls. b) Application systems development and maintenance controls. c) Acquisition of application systems for third parties. d) Computer operations control Answer: Letter C General CIS controls may include: A, B & D Systems software controls Data entry and program control (68) Application systems development and maintenance control is: a) Designed to establish an organizational framework over CIS activities. b) Designed to provide reasonable assurance that systems are developed and maintained in an authorized and efficient manner. c) Designed to control the operation of the systems and provide reasonable assurance. d) Designed to provide reasonable assurance that systems software is acquire or developed in an authorized and efficient manner. Answer: Letter B

14

A Organization and management controls C Computer operation control D Systems software controls (69) These are typically designed to establish control over application systems development and maintenance, except. a) Testing, conversion, implementation and documentation of new or revised systems b) Changes to application systems c) Access to systems documentations d) Policies and procedures relating to control functions. Answer: Letter D Typically designed to establish control over application systems development and maintenance: A, B & C Acquisition of application systems for third parties. (70) The following are the other CIS safeguards that contribute to the continuity of CIS processing, except: a) Offsite back- up of data and computer programs. b) Recovery procedures for use in the event of theft, loss or intentional or accidental destruction. c) Provision for offsite processing in the event of disaster. d) Documentation of the program in the case the programmer resigned. Answer: D (71) The purpose of CIS application controls is to establish specific control procedures over the accounting applications in order to provide reasonable assurance that all transactions are authorized and recorded, and are processed completely, accurately, and on a timely basis. CIS application controls include: except: a) Controls over input. b) Controls over processing and computer data files. c) Control over output. d) Manual controls exercised by the user. Answer: Letter D CIS application controls include: Controls over input. Controls over processing and computer data files. Control over output. (72) Control over input are designed to provide reasonable assurance least likely include: a) Transactions are properly authorized before being processed by the computer. b) Transactions are accurately converted into machine-readable form and recorded in the computer files. c) Transaction are not lost, added, duplicated or improperly changed. d) Results of processing are accurate. Answer: Letter D Control over input are designed to provide reasonable assurance that: A, B, & C Incorrect transactions are rejected, corrected and, if necessary, resubmitted on a timely basis. (73) Controls over processing and computer data files are designed to provide reasonable assurance least likely include: a) Transactions, including system-generated transactions are properly processed by the computer. b) Transactions are not lost, added, duplicated or improperly changed. c) Access to output is restricted to authorized personnel. d) Processing errors are identified and corrected on a timely basis.

15

Answer: Letter C Controls over processing and computer data files are designed to provide reasonable assurance that: Transactions, including system-generated transactions are properly processed by the computer. Transactions are not lost, added, duplicated or improperly changed. Processing errors are identified and corrected on a timely basis. (74) Controls over output are designed to provide reasonable assurance least likely include: a) Results of processing are accurate. b) Access to output is restricted to authorized personnel. c) Processing errors are identified and corrected on a timely basis. d) Output is provided to appropriate authorized personnel on a timely basis. Answer: Letter C Controls over output are designed to provide reasonable assurance that: Results of processing are accurate. Access to output is restricted to authorized personnel. Output is provided to appropriate authorized personnel on a timely basis. (75) The applications of auditing procedures using the computer as an audit tool refer to (a) Integrated Test Facility (c) Auditing through the computer (b) Data-based management system (d) Computer assisted auditing techniques Answer: Letter D (definition, see Glossary of terms) (76) Which statement is incorrect regarding CAATs? a. CAATs are often an efficient means of testing a large number of transactions or controls over large populations. b. To ensure appropriate control procedures, the presence of the auditor is not necessarily required at the computer facility during the running of a CAAT. c. The general principles outlined in PAPS 1009 apply in small entity IT environments. d. Where smaller volumes of data are processed, the use of CAATs is more cost effective. Answer: Letter D Should be: Where smaller volumes of data are processed, the use of manual methods may be more cost effective. (77) Consists of generalized computer programs designed to perform common audit tasks or standardized data processing functions. a. Package or generalized audit software b. Customized or purpose written programs c. Utility programs d. System management programs Answer: Letter A Customized or purpose-written programs perform audit tasks in specific circumstances, where packages audit software is deemed insuitable usually because system constrains make it difficult or impossible to use. Utility programs are of the operating systems and security software packages that are provided by computer manufacturers and software vendors and used by an entity to perform common data processing functions. Systems management program are enhanced productivity tools that are typically part of a sophisticated operating systems environment. (78) The use of generalized audit software package

16

Relieves an auditor of the typical tasks of investigating exceptions, verifying sources of information, and evaluating reports. b. Is a major aid in retrieving information from computerized files c. Overcomes the need for auditor to learn much about computers. d. Is a form of auditing around the computer Answer: Letter A Package or generalized audit software - consists of generalized computer programs designed to perform common audit tasks or standardized data processing functions, such as reading data, selecting and analyzing information, summarizing and totaling files, performing or verifying calculations, creating data files, providing totals, and unusual items, and reporting in a format specified by the auditor. (79) Auditors often make use of computer programs that perform routine processing functions such as sorting and merging. These programs are made available by electronic data processing companies and others that are specifically referred to as a. Compiler programs b. Supervisory programs c. Utility programs d. User programs Answer: Letter C Utility programs - are of the operating systems and security software packages that are provided by computer manufacturers and software vendors and used by an entity to perform common data processing functions, such as sorting, copying creating, merging, erasing, and printing files. (80) Which of the following computer-assisted auditing techniques allows fictitious and real transactions to be processed together without the client operating personnel being aware of the testing process. a. Integrated test facility. b. Input control matrix. c. Parallel simulation. d. Data entry monitor. Answer: Letter A Test transactions used in an integrated test facility where a dummy unit (for example, a fictitious department or employee) is established, and to which test transaction are posted during the normal processing cycle. (81) Audit automation least likely include a. Expert systems b. Tools to evaluate a client's risk management procedures. c. Manual working papers. d. Corporate and financial modeling programs for use as predictive audit tests. Answer: Letter C Should be: electronic working papers. (82) When planning an audit, the auditor may consider an appropriate combination of manual and computer assisted audit techniques. In determining whether to use CAATs, the factors to consider include, except: a. The IT knowledge, expertise and experience of the audit team. b. The availability of CAATs and suitable computer facilities and data. c. The practicability of manual tests. d. Effectiveness and efficiency Answer: Letter C

a.

17

In determining whether to use CAATs, the factors to consider include: A, B, & D The impracticability of manual tests. Timing (83) The working papers need to contain sufficient documentation to describe the CAAT application, such as audit evidence. Audit evidence least likely include: a. Output provided. b. Description of the audit work performed on the output. c. Recommendation to entity management. d. Audit conclusion Answer: Letter C ( Recommendation to entity management is incidental to services performed to the client, thus, is it not included in the audit evidence. (84) The following statements are the special consideration relating to small entity IT environment. Which statement is incorrect? a. The level of general control may be such that the auditor will place less reliance on the system of internal control. b. Where smaller volumes of data are processed, the use of CAATs is more cost effective. c. A small entity may not be able to provide adequate technical assistance to the auditor, making the use of CAATs impracticable. d. Certain audit package or generalized audit software may not operate on small computers, thus restricting the auditors choice CAATs. Answer: Letter B Should be: Where smaller volumes of data are processed, the use of manual methods may be more cost effective. (85) It refers to the worldwide network of computer networks, it is shares public network that enables communications with other entities and individuals around the world. a) Local area network b) Metropolitan area network c) Internet d) Networking Answer: Letter C (86) There are many matters that may be relevant to the auditors when considering the entitys e-commerce strategy in the context of the auditors understanding of the control environment, include (choose incorrect statement): a) Whether e-commerce supports new activity for the entity. b) Management evaluation of how e-commerce affects the business operations but not on the earnings of the entity and its financial requirements. c) Managements attitude to risk and how this may affect the risk profile of the entity. d) Managements commitment to relevant codes of best practice or web deal programs. Answer: Letter B Matters that may be relevant to the auditors when considering the entitys e-commerce strategy in the context of the auditors understanding of the control environment, include A, C, & D Involvement of those charged with governance in considering the alignment of e-commerce activities with the entitys overall business strategy. Sources of revenue for the entity and how these are changing.

18

 Management evaluation of how e-commerce affects the earnings of the entity and its financial requirements. The extent to which management has identified e-commerce opportunities and risk in a documented strategy that is supported by appropriate controls. (87) Management faces many business risks relating to the entitys e-commerce activities. The least likely included in business risks related to entitys e-commerce is: a) Loss of transaction integrity b) Loss of information privacy c) Improper accounting policy d) Difficulty in verifying customers and supplier identity. Answer: Letter D Management faces many business risks relating to the entitys ecommerce activities, including: A, B & C Pervasive e-commerce security risks Systems availability risk Noncompliance with taxation and other legal and regulatory requirements Failure to ensure that contract evidenced only by electronic means are binding, and Over reliance on e-commerce when placing significant business systems or other business transactions on the internet (88) It refers to the way various IT systems are integrated with one another and thus operate, in effect, as one system. a) Internet b) Systems processes c) Process alignment d) Programs Answer: Letter C

19