Mod H

Module H
Auditing in a Computerized Environment
True / False Questions

1. In auditing around the computer, audit teams reconcile source
documents (input) to processing results.
True
False
2. In simple batch processing systems, it is not possible to use the

technique of auditing around the computer.
True
False
3. The basic concept of test data is that once a computer is programmed

to handle transactions in a certain way, every transaction will be
handled in the same way.
True
False
4. When using parallel simulation, audit teams prepare a computer

program to duplicate the logic and computer controls in the client's
computer program.
True
False
5. Input controls are one of the major categories of general controls.

True
False
6. A program description should contain a program flowchart, a list of the

program source code, and a record of all program changes.
True
False
2013 by McGraw-Hill Education. This is proprietary material solely for authorized instructor use. Not authorized for sale or distribution in
any manner. This document may not be copied, scanned, duplicated, forwarded, distributed, or posted on a website, in whole or part.
7. Computer librarians are primarily responsible for operating the

computer for each application system.
True
False
8. In an integrated test facility, simulated transactions are processed

through the client's computerized processing system along with the
client's actual transactions.
True
False
9. An important hardware control incorporated within computer

equipment is a parity check.
True
False
10 Computer operators should have complete access to programs and

. application documentation.
True
False
11 If an entity's general controls are ineffective, audit teams would likely

. gain additional assurance by increasing tests of their automated
application controls.
True
False
12 The method of auditing around the computer treats the computer

. system as a black box.
True
False
13 An embedded audit module creates simulated data to be processed by

. the client's computerized processing system.
True
False
14 The major phases in the audit team's study of internal control are the
. same in a computerized processing environment as those in a manual
processing environment.
True
False
15 The audit team may use internal auditors to develop and run computer. assisted auditing techniques under supervision and review of the audit
team.
True
False
16 One major difference in a computerized processing environment

. compared to a manual processing environment is the existence of
systematic rather than random errors.
True
False
17 Header and trailer labels are examples of external labels.

.
True False
18 The most important preventive controls for computer fraud are those
. that limit access to computers.
True
False
19 When weaknesses exist that could lead to computer fraud, the best
. strategy is to have the client help audit teams plan and execute
technical procedures to study and evaluate the system.
True
False
20 The use of the systems development life cycle is an example of an

. access to programs and data control.
True
False
Multiple Choice Questions
21 Which of the following controls most likely would ensure that an

. organization can reconstruct its financial records?
A. Hardware controls are built into the computer by the computer

manufacturer.
B. Backup files are stored in a location separate from original copies.
C. Personnel who are independent of data input perform parallel
simulations.
D. System flowcharts provide accurate descriptions of computer
operations.
22 When audit teams test a computerized processing system, which of the
. following is true of the test data approach?
A. Several transactions of each type must be tested.

B. Test data are processed by the client's computer programs under the
audit team's control.
C. Test data must consist of all possible valid and invalid combinations.
D. The computer program used to process test data is different from the
program used throughout the year by the client.
23 In end-user computing environments, the processing control procedures
. would ordinarily not include
A.
B.
C.
D.
Transaction logs.
Control totals.
Comparing input to output.
Online editing and sight verification.
24 Which of the following is not an appropriate statement with regard to

. computer control activities?
A. The duties of application programming, computer operation, and

control of data files should be separated.
B. Computer operators should maintain control of all software
programs.
C. Specific passwords should be required to access online files.
D. Computer programmers should be periodically rotated across
different applications.
25 Which of the following ensures that the coding of data does not change
. when it is moved from one internal storage location to another?
A.
B.
C.
D.
Preventive maintenance.
Echo check.
Internal label.
Parity check.
26 An audit team's approach to evaluating computerized processing

. systems that compares source documents to the computer output is
known as auditing
A.
B.
C.
D.
Around the computer.

Through the computer.
Without the computer.
With the computer.
27 The reprocessing of actual data using programs developed by the audit

. team to evaluate program controls is called
A.
B.
C.
D.
Test data.
Test deck.
Generalized audit software.
Parallel simulation.
28 Techniques needed to select specific transactions of audit interest for

. testing would not include
A.
B.
C.
D.
Embedded audit modules.

Monitoring system activity.
Snapshot.
Test data.
29 Computer operations controls are typically implemented for files and

. data used in processing. The major objectives of these controls include
each of the following except
A. Ensure that appropriate files are used in computerized processing.

B. Ensure restricted access to the computing environment.
C. Ensure that files are appropriately secured and protected from loss.
D. Ensure that files can be reconstructed from earlier versions of
information used in processing.
30 The audit team made a copy of the client's sales and billing program
. early in the audit. Several times during the audit, the team used this
copy of the program to process actual client data. The output of the
secured program was compared to that of the client's system. This
audit technique would be considered
A.
B.
C.
D.

Test data.
Tagging transactions.
31 Which of the following organizational positions would evaluate the

. existing system and design new computerized processing systems and
documentation?
A.
B.
C.
D.
Programmer.
Systems analyst.
Computer operator.
Data conversion operator.
32 The effectiveness of general controls is an important consideration for

. audit teams when assessing control risk on an audit. Which
management assertions are primarily affected by general controls?
A.
B.
C.
D.
Completeness and accuracy.

Occurrence and rights and obligations.
Accuracy and occurrence.
Completeness and occurrence.
33 The purpose of test data is to determine whether

.
A. The audit team's test data are consistent with the client's normal
transactions.
B. Controls operate as described in responses to internal control
questionnaire items and program flowcharts.
C. Every possible error is prevented or detected by the client's
computer controls.
D. All possible combinations of valid data are correctly processed.
34 Which of the following is an example of a computer operations control?
.
A.
B.
C.
D.
Control totals.
Balance of input to output.
File backup and retention.
Transaction logs.
35 Audit teams would least likely use computer-assisted audit techniques

. to
A.
Access client data files.
B.
Prepare spreadsheets.
C. Assess control risk related to computerized processing systems.
D. Construct and perform parallel simulations.
36 Which of the following methods allow fictitious and actual transactions

. to be processed together without client operating personnel being
aware of the testing process?
A.
B.
C.
D.
Integrated test facility.

Input controls matrix.
Data entry monitor.
37 Each of the following automated application controls is designed to

. ensure that the input of individual transactions and data is accurate
except
A.
B.
C.
D.
Check digits.
Valid sign tests.
Sequence tests.
Limit and reasonableness tests.
38 Audit teams would most likely introduce test data into a computerized
. payroll system to test internal controls related to the
A. Existence of unclaimed payroll checks held by supervisors.

B. Early cashing of payroll checks by employees.
C. Discovery of invalid employee identification numbers.
D. Proper approval of overtime by supervisors.
39 To obtain evidence that controls over access to computer programs are
. properly functioning, audit teams most likely would
A. Create checkpoints at periodic intervals after data processing to test

for unauthorized use of the system.
B. Examine the transaction log to discover whether any transactions
were lost or entered twice due to a system malfunction.
C. Enter invalid identification numbers or passwords to ascertain
whether the system rejects them.
D. Vouch a random sample of processed transactions to ensure proper
authorization.
40 Tests of controls in an advanced computerized processing system

.
A. Can be performed using only actual transactions because testing
simulated transactions does not provide relevant evidence.
B. Can be performed using actual transactions or simulated
transactions.
C. Is impractical because many procedures within the computerized
processing system leave no visible evidence of having been
performed.
D. Is inadvisable because it may distort the evidence in real-time
systems.
41 Which of the following is a general control that would most likely assist
. an organization whose systems analyst resigned during the
development of a major project?
A.
B.
C.
D.
Grandfather-father-son file retention.

Input and output validation routines.
Systems documentation.
Check digit verification.
42 Which of the following would most likely be a weakness in the internal

. control of a client that utilizes portable computing devices rather than a
large computer system?
A. Employee collusion possibilities are increased because portable

computing devices from one vendor can process the programs of a
system from different vendors.
B. Computer operators may be able to remove hardware and software
components and modify them at an off-site location.
C. Programming errors result in all similar transactions being processed
incorrectly because those transactions are processed under the same
conditions.
D. Certain transactions may be automatically initiated by the
computerized processing system and management's authorization of
these transactions may be implicit in its acceptance of the system
design.
43 When programs or files can be accessed from terminals, users should

. be required to enter a(n)
A.
B.
C.
D.
Parity check.
Personal identification code.
Self-diagnosis test.
Echo check.
44 Which of the following control procedures most likely could prevent

. computer personnel from modifying programs to bypass computer
controls?
A. Periodic management review of computer utilization reports and

systems documentation.
B. Separation of duties for computer programming and computer
operations.
C. Participation of user department personnel in designing and
approving new systems.
D. Physical security of computer facilities in limiting access to computer
equipment.
45 Which of the following is likely to be of least importance to audit teams
. when obtaining an understanding of the computer controls in an
organization with a computerized processing system?
A. Separation of duties within the computer function.

B.
Controls over source documents.
C. Documentation maintained for accounting applications.
D. Relationship between costs and benefits of computer operations.
46 After obtaining a preliminary understanding of a client's computer

. controls, audit teams may decide not to perform tests of controls.
Which of the following would not be a valid reason for choosing to omit
tests of controls?
A. The client's computer controls duplicate manual controls existing

elsewhere in the system.
B. There appear to be major weaknesses that indicate a high level of
control risk.
C. The time and dollar costs of testing computer controls exceed the
time and dollar savings in substantive procedures.
D. The client's controls appear to function at an adequate level to justify
a low assessment of control risk.
47 When a real-time computerized processing system is in use, the
. computer controls can be strengthened by
A. Providing for the separation of duties between data input and error
listing operations.
B. Using a systems development life cycle for authorization, user
involvement, and testing of program modifications.
C. Preparing batch totals to provide assurance that file updates are
made for the entire group of transactions.
D. Performing a validity check of an identification number before a user
can obtain access to the computer files.
48 Which of the following statements best describes the impact on an
. audit when a client uses computerized processing of transactions?
A. The objective of the audit examination focuses on detection of fraud

and theft through the computer.
B. The type of substantive procedures performed by the audit team
change because of the use of computerized processing.
C. The effectiveness of computer controls implemented by the client
over its computerized processing may need to be evaluated by audit
teams.
D. Different independence standards are introduced for audit teams
when clients utilize computerized processing.
49 Computer controls that are pervasive and apply to all applications of a

. computerized processing system are referred to as
A.
B.
C.
D.
Computer controls.
Environment controls.
Automated application controls.
General controls.
50 Which of the following is not an example of a general control?

.
A. The organization's use of the systems development life cycle when
implementing or modifying computerized processing systems.
B. The organization's use of check digits to ensure accurate input of
transaction data.
C. Periodic and preventative maintenance performed on the computer
and related equipment.
D. The existence of appropriate separation of duties within the
computer department.
51 Computer controls that provide reasonable assurance that data are not
. altered or modified as they are transmitted through the system are
referred to as
A.
B.
C.
D.
General controls.
Hardware controls.
Input controls.
Transmission controls.
52 Which of the following is not a control included as part of the systems

. development life cycle?
A. Ensuring that all software acquisition and program development

efforts are consistent with the organization's needs and objectives.
B. Testing and validating new programs and developing proper
implementation plans.
C. Requiring that all programming efforts take place under the control
of the requesting user department.
D. Ensuring that data are converted completely and accurately for use
in the new systems.
53 Why is it important that the organization establish systems
. development and documentation standards?
A. These standards enable the organization to understand the

programming logic underlying recently developed programs.
B. These standards ensure that the program controls and
documentation included in recently developed programs is adequate.
C. The absence of these standards would constitute a material
weakness in internal control.
D. These standards ensure the appropriate separation of duties of
computer personnel.
54 Which of the following categories of general controls includes retention
. and recovery techniques for data and related programs?
A.
B.
C.
D.
Access to programs and data.

Computer operations.
Data file controls.
Hardware controls.
55 Which of the following computer controls would provide the best

. evidence that unauthorized users are not accessing specific computer
programs and files?
A. Using passwords requiring access to those programs and files.

B. Periodically reviewing and confirming access rights for the
organization's users.
C. Monitoring actual user activity through a program log and comparing
that activity to authorized levels.
D. Ensuring that access to programs and files is removed for recently
terminated employees.
56 Which of the following error conditions would not be detected through
. the use of batch totals?
A. A transposition of numbers in a numeric field.

B. Entry of an unauthorized transaction supported by documentary
evidence.
C. Failure to enter a valid transaction through input error.
D. Erroneously entering the same transaction twice.
57 Which of the following input controls would be least likely to identify the
. failure of an employee to input a transaction for which documentary
evidence has been prepared?
A.
B.
C.
D.
Batch totals.
Hash totals.
Missing data tests.
Sequence tests.
58 Auditing through the computer

.
A. Is a required approach under generally accepted auditing standards.
B. Requires the audit team to evaluate the operating effectiveness of
important computer controls.
C. Is normally utilized when the client has not implemented significant
computer controls.
D. Focuses on reconciling the input data to the results generated by the
client's computerized processing system.
59 Which of the following is not true with respect to the test data approach
. for evaluating computer controls?
A. The test data are created for a separate entity and are run
simultaneously with the client's actual data.
B. Only one of each type of error transaction needs to be included in the
test data.
C. The manual results of processing the test data are compared to the
results of processing these data through the client's computerized
processing system.
D. Audit teams consider potential errors and conditions of interest in
generating the test data.
60 As part of assessing the risk of material misstatement, the audit team
. must assess the control risk in the computerized processing system(s).
Initially, the audit team must identify the overall processing scope of
the system(s), which would include each of the following considerations
except
A. The types of transactions that are processed through the system(s).

B. The specific control procedures that have been implemented by the
client to prevent or detect misstatements that could occur based on
the audit team's analysis.
C. The programs and files that are accessed by the system(s) in
processing transactions.
D. The type of output that is created as a result of processing
transactions through the system(s).
61 Which of the following input controls would not be effective in

. identifying the erroneous input of numeric fields in a transaction?
A.
B.
C.
D.
Batch totals.
Hash totals.
Check digits.
Record counts.
62 In a computerized processing system, hardware controls are designed

. to
A. Arrange data in a logical sequential manner for processing purposes.

B. Correct errors in the computer programs.
C. Monitor and detect errors in source documents.
D. Detect and control errors arising from use of equipment.
63 An example of a program in which the audit team would be most
. interested in testing automated application controls is a(n)
A.
B.
C.
D.
Payroll processing program.

Operating system program.
Data management system software.
Utility program.
64 Which of the following would reduce the effectiveness of internal

. control in a computerized processing system?
A. The computer librarian maintains custody of computer program

instructions and detailed lists.
B. Computer operators have access to operator instructions and
detailed program lists.
C. The control group is solely responsible for the distribution of all
computer output.
D. Computer programmers write and debug programs that perform
routines designed by the systems analyst.
65 Which of the following is true with respect to fraud risk factors in a

. computerized environment?
A. Employees in a computerized environment are highly skilled.

B. Audit teams cannot evaluate the computerized processing system
during the year.
C. Higher dollar amounts are involved in a computerized environment.
D. Employees have increased access to processing systems and
computer resources in a computerized environment.
66 Controls used in the management of a computer center to minimize the
. possibility of using an incorrect file or program are
A.
B.
C.
D.
Control totals.
Record counts.
Limit checks.
External labels.
67 Audit teams would most likely use computer-assisted audit techniques

. to
A. Make copies of client data files for controlled reprocessing.

B. Construct a parallel simulation to test the client's computer controls.
C. Perform tests of a client's hardware controls.
D. Test the operative effectiveness of a client's password access
control.
68 Which of the following computerized processing systems generally can

. be audited without examining or directly testing the computer
programs of the system?
A. A system that performs relatively uncomplicated processes and

produces detailed output.
B. A system that affects a number of master files and produces a
limited output.
C. A system that updates a few master files and produces no other
printed output than final balances.
D. A system that performs relatively complicated processing and
produces very little detailed output.
69 The client's computerized exception reporting system helps audit teams
. conduct a more efficient audit because it
A.
Condenses data significantly.
B.
Highlights abnormal conditions.
C. Decreases the necessary level of tests of computer controls.
D.
Is an efficient computer input control.
70 Audit teams use the test data method to gain certain assurances with
. respect to
A.
Input data.
B.
Machine capacity.
C. Control procedures contained within the program.
D.
General controls.
71 When using test data, why are audit teams required to prepare only one
. transaction to test each computer processing alternative?
A. The speed and efficiency of the computer results in reduced sample

sizes.
B. The risk of misstatement is typically lower in a computerized
C. Audit teams generally perform more extensive substantive testing in
a computerized processing environment, resulting in less need to
test processing controls.
D. In a computerized processing environment, each transaction is
handled in an identical manner.
72 When auditing a computerized processing system, which of the
. following is not true of the test data approach?
A. The client's computer programs process test data under the audit
team's control.
B. The test data must consist of all possible valid and invalid conditions.
C. The test data need consist only of those valid and invalid conditions
in which audit teams are interested.
D. Only one transaction of each type need be tested.
73 Audit teams cannot test the reliable operation of computer control
. procedures by
A. Submitting test data at several different times for processing on the

computer program the client uses for actual transaction processing.
B. Manually comparing detailed transactions that the internal auditors
used to test a program to the program's actual error messages.
C. Programming a model transaction processing system and processing
actual client transactions for comparison to the output produced by
the client's program.
D. Manually reperforming actual transaction processing with
comparison of results to the actual system output.
74 Audit teams can obtain evidence of the proper functioning of password

. access control to a computerized processing system by
A. Writing a computer program that simulates the logic of a good

password control system.
B. Selecting a random sample of the client's completed transactions to
check the existence of proper authorization.
C. Attempting to sign on to the computerized processing system with a
false password.
D. Obtaining representations from the client's computer personnel that
the password control prevents unauthorized entry.
75 When processing controls within the computerized processing system
. may not leave visible evidence that could be inspected by audit teams,
the teams should:
A.
Make corroborative inquiries.
B. Observe the separation of duties of personnel.
C. Review transactions submitted for processing and comparing them to
related output.
D.
Review the run manual.
76 Which of the following statements most likely represents a control
. consideration for an entity that performs its accounting using portable
computing devices?
A. It is usually difficult to detect arithmetic errors.

B. Unauthorized persons find it easy to access the computer and alter
the data files.
C. Transactions are coded for account classifications before they are
processed on the computer.
D. Random errors in report printing are rare in packaged software
systems.
77 Computerized processing performed concurrently with a particular

. activity so that results are available to influence a decision being made
is referred to as
A.
B.
C.
D.
Batch processing.
Real-time processing.
Integrated data processing.
Random access processing.
78 Which of the following is not a characteristic of a batch processing

. system?
A. The collection of similar transactions that are sorted and processed

sequentially against a master file.
B. The input of transactions prior to processing.
C.
The production of numerous printouts.
D. The posting of a transaction as it occurs to several files without
intermediate printouts.
79 A customer intended to order 100 units of product Z96014 but
. incorrectly ordered product Z96015, which is not an actual product.
Which of the following controls most likely would detect this error?
A.
B.
C.
D.

Record count.
Hash total.
Redundant data check.
80 Which of the following automated application controls would offer

. reasonable assurance that inventory data were completely and
accurately entered?
A.
B.
C.
D.
Sequence checking.
Batch totals.
Limit tests.
Check digits.
81 Which of the following persons is responsible for controlling access to

. systems documentation and access to program and data files?
A.
B.
C.
D.
Programmers.
Data conversion operators.
Librarians.
Computer operators.
82 The evaluation of computer controls with simulated data processed

. through the client's computer programs is referred to as
A.
B.
C.
D.
Test data.
Database.
83 Audit teams can use the computer to test the operating effectiveness of
. the client's controls in each of the following cases except to
A. Select transactions and manually audit the actual transaction

processing.
B. Evaluate the computer controls using simulated data.
C. Compare external documentation with internal documentation.
D. Evaluate the computer controls using actual data processed through
the client's computer programs.
84 Which of the following is not a category of general controls?
.
A.
B.
C.
D.
Access to programs and data controls.

Computer operations controls.
Processing controls.
Program change controls.
85 To test the operating effectiveness of computer controls, audit teams

. can use each of the following methods except
A. Creating a "dummy entity" and processing simulated transactions

along with actual transactions.
B. Creating fictitious transactions for processing through the client's
computer programs separately from actual client transactions.
C. Processing actual client transactions through an auditor-created
program.
D. Observing the separation of duties of client personnel.
86 The tools and techniques applicable to auditing in a computerized
. environment should not include those that
A. Operate on a real-time basis with actual data.

B.
Use simulated or dummy data.
C.
Audit around the computer.
D.
Use program analysis techniques.
87 The technique of creating a minicompany with fictitious master file
. records to process simulated data simultaneously with actual client
data is referred to as a(n)
A.
B.
C.
D.
Sample audit review file.

Systems control audit review file.
Program analysis software.
88 Which of the following is not an example of a computer control related

. to file retention and security?
A.
Echo check.
B.
Storage in fireproof vaults.
C. Backup versions of files stored in remote locations.
D.
Grandfather-father-son concept.
89 Which of the following is not a major difference between a manual

. processing environment and a computerized processing environment?
A. A computerized processing environment requires data to be

converted into electronic format, which introduces the possibility of
input errors.
B. A computerized processing environment has an increased level of
human involvement.
C. Random errors are more likely in a manual processing environment
than a computerized processing environment.
D. A hard copy "audit trail" is less likely to exist in a computerized
processing environment than a manual processing environment.
90 A numerical field appended to an identification number that serves as
. an input control is a(n)
A.
B.
C.
D.
Batch total.
Hash total.
Check digit.
Valid character test.
91 The major disadvantage of an integrated test facility is that

.
A. Data processed through the client's system must be "backed out"
very carefully.
B. The cost of setting up the facility adds to overhead of the system.
C. Audit teams need extensive knowledge of computer programming.
D. It is a costly use of computer resources.
Fill in the Blank Questions
92 Auditing _________________________________________________ refers to the

. actual evaluation of the hardware and programs to determine the
reliability of computer operations and test the operating effectiveness
of the related controls.
________________________________________
93 Auditing ________________________________________ consists of reconciling
. source documents with computer output.
________________________________________
94 ____________________________ techniques are special audit modules
. designed and coded into computer programs to allow audit teams to
evaluate various stages of transaction processing.
________________________________________
95 The method of testing computer controls that requires audit teams to
. prepare a computer program to process a client's actual data is referred
to as a(n) _________________________________.
________________________________________
96 ______________________________ compare the client's processing of
. simulated transactions to the audit team's manual processing of those
transactions.
________________________________________
97 Controls that involve all applications of computerized processing (such
. as hardware controls) are referred to as
______________________________________.
________________________________________
98 An important control over program development is the entity's use of
. the _____________________________________________ life cycle to plan,
develop, and implement new computerized systems.
________________________________________
99 __________________________________ controls are "built in" to the

. computer equipment and provide reasonable assurance that data are
not altered or modified as they are transmitted within the system.
________________________________________
100 Check digits, record counts, and sequence tests are examples of
.
_____________________________ controls.
________________________________________
101 Four methods that are used by audit teams to test the operating
.
effectiveness of controls include inquiry, observation, documentation
examination, and ______________________
________________________________________
102 Separation of incompatible functions is an example of a
.
___________________________________ control.
________________________________________
103 _____________________________ processing occurs when a group of
.
similar transactions is accumulated and processed simultaneously.
________________________________________
104 _____________________________ describes the system and its controls and
.
is the means of communicating the essential elements of the
computerized processing system to current and potential users.
________________________________________
105 Retaining previous generations of files for use in reconstructing current
.
generations of files is known as the
_________________________________________ technique.
________________________________________
106 _____________________________ prepare flowcharts and code the logic of

.
the computer programs required by the overall system designed by
the systems analyst.
________________________________________
107 ____________________________________ represent comparisons of the
.
number of transactions submitted for data conversion with the number
of transactions actually entered for processing.
________________________________________
108 _____________________________ and _____________________________ are
.
special internal labels on files that provide reasonable assurance that
the correct files are used in processing.
________________________________________
109 A(n) __________________________________________ involves testing the
.
client's processing system and controls by creating a dummy
department or branch.
________________________________________
110 _____________________________________ are arithmetic totals of fields that
.
do not have a significant meaning (such as employee numbers).
________________________________________
111 _____________________________ computing environments are often
.
characterized by inadequate separation of duties and lack of physical
computer security.
________________________________________
Short Answer Questions
112 Match each of the following categories of general controls (letters A-E)
.
to the description of a computer control (numbers 1-10). A category of
general controls can be used more than once.
A. Hardware controls
B. Program development controls
C. Program change controls
D. Computer operations controls
E. Access to programs and data controls
____ 1. Separating the duties of systems programmers, computer
operators, and data librarians.
____ 2. Conducting preventative maintenance on computer equipment.
____ 3. Requiring the use of passwords to access computer programs
and files.
____ 4. Using the systems development life cycle for testing and
validation of new programs.
____ 5. Requiring program modifications to be tested and implemented
by appropriate personnel.
____ 6. Maintaining backup copies of files at safe, remote locations.
____ 7. Involving users in the design of programs and selection of
prepackaged software.
____ 8. Relying on parity checks imbedded into computer equipment by
the computer manufacturer.
____ 9. Using external labels to identify files and programs.
____ 10. Ensuring that emergency requests are appropriately
documented and properly authorized.
113 Identify whether each of the following statements is appropriate for

.
auditing around the computer (A), auditing through the computer (T),
or auditing both around and through the computer (B).
____ 1. It is more likely to be utilized when the client's computerized
processing systems are relatively simple.
____ 2. The method is permitted under generally accepted auditing
standards.
____ 3. It requires audit teams to evaluate and test the operating
effectiveness of computer controls.

____ 4. It primarily concerns correspondence between input and
output.
____ 5. The use of test data and parallel simulation are examples of
this approach.
____ 6. It should be used with more complex computerized processing
systems.
____ 7. Audit teams can design error conditions to evaluate how these
conditions are processed.
____ 8. Audit teams are required to consider important computer
controls that have been implemented by the client over computerized
processing of transactions.
____ 9. It is more likely to be used when clients have not implemented
extensive computer controls.
____ 10. It can be used to provide audit teams with a basis for
assessing control risk.
114 Match each of the following general controls with the broad category
.
of controls in which it is included (each control will be related to only
one category).
115 Match each of the automated application controls with the error
.
condition(s) they are designed to prevent or detect (each control may
be designed to prevent or detect more than one error condition).
Essay Questions
116 What is the difference between the use of test data and parallel
.
simulation?
117 At a meeting of the corporate audit committee attended by the

.
general manager of the products division (A. Smith) and the internal
audit manager (P. Marks), the following dialogue took place between
Smith and R. Jones (chair of the corporate audit committee):
Jones: Ms. Marks has suggested that the internal audit department
conduct an examination of the computer activities of the products
division.
Smith: I don't know much about the technicalities of computers, but
the division has some of the best computer people in the company.
Jones: Do you know whether the internal controls we have
implemented are satisfactory?
Smith: I suppose they are. No one has complained. What's so
important about controls anyway, as long as the system works? I don't
even know what type of controls we should have for our system.
Jones: Ms. Marks, can you explain the objective of computer controls
and provide us some examples?
Required:
Address Ms. Marks' response to the following points:
a. State the principal objective of achieving control over (1) input, (2)
processing, and (3) output.
b. Provide examples of (1) input controls, (2) processing controls, and
(3) output controls.
Matching Questions
118 Match each of the following input controls (letters A-K) with the
.
description or type of error that might be detected by this control
(numbers 1-11). Each input control relates to only one description or
type of error.
1. Data fields have the

Limit and
appropriate positive or
reasonableness
negative sign
tests ____
2. Computer may
automatically generate and
authorize transactions
Record count ____
3. Data are inadvertently
Valid sign
input in an incorrect field
tests ____
4. The sum of a data field
has numerical significance
(such as the total number of
hours worked)
Batch totals ____
has no numerical
Error correction
significance (such as the
and resubmission
total of employee numbers)
procedures ____
6. Data conversion
personnel will not fail to
Authorization
enter data in a particular
and approval
field
controls ____
7. Data values exceed or fall
below some predetermined
limit
Check digit ____
appropriate numeric or
alphabetic characters
Hash totals ____
9. A numerical field is
appended to another
numerical field to ensure
Valid character
accurate input of data
tests ____
10. The number of payroll
transactions received for
processing is compared with
the number of transactions
entered into a transaction
Missing data
file
tests ____
11. Data entry personnel
are able to correct data
conversion errors in a timely
Data entry and
fashion
formatting ____
119 Match each of the following program-embedded techniques (letters A.

I) with a description of these techniques (numbers 1-9). Each
technique relates to only one description.
1. Identifying transactions at
input and obtaining a computer
trail of all processing steps
Extended
related to these transactions
records
2. Obtaining a record of
transactions and database
Program
elements prior to and following
analysis
computerized processing
techniques
3. Writing auditor-selected
transactions to a special file for
Tagging
later verification
transactions
4. Using software packages that
assist audit teams in
understanding the logic of an
application program and
following the flow of
Embedded
transactions and data through
audit
an application program
modules
5. Using hardware and software
to identify the individual who
accesses the system, the
applications and operations
accessed, and the time the
Parallel
were accessed
simulation
6. Processing simulated
transactions through the client's
system and comparing results to
predetermined results
Snapshot
7. Providing an audit trail of
transactions by accumulating
Integrated
the results of all processing
test facility
8. Processing actual
transactions through programs
designed by audit teams to
replicate the client's
system
Test data
Monitoring
transactions related to a
system
____
____
____
____
____
____
____
____
____
fictitious department or branch

created by the audit team
activity
Module H Auditing in a Computerized Environment Answer Key
True / False Questions

1.
In auditing around the computer, audit teams reconcile source

documents (input) to processing results.
TRUE
Reference: Question also found in study guide
AACSB: Analytic
AACSB: Technology
AICPA BB: Industry
AICPA BB: Leveraging Technology
AICPA FN: Decision Making
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: H-05 Identify how audit teams perform tests of controls in a computerized environment.
Topic: Testing Controls in a Computerized Environment
2.
In simple batch processing systems, it is not possible to use the

technique of auditing around the computer.
FALSE
AACSB: Analytic
AACSB: Technology
AICPA BB: Industry
Blooms: Understand
Learning Objective: H-02 Provide examples of general controls and understand how these controls relate to
transaction processing in a computerized processing system.
Topic: General Controls in a Computerized System
3.
The basic concept of test data is that once a computer is

programmed to handle transactions in a certain way, every
transaction will be handled in the same way.
TRUE
AACSB: Analytic
AACSB: Technology
AICPA BB: Industry
Blooms: Understand
Learning Objective: H-04 Describe how the audit team assesses control risk in a computerized environment.
Topic: Assessing Control Risk in a Computerized Environment
4.
When using parallel simulation, audit teams prepare a computer

program to duplicate the logic and computer controls in the client's
computer program.
TRUE
AACSB: Analytic
AACSB: Technology
AICPA BB: Industry
Blooms: Understand
5.
Input controls are one of the major categories of general controls.

FALSE
AACSB: Analytic
AACSB: Technology
AICPA BB: Industry

Blooms: Understand
Learning Objective: H-03 Provide examples of automated application controls and understand how these
controls relate to transaction processing in a computerized processing system.
Topic: Automated Application Controls in a Computerized System
6.
A program description should contain a program flowchart, a list of

the program source code, and a record of all program changes.
TRUE
AACSB: Analytic
AACSB: Technology
AICPA BB: Industry
Blooms: Understand
7.
Computer librarians are primarily responsible for operating the

computer for each application system.
FALSE
AACSB: Analytic
AACSB: Technology
AICPA BB: Industry
Blooms: Understand
8.
In an integrated test facility, simulated transactions are processed

through the client's computerized processing system along with the
client's actual transactions.
TRUE
AACSB: Analytic
AACSB: Technology
AICPA BB: Industry
Blooms: Understand
9.
An important hardware control incorporated within computer

equipment is a parity check.
TRUE
AACSB: Analytic
AACSB: Technology
AICPA BB: Industry
Blooms: Understand
10.
Computer operators should have complete access to programs and

application documentation.
FALSE
AACSB: Analytic
AACSB: Technology
AICPA BB: Industry
Blooms: Understand
11.
If an entity's general controls are ineffective, audit teams would likely

gain additional assurance by increasing tests of their automated
application controls.
FALSE
AACSB: Analytic
AACSB: Technology
AICPA BB: Industry
Blooms: Understand
12.
The method of auditing around the computer treats the computer

system as a black box.
TRUE
AACSB: Analytic
AACSB: Technology
AICPA BB: Industry
Blooms: Understand
13.
An embedded audit module creates simulated data to be processed

by the client's computerized processing system.
FALSE
AACSB: Analytic
AACSB: Technology
AICPA BB: Industry
Blooms: Understand
14.
The major phases in the audit team's study of internal control are the
same in a computerized processing environment as those in a
manual processing environment.
TRUE
AACSB: Analytic
AACSB: Technology
AICPA BB: Industry
Blooms: Understand
Topic: Assessing Control Risk in a Computerized Environment
15.
The audit team may use internal auditors to develop and run
computer-assisted auditing techniques under supervision and review
of the audit team.
TRUE
AACSB: Analytic
AACSB: Technology
AICPA BB: Industry
Blooms: Understand
16.
One major difference in a computerized processing environment

compared to a manual processing environment is the existence of
systematic rather than random errors.
TRUE
AACSB: Analytic
AACSB: Technology
AICPA BB: Industry
Blooms: Understand
Learning Objective: H-01 Identify how the use of a computerized processing system impacts the audit
examination.
Topic: Computerized Processing Systems
17.
Header and trailer labels are examples of external labels.

FALSE
AACSB: Analytic
AACSB: Technology
AICPA BB: Industry
Blooms: Understand
18.
The most important preventive controls for computer fraud are those
that limit access to computers.
TRUE
AACSB: Analytic
AACSB: Technology
AICPA BB: Industry
Blooms: Understand
Learning Objective: H-07 Define and describe computer fraud and the controls that can be used to prevent it.
Topic: Computer Abuse and Computer Fraud
19.
When weaknesses exist that could lead to computer fraud, the best
strategy is to have the client help audit teams plan and execute
technical procedures to study and evaluate the system.
FALSE
AACSB: Analytic
AACSB: Technology
AICPA BB: Industry
Blooms: Understand
Learning Objective: H-07 Define and describe computer fraud and the controls that can be used to prevent it.
Topic: Computer Abuse and Computer Fraud
20.
The use of the systems development life cycle is an example of an

access to programs and data control.
FALSE
AACSB: Analytic
AACSB: Technology
AICPA BB: Industry

Blooms: Understand
Multiple Choice Questions

21.
Which of the following controls most likely would ensure that an

organization can reconstruct its financial records?
A. Hardware controls are built into the computer by the computer

manufacturer.
B. Backup files are stored in a location separate from original copies.
C. Personnel who are independent of data input perform parallel
simulations.
D. System flowcharts provide accurate descriptions of computer
operations.
AACSB: Technology
Blooms: Apply
Difficulty: 3 Hard
Source: AICPA
Topic: Computer Operations Controls
22.
When audit teams test a computerized processing system, which of

the following is true of the test data approach?
A. Several transactions of each type must be tested.

B. Test data are processed by the client's computer programs under
the audit team's control.
C. Test data must consist of all possible valid and invalid
combinations.
D. The computer program used to process test data is different from
the program used throughout the year by the client.
AACSB: Technology
Blooms: Understand
Source: AICPA
Topic: Test Data
23.
In end-user computing environments, the processing control

procedures would ordinarily not include
A.
B.
C.
D.
Transaction logs.
Control totals.
Comparing input to output.
Online editing and sight verification.
AACSB: Technology
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: H-06 Describe the characteristics and control issues associated with end-user and other
computing environments.
Source: Original
Topic: Processing Controls
24.
Which of the following is not an appropriate statement with regard to

computer control activities?
A. The duties of application programming, computer operation, and

control of data files should be separated.
B. Computer operators should maintain control of all software
programs.
C. Specific passwords should be required to access online files.
D. Computer programmers should be periodically rotated across
different applications.
AACSB: Technology
Blooms: Understand
Source: Original
25.
Which of the following ensures that the coding of data does not
change when it is moved from one internal storage location to
another?
A.
B.
C.
D.
Preventive maintenance.
Echo check.
Internal label.
Parity check.
AACSB: Technology
Blooms: Remember
Difficulty: 1 Easy
Source: Original
Topic: Hardware Controls
26.
An audit team's approach to evaluating computerized processing

systems that compares source documents to the computer output is
known as auditing
A.
B.
C.
D.
Around the computer.

Through the computer.
Without the computer.
With the computer.
AACSB: Technology
Blooms: Remember
Difficulty: 1 Easy
Source: Original
Topic: Approaches to Auditing
27.
The reprocessing of actual data using programs developed by the

audit team to evaluate program controls is called
A.
B.
C.
D.
Test data.
Test deck.
AACSB: Technology
Blooms: Remember
Difficulty: 1 Easy
Source: Original
Topic: Parallel Simulation
28.
Techniques needed to select specific transactions of audit interest for

testing would not include
A.
B.
C.
D.
Embedded audit modules.

Monitoring system activity.
Snapshot.
Test data.
AACSB: Technology
Blooms: Remember
Difficulty: 1 Easy
Source: Original
29.
Computer operations controls are typically implemented for files and

data used in processing. The major objectives of these controls
include each of the following except
A. Ensure that appropriate files are used in computerized processing.

B. Ensure restricted access to the computing environment.
C. Ensure that files are appropriately secured and protected from
loss.
D. Ensure that files can be reconstructed from earlier versions of
information used in processing.
AACSB: Technology
Blooms: Understand
Source: Original
30.
The audit team made a copy of the client's sales and billing program
early in the audit. Several times during the audit, the team used this
copy of the program to process actual client data. The output of the
secured program was compared to that of the client's system. This
audit technique would be considered
A.
B.
C.
D.

Test data.
Tagging transactions.
AACSB: Technology
Blooms: Understand
Source: Original
31.
Which of the following organizational positions would evaluate the

existing system and design new computerized processing systems
and documentation?
A.
B.
C.
D.
Programmer.
Systems analyst.
Computer operator.
Data conversion operator.
AACSB: Technology
Blooms: Remember
Difficulty: 1 Easy
Source: Original
32.
The effectiveness of general controls is an important consideration

for audit teams when assessing control risk on an audit. Which
management assertions are primarily affected by general controls?
A.
B.
C.
D.
Completeness and accuracy.

Occurrence and rights and obligations.
Accuracy and occurrence.
Completeness and occurrence.
AACSB: Analytic
AICPA BB: Critical Thinking
AICPA FN: Risk Analysis
Blooms: Understand
Source: Original
Topic: General Controls
33.
The purpose of test data is to determine whether
A. The audit team's test data are consistent with the client's normal
transactions.
B. Controls operate as described in responses to internal control
questionnaire items and program flowcharts.
C. Every possible error is prevented or detected by the client's
computer controls.
D. All possible combinations of valid data are correctly processed.
AACSB: Technology
Blooms: Understand
Source: Original
Topic: Test Data
34.
Which of the following is an example of a computer operations

control?
A.
B.
C.
D.
Control totals.
Balance of input to output.
File backup and retention.
Transaction logs.
AACSB: Technology
Blooms: Remember
Difficulty: 1 Easy
Source: Original
35.
Audit teams would least likely use computer-assisted audit

techniques to
A.
Access client data files.
B.
Prepare spreadsheets.
C. Assess control risk related to computerized processing systems.
D. Construct and perform parallel simulations.
AACSB: Technology
Blooms: Understand
Source: AICPA
Topic: Test Data
36.
Which of the following methods allow fictitious and actual

transactions to be processed together without client operating
personnel being aware of the testing process?
A.
B.
C.
D.

Input controls matrix.
Data entry monitor.
AACSB: Technology
Blooms: Remember
Difficulty: 1 Easy
Source: AICPA
Topic: Integrated Test Facility
37.
Each of the following automated application controls is designed to

ensure that the input of individual transactions and data is accurate
except
A.
B.
C.
D.
Check digits.
Valid sign tests.
Sequence tests.
Limit and reasonableness tests.
AACSB: Technology

Blooms: Apply
Difficulty: 3 Hard
Source: Original
Topic: Input Controls
38.
Audit teams would most likely introduce test data into a

computerized payroll system to test internal controls related to the
A. Existence of unclaimed payroll checks held by supervisors.

B. Early cashing of payroll checks by employees.
C. Discovery of invalid employee identification numbers.
D. Proper approval of overtime by supervisors.
AACSB: Technology
Blooms: Apply
Difficulty: 3 Hard
Source: AICPA
Topic: Test Data
39.
To obtain evidence that controls over access to computer programs

are properly functioning, audit teams most likely would
A. Create checkpoints at periodic intervals after data processing to

test for unauthorized use of the system.
B. Examine the transaction log to discover whether any transactions
were lost or entered twice due to a system malfunction.
C. Enter invalid identification numbers or passwords to ascertain
whether the system rejects them.
D. Vouch a random sample of processed transactions to ensure
proper authorization.
AACSB: Technology
Blooms: Apply
Difficulty: 3 Hard
Source: AICPA
Topic: Access to Programs and Data Controls
40.
Tests of controls in an advanced computerized processing system
A. Can be performed using only actual transactions because testing

simulated transactions does not provide relevant evidence.
B. Can be performed using actual transactions or simulated
transactions.
C. Is impractical because many procedures within the computerized
processing system leave no visible evidence of having been
performed.
D. Is inadvisable because it may distort the evidence in real-time
systems.
AACSB: Technology
Blooms: Understand
Source: AICPA
41.
Which of the following is a general control that would most likely

assist an organization whose systems analyst resigned during the
development of a major project?
A.
B.
C.
D.
Grandfather-father-son file retention.

Input and output validation routines.
Systems documentation.
AACSB: Technology
Blooms: Understand
Source: AICPA
Topic: Program Change Controls
42.
Which of the following would most likely be a weakness in the

internal control of a client that utilizes portable computing devices
rather than a large computer system?
A. Employee collusion possibilities are increased because portable

computing devices from one vendor can process the programs of a
system from different vendors.
B. Computer operators may be able to remove hardware and
software components and modify them at an off-site location.
C. Programming errors result in all similar transactions being
processed incorrectly because those transactions are processed
under the same conditions.
D. Certain transactions may be automatically initiated by the
computerized processing system and management's authorization
of these transactions may be implicit in its acceptance of the
system design.
AACSB: Technology
Blooms: Evaluate
Difficulty: 3 Hard
Source: AICPA
Topic: Control Considerations
43.
When programs or files can be accessed from terminals, users should

be required to enter a(n)
A.
B.
C.
D.
Parity check.
Personal identification code.
Self-diagnosis test.
Echo check.
AACSB: Technology
Blooms: Understand
Source: AICPA
44.
Which of the following control procedures most likely could prevent

computer personnel from modifying programs to bypass computer
controls?
A. Periodic management review of computer utilization reports and

systems documentation.
B. Separation of duties for computer programming and computer
operations.
C. Participation of user department personnel in designing and
approving new systems.
D. Physical security of computer facilities in limiting access to
computer equipment.
AACSB: Technology
Blooms: Evaluate
Difficulty: 3 Hard
Source: AICPA
Topic: Program Change Controls
45.
Which of the following is likely to be of least importance to audit

teams when obtaining an understanding of the computer controls in
an organization with a computerized processing system?
A. Separation of duties within the computer function.

B.
Controls over source documents.
C. Documentation maintained for accounting applications.
D. Relationship between costs and benefits of computer operations.
AACSB: Analytic
Blooms: Understand
Source: Original
Topic: Obtaining Understanding of Controls
46.
After obtaining a preliminary understanding of a client's computer

controls, audit teams may decide not to perform tests of controls.
Which of the following would not be a valid reason for choosing to
omit tests of controls?
A. The client's computer controls duplicate manual controls existing

elsewhere in the system.
B. There appear to be major weaknesses that indicate a high level of
control risk.
C. The time and dollar costs of testing computer controls exceed the
time and dollar savings in substantive procedures.
D. The client's controls appear to function at an adequate level to
justify a low assessment of control risk.
AACSB: Analytic
Blooms: Apply
Difficulty: 3 Hard
Source: Original
Topic: Tests of Controls
47.
When a real-time computerized processing system is in use, the

computer controls can be strengthened by
A. Providing for the separation of duties between data input and error
listing operations.
B. Using a systems development life cycle for authorization, user
involvement, and testing of program modifications.
C. Preparing batch totals to provide assurance that file updates are
made for the entire group of transactions.
D. Performing a validity check of an identification number before a
user can obtain access to the computer files.
AACSB: Technology
Blooms: Evaluate
Difficulty: 3 Hard
Source: Original
48.
Which of the following statements best describes the impact on an

audit when a client uses computerized processing of transactions?
A. The objective of the audit examination focuses on detection of

fraud and theft through the computer.
B. The type of substantive procedures performed by the audit team
change because of the use of computerized processing.
C. The effectiveness of computer controls implemented by the client
over its computerized processing may need to be evaluated by
audit teams.
D. Different independence standards are introduced for audit teams
when clients utilize computerized processing.
AACSB: Technology
Blooms: Understand
examination.
Source: Original
Topic: Effect of Computerized Processing on the Audit
49.
Computer controls that are pervasive and apply to all applications of

a computerized processing system are referred to as
A.
B.
C.
D.
Computer controls.
Environment controls.
Automated application controls.
General controls.
AACSB: Technology
Blooms: Remember
Difficulty: 1 Easy
Source: Original
50.
Which of the following is not an example of a general control?
A. The organization's use of the systems development life cycle when

implementing or modifying computerized processing systems.
B. The organization's use of check digits to ensure accurate input of
transaction data.
C. Periodic and preventative maintenance performed on the
computer and related equipment.
D. The existence of appropriate separation of duties within the
computer department.
AACSB: Technology
Blooms: Remember
Difficulty: 1 Easy
Source: Original
51.
Computer controls that provide reasonable assurance that data are

not altered or modified as they are transmitted through the system
are referred to as
A.
B.
C.
D.
General controls.
Hardware controls.
Input controls.
Transmission controls.
AACSB: Technology
Blooms: Remember
Difficulty: 1 Easy
Source: Original
52.
Which of the following is not a control included as part of the systems

development life cycle?
A. Ensuring that all software acquisition and program development

efforts are consistent with the organization's needs and objectives.
B. Testing and validating new programs and developing proper
implementation plans.
C. Requiring that all programming efforts take place under the control
of the requesting user department.
D. Ensuring that data are converted completely and accurately for
use in the new systems.
AACSB: Technology
Blooms: Understand
Source: Original
Topic: Program Development Controls
53.
Why is it important that the organization establish systems

development and documentation standards?
A. These standards enable the organization to understand the

programming logic underlying recently developed programs.
B. These standards ensure that the program controls and
documentation included in recently developed programs is
adequate.
C. The absence of these standards would constitute a material
weakness in internal control.
D. These standards ensure the appropriate separation of duties of
computer personnel.
AACSB: Technology
Blooms: Understand
Source: Original
Topic: Program Development Controls
54.
Which of the following categories of general controls includes

retention and recovery techniques for data and related programs?
A.
B.
C.
D.
Access to programs and data.

Computer operations.
Data file controls.
Hardware controls.
AACSB: Technology
Blooms: Remember
Difficulty: 1 Easy
Source: Original
55.
Which of the following computer controls would provide the best

evidence that unauthorized users are not accessing specific
computer programs and files?
A. Using passwords requiring access to those programs and files.

B. Periodically reviewing and confirming access rights for the
organization's users.
C. Monitoring actual user activity through a program log and
comparing that activity to authorized levels.
D. Ensuring that access to programs and files is removed for recently
terminated employees.
AACSB: Technology
Blooms: Evaluate
Difficulty: 3 Hard
Source: Original
56.
Which of the following error conditions would not be detected

through the use of batch totals?
A. A transposition of numbers in a numeric field.

B. Entry of an unauthorized transaction supported by documentary
evidence.
C. Failure to enter a valid transaction through input error.
D. Erroneously entering the same transaction twice.
AACSB: Technology
Blooms: Apply
Difficulty: 3 Hard
Source: Original
57.
Which of the following input controls would be least likely to identify

the failure of an employee to input a transaction for which
documentary evidence has been prepared?
A.
B.
C.
D.
Batch totals.
Hash totals.
Missing data tests.
Sequence tests.
AACSB: Technology
Blooms: Apply
Difficulty: 3 Hard
Source: Original
58.
Auditing through the computer
A. Is a required approach under generally accepted auditing

standards.
B. Requires the audit team to evaluate the operating effectiveness of
important computer controls.
C. Is normally utilized when the client has not implemented
significant computer controls.
D. Focuses on reconciling the input data to the results generated by
the client's computerized processing system.
AACSB: Technology
Blooms: Understand
Source: Original
59.
Which of the following is not true with respect to the test data
approach for evaluating computer controls?
A. The test data are created for a separate entity and are run
simultaneously with the client's actual data.
B. Only one of each type of error transaction needs to be included in
the test data.
C. The manual results of processing the test data are compared to
the results of processing these data through the client's
computerized processing system.
D. Audit teams consider potential errors and conditions of interest in
generating the test data.
AACSB: Technology
Blooms: Understand
Source: Original
Topic: Test Data
60.
As part of assessing the risk of material misstatement, the audit

team must assess the control risk in the computerized processing
system(s). Initially, the audit team must identify the overall
processing scope of the system(s), which would include each of the
following considerations except
A. The types of transactions that are processed through the

system(s).
B. The specific control procedures that have been implemented by
the client to prevent or detect misstatements that could occur
based on the audit team's analysis.
C. The programs and files that are accessed by the system(s) in
processing transactions.
D. The type of output that is created as a result of processing
transactions through the system(s).
AACSB: Technology
Blooms: Understand
Source: Original
Topic: Risk of Misstatement
61.
Which of the following input controls would not be effective in

identifying the erroneous input of numeric fields in a transaction?
A.
B.
C.
D.
Batch totals.
Hash totals.
Check digits.
Record counts.
AACSB: Technology
Blooms: Apply
Difficulty: 3 Hard
Source: Original
62.
In a computerized processing system, hardware controls are

designed to
A. Arrange data in a logical sequential manner for processing

purposes.
B. Correct errors in the computer programs.
C. Monitor and detect errors in source documents.
D. Detect and control errors arising from use of equipment.
Reference: Question also found in textbook
AACSB: Technology
Blooms: Remember
Difficulty: 1 Easy
Source: Original
63.
An example of a program in which the audit team would be most

interested in testing automated application controls is a(n)
A.
B.
C.
D.
Payroll processing program.

Operating system program.
Data management system software.
Utility program.

AACSB: Technology
Blooms: Remember
Difficulty: 1 Easy
Source: Original
Topic: General
64.
Which of the following would reduce the effectiveness of internal

control in a computerized processing system?
A. The computer librarian maintains custody of computer program

instructions and detailed lists.
B. Computer operators have access to operator instructions and
detailed program lists.
C. The control group is solely responsible for the distribution of all
computer output.
D. Computer programmers write and debug programs that perform
routines designed by the systems analyst.
AACSB: Technology
Blooms: Evaluate
Difficulty: 3 Hard
Source: Original
65.
Which of the following is true with respect to fraud risk factors in a

computerized environment?
A. Employees in a computerized environment are highly skilled.

B. Audit teams cannot evaluate the computerized processing system
during the year.
C. Higher dollar amounts are involved in a computerized
environment.
D. Employees have increased access to processing systems and
computer resources in a computerized environment.
AACSB: Technology
Blooms: Understand
examination.
Source: Original
Topic: Differences in Computerized Processing Environment
66.
Controls used in the management of a computer center to minimize

the possibility of using an incorrect file or program are
A.
B.
C.
D.
Control totals.
Record counts.
Limit checks.
External labels.

AACSB: Technology
Blooms: Remember
Difficulty: 1 Easy
Source: Original
67.
Audit teams would most likely use computer-assisted audit

techniques to
A. Make copies of client data files for controlled reprocessing.

B. Construct a parallel simulation to test the client's computer
controls.
C. Perform tests of a client's hardware controls.
D. Test the operative effectiveness of a client's password access
control.
AACSB: Technology
Blooms: Understand
Source: Original
68.
Which of the following computerized processing systems generally

can be audited without examining or directly testing the computer
programs of the system?
A. A system that performs relatively uncomplicated processes and

produces detailed output.
B. A system that affects a number of master files and produces a
limited output.
C. A system that updates a few master files and produces no other
printed output than final balances.
D. A system that performs relatively complicated processing and
produces very little detailed output.
AACSB: Technology
Blooms: Evaluate
Difficulty: 3 Hard
Source: Original
69.
The client's computerized exception reporting system helps audit

teams conduct a more efficient audit because it
A.
Condenses data significantly.
B.
Highlights abnormal conditions.
C. Decreases the necessary level of tests of computer controls.
D. Is an efficient computer input control.
AACSB: Technology
Blooms: Understand
examination.
Source: Original
Topic: Exception Reports
70.
Audit teams use the test data method to gain certain assurances with
respect to
A.
Input data.
B.
Machine capacity.
C. Control procedures contained within the program.
D.
General controls.
AACSB: Technology
Blooms: Understand
Source: Original
Topic: Test Data
71.
When using test data, why are audit teams required to prepare only
one transaction to test each computer processing alternative?
A. The speed and efficiency of the computer results in reduced

sample sizes.
B. The risk of misstatement is typically lower in a computerized
C. Audit teams generally perform more extensive substantive testing
in a computerized processing environment, resulting in less need
to test processing controls.
D. In a computerized processing environment, each transaction is
handled in an identical manner.
AACSB: Technology
Blooms: Understand
Source: Original
Topic: Test Data
72.
When auditing a computerized processing system, which of the

following is not true of the test data approach?
A. The client's computer programs process test data under the audit
team's control.
B. The test data must consist of all possible valid and invalid
conditions.
C. The test data need consist only of those valid and invalid
conditions in which audit teams are interested.
D. Only one transaction of each type need be tested.
AACSB: Technology
Blooms: Understand
Source: Original
Topic: Test Data
73.
Audit teams cannot test the reliable operation of computer control

procedures by
A. Submitting test data at several different times for processing on

the computer program the client uses for actual transaction
processing.
B. Manually comparing detailed transactions that the internal
auditors used to test a program to the program's actual error
messages.
C. Programming a model transaction processing system and
processing actual client transactions for comparison to the output
produced by the client's program.
D. Manually reperforming actual transaction processing with
comparison of results to the actual system output.
AACSB: Technology

Blooms: Apply
Difficulty: 3 Hard
Source: Original
74.
Audit teams can obtain evidence of the proper functioning of

password access control to a computerized processing system by
A. Writing a computer program that simulates the logic of a good

password control system.
B. Selecting a random sample of the client's completed transactions
to check the existence of proper authorization.
C. Attempting to sign on to the computerized processing system with
a false password.
D. Obtaining representations from the client's computer personnel
that the password control prevents unauthorized entry.
AACSB: Technology
Blooms: Apply
Difficulty: 3 Hard
Source: Original
Topic: Tests of Controls
75.
When processing controls within the computerized processing system

may not leave visible evidence that could be inspected by audit
teams, the teams should:
A.
Make corroborative inquiries.
B. Observe the separation of duties of personnel.
C. Review transactions submitted for processing and comparing them
to related output.
D.
Review the run manual.
AACSB: Technology

Blooms: Apply
Difficulty: 3 Hard
Source: Original
Topic: Auditing Around the Computer
76.
Which of the following statements most likely represents a control

consideration for an entity that performs its accounting using
portable computing devices?
A. It is usually difficult to detect arithmetic errors.

B. Unauthorized persons find it easy to access the computer and alter
the data files.
C. Transactions are coded for account classifications before they are
processed on the computer.
D. Random errors in report printing are rare in packaged software
systems.
AACSB: Technology
Blooms: Understand
Source: Original
Topic: Control Considerations
77.
Computerized processing performed concurrently with a particular

activity so that results are available to influence a decision being
made is referred to as
A.
B.
C.
D.
Batch processing.
Real-time processing.
Integrated data processing.
Random access processing.

AACSB: Technology

Blooms: Remember
Difficulty: 1 Easy
Source: Original
78.
Which of the following is not a characteristic of a batch processing

system?
A. The collection of similar transactions that are sorted and processed

sequentially against a master file.
B. The input of transactions prior to processing.
C. The production of numerous printouts.
D. The posting of a transaction as it occurs to several files without
intermediate printouts.
AACSB: Technology
Blooms: Understand
Source: Original
79.
A customer intended to order 100 units of product Z96014 but

incorrectly ordered product Z96015, which is not an actual product.
Which of the following controls most likely would detect this error?
A.
B.
C.
D.

Record count.
Hash total.
Redundant data check.

AACSB: Technology
Blooms: Evaluate
Difficulty: 3 Hard
Source: Original
80.
Which of the following automated application controls would offer

reasonable assurance that inventory data were completely and
accurately entered?
A.
B.
C.
D.
Sequence checking.
Batch totals.
Limit tests.
Check digits.

AACSB: Technology
Blooms: Evaluate
Difficulty: 3 Hard
Source: Original
81.
Which of the following persons is responsible for controlling access to

systems documentation and access to program and data files?
A.
B.
C.
D.
Programmers.
Data conversion operators.
Librarians.
Computer operators.

AACSB: Technology
Blooms: Remember
Difficulty: 1 Easy
Source: Original
82.
The evaluation of computer controls with simulated data processed

through the client's computer programs is referred to as
A.
B.
C.
D.
Test data.
Database.

AACSB: Technology
Blooms: Remember
Difficulty: 1 Easy
Source: Original
Topic: Test Data
83.
Audit teams can use the computer to test the operating effectiveness
of the client's controls in each of the following cases except to
A. Select transactions and manually audit the actual transaction

processing.
B. Evaluate the computer controls using simulated data.
C. Compare external documentation with internal documentation.
D. Evaluate the computer controls using actual data processed
through the client's computer programs.
AACSB: Analytic
Blooms: Apply
Difficulty: 3 Hard
Source: Original
84.
Which of the following is not a category of general controls?
A.
B.
C.
D.
Access to programs and data controls.

Computer operations controls.
Processing controls.
Program change controls.

AACSB: Technology
Blooms: Remember
Difficulty: 1 Easy
Source: Original
85.
To test the operating effectiveness of computer controls, audit teams

can use each of the following methods except
A. Creating a "dummy entity" and processing simulated transactions

along with actual transactions.
B. Creating fictitious transactions for processing through the client's
computer programs separately from actual client transactions.
C. Processing actual client transactions through an auditor-created
program.
D. Observing the separation of duties of client personnel.
AACSB: Technology
Blooms: Apply
Difficulty: 3 Hard
Source: Original
86.
The tools and techniques applicable to auditing in a computerized

environment should not include those that
A. Operate on a real-time basis with actual data.

B.
Use simulated or dummy data.
C.
Audit around the computer.
D.
Use program analysis techniques.
AACSB: Technology
Blooms: Understand
Source: Original
87.
The technique of creating a minicompany with fictitious master file

records to process simulated data simultaneously with actual client
data is referred to as a(n)
A.
B.
C.
D.
Sample audit review file.

Systems control audit review file.
Program analysis software.

AACSB: Technology
Blooms: Remember
Difficulty: 1 Easy
Source: Original
88.
Which of the following is not an example of a computer control

related to file retention and security?
A.
Echo check.
B.
Storage in fireproof vaults.
C. Backup versions of files stored in remote locations.
D.
Grandfather-father-son concept.
AACSB: Technology
Blooms: Understand
Source: Original
89.
Which of the following is not a major difference between a manual

processing environment and a computerized processing
environment?
A. A computerized processing environment requires data to be

converted into electronic format, which introduces the possibility
of input errors.
B. A computerized processing environment has an increased level of
human involvement.
C. Random errors are more likely in a manual processing environment
than a computerized processing environment.
D. A hard copy "audit trail" is less likely to exist in a computerized
processing environment than a manual processing environment.
AACSB: Technology
Blooms: Understand
examination.
Source: Original
Topic: Differences in Computerized Processing Environment
90.
A numerical field appended to an identification number that serves

as an input control is a(n)
A.
B.
C.
D.
Batch total.
Hash total.
Check digit.
Valid character test.

AACSB: Technology
Blooms: Remember
Difficulty: 1 Easy
Source: Original
91.
The major disadvantage of an integrated test facility is that
A. Data processed through the client's system must be "backed out"

very carefully.
B. The cost of setting up the facility adds to overhead of the system.
C. Audit teams need extensive knowledge of computer programming.
D. It is a costly use of computer resources.
AACSB: Technology
Blooms: Understand
Source: Original
Fill in the Blank Questions

92.
Auditing _________________________________________________ refers to

the actual evaluation of the hardware and programs to determine the
reliability of computer operations and test the operating
effectiveness of the related controls.
through the computer
93.
Auditing ________________________________________ consists of

reconciling source documents with computer output.
around the computer
94.
____________________________ techniques are special audit modules

designed and coded into computer programs to allow audit teams to
evaluate various stages of transaction processing.
Program-embedded
95.
The method of testing computer controls that requires audit teams to

prepare a computer program to process a client's actual data is
referred to as a(n) _________________________________.
parallel simulation
96.
______________________________ compare the client's processing of

simulated transactions to the audit team's manual processing of
those transactions.
Test data
97.
Controls that involve all applications of computerized processing

(such as hardware controls) are referred to as
______________________________________.
general controls
98.
An important control over program development is the entity's use of

the _____________________________________________ life cycle to plan,
develop, and implement new computerized systems.
systems development
99.
__________________________________ controls are "built in" to the

computer equipment and provide reasonable assurance that data are
not altered or modified as they are transmitted within the system.
Hardware
100. Check digits, record counts, and sequence tests are examples of
_____________________________ controls.
input
101. Four methods that are used by audit teams to test the operating
effectiveness of controls include inquiry, observation, documentation
examination, and ______________________
reperformance
102. Separation of incompatible functions is an example of a
___________________________________ control.
computer operations
103. _____________________________ processing occurs when a group of
similar transactions is accumulated and processed simultaneously.
Batch
104. _____________________________ describes the system and its controls
and is the means of communicating the essential elements of the
computerized processing system to current and potential users.
Documentation
105. Retaining previous generations of files for use in reconstructing

current generations of files is known as the
_________________________________________ technique.
grandfather-father-son
106. _____________________________ prepare flowcharts and code the logic of
the computer programs required by the overall system designed by
the systems analyst.
Programmers
107. ____________________________________ represent comparisons of the
number of transactions submitted for data conversion with the
number of transactions actually entered for processing.
Record counts
108. _____________________________ and _____________________________ are
special internal labels on files that provide reasonable assurance that
the correct files are used in processing.
Headers; trailers
109. A(n) __________________________________________ involves testing the

client's processing system and controls by creating a dummy
department or branch.
integrated test facility
110. _____________________________________ are arithmetic totals of fields
that do not have a significant meaning (such as employee numbers).
Hash totals
111. _____________________________ computing environments are often
characterized by inadequate separation of duties and lack of physical
computer security.
End-user
Short Answer Questions
112. Match each of the following categories of general controls (letters AE) to the description of a computer control (numbers 1-10). A
category of general controls can be used more than once.
A. Hardware controls
B. Program development controls
C. Program change controls
D. Computer operations controls
E. Access to programs and data controls
____ 1. Separating the duties of systems programmers, computer
operators, and data librarians.
____ 2. Conducting preventative maintenance on computer
equipment.
____ 3. Requiring the use of passwords to access computer programs
and files.
____ 4. Using the systems development life cycle for testing and
validation of new programs.
____ 5. Requiring program modifications to be tested and
implemented by appropriate personnel.
____ 6. Maintaining backup copies of files at safe, remote locations.
____ 7. Involving users in the design of programs and selection of
prepackaged software.
____ 8. Relying on parity checks imbedded into computer equipment
by the computer manufacturer.
____ 9. Using external labels to identify files and programs.
____ 10. Ensuring that emergency requests are appropriately
documented and properly authorized.
1. D, 2. A, 3. E, 4. B, 5. C, 6. D, 7. B, 8. A, 9. D, 10. C
AACSB: Technology
Blooms: Understand
Source: Original
Topic: Types of General Controls
113. Identify whether each of the following statements is appropriate for

auditing around the computer (A), auditing through the computer (T),
or auditing both around and through the computer (B).
____ 1. It is more likely to be utilized when the client's computerized
processing systems are relatively simple.
____ 2. The method is permitted under generally accepted auditing
standards.
____ 3. It requires audit teams to evaluate and test the operating
effectiveness of computer controls.
____ 4. It primarily concerns correspondence between input and
output.
____ 5. The use of test data and parallel simulation are examples of
this approach.
____ 6. It should be used with more complex computerized processing
systems.
____ 7. Audit teams can design error conditions to evaluate how these
conditions are processed.
____ 8. Audit teams are required to consider important computer
controls that have been implemented by the client over
computerized processing of transactions.
____ 9. It is more likely to be used when clients have not implemented
extensive computer controls.
____ 10. It can be used to provide audit teams with a basis for
assessing control risk.
1. A, 2. B, 3. T, 4. A, 5. T, 6. T, 7. T, 8. T, 9. A, 10. B
AACSB: Technology
Blooms: Remember
Difficulty: 1 Easy
Source: Original
Topic: Auditing Approaches in a Computerized Environment
114. Match each of the following general controls with the broad category
of controls in which it is included (each control will be related to only
one category).
1. B, 2. E, 3. D, 4. C, 5. D, 6. A, 7. D, 8. C
Feedback: Reference: Question also found in study guide
AACSB: Technology
Blooms: Understand
Source: Original
Topic: Types of General Controls
115. Match each of the automated application controls with the error
condition(s) they are designed to prevent or detect (each control may
be designed to prevent or detect more than one error condition).
1. A; 2. B, C, D; 3. A, B, C, D; 4. A, B, C, D; 5. A; 6. A; 7. A; 8. B; 9. A,
D; 10. A, D; 11. A; 12. D; 13. D; 14. D; 15. D
Feedback: Reference: Question also found in study guide
AACSB: Technology
Blooms: Evaluate
Difficulty: 3 Hard
Source: Original
Essay Questions
116. What is the difference between the use of test data and parallel
simulation?
The primary differences between the use of test data and parallel
simulation are the nature of the data used and the system used to
process the data. The test data approach uses simulated data
created by the audit team that is processed through the client's
computerized processing system. Parallel simulation involves
comparing the results of separate processing of actual (not
simulated) data through the client's computerized processing system
and through a program prepared by the audit team.
AACSB: Technology
Blooms: Remember
Difficulty: 1 Easy
Source: Original
Topic: Test Data and Parallel Simulation
117. At a meeting of the corporate audit committee attended by the

general manager of the products division (A. Smith) and the internal
audit manager (P. Marks), the following dialogue took place between
Smith and R. Jones (chair of the corporate audit committee):
Jones: Ms. Marks has suggested that the internal audit department
conduct an examination of the computer activities of the products
division.
Smith: I don't know much about the technicalities of computers, but
the division has some of the best computer people in the company.
Jones: Do you know whether the internal controls we have
implemented are satisfactory?
Smith: I suppose they are. No one has complained. What's so
important about controls anyway, as long as the system works? I
don't even know what type of controls we should have for our
system.
Jones: Ms. Marks, can you explain the objective of computer controls
and provide us some examples?
Required:
Address Ms. Marks' response to the following points:
a. State the principal objective of achieving control over (1) input, (2)
processing, and (3) output.
b. Provide examples of (1) input controls, (2) processing controls, and
(3) output controls.
a.
(1) The objective of input controls is to provide reasonable assurance
that data received for processing by the computer department have
been properly authorized and accurately entered or converted for
processing.
(2) The objective of processing controls is to provide reasonable
assurance that data processing has been performed accurately and
without any omission or duplicate processing of transactions.
(3) The objective of output controls is to provide reasonable
assurance that only authorized persons receive output or have
access to files produced by the system.
b.
(1) Examples of input controls include:
Data entry and formatting controls

Authorization and approval controls
Check digits
Record counts
Batch totals
Hash totals
Valid character tests
Valid sign tests
Missing data tests
Sequence tests
Limit and reasonableness tests
Error correction and resubmission procedures
(2) Examples of processing controls include

Clients periodically testing and evaluating the processing accuracy
of its programs
Run-to-run totals
Control total reports
Error correction and resubmission procedures
Limit and reasonableness tests
(3) Examples of output controls include
Review of output for reasonableness
Control total reports

Master file changes
Controls over output distribution
AACSB: Technology
Blooms: Understand
Source: Original
Topic: Types of Automated Application Controls
Matching Questions
118. Match each of the following input controls (letters A-K) with the
description or type of error that might be detected by this control
(numbers 1-11). Each input control relates to only one description or
type of error.

Limit and
appropriate positive or
reasonableness
negative sign
tests 7
2. Computer may
automatically generate and
1
authorize transactions
Record count 0
3. Data are inadvertently
input in an incorrect field
Valid sign tests 1
has numerical significance
(such as the total number of
hours worked)
Batch totals 4
has no numerical
Error correction
significance (such as the
and resubmission 1
total of employee numbers)
procedures 1
6. Data conversion
personnel will not fail to
Authorization
enter data in a particular
and approval
field
controls 2
7. Data values exceed or fall
below some predetermined
limit
Check digit 9
appropriate numeric or
alphabetic characters
Hash totals 5
9. A numerical field is
appended to another
numerical field to ensure
Valid character
accurate input of data
tests 8
10. The number of payroll
transactions received for
processing is compared with
the number of transactions
entered into a transaction
Missing data
file
tests 6
11. Data entry personnel are
able to correct data
conversion errors in a timely
Data entry and
fashion
formatting 3
AACSB: Technology

Blooms: Evaluate
Difficulty: 3 Hard
Source: Original
119. Match each of the following program-embedded techniques (letters

A-I) with a description of these techniques (numbers 1-9). Each
technique relates to only one description.
1. Identifying transactions at input

and obtaining a computer trail of
all processing steps related to
these transactions
2. Obtaining a record of
transactions and database
elements prior to and following
3. Writing auditor-selected
transactions to a special file for
later verification
4. Using software packages that
assist audit teams in
understanding the logic of an
application program and following
the flow of transactions and data
through an application program
5. Using hardware and software to
identify the individual who
accesses the system, the
accessed, and the time the
applications and operations were
accessed
transactions through the client's
computerized processing system
and comparing results to
predetermined results
7. Providing an audit trail of
transactions by accumulating the
results of all processing
8. Processing actual transactions
through programs designed by
audit teams to replicate the
client's computerized processing
system
transactions related to a fictitious
department or branch created by
the audit team
Extended
records 7
Program
analysis
techniques 4
Tagging
transactions 1
Embedded
audit
modules 3
Parallel
simulation 8
Snapshot
Integrated
test facility 9
Test data
Monitoring
system
activity 5
AACSB: Technology
Blooms: Remember
Difficulty: 1 Easy
Source: Original
Topic: Program-Embedded Techniques

Mod H

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Mod H

Uploaded by

Copyright:

Available Formats

Module H

Auditing in a Computerized Environment

True / False Questions

2. In simple batch processing systems, it is not possible to use the

3. The basic concept of test data is that once a computer is programmed

4. When using parallel simulation, audit teams prepare a computer

5. Input controls are one of the major categories of general controls.

6. A program description should contain a program flowchart, a list of the

7. Computer librarians are primarily responsible for operating the

8. In an integrated test facility, simulated transactions are processed

9. An important hardware control incorporated within computer

10 Computer operators should have complete access to programs and

11 If an entity's general controls are ineffective, audit teams would likely

12 The method of auditing around the computer treats the computer

13 An embedded audit module creates simulated data to be processed by

16 One major difference in a computerized processing environment

17 Header and trailer labels are examples of external labels.

20 The use of the systems development life cycle is an example of an

Multiple Choice Questions

21 Which of the following controls most likely would ensure that an

A. Hardware controls are built into the computer by the computer

A. Several transactions of each type must be tested.

24 Which of the following is not an appropriate statement with regard to

A. The duties of application programming, computer operation, and

26 An audit team's approach to evaluating computerized processing

Around the computer.

27 The reprocessing of actual data using programs developed by the audit

28 Techniques needed to select specific transactions of audit interest for

Embedded audit modules.

29 Computer operations controls are typically implemented for files and

A. Ensure that appropriate files are used in computerized processing.

Generalized audit software.

31 Which of the following organizational positions would evaluate the

32 The effectiveness of general controls is an important consideration for

Completeness and accuracy.

33 The purpose of test data is to determine whether

35 Audit teams would least likely use computer-assisted audit techniques

36 Which of the following methods allow fictitious and actual transactions

Integrated test facility.

37 Each of the following automated application controls is designed to

A. Existence of unclaimed payroll checks held by supervisors.

A. Create checkpoints at periodic intervals after data processing to test

40 Tests of controls in an advanced computerized processing system

Grandfather-father-son file retention.

42 Which of the following would most likely be a weakness in the internal

A. Employee collusion possibilities are increased because portable

43 When programs or files can be accessed from terminals, users should

44 Which of the following control procedures most likely could prevent

A. Periodic management review of computer utilization reports and

A. Separation of duties within the computer function.

46 After obtaining a preliminary understanding of a client's computer

A. The client's computer controls duplicate manual controls existing

A. The objective of the audit examination focuses on detection of fraud

49 Computer controls that are pervasive and apply to all applications of a

50 Which of the following is not an example of a general control?

52 Which of the following is not a control included as part of the systems

A. Ensuring that all software acquisition and program development

A. These standards enable the organization to understand the

Access to programs and data.

55 Which of the following computer controls would provide the best

A. Using passwords requiring access to those programs and files.

A. A transposition of numbers in a numeric field.

58 Auditing through the computer