Chapter 8 Internal Control and CBIS 120

Internal Control and Computer Based Information Systems (CBIS)

MULTIPLE CHOICE:
1. In the weekly computer run to prepare payroll checks, a check was printed for an employee who had been terminated the previous week. Which of the following controls, if properly utilized, would have been most effective in preventing the error or ensuring its prompt detection?
a. A control total for hours worked, prepared from time cards collected by the timekeeping department.
b. Requiring the treasurer's office to account for the number of the pre-numbered checks issued to the CBIS department for the processing of the payroll.
c. Use of a check digit for employee numbers.
d. Use of a header label for the payroll input sheet.
ANSWER:

2. An auditor is preparing test data for use in the audit of a computer based accounts receivable application. Which of the following items would be appropriate to include as an item in the test data?
a. A transaction record which contains an incorrect master file control total.
b. A master file record which contains an invalid customer identification number.
c. A master file record which contains an incorrect master file control total.
d. A transaction record which contains an invalid customer identification number.
ANSWER:

3. Unauthorized alteration of on-line records can be prevented by employing:
a. Key verification.
b. Computer sequence checks.
c. Computer matching.
d. Data base access controls.
ANSWER:

4. In auditing through a computer, the test data method is used by auditors to test the
a. Accuracy of input data.
b. Validity of the output.
c. Procedures contained within the program.
d. Normalcy of distribution of test data.
ANSWER:

5. In the preliminary survey the auditor learns that a department has several microcomputers. Which of the following is usually true and should be considered in planning the audit?
a. Microcomputers, though small, are capable of processing financial information, and physical security is a control concern.
b. Microcomputers are limited to applications such as worksheet generation and do not present a significant audit risk.
c. Microcomputers are generally under the control of the data processing department and use the same control features.
d. Microcomputers are too small to contain any built-in control features. Therefore, other controls must be relied upon.
ANSWER:

6. The primary reason for internal auditing's involvement in the development of new computer-based systems is to:
a. Plan post-implementation reviews.
b. Promote adequate controls.
c. Train auditors in CBIS techniques.
d. Reduce overall audit effort.
ANSWER:

7. Which of the following is an advantage of generalized computer audit packages?
a. They are all written in one identical computer language.
b. They can be used for audits of clients that use differing CBIS equipment and file formats.
c. They have reduced the need for the auditor to study input controls for CBIS related procedures.
d. Their use can be substituted for a relatively large part of the required control testing.
ANSWER:

8. The possibility of losing a large amount of information stored in computer files most likely would be reduced by the use of
a. Back-up files.
b. Check digits.
c. Completeness tests.
d. Conversion verification.
ANSWER:

11. Which of the following statements most likely represents a disadvantage for an entity that keeps microcomputer-prepared data files rather than manually prepared files?
a. It is usually more difficult to detect transposition errors.
b. Transactions are usually authorized before they are executed and recorded.
c. It is usually easier for unauthorized persons to access and alter the files.
d. Random error associated with processing similar transactions in different ways is usually greater.
ANSWER:

10. Processing simulated file data provides the auditor with information about the reliability of controls from evidence that exists in simulated files. One of the techniques involved in this approach makes use of
a. Controlled reprocessing.
b. Program code checking.
c. Printout reviews.
d. Integrated test facility.
ANSWER:

9. An integrated test facility (ITF) would be appropriate when the auditor needs to
a. Trace a complex logic path through an application system.
b. Verify processing accuracy concurrently with processing.
c. Monitor transactions in an application system continuously.
d. Verify load module integrity for production programs.
ANSWER:

12. Where computer processing is used in significant accounting applications, internal accounting control procedures may be defined by classifying control procedures into two types: general and
a. Administrative.
b. Specific.
c. Application.
d. Authorization.
ANSWER:

13. Checklists, systems development methodology, and staff hiring are examples of what type of controls?
a. Detective.
b. Preventive.
c. Subjective.
d. Corrective.
ANSWER:

15. The increased presence of the microcomputer in the workplace has resulted in an increasing number of persons having access to the computer. A control that is often used to prevent unauthorized access to sensitive programs is:
a. Backup copies of the diskettes.
b. Passwords for each of the users.
c. Disaster-recovery procedures.
d. Record counts of the number of input transactions in a batch being processed.
ANSWER:

14. When an on-line, real-time (OLRT) computer-based processing system is in use, internal control can be strengthened by
a. Providing for the separation of duties between keypunching and error listing operations.
b. Attaching plastic file protection rings to reels of magnetic tape before new data can be entered on the file.
c. Making a validity check of an identification number before a user can obtain access to the computer files.
d. Preparing batch totals to provide assurance that file updates are made for the entire input.
ANSWER:

16. Given the increasing use of microcomputers as a means for accessing data bases, along with on-line real-time processing, companies face a serious challenge relating to data security. Which of the following is not an appropriate means for meeting this challenge?
a. Institute a policy of strict identification and password controls housed in the computer software that permit only specified individuals to access the computer files and perform a given function.
b. Limit terminals to perform only certain transactions.
c. Program software to produce a log of transactions showing date, time, type of transaction, and operator.
d. Prohibit the networking of microcomputers and do not permit users to access centralized data bases.
ANSWER:

19. One of the features that distinguishes computer processing from manual processing is
a. Computer processing virtually eliminates the occurrence of computational error normally associated with manual processing.
b. Errors or fraud in computer processing will be detected soon after their occurrences.
c. The potential for systematic error is ordinarily greater in manual processing than in computerized processing.
d. Most computer systems are designed so that transaction trails useful for audit purposes do not exist.
ANSWER:

18. When auditing "around" the computer, the independent auditor focuses solely upon the source documents and
a. Test data.
b. CBIS processing.
c. Control techniques.
d. CBIS output.
ANSWER:

17. What type of computer-based system is characterized by data that are assembled from more than one location and records that are updated immediately?
a. Microcomputer system.
b. Minicomputer system.
c. Batch processing system.
d. Online real-time system.
ANSWER:

20. Company A has recently converted its manual payroll to a computer-based system. Under the old system, employees who had resigned or been terminated were occasionally kept on the payroll and their checks were claimed and cashed by other employees, in collusion with shop foremen. The controller is concerned that this practice not be allowed to continue under the new system. The best control for preventing this form of "payroll padding" would be to
a. Conduct exit interviews with all employees leaving the company, regardless of reason.
b. Require foremen to obtain a signed receipt from each employee claiming a payroll check.
c. Require the human resources department to authorize all hires and terminations, and to forward a current computerized list of active employee numbers to payroll prior to processing. Program the computer to reject inactive employee numbers.
d. Install time clocks for use by all hourly employees.
ANSWER:

21. Compared to a manual system, a CBIS generally
1. Reduces segregation of duties.
2. Increases segregation of duties.
3. Decreases manual inspection of processing results.
4. Increases manual inspection of processing results.
a. 1 and 3.
b. 1 and 4.
c. 2 and 3.
d. 2 and 4.
ANSWER:

22. One of the major problems in a CBIS is that incompatible functions may be performed by the same individual. One compensating control for this is the use of
a. Echo checks.
b. A self-checking digit system.
c. Computer generated hash totals.
d. A computer log.
ANSWER:

23. An unauthorized employee took computer printouts from output bins accessible to all employees. A control which would have prevented this occurrence is
a. A storage/retention control.
b. A spooler file control.
c. An output review control.
d. A report distribution control.
ANSWER:

27. Which of the following methods of testing application controls utilizes a generalized audit software package prepared by the auditors?
a. Parallel simulation.
b. Integrated testing facility approach.
c. Test data approach.
d. Exception report tests.
ANSWER:

26. An organizational control over CBIS operations is
a. Run-to-run balancing of control totals.
b. Check digit verification of unique identifiers.
c. Separation of operating and programming functions.
d. Maintenance of output distribution logs.
ANSWER:

25. Which of the following processing controls would be most effective in assisting a store manager to ascertain whether the payroll transaction data were processed in their entirety?
a. Payroll file header record.
b. Transaction identification codes.
c. Processing control totals.
d. Programmed exception reporting.
ANSWER:

24. Which of the following is a disadvantage of the integrated test facility approach?
a. In establishing fictitious entities, the auditor may be compromising audit independence.
b. Removing the fictitious transactions from the system is somewhat difficult and, if not done carefully, may contaminate the client's files.
c. ITF is simply an automated version of auditing "around" the computer.
d. The auditor may not always have a current copy of the authorized version of the client's program.
ANSWER:

28. Totals of amounts in computer-record data fields which are not usually added for other purposes but are used only for data processing control purposes are called
a. Record totals.
b. Hash totals.
c. Processing data totals.
d. Field totals.
ANSWER:

29. A hash total of employee numbers is part of the input to a payroll master file update program. The program compares the hash total to the total computed for transactions applied to the master file. The purpose of this procedure is to:
a. Verify that employee numbers are valid.
b. Verify that only authorized employees are paid.
c. Detect errors in payroll calculations.
d. Detect the omission of transaction processing.
ANSWER:

30. Matthews Corp. has changed from a system of recording time worked on clock cards to a computerized payroll system in which employees record time in and out with magnetic cards. The CBIS automatically updates all payroll records. Because of this change
a. A generalized computer audit program must be used.
b. Part of the audit trail is altered.
c. The potential for payroll related fraud is diminished.
d. Transactions must be processed in batches.
ANSWER:

31. Generalized audit software is of primary interest to the auditor in terms of its capability to
a. Access information stored on computer files.
b. Select a sample of items for testing.
c. Evaluate sample test results.
d. Test the accuracy of the client's calculations.
ANSWER:

32. An accounts payable program posted a payable to a vendor not included in the on-line vendor master file. A control which would prevent this error is a
a. Validity check.
b. Range check.
c. Reasonableness test.
d. Parity check.
ANSWER:

33. In a computerized sales processing system, which of the following controls is most effective in preventing sales invoice pricing errors?
a. Sales invoices are reviewed by the product managers before being mailed to customers.
b. Current sales prices are stored in the computer, and, as stock numbers are entered from sales orders, the computer automatically prices the orders.
c. Sales prices, as well as product numbers, are entered as sales orders are entered at remote terminal locations.
d. Sales prices are reviewed and updated on a quarterly basis.
ANSWER:

34. Which of the following is likely to be of least importance to an auditor in reviewing the internal control in a company with a CBIS?
a. The segregation of duties within the data processing center.
b. The control over source documents.
c. The documentation maintained for accounting applications.
d. The cost/benefit ratio of data processing operations.
ANSWER:

35. For the accounting system of Acme Company, the amounts of cash disbursements entered into a CBIS terminal are transmitted to the computer that immediately transmits the amounts back to the terminal for display on the terminal screen. This display enables the operator to
a. Establish the validity of the account number.
b. Verify the amount was entered accurately.
c. Verify the authorization of the disbursement.
d. Prevent the overpayment of the account.
ANSWER:

36. Which of the following audit techniques most likely would provide an auditor with the most assurance about the effectiveness of the operation of an internal control procedure?
a. Inquiry of client personnel.
b. Recomputation of account balance amounts.
c. Observation of client personnel.
d. Confirmation with outside parties.
ANSWER:

37. Adequate technical training and proficiency as an auditor encompasses an ability to understand a CBIS sufficiently to identify and evaluate
a. The processing and imparting of information.
b. Essential accounting control features.
c. All accounting control features.
d. The degree to which programming conforms with application of generally accepted accounting principles.
ANSWER:

38. Which of the following is not a major reason why an accounting audit trail should be maintained for a computer system?
a. Query answering.
b. Deterrent to fraud.
c. Monitoring purposes.
d. Analytical review.
ANSWER:

39. Adequate control over access to data processing is required to
a. Prevent improper use or manipulation of data files and programs.
b. Ensure that only console operators have access to program documentation.
c. Minimize the need for backup data files.
d. Ensure that hardware controls are operating effectively and as designed by the computer manufacturer.
ANSWER:

40. In studying a client's internal controls, an auditor must be able to distinguish between prevention controls and detection controls. Of the following data processing controls, which is the best detection control?
a. Use of data encryption techniques.
b. Review of machine utilization logs.
c. Policy requiring password security.
d. Backup and recovery procedure.
ANSWER:

42. When testing a computerized accounting system, which of the following is not true of the test data approach?
a. The test data need consist of only those valid and invalid conditions in which the auditor is interested.
b. Only one transaction of each type need be tested.
c. Test data are processed by the client's computer programs under the auditor's control.
d. The test data must consist of all possible valid and invalid conditions.
ANSWER:

41. Which of the following procedures is an example of auditing "around" the computer?
a. The auditor traces adding machine tapes of sales order batch totals to a computer printout of the sales journal.
b. The auditor develops a set of hypothetical sales transactions and, using the client's computer program, enters the transactions into the system and observes the processing flow.
c. The auditor enters hypothetical transactions into the client's processing system during client processing of "live" data.
d. The auditor observes client personnel as they process the biweekly payroll. The auditor is primarily concerned with computer rejection of data that fails to meet reasonableness limits.
ANSWER:

43. Auditing by testing the input and output of a computer-based system instead of the computer program itself will
a. Not detect program errors which do not show up in the output sampled.
b. Detect all program errors, regardless of the nature of the output.
c. Provide the auditor with the same type of evidence.
d. Not provide the auditor with confidence in the results of the auditing procedures.
ANSWER:

44. Which of the following is an acknowledged risk of using test data when auditing CBIS records?
a. The test data may not include all possible types of transactions.
b. The computer may not process a simulated transaction in the same way it would an identical actual transaction.
c. The method cannot be used with simulated master records.
d. Test data may be useful in verifying the correctness of account balances, but not in determining the presence of processing controls.
ANSWER:

45. When the auditor encounters sophisticated computer-based systems, he or she may need to modify the audit approach. Of the following conditions, which one is not a valid reason for modifying the audit approach?
a. More advanced computer systems produce less documentation, thus reducing the visibility of the audit trail.
b. In complex computer-based systems, computer verification of data at the point of input replaces the manual verification found in less sophisticated data processing systems.
c. Integrated data processing has replaced the more traditional separation of duties that existed in manual and batch processing systems.
d. Real-time processing of transactions has enabled the auditor to concentrate less on the completeness assertion.
ANSWER:

46. The program flowcharting symbol representing a decision is a
a. Triangle.
b. Circle.
c. Rectangle.
d. Diamond.
ANSWER:

50. A control to verify that the dollar amounts for all debits and credits for incoming transactions are posted to a receivables master file is the:
a. Generation number check.
b. Master reference check.
c. Hash total.
d. Control total.
ANSWER:

49. In a distributed data base (DDB) environment, control tests for access control administration can be designed which focus on
a. Reconciliation of batch control totals.
b. Examination of logged activity.
c. Prohibition of random access.
d. Analysis of system generated core dumps.
ANSWER:

48. If a control total were to be computed on each of the following data items, which would best be identified as a hash total for a payroll CBIS application?
a. Net pay.
b. Department numbers.
c. Hours worked.
d. Total debits and total credits.
ANSWER:

47. An update program for bank account balances calculates check digits for account numbers. This is an example of
a. An input control.
b. A file management control.
c. Access control.
d. An output control.
ANSWER:

51. CBIS controls are frequently classified as to general controls and application controls. Which of the following is an example of an application control?
a. Programmers may access the computer only for testing and "debugging" programs.
b. All program changes must be fully documented and approved by the information systems manager and the user department authorizing the change.
c. A separate data control group is responsible for distributing output, and also compares input and output on a test basis.
d. In processing sales orders, the computer compares customer and product numbers with internally stored lists.
ANSWER:

52. After a preliminary phase of the review of a client's CBIS controls, an auditor may decide not to perform further tests related to the control procedures within the CBIS portion of the client's internal control system. Which of the following would not be a valid reason for choosing to omit further testing?
a. The auditor wishes to further reduce assessed risk.
b. The controls duplicate operative controls existing elsewhere in the system.
c. There appear to be major weaknesses that would preclude reliance on the stated procedures.
d. The time and dollar costs of testing exceed the time and dollar savings in substantive testing if the controls are tested for compliance.
ANSWER:

53. For good internal control over computer program changes, a policy should be established requiring that
a. The programmer designing the change adequately test the revised program.
b. All program changes be supervised by the CBIS control group.
c. Superseded portions of programs be deleted from the program run manual to avoid confusion.
d. All proposed changes be approved in writing by a responsible individual.
ANSWER:

54. Which of the following would lessen internal control in a CBIS?
a. The computer librarian maintains custody of computer program instructions and detailed listings.
b. Computer operators have access to operator instructions and detailed program listings.
c. The control group is solely responsible for the distribution of all computer output.
d. Computer programmers write and debug programs which perform routines designed by the systems analyst.
ANSWER:

56. Which of the following is not a technique for testing data processing controls?
a. The auditor develops a set of payroll test data that contain numerous errors. The auditor plans to enter these transactions into the client's system and observe whether the computer detects and properly responds to the error conditions.
b. The auditor utilizes the computer to randomly select customer accounts for confirmation.
c. The auditor creates a set of fictitious customer accounts and introduces hypothetical sales transactions, as well as sales returns and allowances, simultaneously with the client's live data processing.
d. At the auditor's request, the client has modified its payroll processing program so as to separately record any weekly payroll entry consisting of 60 hours or more. These separately recorded ("marked") entries are locked into the system and are available only to the auditor.
ANSWER:

55. Access control in an on-line CBIS can best be provided in most circumstances by
a. An adequate librarianship function controlling access to files.
b. A label affixed to the outside of a file medium holder that identifies the contents.
c. Batch processing of all input through a centralized, well-guarded facility.
d. User and terminal identification controls, such as passwords.
ANSWER:

57. While entering data into a cash receipts transaction file, an employee transposed two numbers in a customer code. Which of the following controls could prevent input of this type of error?
a. Sequence check.
b. Record check.
c. Self-checking digit.
d. Field-size check.
ANSWER:

58. What is the computer process called when data processing is performed concurrently with a particular activity and the results are available soon enough to influence the particular course of action being taken or the decision being made?
a. Batch processing.
b. Real time processing.
c. Integrated data processing.
d. Random access processing.
ANSWER:

59. Reconciling processing control totals is an example of
a. An input control.
b. An output control.
c. A processing control.
d. A file management control.
ANSWER:

60. A disadvantage of auditing around the computer is that it
a. Permits no assessment of actual processing.
b. Requires highly skilled auditors.
c. Demands intensive use of machine resources.
d. Interacts actively with auditee applications.
ANSWER:

61. The completeness of computer-generated sales figures can be tested by comparing the number of items listed on the daily sales report with the number of items billed on the actual invoices. This process uses
a. Check digits.
b. Control totals.
c. Validity tests.
d. Process tracing data.
ANSWER:

62. On-line real-time systems and electronic data interchange systems have the advantages of providing more timely information and reducing the quantity of documents associated with less automated systems. The advantages, however, may create some problems for the auditor. Which of the following characteristics of these systems does not create an audit problem?
a. The lack of traditional documentation of transactions creates a need for greater attention to programmed controls at the point of transaction input.
b. Hard copy may not be retained by the client for long periods of time, thereby necessitating more frequent visits by the auditor.
c. Control testing may be more difficult given the increased vulnerability of the client's files to destruction during the testing process.
d. Consistent on-line processing of recurring data increases the incidence of errors.
ANSWER:

64. Which of the following controls would be most efficient in reducing common data input errors?
a. Keystroke verification.
b. A set of well-designed edit checks.
c. Balancing and reconciliation.
d. Batch totals.
ANSWER:

63. Creating simulated transactions that are processed through a system to generate results that are compared with predetermined results is an auditing procedure referred to as
a. Desk checking.
b. Use of test data.
c. Completing outstanding jobs.
d. Parallel simulation.
ANSWER:

65. To obtain evidential matter about control risk, an auditor ordinarily selects tests from a variety of techniques, including
a. Analysis.
b. Confirmations.
c. Reprocessing.
d. Comparison.
ANSWER:

66. To ensure that goods received are the same as those shown on the purchase invoice, a computerized system should:
a. Match selected fields of the purchase invoice to goods received.
b. Maintain control totals of inventory value.
c. Calculate batch totals for each input.
d. Use check digits in account numbers.
ANSWER:

68. A major exposure associated with the rapidly expanding use of microcomputers is the absence of:
a. Adequate size of main memory and disk storage.
b. Compatible operating systems.
c. Formalized procedures for purchase justification.
d. Physical, data file, and program security.
ANSWER:

67. Errors in data processed in a batch computer system may not be detected immediately because
a. Transaction trails in a batch system are available only for a limited period of time.
b. There are time delays in processing transactions in a batch system.
c. Errors in some transactions cause rejection of other transactions in the batch.
d. Random errors are more likely in a batch system than in an on-line system.
ANSWER:

69. Which of the following is a computer test made to ascertain whether a given characteristic belongs to the group?
a. Parity check.
b. Validity check.
c. Echo check.
d. Limit check.
ANSWER:

COMPLETION:
70. Although computerized data processing does not affect audit objectives, the auditor may need to modify the audit __________, given complex CBIS applications.
ANSWER: APPROACH

71. In a batch processing system transactions are processed in groups, whereas in a real-time system transactions are entered as they __________ and are processed as they are __________.
ANSWER: OCCUR, ENTERED

72. A distinguishing feature of integrated data base systems is that many files are updated __________ as transactions are processed.
ANSWER: SIMULTANEOUSLY

74. Although powerful in terms of __________, real-time systems are more __________ than batch processing systems.
ANSWER: INFORMATION CAPABILITY, COMPLEX

73. __________ systems, by eliminating the need to reenter data into the accounting system, reduce the incidence of processing errors; but, by reducing transaction documentation, these systems also require greater attention to proper controls over the __________ of transactions.
ANSWER: ELECTRONIC DATA INTERCHANGE, INPUT

75. Input controls, processing controls, and output controls are categories of __________ controls.
ANSWER: APPLICATION

76. Some entities require completing a __________ prior to transaction input, in order to ensure consistency and completeness of recurring inputs.
ANSWER: TRANSACTION LOG

77. Programmed controls for testing the validity of customer numbers, product numbers, employee numbers, and vendor numbers, as well as tests for reasonableness, are collectively referred to as __________ controls.
ANSWER: INPUT EDITING

80. In on-line real-time systems the most effective means for assuring limited access to data bases is by the use of properly controlled __________.
ANSWER: PASSWORDS

79. __________ are manual control procedures applied by organizational units whose data are processed by data processing.
ANSWER: USER CONTROLS

78. In a ____________ __________ system, users own their own data, whereas in _________ ______ systems, users share a single operating system housed in a central location.
ANSWER: FLAT FILE, MULTI-USER

MATCHING:
81. Indicate by letter whether each of the listed auditing
procedures is a general control test, an application control
test, or a substantive audit test.
G = General control test
A = Application control test
S = Substantive audit test
____1. The auditor utilizes the services of the firm's computer audit specialist to assist in testing controls over the electronic processing of customer remittances.

____2. In testing the sales processing set of controls, the auditor has designed a set of transactions that include unauthorized sales prices, invalid customer numbers, and lack of credit authorization.

____3. The auditor interviews the client's information systems manager to clear exceptions detected when the auditor reviewed data processing job descriptions for incompatible functions.

____4. The auditor confirmed a sample of customer accounts receivable to evaluate the correctness of year-end balances in customer accounts.

____5. Using generalized audit software, the auditor reprocessed a sample of the client's weekly payroll and compared the resulting output with the client's payroll summary for the same period.

____6. The auditor attempted to access the client's computerized data files using the passwords of terminated employees.

____7. By examining vendors' invoices supporting debits to the account Machinery and Equipment, the auditor was able to gain satisfaction as to the account balance at year end.

____8. The auditor examined authorizations and studied documentation relating to CBIS modifications made by the client during the year under audit.

____9. The auditor examined and tested the client's anti-virus software for effectiveness.

____10. The auditor examined printouts from network monitoring software and observed data input for proper functioning of protocol controls and data encryption.
SOLUTION:
1. A
2. A
3. G
4. S
5. A
6. G
7. S
8. G
9. G
10. G

PROBLEM/ESSAY:
82. For each of the following independent situations, identify the control weakness that permitted the error or fraud, and indicate how the weakness should be corrected.

A. In a computerized sales processing system, numerous pricing errors appeared on customer invoices.

B. Joshua Ness, a computer programmer for a bank, set up a demand deposit account in his name. He then wrote a program subroutine that automatically transferred funds from accounts that had shown no activity for at least three months to the newly-established account.

C. In a computerized payroll system, foremen, in collusion with employees, were able to inflate pay rates. In addition, terminated employees were retained on the payroll and the fraudulent checks were endorsed by a foreman or employee and deposited in his or her personal account.

D. After implementing a newly-designed EDI system with its vendors, Hilo Enterprises discovered numerous errors in type, pricing, and quantity of goods received versus goods ordered.

SOLUTION:
A. Computer did not verify selling prices. A master list of current sales prices should be housed in the computer and updated as prices change. The computer should then be programmed to price the invoices.

B. Ness was able to access data files for the purpose of establishing an unauthorized account. Programmers should not have access to data files except for testing and debugging programs. Moreover, formal authorization of new accounts should be a part of the internal control system.

C. The foremen were able to alter pay rates and retain terminated employees on the payroll. To correct this weakness, all new hires and terminations, as well as pay rate changes, should require authorization of the human resources department. A current master list of employee numbers and pay rates should then be housed in the computer, and the computer programmed to perform validity tests of rates and numbers as payrolls are processed.

D. Controls were not designed to prevent vendor errors. Protocol controls should be installed to detect and log errors; and the EDI hardware should include an echo check that returns messages from the vendor's computer to Hilo's computer to verify correctness of orders received by the vendor.
