ACCT 439 Chapter 8
12) Which of the following is a password security problem? A) Users are assigned (or select) passwords when accounts are created, but do not change them. B) Users have accounts on several systems with different passwords. C) Users copy their passwords on paper which is kept in their wallets. D) Users select passwords that are not listed in any online dictionary.
Answer: A
16) Various computing devices (e.g., desktops, laptops, tablets, phones) have resulted in a(n): A) Decentralization of data processing activities. B) Decreased concern over the accuracy of computerized processing. C) Decrease in the number of local area networks. D) Increase for general computer control activities.
Answer: A
22) Which of the following would be least likely to be considered a desirable attribute of a database management system? A) Data redundancy. B) Quick response to users' request for information. C) Control of users' identification numbers and passwords. D) Logging of terminal activity.
Answer: A
24) Which of the following testing techniques is more commonly used by internal auditors than by independent auditors? A) Integrated test facilities. B) Test data. C) Controlled programs. D) Tagging and tracing transactions.
Answer: A
26) When conducting fieldwork for a physical inventory, an auditor is least likely to perform which of the following steps using a generalized audit software package? A) Observing inventory. B) Selecting sample items of inventory. C) Analyzing data resulting from inventory. D) Recalculating balances in inventory reports.
Answer: A
31) Which of the following personnel is responsible for the proper functioning of the security features built into the operating system? A) The systems programmer. B) The application programmer. C) The computer operator. D) The telecommunications specialist.
Answer: A
33) Which of the following is not programmed as a processing control? A) Private lines. B) Validity tests. C) Self-checking numbers. D) Limit tests.
Answer: A
37) A data warehouse is an example of: A) Online analytical processing. B) Online transaction processing. C) Essential information batch processing. D) Decentralized processing.
Answer: A
43) Auditing by testing the input and output of a computer system instead of the computer program itself will: A) Not detect program errors which do not show up in the output sampled. B) Detect all program errors, regardless of the nature of the output. C) Provide the auditors with the same type of evidence. D) Not provide the auditors with the confidence in the results of the auditing procedures.
Answer: A
55) In the weekly computer run to prepare payroll checks, a check was printed for an employee who had been terminated the previous week. Which of the following controls, if properly utilized, would have been most effective in preventing the error or ensuing its prompt detection? A) A control total for hours worked, prepared from time cards collected by the timekeeping department. B) Requiring the treasurer's office to account for the numbers of the prenumbered checks issued to the computer department for the processing of the payroll. C) Use of a check digit for employee numbers. D) Use of a header label for the payroll input sheet.
Answer: A
58) The capability for computers to communicate with various electronic devices is an important feature in the design of modern business information systems. Which of the following risks associated with the use of telecommunications systems is minimized through the use of a password control system? A) Unauthorized access to system program and data files. B) Unauthorized physical availability of remote terminals. C) Physical destruction of system program and data files. D) Physical destruction of electronic devices.
Answer: A
61) The individual with whom an auditor would be most likely to discuss specific access controls within a client's relational database management system is the A) Database administrator. B) Controller. C) Systems analyst. D) Systems librarian.
Answer: A
62) Which of the following is not a problem associated with the use of test data for computer-audit purposes? A) Auditing through the computer is more difficult than auditing around the computer. B) It is difficult to design test data that incorporate all potential variations in transactions. C) Test data may be commingled with live data causing operating problems for the client. D) The program with which the test data are processed may differ from the one used in actual operations.
Answer: A
67) Encryption protection is least likely to be used in which of the following situations? A) When transactions are transmitted over local area networks. B) When wire transfers are made between banks. C) When confidential data are sent over the Internet. D) When financial data are sent over dedicated leased lines.
Answer: A
68) A fast-growing service company is developing its information technology internally. What is the first step in the company's systems development life cycle? A) Analysis. B) Implementation. C) Testing. D) Design.
Answer: A
20) Which of the following would not generally be considered a program control? A) Limit tests. B) Segregation of duties controls. C) Allowed character tests. D) Missing data tests.
Answer: B
21) Substantive procedures that cannot be performed with generalized audit software include: A) Performing certain analytical procedures, such as inventory turnover. B) Observing inventory. C) Recomputing depreciation. D) Selecting audit samples.
Answer: B
23) A problem for a CPA associated with advanced IT systems is that: A) The audit trail normally does not exist. B) The audit trail is sometimes generated only in machine readable form. C) The client's internal auditors may have been involved at the design stage. D) Tests of controls are not possible.
Answer: B
25) General controls over IT systems are typically tested using: A) Generalized audit software. B) Observation, inspection, and inquiry. C) Program analysis techniques. D) Test data.
Answer: B
30) The best method of achieving internal control over advanced IT systems is through the use of: A) Batch controls. B) Controls written into the computer system. C) Equipment controls. D) Documentation controls.
Answer: B
34) A system in which each department member is responsible for the development and execution of the computer application that he or she uses is referred to as: A) Stand-alone computing. B) End user computing. C) Distributed computing. D) Decentralized computing.
Answer: B
35) In a client/server environment, the "client" is most likely to be the: A) Supplier of the computer system. B) Computers of various users. C) Computer that contains the networks software and provides services to a server. D) Database administrator.
Answer: B
36) When designing the physical layout of a data processing center, which of the following would be least likely to be a necessary control that is considered? A) Design of controls to restrict access. B) Adequate physical layout space for the operating system. C) Inclusions of an adequate power supply system with surge protection. D) Consideration of risks related to other uses of electricity in the area.
Answer: B
38) An example of an access control is a: A) Check digit. B) Password. C) Test facility. D) Read only memory.
Answer: B
44) If a control total were to be computed on each of the following data items, which would best be identified as a hash total for a payroll computer application? A) Net pay. B) Department numbers. C) Hours worked. D) Total debits and total credits.
Answer: B
45) Smith Corporation has numerous customers. Customer files are kept on disk storage. Each account in the customer file contains name, address, credit limit, and account balance. The auditor wishes to test these files to determine whether credit limits are being exceeded. The best procedure for the auditor to follow would be to: A) Use generalized audit software to develop test data that would cause some account balance to exceed the credit limit and determine if the system properly detects such situations. B) Use generalized audit software to compare credit limits with account balances and print out the details of any account with a balance exceeding its credit limit. C) Require a printout of all account balances so they can be manually checked against the credit limits. D) Request a printout of a sample of account balances so they can be individually checked against the credit limits.
Answer: B
46) In their consideration of a client's IT controls, the auditors will encounter general controls and application controls. Which of the following is an application control? A) The operations manual. B) Hash total. C) Systems documentation. D) Control over program changes.
Answer: B
50) A control feature in a computer application program that involves comparing a customer number to the customer database: A) Limit test. B) Validity test. C) Authorization test. D) Check digit test.
Answer: B
52) The completeness of computer generated sales figures can be tested by comparing the number of items listed on the daily sales report with the number of items billed on the actual invoices. This process uses: A) Self-checking numbers. B) Control totals. C) Validity tests. D) Process tracing data.
Answer: B
56) A company's labor distribution report requires extensive corrections each month because of labor hours charged to inactive jobs. Which of the following data processing input controls appears to be missing? A) Completeness test. B) Validity test. C) Limit test. D) Control total.
Answer: B
65) A bank wants to reject erroneous account numbers to avoid invalid input. Management of the bank was told that there is a method that involves adding another number at the end of the account numbers and subjecting the other numbers to an algorithm to compare with the extra numbers. What technique is this? A) Optical character recognition (OCR) software. B) Check digit. C) Validity check. D) Field (format) check.
Answer: B
66) Because log-on procedures may be cumbersome and tedious, users often store log-on sequences in their personal computers and invoke them when they want to use mainframe facilities. A risk of this practice is that A) Personal computers become much more likely to be physically stolen. B) Anyone with access to the personal computers could log on to the mainframe. C) Backup procedures for data files would not be as effective. D) Users with inadequate training would make more mistakes.
Answer: B
69) Which of the following terms best describes a payroll system? A) Database management system (DBMS). B) Transaction processing system (TPS). C) Decision support system (DSS). D) Enterprise resource planning (ERP) system.
Answer: B
13) Which of the following components may not use a network as part of the information systems architecture? A) The operating system. B) Printers. C) Off-the-shelf accounting software. D) Enterprise resource planning (ERP) systems.
Answer: C
15) Which of the following computer related employees should not be allowed access to program listings of application programs? A) The systems analyst. B) The programmer. C) The operator. D) The librarian.
Answer: C
17) Which of the following is most likely to include user group development and execution of certain computer applications? A) Telecommunication transmission systems. B) Database administration. C) End user computing. D) Electronic data interchange systems.
Answer: C
18) A network security system that monitors and controls the incoming and outgoing network access and data based on predetermined security criteria is referred to as a A) cloud approach. B) method of data encryption. C) firewall. D) test data approach.
Answer: C
19) Which of the following is an example of general computer control? A) Input validation checks. B) Control total. C) Firewalls. D) Self-checking numbers.
Answer: C
27) Which of the following personnel is responsible for determining the computer processing needs of the various users? A) The application programmer. B) The computer operator. C) The systems analyst. D) The systems programmer.
Answer: C
28) Which of the following testing techniques minimizes the possibility that the auditors will contaminate a client's financial records? A) Test data. B) Integrated test facilities. C) Controlled programs. D) Tagging and tracing transactions.
Answer: C
29) Which of the following is not a distinctive characteristic of advanced IT systems? A) Data communication. B) Integrated database. C) Batch processing of transactions. D) Distributive data processing.
Answer: C
39) End user computing is most likely to occur on which of the following types of computers? A) Mainframe. B) Relational databased computers. C) Personal computers, tablets and other such devices. D) Personal reference assistants.
Answer: C
40) The auditors are least likely to "audit around the computer" when: A) Input transactions are batched and system logic is straightforward. B) Processing primarily consists of sorting the input data and updating the master file sequentially. C) Processing is primarily online and updating is real-time. D) Outputs are in hard copy form.
Answer: C
41) Software that is designed to disable or damage computer systems or data is referred to as: A) Improper programming intelligence. B) Cloud. C) Malware. D) Malfeasance.
Answer: C
42) Usernames, passwords, and identity cards are examples approaches to: A) Processing controls. B) Manual input controls. C) Authorization. D) Firewalls.
Answer: C
47) When erroneous data are detected by computer program controls, such data may be excluded from processing and printed on an exception report. The exception report should most probably be reviewed and followed up on by the: A) Supervisor of computer operations. B) Systems analyst. C) Data control group. D) Computer programmer.
Answer: C
48) A system in which hardware and software are not only linked together, but are also very dependent upon each other is referred to as: A) A system with weak internal control. B) Equipment combination. C) Tightly coupled. D) Offline development.
Answer: C
53) An audit client outsources portions of its IT system to a cloud service provider. Which type of report would a report on management's description of the service organizations system and operating effectiveness of controls? A) Change request report. B) Type 1 report. C) Type 2 report. D) OE report.
Answer: C
63) Which of the following employees normally would be assigned the operating responsibility for designing the information system? A) Computer programmer. B) Data processing manager. C) Systems analyst. D) Internal auditor.
Answer: C
64) A computer input control is designed to ensure that A) Machine processing is accurate. B) Only authorized personnel have access to the computer area. C) Data received for processing are properly authorized and converted to machine-readable form. D) Computer processing has been performed as intended for the particular application.
Answer: C
71) When a client's accounts payable computer system was relocated, the administrator provided support through an Internet connection to a server. Subsequently, the administrator left the company. No changes were made to the accounts payable system at that time. Which of the following situations represents the greatest security risk? A) User passwords are not required to be in alphanumeric format. B) Management procedures for user accounts are not documented. C) User accounts are not removed upon termination of employees. D) Security logs are not periodically reviewed for violations.
Answer: C
11) Which of the following procedures would an entity most likely include in its disaster recovery plan? A) Convert all data from external formats to an internal company format. B) Maintain a program to prevent illegal activity. C) Develop an auxiliary power supply to provide uninterrupted electricity. D) Store duplicate copies of files in a location away from the computer center.
Answer: D
14) Which of the following is least likely to be a general control over computer activities? A) Procedures for developing new programs and systems. B) Requirements for system documentation. C) A change request log. D) A validity test.
Answer: D
32) Which of the following is not a data communication control? A) Data encryption. B) Parity check. C) Message acknowledgment techniques. D) Distributed data processing.
Answer: D
49) An auditor may decide not to perform tests of controls related to the control activities within the computer portion of the client's internal control. Which of the following would not be a valid reason for choosing to omit such test? A) The controls duplicate operative controls existing elsewhere. B) There appear to be major weaknesses that would preclude reliance on the stated procedure. C) The time and dollar costs of testing exceed the time and dollar savings in substantive testing if the tests show the controls to be operative. D) The controls appear adequate.
Answer: D
51) Which of the following constitutes a weakness in the internal control of a computer system? A) One generation of backup files is stored in an off-premises location. B) Operators distribute error messages to the control group. C) Operators do not have access to the complete systems manual. D) Operators are supervised by programmers.
Answer: D
54) Which of the following is likely to be of least importance to an auditor in considering the internal control in a company with computer processing? A) The segregation of duties within the computer center. B) The control over source documents. C) The documentation maintained for accounting applications. D) The cost/benefit of data processing operations.
Answer: D
57) Passwords are designed primarily to prevent: A) Inaccurate processing of data. B) Unauthorized access to personal computer. C) Inaccurate dating of transactions. D) Unauthorized access to the system.
Answer: D
59) Consider the following computer applications: (1) At a catalog sales firm, as phone orders are entered into their computer, both inventory and credit are immediately checked. (2) A manufacturer's computer sends the coming week's production schedule and parts orders to a supplier's computer. Which statement below is true for these applications? A) Both applications are examples of EDI. B) Both applications are examples of online real-time processing. C) The first application is an example of EDI and the second is an example of online real-time. D) The first application is an example of online real-time and the second is an example of EDI.
Answer: D
60) An auditor anticipates assessing control risk at a low level in a computerized environment. Under these circumstances, on which of the following controls would the auditor initially focus? A) Programmed controls. B) Application controls. C) Output controls. D) General controls.
Answer: D
70) Entities doing business on the Internet generally use any of the following methods to prevent unauthorized intruders from accessing proprietary information except: A) Password management. B) Data encryption. C) Biometric identifiers. D) Batch processing.
Answer: D
72) Which of the following statements presents an example of a general control for a computerized system? A) Limiting entry of sales transactions to only valid credit customers. B) Creating hash totals from Social Security numbers for the weekly payroll. C) Restricting entry of accounts payable transactions to only authorized users. D) Restricting access to the computer center by use of biometric devices.
Answer: D