Ch 8 Consideration of Internal Control in an Information Technology Environment
The operating system is an example of system software
True
In the weekly computer run to prepare payroll checks, a check was printed for an employee who had been terminated the previous week. Which of the following controls, if properly utilized, would have been most effective in preventing the error or ensuring its prompt detection? A. A control total for hours worked, prepared from time cards collected by the timekeeping department B. Requiring the treasurer's office to account for the numbers of the prenumbered checks issued to the computer department for the processing of the payroll C. Use of a check digit for employee numbers D. Use of a header label for the payroll input sheet
A. A control total for hours worked, prepared from time cards collected by the timekeeping department
Which of the following would be least likely to be considered a desirable attribute of a database management system? A. Data redundancy B. Quick response to users' request for information C. Control of users' identification numbers and passwords D. Logging of terminal activity
A. Data redundancy
Small computers (e.g., desktops, laptops, tablets) have resulted in a(n): A. Decentralization of data processing activities B. Decreased concern over the accuracy of computerized processing C. Decrease in the number of local area networks D. Increase for general computer control activities
A. Decentralization of data processing activities
A control feature in a computer system requires the central processing unit (CPU) to send signals to the printer to activate the print mechanism for each character. The print mechanism, just prior to printing, sends a signal back to the CPU verifying that the proper print position has been activated. This type of data transmission is referred to as: A. Echo control B. Validity control C. Signal control D. Check digit control
A. Echo control
Which of the following testing techniques is more commonly used by internal auditors than by independent auditors? A. Integrated test facilities B. Test data C. Controlled programs D. Tagging and tracing transactions
A. Integrated test facilities
Auditing by testing the input and output of a computer system instead of the computer program itself will: A. Not detect program errors which do not show up in the output sampled B. Detect all program errors, regardless of the nature of the output C. Provide the auditors with the same type of evidence D. Not provide the auditors with the confidence in the results of the auditing procedures
A. Not detect program errors which do not show in the output sampled
When conducting fieldwork for a physical inventory, an auditor cannot perform which of the following steps using a generalized audit software package? A. Observing inventory B. Selecting sample items of inventory C. Analyzing data resulting from inventory D. Recalculating balances in inventory reports
A. Observing inventory
A data warehouse is an example of A. Online analytical processing B. Online transaction processing C. Essential information batch processing D. Decentralized processing
A. Online analytical processing
Which of the following is not programmed as a processing control? A. Private lines B. Validity tests C. Self-checking numbers D. Limit test
A. Private lines
Which of the following is a software component of a computer system? A. The operating system B. The storage unit C. The display monitor D. The optical scanner
A. The operating system
Which of the following personnel is responsible for the proper function of the security features built into the operating system? A. The systems programmer B. The application programmer C. The computer operator D. The telecommunications specialist
A. The systems programmer
The capability for computers to communicate with physically remote terminals is an important feature in the design of modern business information systems. Which of the following risks associated with the use of telecommunications systems is minimized through the use of a password control system? A. Unauthorized access to system program and data files B. Unauthorized physical availability of remote terminals C. Physical destruction of system program and data files D. Physical destruction of remote terminals
A. Unauthorized access to system program and data files
Which of the following is a password security problem? A. Users are assigned passwords when accounts are created, but do not change them B. Users have accounts on several systems with different passwords C. Users copy their passwords on note paper, which is kept in their wallets D. Users select passwords that are not listed in any online dictionary
A. Users are assigned passwords when accounts are created, but do not change them
When designing the physical layout of a data processing center, which of the following would be least likely to be a necessary control that is considered? A. Design of controls to restrict access B. Adequate physical layout space for the operating system C. Inclusion of an adequate power supply with surge protectors D. Consideration of risks related to other uses of electricity in the area
B. Adequate physical layout space for the operating system
In a client/server environment, the "client" is most likely to be the A. Supplier of the computer system B. Computers of various users C. Computer that contains the networks software and provides services to a server D. Database administrator
B. Computers of various users
The completeness of computer generated sales figures can be tested by comparing the number of items listed on the daily sales report with the number of items billed on the actual invoices. This process uses: A. Self-checking numbers B. Control totals C. Validity tests D. Process tracing data
B. Control totals
The best method of achieving internal control over advanced IT systems is through the use of A. Batch controls B. Controls written into the computer system C. Equipment controls D. Documentation controls
B. Controls written into the computer system
If a control total were to be computed on each of the following data items, which would best be identified as a hash total for a payroll computer application? A. Net pay B. Department numbers C. Hours worked D. Total debits and total credits
B. Department numbers
Smith Corporation has numerous customers. Customer files are kept on disk storage. Each account in the customer file contains name, address, credit limit, and account balance. The auditor wishes to test these files to determine whether credit limits are being exceeded. The best procedure for the auditor to follow would be to: A. Develop test data that would cause some account balances to exceed the credit limit and determine if the system properly detects such situations B. Develop a program to compare credit limits with account balances and print out the details of any account with a balance exceeding its credit limit C. Require a printout of all account balances so they can be manually checked against the credit limits D. Request a printout of a sample of account balances so they can be individually checked against the credit limits
B. Develop a program to compare credit limits with account balances and print out the details of any account with a balance exceeding its credit limit
A system in which the end user is responsible for the development and execution of the computer application that he or she uses is referred to as: A. Laptop computing B. End User computing C. Distributed computing D. Decentralized computing
B. End user computing
In their consideration of a client's IT controls, the auditors will encounter general controls and application controls. Which of the following is an application control? A. The operations manual B. Hash total C. Systems documentation D. Control over program changes
B. Hash total
General controls over IT systems are typically tested using A. Generalized audit software B. Observation, inspection, and inquiry C. Program analysis techniques D. Test data
B. Observation, inspection and inquiry
An example of an access control is a A. Check digit B. Password C. Test facility D. Read only memory
B. Password
Which of the following would the auditors consider to be a weakness in an IT system? A. Operations have access to terminals B. Programmers are allowed access to the file library C. Reprocessing of exceptions detected by the computer is handled by a data control group D. More than one employee is present when the computer facility is in use
B. Programmers are allowed access to the file library
A problem for a CPA associated with advanced IT systems is that A. The audit trail normally does not exist B. The audit trail is sometimes generated only in machine readable form C. The client's internal auditors may have been involved at the design stage D. Tests of controls are not possible
B. The audit trail is sometimes generated only in machine readable form
A company's labor distribution report requires extensive corrections each month because of labor hours charged to inactive jobs. Which of the following data processing input controls appears to be missing? A. Completeness test B. Validity test C. Limit test D. Control total
B. Validity test
Which of the following is not a distinctive characteristic of advanced IT systems? A. Data communication B. Integrated database C. Batch processing of transactions D. Distributive data processing
C. Batch processing of transactions
Parallel simulation programs used by the auditors for testing programs: A. Must simulate all functions of the production computer-application system B. Cannot be developed with the aid of generalized audit software C. Can use live data or test data D. Is generally restricted to data base environments
C. Can use live data or test data
Which of the following testing techniques minimizes the possibility that the auditors will contaminate a client's financial records? A. Test data B. Integrated test facilities C. Controlled programs D. Tagging and tracing transactions
C. Controlled programs
When erroneous data are detected by computer program controls, such data may be excluded from processing and printed on an exception report. The exception report should most probably be reviewed and followed up on by the: A. Supervisor of computer operations B. Systems analyst C. Data control group D. Computer programmer
C. Data control group
Which of the following is most likely to include user group development and execution of certain computer applications? A. Telecommunication transmission systems B. Database administration C. End User computing D. Electronic data interchange systems
C. End user computing
Which of the following is not a data transmission control? A. Echo checks B. Data encryption C. File labels D. Parity checks
C. File labels
Which of the following computer system risks would be increased by the installation of a database system? A. Programming errors B. Data entry errors C. Improper data access D. Loss of power
C. Improper data access
Internal control is ineffective when computer department personnel: A. Participate in computer software acquisition decisions B. Design documentation for computerized systems C. Originate changes in master files D. Provide physical security for program files
C. Originate changes in master files
End user computing is most likely to occur on which of the following types of computers? A. Mainframe B. Macrocomputers C. Personal computers D. Personal reference assistants
C. Personal computers
Auditing through the computer is most likely to be used when: A. Input transactions are batched and system logic is straightforward B. Processing primarily consists of sorting the input data and updating the master file sequentially C. Processing is primarily online and updating is real-time D. Outputs are in hard copy form
C. Processing is primarily online and updating is real-time
The purpose of using generalized computer programs is to test and analyze a client's computer: A. Systems B. Equipment C. Records D. Processing tape
C. Records
Which of the following computer related employees should not be allowed access to program listings of application programs? A. The systems analyst B. The programmer C. The operator D. The librarian
C. The operator
Which of the following personnel is responsible for determining the computer processing needs of the various users? A. The application programmer B. The computer operator C. The systems analyst D. The systems programmer
C. The systems analyst
Which of the following is least likely to be tested with generalized audit software? A. An aging of accounts receivable B. A schedule of inventory C. A depreciation schedule D. A computer operations manual
D. A computer operations manual
Which of the following is least likely to be a general control over computer activities? A. Procedures for developing new programs and systems B. Requirements for system documentation C. A change request log D. A control list
D. A control list
General controls include: A. Procedures for developing new programs and systems B. Requirements for system documentation C. A change request log D. All of the above
D. All of the above
Which of the following is not a data transmission control? A. Data encryption B. Parity check C. Message acknowledgment techniques D. Distributed data processing
D. Distributed data processing
Which of the following constitutes a weakness in the internal control of a computer system? A. One generation of backup files is stored in an off-premises location B. Machine operators distribute error messages to the control group C. Machine operators do not have access to the complete systems manual D. Machine operators are supervised by the programmer
D. Machine operators are supervised by the programmer
Which of the following is an example of a general computer control? A. Input validation checks B. Control total C. Operations manual D. Generalized audit software
D. Operations manual
Which of the following procedures would an entity most likely include in its disaster recovery plan? A. Convert all data from external formats to an internal company format B. Maintain a program to prevent illegal activity C. Develop an auxiliary power supply to provide uninterrupted electricity D. Store duplicate copies of files in a location away from the computer center
D. Store duplicate copies of files in a location away from the computer center
An auditor may decide not to perform tests of controls related to control activities within the computer portion of the client's internal control. Which of the following would not be a valid reason for choosing to omit such tests? A. The controls duplicate operative controls existing elsewhere B. There appear to be major weaknesses that would preclude reliance on the stated procedure C. The time and dollar costs of testing exceed the time and dollar savings in substantive testing if the tests show the controls to be operative D. The controls appear adequate
D. The controls appear adequate
Which of the following is likely to be of least importance to an auditor in considering the internal control in a company with computer processing? A. The segregation of duties within the computer center B. The control over source documents C. The documentation maintained for accounting applications D. The cost/benefit of data processing operations
D. The cost/benefit of data processing operations
Passwords for microcomputer software programs are designed to prevent: A. Inaccurate access to the computer B. Unauthorized access to the computer C. Incomplete updating of data files D. Unauthorized use of the software
D. Unauthorized use of the software
Auditors usually begin their consideration of IT systems with tests of application controls
False
Distributive data processing eliminates the need for data security
False
For good internal control, programmers should not be given access to complete program documentation for the programs they work on.
False
Internal file labels are designed to prevent errors by programmers
False
Magnetic tape drives have the advantage of direct access to stored data
False
Most advanced computer systems do not have audit trails
False
For auxiliary storage when the computer is operating, personal computers use hard disk drives
True
Generalized audit software may be used for substantive tests or for tests of controls
True
Data encryption is an example of a data transmission control
True