Chapters 7&8

The auditors would most likely be concerned with which of the following controls in a distributed data processing system? Hardware controls. Systems documentation controls. Access controls. Disaster recovery controls.

Access controls.

The auditors would be least likely to use software to: Access client data files. Prepare spreadsheets. Assess computer control risk. Construct parallel simulations.

Assess computer control risk.

Which of the following is not ordinarily a procedure for documenting an auditor's understanding of internal control for planning purposes? Questionnaire. Flowchart. Confirmation. Checklist.

Confirmation.

When a CPA decides that the work performed by internal auditors may have an effect on the nature, timing, and extent of the CPA's procedures, the CPA should consider the competence and objectivity of the internal auditors. Relative to objectivity, the CPA should: Review the internal auditors' work. Consider the qualifications of the internal audit staff. Consider the organizational level to which the internal auditors report the results of their work. Review the training program in effect for the internal audit staff.

Consider the organizational level to which the internal auditors report the results of their work.

Effective internal control in a small company that has an insufficient number of employees to permit proper separation of responsibilities can be improved by: Employment of temporary personnel to aid in the separation of duties. Direct participation by the owner in key record keeping and control activities of the business. Engaging a CPA to perform monthly write-up work. Delegation of full, clear-cut responsibility for a separate major transaction cycle to each employee.

Direct participation by the owner in key record keeping and control activities of the business.

Which of the following is not an advantage of establishing an enterprise risk management system within an organization? Provides integrated responses to multiple risks. Reduces operational surprises. Eliminates all risks. Identifies opportunities.

Eliminates all risks.

To have an adequate basis to issue a management report on internal control under Section 404(a) of the Sarbanes-Oxley Act, management must do all of the following, except: Establish internal control with no material weakness. Accept responsibility for the effectiveness of internal control. Evaluate the effectiveness of internal control using suitable control criteria. Support the evaluation with sufficient evidence.

Establish internal control with no material weakness.

A primary objective of procedures performed to obtain an understanding of internal control is to provide the auditors with: Knowledge necessary to determine the nature, timing, and extent of further audit procedures. Audit evidence to use in reducing detection risk. A basis for modifying tests of controls. An evaluation of the consistency of application of management policies.

Knowledge necessary to determine the nature, timing, and extent of further audit procedures.

When an online real-time (OLRT) IT processing system is in use, internal control can be strengthened by: Providing for the separation of duties between data input and error handling operations. Attaching plastic file protection rings to reels of magnetic tape before new data can be entered on the file. Making a validity check of an identification number before a user can obtain access to the computer files. Preparing batch totals to provide assurance that file updates are made for the entire input.

Making a validity check of an identification number before a user can obtain access to the computer files.

An entity's ongoing monitoring activities often include: Periodic audits by internal auditors. The audit of the annual financial statements. Approval of cash disbursements. Management review of weekly performance reports.

Management review of weekly performance reports.

Which of the following is least likely to be considered by the auditors considering engagement of an information technology specialist on an audit? Complexity of the client's systems and IT controls. Number of financial institutions at which the client has accounts. Client's use of emerging technologies. Extent of the client's participation in electronic commerce.

Number of financial institutions at which the client has accounts.

End user computing is most likely to occur on which of the following types of computers? Mainframe. Decision support systems. Personal computers. Personal reference assistants.

Personal computers.

Controls over financial reporting are often classified as preventative, detective, or corrective. Which of the following is an example of a detective control? Segregation of duties over cash disbursements. Requiring approval of purchase transactions. Preparing bank reconciliations. Maintaining backup copies of key transactions.

Preparing bank reconciliations.

An auditor may compensate for a weakness in internal control by increasing the extent of: Tests of controls. Detection risk. Substantive tests of details. Inherent risk.

Substantive tests of details.

When the auditors are performing a first-time internal control audit in accordance with the Sarbanes-Oxley Act and PCAOB standards, they must: Modify their report for any significant deficiencies identified. Use a "bottom-up" approach to identify controls to test. Test controls for all significant accounts. Perform a separate assessment of controls over operations.

Test controls for all significant accounts.

Which of the following is an advantage of generalized audit software packages? They are all written in one identical computer language. They can be used for audits of clients that use differing computing equipment and file formats. They have reduced the need for the auditor to study input controls for computer related procedures. Their use can be substituted for a relatively large part of the required tests of controls.

They can be used for audits of clients that use differing computing equipment and file formats.

Which of the following symbols indicate that a file has been consulted?

Trapezoid --> triangle

The increased presence of user operated computers in the workplace has resulted in an increasing number of persons having access to the system. A control that is often used to prevent unauthorized access to sensitive programs is: Backup copies of data on diskettes. User identifications passwords. Input validation checks. Record counts of the number of input transactions in a batch being processed.

User identifications passwords.

Auditors often make use of computer programs that perform routine processing functions such as sorting and merging. These programs are made available by IT companies and others and are referred to as: Compiler programs. Utility programs. User programs. Supervisory programs.

Utility programs.

An auditor will use the computer test data method in order to gain assurances with respect to the: Security of data in a system. IT system capacity. Controls contained within a program. Degree of data entry accuracy for batch input data.

Controls contained within a program.

When erroneous data are detected by computer program controls, data may be excluded from processing and printed on an exception report. The exception report should probably be reviewed and followed up by the: Data control group. System analyst. Supervisor of IT operations. Computer programmer.

Data control group.

Which of the following would be least likely to be considered an objective of internal control? Encouraging adherence to managerial policies. Safeguarding assets. Checking the accuracy and reliability of accounting data. Detecting management fraud.

Detecting management fraud.

LAN is the abbreviation for: Large Area Network. Local Area Network. Longitudinal Analogue Network. Low Analytical Nets.

Local Area Network.

An accounts payable program posted a payable to a vendor not included in the online vendor master file. A control which would prevent this error is a: Validity check. Range check. Limit test. Control total.

Validity check.