The document discusses various types of controls for computerized accounting systems including preventive, detective, application, and general controls. It also provides examples of audit procedures that can be used when auditing computerized systems.

The main types of controls discussed are preventive controls, detective controls, application controls, and general controls.

An example of auditing 'around' the computer provided is tracing adding machine tapes of sales order batch totals to a computer printout of the sales journal.

NATIONAL UNIVERSITY

College of Business and Accountancy

1st term, S.Y. 2019-2020

AUDCIS MIDTERM EXAM

Name: ______________________________________ Section: _________________ Score: ___________

1. Which of the following is likely to be of least importance to an auditor in reviewing the internal control in a company with a CBIS?
a. The segregation of duties within the data processing center.
b. The control over source documents
c. The documentation maintained for accounting applications.
d. The cost/benefit ratio of data processing operations

2. For the accounting system of Acme Company, the amounts of cash disbursements entered into a CBIS terminal are transmitted to the computer that immediately transmits the amounts back to the terminal for display on the terminal screen. This display enables the operator to
a. Establish the validity of the account number
b. Verify the amount was entered accurately
c. Verify the authorization of the disbursement
d. Prevent the overpayment of the account

3. Which of the following audit techniques most likely would provide an auditor with the most assurance about the effectiveness of the
operation of an internal control procedure?
a. Inquiry of client personnel
b. Recomputation of account balance amounts
c. Observation of client personnel
d. Confirmation with outside parties

4. Adequate technical training and proficiency as an auditor encompasses an ability to understand a CBIS sufficiently to identify and
evaluate
a. The processing and imparting of information
b. Essential accounting control features
c. All accounting control features
d. The degree to which programming conforms with application of generally accepted accounting principles.

5. Which of the following is not a major reason why an accounting audit trail should be maintained for a computer system?
a. Query answering
b. Deterrent to fraud
c. Monitoring purposes
d. Analytical review

6. Adequate control over access to data processing is required to
a. Prevent improper use or manipulation of data files and programs
b. Ensure that only console operators have access to program documentation
c. Minimize the need for backup data files
d. Ensure that hardware controls are operating effectively and as designed by the computer manufacturer

7. When testing a computerized accounting system, which of the following is not true of the test data approach?
a. The test data need consist of only those valid and invalid conditions in which the auditor is interested
b. Only one transaction of each type need be tested
c. Test data are processed by the client's computer programs under the auditor's control
d. The test data must consist of all possible valid and invalid conditions

8. In studying a client's internal controls, an auditor must be able to distinguish between prevention controls and detection controls.
Of the following data processing controls, which is the best detection control?
a. Use of data encryption techniques
b. Review of machine utilization logs
c. Policy requiring password security
d. Backup and recovery procedure

9. Which of the following procedures is an example of auditing "around" the computer?
a. The auditor traces adding machine tapes of sales order batch totals to a computer printout of the sales journal
b. The auditor develops a set of hypothetical sales transactions and, using the client's computer program, enters the transactions into
the system and observes the processing flow
c. The auditor enters hypothetical transactions into the client's processing system during client processing of "live" data
d. The auditor observes client personnel as they process the biweekly payroll. The auditor is primarily concerned with computer
rejection of data that fails to meet reasonableness limits

10. Auditing by testing the input and output of a computer-based system instead of the computer program itself will
a. Not detect program errors which do not show up in the output sampled
b. Detect all program errors, regardless of the nature of the output
c. Provide the auditor with the same type of evidence
d. Not provide the auditor with confidence in the results of the auditing procedures

11. Which of the following is an acknowledged risk of using test data when auditing CBIS records?
a. The test data may not include all possible types of transactions
b. The computer may not process a simulated transaction in the same way it would an identical actual transaction
c. The method cannot be used with simulated master records
d. Test data may be useful in verifying the correctness of account balances, but not in determining the presence of processing
controls

12. When the auditor encounters sophisticated computer-based systems, he or she may need to modify the audit approach. Of the
following conditions, which one is not a valid reason for modifying the audit approach?
a. More advanced computer systems produce less documentation, thus reducing the visibility of the audit trail
b. In complex computer-based systems, computer verification of data at the point of input replaces the manual verification found in less sophisticated data processing systems
c. Integrated data processing has replaced the more traditional separation of duties that existed in manual and batch processing
systems.
d. Real-time processing of transactions has enabled the auditor to concentrate less on the completeness assertion

13. If a control total were to be computed on each of the following data items, which would best be identified as a hash total for a payroll
CBIS application?
a. Net pay
b. Department numbers
c. Hours worked
d. Total debits and total credits

14. In a distributed data base (DDB) environment, control tests for access control administration can be designed which focus on
a. Reconciliation of batch control totals
b. Examination of logged activity
c. Prohibition of random access
d. Analysis of system generated core dumps

15. A control to verify that the dollar amounts for all debits and credits for incoming transactions are posted to a receivables master file
is the:
a. Generation number check
b. Master reference check
c. Hash total
d. Control total

16. The program flowcharting symbol representing a decision is a
a. Triangle
b. Circle
c. Rectangle
d. Diamond

17. An update program for bank account balances calculates check digits for account numbers. This is an example of
a. An input control
b. A file management control
c. Access control
d. An output control

18. CBIS controls are frequently classified as to general controls and application controls. Which of the following is an example of an
application control?
a. Programmers may access the computer only for testing and "debugging" programs
b. All program changes must be fully documented and approved by the information systems manager and the user department
authorizing the change
c. A separate data control group is responsible for distributing output, and also compares input and output on a test basis
d. In processing sales orders, the computer compares customer and product numbers with internally stored lists

19. After a preliminary phase of the review of a client's CBIS controls, an auditor may decide not to perform further tests related to the
control procedures within the CBIS portion of the client's internal control system. Which of the following would not be a valid reason
for choosing to omit further testing?
a. The auditor wishes to further reduce assessed risk
b. The controls duplicate operative controls existing elsewhere in the system
c. There appear to be major weaknesses that would preclude reliance on the stated procedures
d. The time and dollar costs of testing exceed the time and dollar savings in substantive testing if the controls are tested for
compliance

20. For good internal control over computer program changes, a policy should be established requiring that
a. The programmer designing the change adequately test the revised program
b. All program changes be supervised by the CBIS control group
c. Superseded portions of programs be deleted from the program run manual to avoid confusion
d. All proposed changes be approved in writing by a responsible individual.

21. Which of the following is not a technique for testing data processing controls?
a. The auditor develops a set of payroll test data that contain numerous errors. The auditor plans to enter these transactions into the
client's system and observe whether the computer detects and properly responds to the error conditions
b. The auditor utilizes the computer to randomly select customer accounts for confirmation
c. The auditor creates a set of fictitious customer accounts and introduces hypothetical sales transactions, as well as sales returns and
allowances, simultaneously with the client's live data processing
d. At the auditor's request, the client has modified its payroll processing program so as to separately record any weekly payroll entry
consisting of 60 hours or more. These separately recorded ("marked") entries are locked into the system and are available only to
the auditor

22. Which of the following would lessen internal control in a CBIS?
a. The computer librarian maintains custody of computer program instructions and detailed listings
b. Computer operators have access to operator instructions and detailed program listings
c. The control group is solely responsible for the distribution of all computer output
d. Computer programmers write and debug programs which perform routines designed by the systems analyst

23. Access control in an on-line CBIS can best be provided in most circumstances by
a. An adequate librarianship function controlling access to files
b. A label affixed to the outside of a file medium holder that identifies the contents
c. Batch processing of all input through a centralized, well-guarded facility
d. User and terminal identification controls, such as passwords

24. While entering data into a cash receipts transaction file, an employee transposed two numbers in a customer code. Which of the
following controls could prevent input of this type of error?
a. Sequence check
b. Record check
c. Self-checking digit
d. Field-size check

25. What is the computer process called when data processing is performed concurrently with a particular activity and the results are
available soon enough to influence the particular course of action being taken or the decision being made?
a. Batch processing
b. Real time processing
c. Integrated data processing
d. Random access processing

26. Which statement is incorrect regarding personal computer configurations?
a. The stand-alone workstation can be operated by a single user or a number of users at different times accessing the same or
different programs.
b. A stand-alone workstation may be referred to as a distributed system.
c. A local area network is an arrangement where two or more personal computers are linked together through the use of special
software and communication lines.
d. Personal computers can be linked to servers and used as part of such systems, for example, as an intelligent on-line workstation or
as part of a distributed accounting system.

27. Which of the following is the least likely characteristic of personal computers?
a. They are small enough to be transportable.
b. They are relatively expensive.
c. They can be placed in operation quickly.
d. The operating system software is less comprehensive than that found in larger computer environments.

28. Which of the following is an inherent characteristic of a software package?
a. They are typically used without modifications of the programs.
b. The programs are tailor-made according to the specific needs of the user.
c. They are developed by the software manufacturer according to a particular user's specifications.
d. They take a longer time to implement.

29. Which of the following is not normally a removable storage medium?
a. Compact disk
b. Tapes
c. Diskettes
d. Hard disk

30. It is a computer program (a block of executable code) that attaches itself to a legitimate program or data file and uses itself as a
transport mechanism to reproduce itself without the knowledge of the user.
a. Virus
b. System management program
c. Utility program
d. Encryption

31. Which statement is incorrect regarding internal control in a personal computer environment?
a. Generally, the CIS environment in which personal computers are used is less structured than a centrally-controlled CIS
environment.
b. Controls over the system development process and operations may not be viewed by the developer, the user or management as
being as important or cost-effective.
c. In almost all commercially available operating systems, the built-in security provided has gradually increased over the years.
d. In a typical personal computer environment, the distinction between general CIS controls and CIS application controls is easily
ascertained.

32. Personal computers are susceptible to theft, physical damage, unauthorized access or misuse of equipment. Which of the following is least likely a physical security measure to restrict access to personal computers when not in use?
a. Using door locks or other security protection during non-business hours.
b. Fastening the personal computer to a table using security cables.
c. Locking the personal computer in a protective cabinet or shell.
d. Using anti-virus software programs.

33. Which of the following is not likely a control over removable storage media to prevent misplacement, alteration without authorization
or destruction?
a. Using cryptography, which is the process of transforming programs and information into an unintelligible form.
b. Placing responsibility for such media under personnel whose responsibilities include duties of software custodians or librarians.
c. Using a program and data file check-in and check-out system and locking the designated storage locations.
d. Keeping current copies of diskettes, compact disks or back-up tapes and hard disks in a fireproof container, either on-site, off-site
or both.

34. Which of the following least likely protects critical and sensitive information from unauthorized access in a personal computer
environment?
a. Using secret file names and hiding the files.
b. Keeping backup copies offsite.
c. Employing passwords.
d. Segregating data into files organized under separate file directories.

35. It refers to plans made by the entity to obtain access to comparable hardware, software and data in the event of their failure, loss or
destruction.
a. Back-up
b. Encryption
c. Anti-virus
d. Wide Area Network (WAN)

36. For the accounting system of ACME Company, the amounts of cash disbursements entered into an EDP terminal are transmitted to
the computer that immediately transmits the amounts back to the terminal for display on the terminal screen. This display enables
the operator to
a. Establish the validity of the account number
b. Verify the amount was entered accurately
c. Verify the authorization of the disbursements
d. Prevent the overpayment of the account

37. When EDP programs or files can be accessed from terminals, users should be required to enter a(an)
a. Parity check
b. Self-diagnostic test
c. Personal identification code
d. Echo check

38. The possibility of erasing a large amount of information stored on magnetic tape most likely would be reduced by the use of
a. File protection ring
b. Completeness tests
c. Check digits
d. Conversion verification

39. Which of the following controls most likely would assure that an entity can reconstruct its financial records?
a. Hardware controls are built into the computer by the computer manufacturer.
b. Backup diskettes or tapes of files are stored away from originals.
c. Personnel who are independent of data input perform parallel simulations.
d. System flowcharts provide accurate descriptions of input and output operations.

40. Mill Co. uses a batch processing method to process its sales transactions. Data on Mill’s sales transaction tape are electronically
sorted by customer number and are subject to programmed edit checks in preparing its invoices, sales journals, and updated
customer account balances. One of the direct outputs of the creation of this tape most likely would be a
a. Report showing exceptions and control totals.
b. Printout of the updated inventory records.
c. Report showing overdue accounts receivable.
d. Printout of the sales price master file.

41. Using microcomputers in auditing may affect the methods used to review the work of staff assistants because
a. The audit field work standards for supervision may differ.
b. Documenting the supervisory review may require assistance of consulting services personnel.
c. Supervisory personnel may not have an understanding of the capabilities and limitations of microcomputers.
d. Working paper documentation may not contain readily observable details of calculations.

42. An auditor anticipates assessing control risk at a low level in a computerized environment. Under these circumstances, on which of
the following procedures would the auditor initially focus?
a. Programmed control procedures
b. Output control procedures
c. Application control procedures
d. General control procedures

43. After the preliminary phase of the review of a client’s EDP controls, an auditor may decide not to perform tests of controls
(compliance tests) related to the control procedures within the EDP portion of the client’s internal control structure. Which of the
following would not be a valid reason for choosing to omit such tests?
a. The controls duplicate operative controls existing elsewhere in the structure.
b. There appear to be major weaknesses that would preclude reliance on the stated procedure.
c. The time and costs of testing exceed the time and costs in substantive testing if the tests of controls show the controls to be
operative.
d. The controls appear adequate.

44. Which of the following client electronic data processing (EDP) systems generally can be audited without examining or directly testing
the EDP computer programs of the system?
a. A system that performs relatively uncomplicated processes and produces detailed output.
b. A system that affects a number of essential master files and produces a limited output.
c. A system that updates a few essential master files and produces no printed output other than final balances.
d. A system that performs relatively complicated processing and produces very little detailed output.

45. Computer systems are typically supported by a variety of utility software packages that are important to an auditor because they
a. May enable unauthorized changes to data files if not properly controlled.
b. Are very versatile programs that can be used on hardware of many manufacturers.
c. May be significant components of a client’s application programs.
d. Are written specifically to enable auditors to extract and sort data.

46. To obtain evidence that online access controls are properly functioning, an auditor most likely would
a. Create checkpoints at periodic intervals after live data processing to test for unauthorized use of the system.
b. Examine the transaction log to discover whether any transactions were lost or entered twice due to a system malfunction
c. Enter invalid identification numbers or passwords to ascertain whether the system rejects them.
d. Vouch a random sample of processed transactions to assure proper authorization

47. Which of the following statements most likely represents a disadvantage for an entity that keeps microcomputer-prepared data files
rather than manually prepared files?
a. Attention is focused on the accuracy of the programming process rather than errors in individual transactions.
b. It is usually easier for unauthorized persons to access and alter the files.
c. Random error associated with processing similar transactions in different ways is usually greater.
d. It is usually more difficult to compare recorded accountability with physical count of assets.

48. An auditor would least likely use computer software to
a. Access client data files
b. Assess EDP controls
c. Prepare spreadsheets
d. Construct parallel simulations

49. A primary advantage of using generalized audit software packages to audit the financial statements of a client that uses an EDP
system is that the auditor may
a. Consider increasing the use of substantive tests of transactions in place of analytical procedures.
b. Substantiate the accuracy of data through self-checking digits and hash totals.
c. Reduce the level of required tests of controls to a relatively small amount.
d. Access information stored on computer files while having a limited understanding of the client’s hardware and software features.

50. Auditors often make use of computer programs that perform routine processing functions such as sorting and merging. These
programs are made available by electronic data processing companies and others and are specifically referred to as
a. Compiler programs
b. Utility programs
c. Supervisory programs
d. User programs
