Aud CIS Chap 7 Practice Materials PDF
Document Details
Uploaded by PleasurableInequality
Divine Word College of Calapan
Summary
This document contains practice materials for a course on auditing and computer-assisted audit tools and techniques, specifically chapter 7. It includes true/false and multiple-choice questions covering various topics in auditing.
Full Transcript
AUD CIS CHAP 7 - practice materials
AudPrinciples (Divine Word College of Calapan)

Chapter 7 - Computer-Assisted Audit Tools and Techniques

TRUE/FALSE

1. The three groups of application controls are batch controls, run-to-run controls, and audit trail controls.
ANS: F   PTS: 1

2. A reasonableness check determines if a value in one field is reasonable when considered along with data in other fields of the record.
ANS: T   PTS: 1

3. A truncation error is a form of transcription error.
ANS: T   PTS: 1

4. A check digit is a method of detecting data coding errors.
ANS: T   PTS: 1

5. Input controls are intended to detect errors in transaction data after processing.
ANS: F   PTS: 1

6. The black box approach to testing computer applications allows the auditor to explicitly review program logic.
ANS: F   PTS: 1

7. The black box approach to testing computer applications requires a detailed knowledge of the program logic being tested.
ANS: F   PTS: 1

8. A run-to-run control is an example of an output control.
ANS: F   PTS: 1

9. Shredding computer printouts is an example of an output control.
ANS: T   PTS: 1

10. In a computerized environment, all input controls are implemented after data is input.
ANS: F   PTS: 1

11. Achieving batch control objectives requires grouping similar types of input transactions (such as sales orders) together in batches and then controlling the batches throughout data processing.
ANS: T   PTS: 1

12. The white box tests of program controls are also known as auditing through the computer.
ANS: T   PTS: 1

13. Incorrectly recording sales order number 123456 as 124356 is an example of a transcription error.
ANS: F   PTS: 1

14. When using the test data method, the presence of multiple error messages indicates a flaw in the preparation of test transactions.
ANS: F   PTS: 1

15. The base case system evaluation is a variation of the test data method.
ANS: T   PTS: 1

16. Tracing is a method used to verify the logical operations executed by a computer application.
ANS: T   PTS: 1

18. The results of a parallel simulation are compared to the results of a production run in order to judge the quality of the application processes and controls.
ANS: T   PTS: 1

19. Input controls are programmed procedures that perform tests on master file data to ensure they are free from errors.
ANS: F   PTS: 1

20. The integrated test facility (ITF) is an automated approach that permits auditors to test an application's logic and controls during its normal operation.
ANS: T   PTS: 1

21. Use of the integrated test facility poses no threat to organizational data files.
ANS: F   PTS: 1

22. Spooling is a form of processing control.
ANS: F   PTS: 1

23. A salami fraud affects a large number of victims, but the harm to each appears to be very small.
ANS: T   PTS: 1

24. An input control that tests time card records to verify that no employee has worked more than 50 hours in a pay period is an example of a range test.
ANS: F   PTS: 1

25. The black box approach to testing computer program controls is also known as auditing around the computer.
ANS: T   PTS: 1

MULTIPLE CHOICE

1. Which statement is not correct? The audit trail in a computerized environment
a. consists of records that are stored sequentially in an audit file
b. traces transactions from their source to their final disposition
c. is a function of the quality and integrity of the application programs
d. may take the form of pointers, indexes, and embedded keys
ANS: A   PTS: 1

2. All of the following concepts are associated with the black box approach to auditing computer applications except
a. the application need not be removed from service and tested directly
b. auditors do not rely on a detailed knowledge of the application's internal logic
c. the auditor reconciles previously produced output results with production input transactions
d. this approach is used for complex transactions that receive input from many sources
ANS: D   PTS: 1

3. Which test is not an example of a white box test?
a. determining the fair value of inventory
b. ensuring that passwords are valid
c. verifying that all pay rates are within a specified range
d. reconciling control totals
ANS: A   PTS: 1

4. When analyzing the results of the test data method, the auditor would spend the least amount of time reviewing
a. the test transactions
b. error reports
c. updated master files
d. output reports
ANS: A   PTS: 1

5. All of the following are advantages of the test data technique except
a. auditors need minimal computer expertise to use this method
b. this method causes minimal disruption to the firm's operations
c. the test data is easily compiled
d. the auditor obtains explicit evidence concerning application functions
ANS: C   PTS: 1

6. All of the following are disadvantages of the test data technique except
a. the test data technique requires extensive computer expertise on the part of the auditor
b. the auditor cannot be sure that the application being tested is a copy of the current application used by computer services personnel
c. the auditor cannot be sure that the application being tested is the same application used throughout the entire year
d. preparation of the test data is time-consuming
ANS: A   PTS: 1

7. Program testing
a. involves individual modules only, not the full system
b. requires creation of meaningful test data
c. need not be repeated once the system is implemented
d. is primarily concerned with usability
ANS: B   PTS: 1

8. The correct purchase order number is 123456. All of the following are transcription errors except
a. 1234567
b. 12345
c. 124356
d. 123454
ANS: C   PTS: 1

9. Which of the following is correct?
a. check digits should be used for all data codes
b. check digits are always placed at the end of a data code
c. check digits do not affect processing efficiency
d. check digits are designed to detect transcription and transposition errors
ANS: D   PTS: 1

10. Which statement is not correct? The goal of batch controls is to ensure that during processing
a. transactions are not omitted
b. transactions are not added
c. transactions are free from clerical errors
d. an audit trail is created
ANS: C   PTS: 1

11. An example of a hash total is
a. total payroll checks–$12,315
b. total number of employees–10
c. sum of the social security numbers–12,555,437,251
d. none of the above
ANS: C   PTS: 1

12. Which statement is not true? A batch control record
a. contains a transaction code
b. records the record count
c. contains a hash total
d. control figures in the record may be adjusted during processing
e. All the above are true
ANS: E   PTS: 1

13. Which of the following is not an example of a processing control?
a. hash total.
b. record count.
c. batch total.
d. check digit
ANS: D   PTS: 1

14. Which of the following is an example of input control test?
a. sequence check
b. zero value check
c. spooling check
d. range check
ANS: D   PTS: 1

15. Which input control check would detect a payment made to a nonexistent vendor?
a. missing data check
b. numeric/alphabetic check
c. range check
d. validity check
ANS: D   PTS: 1

16. Which input control check would detect a posting to the wrong customer account?
a. missing data check
b. check digit
c. reasonableness check
d. validity check
ANS: B   PTS: 1

17. The employee entered "40" in the "hours worked per day" field. Which check would detect this unintentional error?
a. numeric/alphabetic data check
b. sign check
c. limit check
d. missing data check
ANS: C   PTS: 1

18. An inventory record indicates that 12 items of a specific product are on hand. A customer purchased two of the items, but when recording the order, the data entry clerk mistakenly entered 20 items sold. Which check could detect this error?
a. numeric/alphabetic data checks
b. limit check
c. range check
d. reasonableness check
ANS: B   PTS: 1

19. Which check is not an input control?
a. reasonableness check
b. validity check.
c. spooling check
d. missing data check
ANS: C   PTS: 1

20. A computer operator was in a hurry and accidentally used the wrong master file to process a transaction file. As a result, the accounts receivable master file was erased. Which control would prevent this from happening?
a. header label check
b. expiration date check
c. version check
d. validity check
ANS: A   PTS: 1

21. Run-to-run control totals can be used for all of the following except
a. to ensure that all data input is validated
b. to ensure that only transactions of a similar type are being processed
c. to ensure the records are in sequence and are not missing
d. to ensure that no transaction is omitted
ANS: A   PTS: 1

22. Methods used to maintain an audit trail in a computerized environment include all of the following except
a. transaction logs
b. Transaction Listings.
c. data encryption
d. log of automatic transactions
ANS: C   PTS: 1

23. Risk exposures associated with creating an output file as an intermediate step in the printing process (spooling) include all of the following actions by a computer criminal except
a. gaining access to the output file and changing critical data values
b. using a remote printer and incurring operating inefficiencies
c. making a copy of the output file and using the copy to produce illegal output reports
d. printing an extra hardcopy of the output file
ANS: B   PTS: 1

24. Which statement is not correct?
a. only successful transactions are recorded on a transaction log
b. unsuccessful transactions are recorded in an error file
c. a transaction log is a temporary file
d. a hardcopy transaction listing is provided to users
ANS: C   PTS: 1

25. Input controls include all of the following except
a. check digits
b. Limit check.
c. spooling check
d. missing data check
ANS: C   PTS: 1

26. Which of the following is an example of an input error correction technique?
a. immediate correction
b. rejection of batch
c. creation of error file
d. all are examples of input error correction techniques
ANS: D   PTS: 1

27. All of the following statements are true about the integrated test facility (ITF) except
a. production reports are affected by ITF transactions
b. ITF databases contain "dummy" records integrated with legitimate records
c. ITF permits ongoing application auditing
d. ITF does not disrupt operations or require the intervention of computer services personnel
ANS: A   PTS: 1
ANS: C   PTS: 1

28. Which of the following is an input control?
a. Reasonableness check
b. Run-to-run check
c. Spooling check
d. Batch check
e. None are input controls
ANS: A   PTS: 1

29. Which of the following is not an input control?
a. Range check
b. Limit check
c. Spooling check
d. Validity check
e. They are all input controls
ANS: C   PTS: 1

30. When auditors do not rely on a detailed knowledge of the application's internal logic, they are performing
a. black box tests of program controls
b. white box tests of program controls
c. substantive testing
d. intuitive testing
ANS: A   PTS: 1

SHORT ANSWER

1. The firm allows no more than 10 hours of overtime a week. An employee entered “15” in the field. Which control will detect this error?
ANS: Limit check
PTS: 1

2. The password was “CANARY”; the employee entered “CAANARY.” Which control will detect this error?
ANS: Validity check
PTS: 1

3. The order entry system will allow a 10 percent variation in list price. For example, an item with a list price of $1 could be sold for 90 cents or $1.10 without any system interference. The cost of the item is $3, but the cashier entered $2. Which control would detect this error?
ANS: Range check
PTS: 1

4. What are the three broad categories of application controls?
ANS: input, processing, and output controls
PTS: 1

5. How does privacy relate to output control?
ANS: If the privacy of certain types of output, e.g., sensitive information about clients or customers, is violated a firm could be legally exposed.
PTS: 1

6. What are the three categories of processing control?
ANS: Batch controls, run-to-run controls, and audit trail controls.
PTS: 1

7. What control issue is related to reentering corrected error records into a batch processing system? What are the two methods for doing this?
ANS: Errors detected during processing require careful handling, since these records may already be partially processed. Simply resubmitting the corrected records at the data input stage may result in processing portions of these transactions twice. Two methods are: (1) reverse the effects of the partially processed transactions and resubmit the corrected records to the data input stage. The second method is to reinsert corrected records into the processing stage at which the error was detected.
PTS: 1

8. Output controls ensure that output is not lost, misdirected, or corrupted and that privacy is not violated. What are some output exposures or situations where output is at risk?
ANS: output spooling, delayed printing, waste, report distribution
PTS: 1

9. Name four input controls and describe what they test.
ANS:
1. numeric-alphabetic checks look for the correct type of character content in a field, numbers or letters;
2. limit checks verify that values are within preset limits;
3. range checks verify the values fall within an acceptable range
4. reasonableness check determines if a value in one field, which has already passed a limit check and a range check, is reasonable when considered along with data in other fields of the record.
PTS: 1

10. A __________________________ fraud affects a large number of victims but the harm to each appears to be very small.
ANS: salami
PTS: 1

11. Give one example of an error that is detected by a check digit control.
ANS: Check digits can effectively be used to determine that all of the numbers in a numeric data stream were entered. This method involves adding up the numbers in the data stream in order to determine the check digit. Consider the following number, 789. The check digit would be: 7 + 8 + 9 = 24 = 6. If a 7, an 8, and a 9 are not entered, then chances are that the check digit will be incorrect. This method will not detect a transposition error. For example, if 879 were entered, the check digit would still be 6.

12. Auditors do not rely on detailed knowledge of the application's internal logic when they use the __________________________ approach to auditing computer applications.
ANS: black box or audit around the computer
PTS: 1

13. Describe parallel simulation.
ANS: The auditor writes a program that simulates the application under review. The simulation is used to reprocess production transactions that were previously processed by the production application. The results of the simulation are compared to the results of the original production run.
PTS: 1

14. What is meant by auditing around the computer versus auditing through the computer? Why is this so important?
ANS: Auditing around the computer involves black box testing in which the auditors do not rely on a detailed knowledge of the application's internal logic. Input is reconciled with corresponding output. Auditing through the computer involves obtaining an in-depth understanding of the internal logic of the computer application. As transactions become increasingly automated, the inputs and outputs may become decreasingly visible. Thus, the importance of understanding the programming components of the system is crucial.
PTS: 1

15. Classify each of the following as a field, record, or file interrogation:
a. Limit check
b. Validity check
c. Version check
d. Missing data check
e. Sign checks
f. Expiration date check
g. Numeric-alphabetic data check
h. Sequence check
i. Zero-value check
j. Header label check
k. Range check
l. Reasonableness check
ANS:
a. field
b. field
c. file
d. file
e. record
f. file
g. field
h. record
i. field
j. file
k. field
l. record
PTS: 1

16. What are the five major components of a GDIS?
ANS:
a. generalized validation module
b. validated data file
c. error file
d. error reports
e. transaction log
PTS: 1

17. If all of the inputs have been validated before processing, then what purpose do run-to-run controls serve?
ANS: The run-to-run control is a control device to ensure that no records are lost, unprocessed, or processed more than once for each of the computer runs (processes) that the records must flow through.
PTS: 1

18. Explain input controls.
ANS: Input controls are programmed procedures (routines) that perform tests on transaction data to ensure they are free from errors.
PTS: 1

19. Name three types of transcription error.
ANS:
1. Addition errors occur when an extra digit or character is added to the code. For example, inventory item number 83276 is recorded as 832766.
2. Truncation errors occur when a digit or character is removed from the end of a code. In this type of error, the inventory item above would be recorded as 8327.
3. Substitution errors are the replacement of one digit in a code with another. For example, code number 83276 is recorded as 83266.
PTS: 1

20. Describe two types of transposition error.
ANS:
1. Single transposition errors occur when two adjacent digits are reversed. For instance, 83276 is recorded as 38276.
2. Multiple transposition errors occur when nonadjacent digits are transposed. For example, 83276 is recorded as 87236.
PTS: 1

ESSAY

1. Various techniques can be used to control the input effort. Write a one-page essay discussing three techniques.
ANS: Key Points
a. Source document controls are designed to control the documents used to initiate transactions with pre-numbered source documents, used in sequence, and periodically accounted for.
b. Data coding controls are designed to check on the integrity of data by preventing transcription errors and transposition errors.
c. Batch controls are designed to manage large volumes of data by repeatedly verifying totals of specific fields, some financial and others nonfinancial.

2. Explain the three methods used to correct errors in data entry.
ANS:
Immediate Correction. In the direct data validation approach, error detection and correction take place during data entry. When an error or illogical relationship is entered, the system should halt the data entry procedure until the error is corrected.
Creation of an Error File. In the delayed data validation approach, errors are flagged and placed in an error file. Records with errors will not be processed until the error is investigated and corrected.
Rejection of the Entire Batch. Some errors are associated with the entire batch and are not attributable to individual records. An example of this is a control total that does not balance. The entire batch is placed in the error file and will be reprocessed when the error is corrected.
PTS: 1

3. The presence of an audit trail is critical to the integrity of the accounting information system. Discuss three of the techniques used to preserve the audit trail.
ANS: Transaction logs list all transactions successfully processed by the system and serve as journals, permanent records. Transactions that were not processed successfully should be recorded in an error file. After processing transactions, a paper transaction listing should be produced and used by appropriate users to reconcile input. Logs and listings of automatic transactions should be produced for transactions received or initiated internally by the system. Error listing should document all errors and be sent to appropriate users to support error correction.
PTS: 1

4. Define each of the following input controls and give an example of how they may be used:
a. Missing data check
b. Numeric/alphabetic data check
c. Limit check
d. Range check
e. Reasonableness check
f. Validity check
ANS:
Missing data check is useful because some programming languages are restrictive as to the justification (right or left) of data within the field. If data are not properly justified or if a character is missing (has been replaced with a blank), the value in the field will be improperly processed. For example, the presence of blanks in a numeric data field may cause a system failure. When the control routine detects a blank where it expects to see a data value, the error is flagged.
A numeric-alphabetic check control identifies when data in a particular field are in the wrong form. For example, a customer’s account balance should not contain alphabetic data and the presence of it will cause a data processing error. Therefore, if alphabetic data are detected, the error record flag is set.
Limit checks are used to identify field values that exceed an authorized limit. For example, assume the firm’s policy is that no employee works more than 44 hours per week. The payroll system input control program can test the hours-worked field in the weekly payroll records for values greater than 44.
Range checks exist when data have upper and lower limits to their acceptable values. For example, if the range of pay rates for hourly employees in a firm is between 8 and 20 dollars, this control can examine the pay rate field of all payroll records to ensure that they fall within this range.
A reasonableness check determines if a value in one field, which has already passed a limit check and a range check, is reasonable when considered along with data in other fields of the record. For example, assume that an employee’s pay rate of 18 dollars per hour falls within an acceptable range. This rate is excessive, however, when compared to the employee’s job skill code of 693; employees in this skill class should not earn more than 12 dollars per hour.
A validity check compares actual field values against known acceptable values. For example, this control may be used to verify such things as valid vendor codes, state abbreviations, or employee job skill codes. If the value in the field does not match one of the acceptable values, the record is flagged as an error.
PTS: 1

5. After data is entered into the system, it is processed. Processing control exists to make sure that the correct things happen during processing. Discuss processing controls.
ANS: Processing controls take three forms–batch controls, run-to-run controls, and audit trail controls.
Batch controls are used to manage the flow of high volumes of transactions through batch processing systems. The objective of batch control is to reconcile output produced by the system with the input originally entered into the system. This provides assurance that:
• All records in the batch are processed.
• No records are processed more than once.
• An audit trail of transactions is created from input through processing to the output stage of the system.
Run-to-run controls use batch figures and new balances to monitor the batch as it goes through the system–i.e. from run-to-run. These are to assure that no transactions are lost and that all are processed completely.
Audit trail controls are designed to document the movement of transactions through the system. The most common techniques include the use of transaction logs and transaction listings, unique transaction identifiers, logs and listings of automatic transactions, and error listings.
PTS: 1

6. If input and processing controls are adequate, why are output controls needed?
ANS: Output controls are designed to ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated. Great risk exists if checks are misdirected, lost, or stolen. Certain types of data must be kept private–trade secrets, patents pending, customer records, etc.
PTS: 1

7. Describe and contrast the test data method with the integrated test facility.
ANS: In the test data method, a specially prepared set of input data is processed; the results of the test are compared to predetermined expectations. To use the test data method, a copy of the current version of the application must be obtained. The auditor will review printed reports, transaction listings, error reports, and master files to evaluate application logic and control effectiveness. The test data approach results in minimal disruption to the organization's operations and requires little computer expertise on the part of auditors.
The integrated test facility (ITF) is an automated approach that permits auditors to test an application's logic and controls during its normal operation. ITF databases contain test records integrated with legitimate records. During normal operations, test transactions are entered into the stream of regular production transactions and are processed against the test records. The ITF transactions are not included with the production reports but are reported separately to the auditor for evaluation. The auditor compares ITF results against expected results.
In contrast to the test data approach, the ITF technique promotes ongoing application auditing and does not interfere with the normal work of computer services employees. In the test data approach, there is a risk that the auditor might perform the tests on a version of the application other than the production version; this cannot happen in the ITF approach. Both versions are relatively costly to implement. The major risk with the ITF approach is that ITF data could become combined with live data and the reports would be misstated; this cannot happen in the test data approach.
PTS: 1

8. Contrast the black box approach to IT auditing and the white box approach. Which is preferred?
ANS: The black box approach is not concerned with the application's internal workings. The auditor examines documentation of the system, interviews personnel, and bases the evaluation on the logical consistency between input and output. This method is often referred to as "auditing-around-the-computer" because there is no examination of data as it is processed.
The white box approach, also called "auditing-through-the-computer," relies on knowledge of the internal workings of the systems and actually tests the application in action with test data having known results. Several white box techniques are available. These include the test data method, base case evaluation, tracing, the integrated test facility, and parallel simulation. This method makes the computer a tool of the audit as well as its target.
PTS: 1

9. What is the purpose of the auditor's review of SDLC documentation?
ANS: In reviewing the SDLC documentation, the auditor seeks to determine that completed projects now in use reflect compliance with SDLC policies including:
• User and computer services management properly authorized the project.
• A preliminary feasibility study showed that the project had merit.
• A detailed analysis of user needs was conducted that resulted in alternative conceptual designs.
• A cost-benefit analysis was conducted using reasonably accurate figures.
• The detailed design was an appropriate and accurate solution to the user’s problem.
• Test results show that the system was thoroughly tested at both the individual module and the total system level before implementation. (To confirm these test results, the auditor may decide to retest selected elements of the application.)
• There is a checklist of specific problems detected during the conversion period, along with evidence that they were corrected in the maintenance phase.
• Systems documentation complies with organizational requirements and standards
PTS: 1