San Beda College Alabang

Quiz # 5 and 6 AUDITING COMPUTER-BASED INFORMATION SYSTEMS & Using computer-assisted audit tools
and techniques (CAATS)
Auditing in a CIS Environment (2nd Sem AY2017-18)

NAME : __________________________________________

STRICTLY NO ERASURES AND ALTERATIONS, USE OF CORRECTION TAPE/FLUID NOT ALLOWED


Answers:

1. _______    26. ________    51. ________
2. _______    27. ________    52. ________
3. _______    28. ________    53. ________
4. _______    29. ________    54. ________
5. _______    30. ________    55. ________
6. _______    31. ________    56. ________
7. _______    32. ________    57. ________
8. _______    33. ________    58. ________
9. _______    34. ________    59. ________
10. _______   35. ________    60. ________
11. _______   36. ________
12. _______   37. ________
13. ________  38. ________
14. ________  39. ________
15. ________  40. ________
16. ________  41. ________
17. ________  42. ________
18. ________  43. ________
19. ________  44. ________
20. ________  45. ________
21. ________  46. ________
22. ________  47. ________
23. ________  48. ________
24. ________  49. ________
25. ________  50. ________


FAR EASTERN UNIVERSITY
Accountancy - Institute of Accounts, Business and Finance
Quiz # 5 and 6 AUDITING COMPUTER-BASED INFORMATION SYSTEMS & Using computer-assisted audit tools
and techniques (CAATS)
Auditing in a CIS Environment (1st Sem AY2017-18)

NAME : __________________________________________

I. Multiple Matching Type (25 pts). Match the idea or situation expressed in group 2 to the most appropriate term
found in the five columns of group 1. Shade the column letter of your choice on your scannable answer sheet.

Group 1

A                     B               C                D                    E
CAATs Step 1          CAATs Step 2    CAATs Step 3     CAATs Step 4         CAATs Step 5
CAATs Step 6          CAATs Step 7    CAATs Step 8     CAATs Step 9         CAATs Step 10
Reasonableness check  Control risk    White box test   Validity check       Integrated test facility
Black box approach    Check digit     Program testing  Tracing              Run-to-run control
Detection risk        Sequence check  Limit check      Parallel simulation  No answer

Group 2
1. The auditor determines which method of data extraction is most convenient for both parties. Answer: D – CAATs Step 4
2. This determines if a value in one field is reasonable when considered along with data in other fields of the record. Answer: A – Reasonableness check
3. The auditor verifies the integrity of the data import process using ACL commands to ensure the data were not compromised during the importing process. Answer: B – CAATs Step 7
4. A method of detecting data coding errors such as transcription and transposition errors. Answer: B – Check digit
5. The auditor imports the data into ACL. Answer: A – CAATs Step 6
6. A program control that is also known as auditing through the computer. Answer: C – White box test
7. The auditor documents the CAATs performed and the exceptions reconciled. Answer: E – CAATs Step 10
8. This is a method used to verify the logical operations executed by a computer application. Answer: D – Tracing
9. The auditor sets key objectives based on risk assessment. Answer: A – CAATs Step 1
10. An automated approach that permits auditors to test an application's logic and controls during its normal operation. Answer: E – Integrated test facility
11. The auditor formally requests data from the client, specifying the preferred format for the extracted data. Answer: E – CAATs Step 5
12. A program control that is also known as auditing around the computer. Answer: A – Black box approach
13. The auditor identifies which files, records and fields are needed from the client. Answer: C – CAATs Step 3
14. It requires creation of meaningful test data. Answer: C – Program testing
15. The auditor investigates and reconciles any exceptions uncovered in the execution of the CAATs. Answer: D – CAATs Step 9
16. An input control check that would detect a payment made to a nonexistent vendor. Answer: D – Validity check
17. The auditor performs the specific CAATs that the audit team earlier identified for risk assessment. Answer: C – CAATs Step 8
18. A control device to ensure that no records are lost, unprocessed, or processed more than once for each of the computer runs (processes) that the records must flow through. Answer: E – Run-to-run control
19. The auditor identifies which specific CAATs will provide sufficient, relevant, useful evidence to achieve key audit objectives. Answer: B – CAATs Step 2
20. This is defined as the risk that a material misstatement will get through the internal control structure and into the financial statements. Answer: B – Control risk

II. True or False (20 pts). Shade the letter B if the idea being expressed is correct and C if otherwise.

21. Data integrity would be of most concern to an auditor relating to an organization’s internet security. (TRUE)
22. One limitation on the use of a generalized audit software (GAS) is that it requires lengthy detailed instructions
in order to accomplish specific tasks. (FALSE, the use of GAS is normally more efficient. Less time is required to
write instructions to accomplish a function than to manually select and examine items.)
23. Specialized audit software may be written while its purposes and users are being defined. (FALSE, the purpose
and users of this software must be defined before it is written.)
24. Aging accounts receivable cannot be performed by an auditor using computer assisted audit techniques
(CAATs) software. (FALSE, this can be done using CAATS).
25. System efficiency would be of most concern to an auditor relating to an organization’s internet security.
(FALSE, Data Integrity)
26. Specialized audit software may be written in a procedure oriented language. (TRUE, specialized audit software
is written in a procedure or problem oriented language to fulfill a specific set of tasks).
27. An auditor is least likely to use computer software to prepare spreadsheets. (FALSE, many audit spreadsheet
programs are available)
28. It is more economical to design controls during the design stage than to do so later. (TRUE)
29. When the IS auditor is involved in the design phase of the system, he/she no longer needs to test controls
during regular IS audits. (FALSE, the auditor still needs to test whether controls are in place and working as intended.)
30. One limitation on the use of a generalized audit software (GAS) is that it requires significant programming
knowledge to be used effectively. (FALSE, an advantage is that GAS requires minimal knowledge of computer
technology.)
31. Matching identical product information in separate data files cannot be performed by an auditor using
computer assisted audit techniques (CAATs) software. (FALSE, this can be done using CAATS).
32. Auditing involves the use of established criteria to evaluate evidence. (TRUE)
33. An auditor is least likely to use computer software to access client data files. (FALSE, computer software
makes accessing company files much faster and easier)
34. Identifying missing check numbers cannot be performed by an auditor using computer assisted audit
techniques (CAATs) software. (FALSE, this can be done using CAATS).
35. Extracting data files containing only a two digit year date field and changing it to hold four digits cannot be
performed by an auditor using computer assisted audit techniques (CAATs) software. (TRUE)
36. Specialized audit software requires the auditor to have less computer expertise than generalized audit
software. (FALSE, generalized audit software requires less computer expertise than specialized audit
software).
37. One limitation on the use of a generalized audit software (GAS) is that it can only be used on hardware with
a compatible operating system. (TRUE)
38. One limitation on the use of a generalized audit software (GAS) is that it has limited application without
significant modification. (FALSE, the program is generalized; designed to be used on a variety of systems
without significant modifications).
39. Specialized audit software is written to interface with many different client systems. (FALSE, Generalized
Audit Software not specialized audit software).
40. Rejected and suspense item controls would be of most concern to an auditor relating to an organization’s
internet security. (FALSE, Data Integrity)

III. Multiple Choice (20 pts). From the choices, shade your best answer.
41. Which type of audit involves a review of general and applications controls, with a focus on determining if
there is compliance with policies and adequate safeguarding of assets?
A. Information systems audit
B. Financial audit
C. Operational audit
D. Compliance audit
Answer: A – an information systems audit reviews general and applications controls, with a focus on determining
whether there is compliance with policies and adequate safeguarding of assets

42. The PRIMARY advantage of a continuous audit approach is that it:
A. Does not require an IS auditor to collect evidence on system reliability while processing is taking place.
B. Requires the IS auditor to review and follow up immediately on all information collected.
C. Can improve system security when used in time-sharing environments that process a large number of
transactions.
D. Does not depend on the complexity of an organization's computer systems.
Answer: C

43. Data access security related to applications may be enforced through all the following except
a. User identification and authentication functions incorporated in the application.
b. Utility software functions.
c. User identification and authentication functions in access control software.
d. Security functions provided by a database management system.
Answer: B

44. An IS auditor performing a telecommunication access control review should be concerned PRIMARILY with
the:
A. Maintenance of access logs of usage of various system resources.
B. Authorization and authentication of the user prior to granting access to system resources.
C. Adequate protection of stored data on servers by encryption or other means.
D. Accountability system and the ability to identify any terminal accessing system resources.
Answer: B

45. An IS auditor is conducting substantive audit tests of a new accounts receivable module. The IS auditor has a
tight schedule and limited computer expertise. Which would be the BEST audit technique to use in this
situation?
A. Test data
B. Parallel simulation
C. Integrated test facility
D. Embedded audit module
Answer: A

46. The primary objective of security software is to
a. Control access to information system resources.
b. Restrict access to prevent installation of unauthorized utility software.
c. Detect the presence of viruses.
d. Monitor the separation of duties within applications.
Answer: A

47. Which of the following procedures is NOT used to detect unauthorized program changes?
A. Source code comparison (is used to detect unauthorized program changes by thoroughly testing a newly
developed program and keeping a copy of its source code)
B. Parallel simulation (an auditor writes a version of the program, reprocesses the company data, compares
the results to the company’s results, and investigates any differences)
C. Reprocessing (the auditor verifies the integrity of an application program, saves it, and on a surprise basis
uses the program to reprocess data and compare that output with the company’s output)
D. Reprogramming code
Answer: D - Reprogramming code is not used

48. A controller became aware that a competitor appeared to have access to the company’s pricing information.
The internal auditor determined that the leak of information was occurring during the electronic transmittal
of data from branch offices to the head office. Which of the following controls would be most effective in
preventing the leak of information?
a. Asynchronous transmission.
b. Encryption.
c. Use of fiber-optic transmission lines.
d. Use of passwords.
Answer: B

49. Which of the following is not a characteristic of auditing?
A. Auditing is a systematic, step-by-step process.
B. Auditing involves the collection and review of evidence.
C. Auditing involves the use of established criteria to evaluate evidence.
D. Auditing’s primary objective is to identify fraud and its perpetrators.
Answer: D

50. Which of the following is not a reason an internal auditor should participate in internal control reviews during
the design of a new system?
A. It is more economical to design controls during the design stage than to do so later.
B. It eliminates the need for testing controls during regular audits.
C. It minimizes the need for expensive modifications after the system is implemented.
D. It permits the design of audit trails while they are economical.
Answer: B – even if the auditor participates in internal control reviews, the auditor will have to test controls to
determine whether they are in place and working as intended.

51. In a small organization, where segregation of duties is not practical, an employee performs the function of
computer operator and application programmer. Which of the following controls should the IS auditor
recommend?
A. Automated logging of changes to development libraries
B. Additional staff to provide segregation of duties
C. Procedures that verify that only approved program changes are implemented
D. Access controls to prevent the operator from making program modifications
Answer: C

52. An IS auditor auditing hardware monitoring procedures should review
A. system availability reports.
B. cost-benefit reports.
C. response time reports.
D. database utilization reports.
Answer: A

53. Which of the following BEST provides access control to payroll data being processed on a local server?
A. Logging of access to personal information
B. Separate password for sensitive transactions
C. Software restricts access rules only to authorized staff
D. System access restricted to business hours
Answer: C

54. All administrative and professional staff in a corporate legal department prepare documents on terminals
connected to a host LAN file server. The best control over unauthorized access to sensitive documents in the
system is
a. Required entry of passwords for access to the system.
b. Physical security for all disks containing document files.
c. Periodic server backup and storage in a secure area.
d. Required entry of passwords for access to individual documents.
Answer: D

55. Which of the following tests confirm that the new system can operate in its target environment?
A. Sociability testing
B. Regression testing
C. Validation testing
D. Black box testing
Answer: A

56. The PRIMARY purpose of undertaking a parallel run of a new system is to:
A. verify that the system provides required business functionality.
B. validate the operation of the new system against its predecessor.
C. resolve any errors in the program and file interfaces.
D. verify that the system can process the production load.
Answer: B

57. An auditor has just completed a physical security audit of a data center. Because the center engages in top-
secret defense contract work, the auditor has chosen to recommend biometric authentication for workers
entering the building. The recommendation might include devices that verify all of the following except
a. Fingerprints.
b. Retina patterns.
c. Speech patterns.
d. Password patterns.
Answer: D

58. Which of the following is a computer program written especially for audit use?
A. GAS (Generalized audit software)
B. CATAS (nonsense term, should be CAATS)
C. ITF (Integrated Test Facility, places a small set of fictitious records in master files. Transactions are
processed for these records, and the actual and expected results are compared.)
D. CIS (Continuous and intermittent simulation embeds an audit module in a DBMS that examines all
transactions that update the database).
Answer: A – Generalized audit software, e.g. ACL and IDEA

59. The focus of an operational audit is on which of the following?
A. Reliability and integrity of financial information (financial statement audit)
B. All aspects of information systems management
C. Internal controls (operational audit is much broader than just internal control)
D. Safeguarding assets (operational audit is much broader than safeguarding of assets)
Answer: B – all aspects of information system management

60. A utility is available to update critical tables in case of data inconsistency. This utility can be executed at the
OS prompt or as one of the menu options in an application. The BEST control to mitigate the risk of unauthorized
manipulation of data is to:
A. Delete the utility software and install it as and when required.
B. Provide access to utility on a need-to-use basis.
C. Provide access to utility to user management.
D. Define access so that the utility can be only executed in menu option.
Answer: B
