ANSWER Key Quiz 5 Auditing CIS
San Beda College Alabang Quiz # 5 and 6 AUDITING COMPUTER-BASED INFORMATION SYSTEMS & Using computer-assisted audit tools and techniques (CAATS) Auditing in a CIS Environment (2nd Sem AY2017-18)
STRICTLY NO ERASURES AND ALTERATIONS, USE OF CORRECTION TAPE/FLUID NOT ALLOWED
FAR EASTERN UNIVERSITY Accountancy - Institute of Accounts, Business and Finance
Quiz # 5 and 6 AUDITING COMPUTER-BASED INFORMATION SYSTEMS & Using computer-assisted audit tools and techniques (CAATS) Auditing in a CIS Environment (1st Sem AY2017-18)
I. Multiple Matching Type (25 pts). Match the idea or situation expressed in group 2 to the most appropriate term found in the five columns of group 1. Shade the column letter of your choice on your scannable answer sheet.
Group 1
A
B
C
D
E
CAATs Step 1
CAATs Step 2
CAATs Step 3
CAATs Step 4
CAATs Step 5
CAATs Step 6
CAATs Step 7
CAATs Step 8
CAATs Step 9
CAATs Step 10
Reasonableness check
Black box approach
Detection risk
Control risk
White box test
Validity check
Check digit
Program testing
Tracing
Integrated test facility
Run-to-run control
Sequence check
Limit check
Parallel simulation
No answer
Group 2
1. The auditor determines which method of data extraction is most convenient for both parties. Answer: D (CAATs Step 4)
2. This determines if a value in one field is reasonable when considered along with data in other fields of the record. Answer: A (Reasonableness check)
3. The auditor verifies the integrity of the data import process using ACL commands to ensure the data were not compromised during the importing process. Answer: B (CAATs Step 7)
4. A method of detecting data coding errors such as transcription and transposition errors. Answer: B (Check digit)
5. The auditor imports the data into the ACL. Answer: A (CAATs Step 6)
6. A program control that is also known as auditing through the computer. Answer: C (White box test)
7. The auditor documents the CAATs performed and the exceptions reconciled. Answer: E (CAATs Step 10)
8. This is a method used to verify the logical operations executed by a computer application. Answer: D (Tracing)
9. The auditor sets key objectives based on risk assessment. Answer: A (CAATs Step 1)
10. An automated approach that permits auditors to test an application's logic and controls during its normal operation. Answer: E (Integrated test facility)
11. The auditor formally requests data from the client, specifying the preferred format for the extracted data. Answer: E (CAATs Step 5)
12. A program control that is also known as auditing around the computer. Answer: A (Black box approach)
13. The auditor identifies which files, records and fields are needed from the client. Answer: C (CAATs Step 3)
14. It requires creation of meaningful test data. Answer: C (Program testing)
15. The auditor investigates and reconciles any exceptions uncovered in the execution of the CAATs. Answer: D (CAATs Step 9)
16. An input control check would detect a payment made to a nonexistent vendor. Answer: D (Validity check)
17. The auditor performs the specific CAATs that the audit team earlier identified for risk assessment. Answer: C (CAATs Step 8)
18. A control device to ensure that no records are lost, unprocessed, or processed more than once for each of the computer runs (processes) that the records must flow through. Answer: E (Run-to-run control)
19. The auditor identifies which specific CAATs will provide sufficient, relevant, useful evidence to achieve key audit objectives. Answer: B (CAATs Step 2)
20. This is defined as the risk that a material misstatement will get through the internal control structure and into the financial statements. Answer: B (Control risk)
II. True or False (20 pts). Shade the letter B if the idea being expressed is correct and C if otherwise.
21. Data integrity would be of most concern to an auditor relating to an organization’s internet security. (TRUE)
22. One limitation on the use of a generalized audit software (GAS) is that it requires lengthy detailed instructions in order to accomplish specific tasks. (FALSE, the use of GAS is normally more efficient. Less time is required to write instructions to accomplish a function than to manually select and examine items.)
23. Specialized audit software may be written while its purposes and users are being defined. (FALSE, purpose and users of this software must be defined before it is written).
24. Aging accounts receivable cannot be performed by an auditor using computer assisted audit techniques (CAATs) software. (FALSE, this can be done using CAATS).
25. System efficiency would be of most concern to an auditor relating to an organization’s internet security. (FALSE, Data Integrity)
26. Specialized audit software may be written in a procedure oriented language. (TRUE, specialized audit software is written in a procedure or problem oriented language to fulfill a specific set of tasks).
27. An auditor is least likely to use computer software to prepare spreadsheets. (FALSE, many audit spreadsheet programs are available)
28. It is more economical to design controls during the design stage than to do so later. (TRUE)
29. When the IS auditor is involved in the design phase of the system, he/she no longer needs to test controls during regular IS audits. (FALSE, still needs to test whether controls are in place and working as intended).
30. One limitation on the use of a generalized audit software (GAS) is that it requires significant programming knowledge to be used effectively. (FALSE, an advantage is that GAS requires minimal knowledge of computer technology).
31. Matching identical product information in separate data files cannot be performed by an auditor using computer assisted audit techniques (CAATs) software. (FALSE, this can be done using CAATS).
32. Auditing involves the use of established criteria to evaluate evidence. (TRUE)
33. An auditor is least likely to use computer software to access client data files. (FALSE, computer software makes accessing company files much faster and easier)
34. Identifying missing check numbers cannot be performed by an auditor using computer assisted audit techniques (CAATs) software. (FALSE, this can be done using CAATS).
35. Extracting data files containing only a two digit year date field and changing it to hold four digits cannot be performed by an auditor using computer assisted audit techniques (CAATs) software. (TRUE)
36. Specialized audit software requires the auditor to have less computer expertise than generalized audit software. (FALSE, generalized audit software requires less computer expertise than specialized audit software).
37. One limitation on the use of a generalized audit software (GAS) is that it can only be used on hardware with compatible operating system. (TRUE)
38. One limitation on the use of a generalized audit software (GAS) is that it has limited application without significant modification. (FALSE, the program is generalized; designed to be used on a variety of systems without significant modifications).
39. Specialized audit software is written to interface with many different client systems. (FALSE, Generalized Audit Software not specialized audit software).
40. Rejected and suspense item controls would be of most concern to an auditor relating to an organization’s internet security. (FALSE, Data Integrity)
III. Multiple Choice (20 pts). From the choices, shade your best answer.
41. Which type of audit involves a review of general and applications controls, with a focus on determining if there is compliance with policies and adequate safeguarding of assets?
A. Information systems audit
B. Financial audit
C. Operational audit
D. Compliance audit
Answer: A – an information systems audit reviews general and applications controls, with a focus on determining whether there is compliance with policies and adequate safeguarding of assets
42. The PRIMARY advantage of a continuous audit approach is that it:
A. Does not require an IS auditor to collect evidence on system reliability while processing is taking place.
B. Requires the IS auditor to review and follow up immediately on all information collected.
C. Can improve system security when used in time-sharing environments that process a large number of transactions.
D. Does not depend on the complexity of an organization's computer systems.
Answer: C
43. Data access security related to applications may be enforced through all the following except
a. User identification and authentication functions incorporated in the application.
b. Utility software functions.
c. User identification and authentication functions in access control software.
d. Security functions provided by a database management system.
Answer: B
44. An IS auditor performing a telecommunication access control review should be concerned PRIMARILY with the:
A. Maintenance of access logs of usage of various system resources.
B. Authorization and authentication of the user prior to granting access to system resources.
C. Adequate protection of stored data on servers by encryption or other means.
D. Accountability system and the ability to identify any terminal accessing system resources.
Answer: B
45. An IS auditor is conducting substantive audit tests of a new accounts receivable module. The IS auditor has a tight schedule and limited computer expertise. Which would be the BEST audit technique to use in this situation?
A. Test data
B. Parallel simulation
C. Integrated test facility
D. Embedded audit module
Answer: A
46. The primary objective of security software is to
a. Control access to information system resources.
b. Restrict access to prevent installation of unauthorized utility software.
c. Detect the presence of viruses.
d. Monitor the separation of duties within applications.
Answer: A
47. Which of the following procedures is NOT used to detect unauthorized program changes?
A. Source code comparison (is used to detect unauthorized program changes by thoroughly testing a newly developed program and keeping a copy of its source code)
B. Parallel simulation (an auditor writes a version of the program, reprocesses the company data, compares the results to the company’s results, and investigates any differences)
C. Reprocessing (the auditor verifies the integrity of an application program, saves it, and on a surprise basis uses the program to reprocess data and compare that output with the company’s output)
D. Reprogramming code
Answer: D - Reprogramming code is not used
48. A controller became aware that a competitor appeared to have access to the company’s pricing information. The internal auditor determined that the leak of information was occurring during the electronic transmittal of data from branch offices to the head office. Which of the following controls would be most effective in preventing the leak of information?
a. Asynchronous transmission.
b. Encryption.
c. Use of fiber-optic transmission lines.
d. Use of passwords.
Answer: B
49. Which of the following is not a characteristic of auditing?
A. Auditing is a systematic, step by step, process.
B. Auditing involves the collection and review of evidence
C. Auditing involves the use of established criteria to evaluate evidence.
D. Auditing’s primary objective is to identify fraud and their perpetrators.
Answer: D
50. Which of the following is not a reason an internal auditor should participate in internal control reviews during the design of a new system?
A. It is more economical to design controls during the design stage than to do so later.
B. It eliminates the need for testing controls during regular audits
C. It minimizes the need for expensive modifications after the system is implemented.
D. It permits the design of audit trails while they are economical
Answer: B – even if the auditor participates in internal control reviews, the auditor will have to test controls to determine whether they are in place and working as intended.
51. In a small organization, where segregation of duties is not practical, an employee performs the function of computer operator and application programmer. Which of the following controls should the IS auditor recommend?
A. Automated logging of changes to development libraries
B. Additional staff to provide segregation of duties
C. Procedures that verify that only approved program changes are implemented
D. Access controls to prevent the operator from making program modifications
Answer: C
52. An IS auditor auditing hardware monitoring procedures should review
A. system availability reports.
B. cost-benefit reports.
C. response time reports.
D. database utilization reports.
Answer: A
53. Which of the following BEST provides access control to payroll data being processed on a local server?
A. Logging of access to personal information
B. Separate password for sensitive transactions
C. Software restricts access rules only to authorized staff
D. System access restricted to business hours
Answer: C
54. All administrative and professional staff in a corporate legal department prepare documents on terminals connected to a host LAN file server. The best control over unauthorized access to sensitive documents in the systems is
a. Required entry of passwords for access to the system.
b. Physical security for all disks containing document files.
c. Periodic server backup and storage in a secure area.
d. Required entry of passwords for access to individual documents.
Answer: D
55. Which of the following tests confirm that the new system can operate in its target environment?
A. Sociability testing
B. Regression testing
C. Validation testing
D. Black box testing
Answer: A
56. The PRIMARY purpose of undertaking a parallel run of a new system is to:
A. verify that the system provides required business functionality.
B. validate the operation of the new system against its predecessor.
C. resolve any errors in the program and file interfaces.
D. verify that the system can process the production load.
Answer: B
57. An auditor has just completed a physical security audit of a data center. Because the center engages in top-secret defense contract work, the auditor has chosen to recommend biometric authentication for workers entering the building. The recommendation might include devices that verify all of the following except
a. Fingerprints.
b. Retina patterns.
c. Speech patterns.
d. Password patterns.
Answer: D
58. Which of the following is a computer program written especially for audit use?
A. GAS (Generalized audit software)
B. CATAS (nonsense term, should be CAATS)
C. ITF (Integrated Test Facility, places a small set of fictitious records in master files. Transactions are processed for these records, and the actual and expected results are compared)
D. CIS (Continuous and intermittent simulation embeds an audit module in a DBMS that examines all transactions that update the database).
Answer: A – Generalized audit software, e.g. ACL and IDEA
59. The focus of an operational audit is on which of the following?
A. Reliability and integrity of financial information (financial statement audit)
B. All aspects of information systems management
C. Internal controls (operational audit is much broader than just internal control)
D. Safeguarding assets (operational audit is much broader than safeguarding of assets)
Answer: B – all aspects of information system management
60. A utility is available to update critical tables in case of data inconsistency. This utility can be executed at the OS prompt or as one of menu options in an application. The BEST control to mitigate the risk of unauthorized manipulation of data is to:
A. Delete the utility software and install it as and when required.
B. Provide access to utility on a need-to-use basis.
C. Provide access to utility to user management
D. Define access so that the utility can be only executed in menu option.
Answer: B