
Chapter 7 Auditing in A Computerized Environment

This document discusses auditing in a computerized environment. It describes some key characteristics of computer information systems, including the lack of visible transaction trails, consistency of performance, ease of access to data and programs, concentration of duties, ability to generate transactions automatically, and vulnerability of data storage. It also discusses the importance of internal controls in a computer environment, including general controls related to organizational structure, systems development, access controls, and application controls.

Uploaded by

amormi2702

CHAPTER 7

AUDITING IN A COMPUTERIZED ENVIRONMENT

With the rapid development in technology in recent years, computer information systems
(CIS) have become feasible, perhaps essential, for use even in small scale business
operations. Almost all entities now use computers to some extent in their accounting
systems. This widespread use of computers has offered new opportunities for
professional accountants and has also created some challenging problems to auditors.

Regardless of the extent of computerization or the methods of data processing being used,
the establishment and implementation of appropriate internal control systems rests with
management and those charged with governance. The auditor’s responsibility is to obtain
an understanding of the entity’s internal control system to be able to assess control risk
and determine the nature, timing and extent of tests to be performed.

Characteristics of Computer Information Systems (CIS)

Computer information systems have essential characteristics that distinguish them
from manual processing systems.

Lack of visible transaction trails

In a manual system, it is normally possible to follow a transaction through the
system by examining the source documents, entity’s records and financial reports.
In a CIS environment, data can be entered directly into the computer system
without supporting documents. Furthermore, records and files may not be printed
and cannot be read without using the computer. The absence of these visible
documents supporting the processing of transactions makes the examination of
evidence more difficult.

Consistency of Performance

CIS performs functions exactly as programmed. If the computer is programmed to
perform a specific data processing task, it will never get tired of performing the
assigned task in exactly the same manner. Because of this capability of the
computer to process transactions uniformly, clerical errors that are normally
associated with manual processing are eliminated. On the other hand, an incorrect
program could be very devastating because it will result in consistently erroneous
data processing.

Ease of Access to Data and Computer Programs

In a CIS environment, data and computer programs may be accessed and altered
by unauthorized persons leaving no visible evidence. It is important, therefore,
that appropriate controls are incorporated into the system to limit the access to data
files and programs only to authorized personnel.

Concentration of duties

Proper segregation of duties is an essential characteristic of a sound internal
control system. However, because of the ability of the computer to process data
efficiently, there are functions that are normally segregated in manual processing
that are combined in a CIS environment.

As a particular example, in manual processing the function of recording cash
disbursements is incompatible with the responsibility for reconciling
disbursements. Since one of these functions serves as a check upon the other,
assigning both functions to one employee would enable that employee to commit
and conceal errors or irregularities. A properly programmed computer, on the
other hand, has no tendency or motivation to commit irregularities or conceal its
errors. Hence, what appears to be an incompatible combination of functions may
be combined in a CIS environment without weakening the internal control,
provided appropriate compensating controls are put in place.

Systems generated transactions

Certain transactions may be initiated by the CIS itself without the need for an
input document. For example, interest may be calculated and charged
automatically to customers’ account balances on the basis of pre-authorized terms
contained in a computer program.

Vulnerability of data and program storage media

In a manual system, the records are written in ink on substantial paper. The only
way to lose the information is to lose or to destroy physical records. The situation
is completely different in a CIS environment. The information on the computer
can be easily changed, leaving no trace of the original content. This change could
happen inadvertently and a huge amount of information can be quickly lost.

Internal Control in a CIS Environment

Many of the control procedures used in manual processing also apply in a CIS
environment. Examples of such control procedures include authorization of
transactions, proper segregation of duties, and independent checking. The
elements of internal control are the same; the computer just changes the methods
by which these elements are implemented.

A variety of controls are performed to check accuracy, completeness and
authorization of transactions. When computer processing is used in significant
accounting applications, internal control procedures can be classified into two
types: general and application controls.

General Controls

General controls are those control policies and procedures that relate to the
overall computer information system. These controls include:

1. Organizational controls

Just as in a manual system, there should be a written plan of the organization,
with clear assignment of authority and responsibility. In a CIS environment, the
plan of the organization for an entity’s computer system should include
segregation between the user and CIS department, and segregation of duties
within the CIS department.

a. Segregation between the CIS department and user departments.

The CIS department must be independent of all departments within the entity
that provide input data or that use output generated by the CIS.

The function of CIS is to process transactions. However, no transaction
will be processed unless it is initiated by the user department.
Therefore, all changes in computer files must be initiated and
authorized by the user department.

b. Segregation of duties within the CIS department

Functions within the CIS department should be properly segregated for
good organizational controls. The entity’s organizational structure
should provide for definite lines of authority and responsibility within the
CIS department. A sample of an organizational structure within the CIS
department is presented below:

[Organization chart: CIS Director at the top; below it, Systems Development,
Operation and Other Functions; positions shown: System Analyst, Programmer,
Computer Operator, Data Entry Operator, Librarian and Control Group.]

Position: Primary Responsibilities

CIS Director: Exercises control over the CIS operation.

System Analyst: Designs new systems, evaluates and improves existing systems, and
prepares specifications for programmers.

Programmer: Guided by the specifications of the systems analyst, the programmer
writes a program, tests and debugs such programs and prepares the computer
operating instructions.

Computer Operator: Using the program and detailed operating instructions prepared
by the programmer, the computer operator operates the computer to process
transactions.

Data Entry Operator: Prepares and verifies input data for processing.

Librarian: Maintains custody of systems documentation, programs and files.

Control Group: Reviews all input procedures, monitors computer processing, follows
up data processing errors, reviews the reasonableness of output, and distributes
output to authorized personnel.

Optimal segregation of duties dictates that each of the above tasks be
assigned to different employees. However, some entities may not
have enough resources to maintain a large CIS department.

In small entities, with a limited number of personnel, the functions of
systems analyst and programmer may be combined. As a
minimum, the functions of system development and computer operations
must be segregated. Systems analysts and programmers should not be
allowed to use the programs they developed and they should not be
allowed to operate the computer. Also, computer operators who run the
program should not participate in program design. A number of
computer related frauds have resulted when these functions were
combined.

2. Systems development and documentation controls

Software development as well as changes thereof must be approved by the
appropriate level of management and the user department. To ensure that
computer programs are functioning as designed, the program must be tested and
modified, if needed, by the user and CIS department.

Moreover, adequate systems documentation must be made in order to facilitate
the use of the programs as well as changes that may be introduced later into the
system.

3. Access Controls

Every computer system should have adequate security controls to protect
equipment, files and programs. Access to the computer should be limited only to
operators and other authorized employees. Additionally, appropriate controls such
as the use of passwords must be adopted in order to protect data files and
programs from unauthorized alteration.

4. Data recovery controls

One of the characteristics of the CIS is the vulnerability of files and programs.
Computer files can be easily lost and the loss of these files can be disastrous to an
entity. The survival of an entity affected by such disaster depends on its ability to
recover the files on a timely basis.

A data recovery control provides for the maintenance of back-up files and off-site
storage procedures. Computer files should be copied daily to tape or disks and
secured off-site. In the event of disruption, reconstruction of files is achieved by
updating the most recent back-up with subsequent transaction data. When
magnetic tapes are used, a common file retention practice called
grandfather-father-son requires the entity to keep the two most recent generations of
master files and transaction files in order to permit reconstruction of master files
if needed.

5. Monitoring controls

Monitoring controls are designed to ensure that CIS controls are working
effectively as planned. These include periodic evaluation of the adequacy and
effectiveness of the overall CIS operations conducted by persons within or outside
the entity.

Application Controls

The processing of transactions involves three stages: the input, processing and
output stage. The input stage involves capturing of a mass of data; the processing
stage involves converting the mass of raw data into useful information; and the output
stage involves preparation of information in a form useful to those who wish to
use it. To ensure that all relevant data are captured as input to the system, and to
ensure that the data are accurately processed during their conversion into
meaningful financial information, controls or other mechanisms must be
incorporated into the system.

Application controls are those policies and procedures that relate to specific use of
the system. These are designed to provide reasonable assurance that all
transactions are authorized, and that they are processed completely, accurately
and on a timely basis. These include:

1. Controls over input


A large number of errors in a computer system are caused by inaccurate or
incomplete data entry. Input controls are designed to provide reasonable
assurance that data submitted for processing are complete, properly authorized
and accurately translated into machine readable form.

Examples of input controls include:

Key verification
This requires data to be entered twice (usually by different operators) to provide
assurance that there are no key entry errors committed.

Field check
This ensures that the input data agree with the required field format. For example,
all SSS numbers must contain ten digits. An input of an employee’s SSS number
with more or less than ten digits will be rejected by the computer.

Validity check
Information entered is compared with valid information in the master file to
determine the authenticity of the input. For example, the employees’ master file
may contain two valid codes to indicate the employee’s gender: “1” for male and
“2” for female. A code of “3” is considered invalid and will be rejected by the
computer.

Self-checking digit
This is a mathematically calculated digit which is usually added to a document
number to detect common transpositional errors in data submitted for processing.

Limit check
Limit check or reasonable check is designed to ensure that data submitted for
processing do not exceed a pre-determined limit or a reasonable amount.

Control totals
These are totals computed based on the data submitted for processing. Control
totals ensure the completeness of data before and after they are processed. These
controls include financial totals, hash totals and record counts. As an example,
assume the following data regarding the entity’s disbursements for the day.

Voucher No. 141    P15,000
Voucher No. 142    P20,000
Voucher No. 143    P5,000

Financial total = P40,000 (P15,000 + P20,000 + P5,000)
Hash total = 426 (141 + 142 + 143)
Record count = 3
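
The input controls listed above can be programmed as edit checks and batch reconciliation. The following is an added example, not part of the original chapter: the modulus-11 check-digit scheme, the 50-hour limit, the record layouts and all sample values are assumptions made for illustration. It shows a self-checking digit catching a transposed account number, and a hash total catching a substituted voucher that the financial total and record count both miss.

```python
from decimal import Decimal

VALID_GENDER_CODES = {"1", "2"}   # master-file codes from the chapter's example
WEEKLY_HOURS_LIMIT = 50           # assumed pre-determined limit


def check_digit(base: str) -> str:
    """Modulus-11 self-checking digit; weights cycle 2..7 from the right (assumed scheme)."""
    total = sum(int(d) * (2 + i % 6) for i, d in enumerate(reversed(base)))
    remainder = (11 - total % 11) % 11
    return "X" if remainder == 10 else str(remainder)


def has_valid_check_digit(number: str) -> bool:
    """True when the last character equals the digit recomputed from the rest."""
    base, digit = number[:-1], number[-1:]
    if not (base.isascii() and base.isdigit()):
        return False
    return check_digit(base) == digit


def edit_record(record: dict) -> list:
    """Apply the input controls to one payroll record; return the names of failed checks."""
    failures = []
    sss = record["sss_number"]
    # Field check: exactly ten ASCII digits.
    if not (sss.isascii() and sss.isdigit() and len(sss) == 10):
        failures.append("field check")
    # Validity check: code must exist in the master file's list of codes.
    if record["gender_code"] not in VALID_GENDER_CODES:
        failures.append("validity check")
    # Limit check: hours must not exceed the pre-determined limit.
    if not 0 <= record["hours_worked"] <= WEEKLY_HOURS_LIMIT:
        failures.append("limit check")
    # Self-checking digit: detects transposed digits in the employee number.
    if not has_valid_check_digit(record["employee_no"]):
        failures.append("self-checking digit")
    return failures


def control_totals(batch: list) -> dict:
    """Financial total, hash total and record count for a batch of vouchers."""
    return {
        "financial total": sum(Decimal(v["amount"]) for v in batch),
        "hash total": sum(int(v["voucher_no"]) for v in batch),
        "record count": len(batch),
    }


def reconcile(before: list, after: list) -> list:
    """Names of the control totals that differ between input and processed output."""
    b, a = control_totals(before), control_totals(after)
    return [name for name in b if b[name] != a[name]]


# Constructed sample data. The vouchers repeat the chapter's figures.
VOUCHERS = [
    {"voucher_no": "141", "amount": "15000"},
    {"voucher_no": "142", "amount": "20000"},
    {"voucher_no": "143", "amount": "5000"},
]
LOST = VOUCHERS[:2]                                                # one record dropped
SUBSTITUTED = VOUCHERS[:2] + [{"voucher_no": "144", "amount": "5000"}]

GOOD_RECORD = {"sss_number": "0312345678", "gender_code": "2",
               "hours_worked": 45, "employee_no": "12638" + check_digit("12638")}
BAD_RECORD = {"sss_number": "03123456", "gender_code": "3",
              "hours_worked": 60, "employee_no": "123681"}         # 12638 keyed as 12368

if __name__ == "__main__":
    print("good record failures:", edit_record(GOOD_RECORD))
    print("bad record failures: ", edit_record(BAD_RECORD))
    print("input totals:        ", control_totals(VOUCHERS))
    print("lost record:         ", reconcile(VOUCHERS, LOST))
    print("substituted voucher: ", reconcile(VOUCHERS, SUBSTITUTED))
```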

2. Controls over processing

Processing controls are designed to provide reasonable assurance that input data
are processed accurately and that data are not lost, added, excluded, duplicated or
improperly changed. Almost all of the input controls that were mentioned earlier
are also part of the processing controls because such controls are usually
incorporated in the client’s computer program to detect errors in processing of
transactions.
3. Control over output

Output controls are designed to provide reasonable assurance that the results of
processing are complete, accurate and that these outputs are distributed only to
authorized personnel.

A person who knows what an output should look like must review the CIS output
for reasonableness. Control totals are compared with those computed prior to
processing to ensure completeness of information. Finally, CIS outputs must be
restricted only to authorized employees who will be using such output.

The effectiveness of the general CIS controls is essential to the effectiveness of CIS
application controls. Thus, it may be more efficient to review the design of the general
controls first before reviewing the application controls.

Test of Control in a CIS environment

As in a manual processing environment, test of control in a CIS environment
involves evaluating the client’s internal control policies and procedures to
determine if they are functioning as intended. Regardless of the nature of the
client’s data processing system, auditors must perform tests of controls if they
intend to rely on the client’s internal control.

The auditor’s objective and scope of the audit do not change in a CIS
environment. However, the use of the computer changes the processing and
storage of financial information and may affect the organization and procedures
employed by the entity to achieve adequate internal control. Accordingly, the
methods employed by the auditor in testing the control may also be affected.

Testing the reliability of general controls may include observing client’s
personnel in performing their duties; inspecting program documentation; and
observing the security measures in force. In testing application controls, the
auditor may either:

1) Audit around the computer; or
2) Use Computer-Assisted Audit Techniques

Auditing Around the Computer

Auditing around the computer is similar to testing control in a manual control
structure in that it involves examination of documents and reports to determine the
reliability of the system. When using this approach, the auditor ignores the client’s data
processing procedures, focusing solely on the input documents and the CIS output. Input
data are simply reconciled with the output to verify the accuracy of processing. Auditing
around the computer is based on the assumption that if the input reconciles with the
output, then the computer program must have processed the transaction accurately.
Hence, the auditor obtains knowledge about the reliability of the system without directly
examining the computer program of the system.

Auditing around the computer can be used only if there are visible input
documents and detailed output that will enable the auditor to trace individual transactions
back and forth. This is also known as the “black box approach” because it does not permit
direct assessment of actual processing of transactions.

Computer-Assisted Audit Techniques (CAATs)

When computer accounting systems perform tasks for which no visible evidence
is available, it may be impracticable for the auditor to test manually.
Consequently, the auditor will have to audit directly the client’s computer program
using CAATs. This is also called the “white box approach”.

CAATs are computer programs and data which the auditor uses as part of the
audit procedures to process data of audit significance contained in an entity’s
information systems. Some of the commonly used CAATs include test data,
integrated test facility and parallel simulation.

1) Test data

The test data technique is primarily designed to test the effectiveness of the
internal control procedures which are incorporated in the client’s computer
program. The objective of the test data technique is to determine whether the
client’s computer programs can correctly handle valid and invalid conditions as
they arise.

To accomplish this objective the auditor prepares test data (fictitious transactions)
that consist of valid and invalid conditions. The auditor enters the test data into
the system and has the data processed by the entity’s computer program.

Since the auditor is the one who creates the test data, the auditor knows what the
output should look like assuming the client’s computer program is functioning
effectively. The auditor then compares the processing results with his
predetermined output. If the output generated by the client’s program is the same
as the auditor’s expected output, the auditor may conclude that the client’s
program is reliable.

[Figure: TEST DATA. The auditor’s test data are processed using the client’s
program; the output is compared manually with the auditor’s expected output.]

2) Integrated test facility (ITF)

A disadvantage of the test data technique is that the auditor does not have
an assurance that the program tested is the same program used by the client
throughout the accounting period. In order to overcome this disadvantage, the test
data technique can be extended to an integrated test facility (ITF).

When using this technique, the auditor creates a dummy or fictitious employee or
other appropriate unit for testing within the entity’s computer system. Unlike test
data, which is run independently of the client’s data, ITF integrates the
processing of test data with the actual processing of ordinary transactions without
management being aware of the testing process. The resultant output, relating to
the dummy unit, is then compared with the predetermined results to evaluate the
reliability of the client’s program.

By processing test data simultaneously with client’s data, ITF provides assurance
that the program tested by the auditor is the same program used by the client in
processing transactions.

[Figure: INTEGRATED TEST FACILITY. The auditor’s test data and the client’s data
are processed together using the client’s program; the output is compared
manually with the auditor’s expected output.]

When using ITF, the auditor must be alert to the danger of contaminating the
client’s master files. Thus, care must be taken to reverse or eliminate the effects of
all audit test transactions in order to avoid contamination of client’s computer
files.

3) Parallel simulation

In contrast to the test data and ITF techniques, which require the auditor to create test
inputs to be processed using the client’s computer program, parallel simulation
requires the auditor to write a computer program that simulates key
features or processes of the program under review. The simulated program is then
used to reprocess transactions that were previously processed by the client’s
program.

The auditor compares the results obtained from the simulation with the client’s
output to be able to make inferences about the reliability of the client’s program.

[Figure: PARALLEL SIMULATION. The client’s data are processed using the client’s
program and, separately, using the auditor’s program; the two outputs are
compared manually.]

Parallel simulation can be accomplished by using generalized audit software or
purpose written programs. Generalized audit software consists of generally
available computer packages which have been designed to perform common
audit tasks such as performing or verifying calculations, summarizing and
totaling files, and reporting in a format specified by the auditor. Purpose written
programs, on the other hand, are designed to perform audit tasks in specific
circumstances. These programs may be developed by the auditor, the entity
being audited or an outside programmer hired by the auditor.
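
The test data technique and parallel simulation described above can be seen side by side in the following added example, which is not part of the original chapter. `client_program` is a hypothetical stand-in for the client's payroll program with a constructed defect (its limit check is missing); the pay rules, limit and all transactions are assumptions made for illustration.

```python
from decimal import Decimal

CENT = Decimal("0.01")
REGULAR_HOURS = Decimal("40")     # assumed pre-authorized terms
HOURS_LIMIT = Decimal("50")
OT_MULTIPLIER = Decimal("1.25")
REJECTED = "REJECTED"


def client_program(txn: dict):
    """Hypothetical client payroll program. Constructed defect: no limit check on hours."""
    hours, rate = Decimal(txn["hours"]), Decimal(txn["rate"])
    overtime = max(hours - REGULAR_HOURS, Decimal("0"))
    pay = (hours - overtime) * rate + overtime * rate * OT_MULTIPLIER
    return pay.quantize(CENT)


def auditor_program(txn: dict):
    """Auditor's simulation of the key processing, written from the authorized terms."""
    hours, rate = Decimal(txn["hours"]), Decimal(txn["rate"])
    if hours < 0 or hours > HOURS_LIMIT:
        return REJECTED
    regular = min(hours, REGULAR_HOURS)
    premium_hours = hours - regular
    return (regular * rate + premium_hours * rate * OT_MULTIPLIER).quantize(CENT)


def run_test_data(program, test_deck: list) -> list:
    """Test data technique: ids whose actual output differs from the predetermined result."""
    return [t["id"] for t in test_deck if program(t) != t["expected"]]


def parallel_simulation(transactions: list, client_output: dict, simulation) -> dict:
    """Reprocess the client's own transactions; return {id: (client result, simulated result)}
    for every transaction where the two disagree."""
    exceptions = {}
    for t in transactions:
        simulated = simulation(t)
        recorded = client_output.get(t["id"])
        if recorded != simulated:
            exceptions[t["id"]] = (recorded, simulated)
    return exceptions


# Constructed test deck: fictitious transactions with valid and invalid conditions,
# each with the output the auditor worked out in advance.
TEST_DECK = [
    {"id": "T1", "hours": "40", "rate": "100", "expected": Decimal("4000.00")},
    {"id": "T2", "hours": "45", "rate": "100", "expected": Decimal("4625.00")},
    {"id": "T3", "hours": "60", "rate": "100", "expected": REJECTED},   # invalid condition
]

# Constructed "live" transactions already processed by the client's program.
CLIENT_TRANSACTIONS = [
    {"id": "E01", "hours": "38", "rate": "120"},
    {"id": "E02", "hours": "44", "rate": "80"},
    {"id": "E03", "hours": "72", "rate": "90"},
]
CLIENT_OUTPUT = {t["id"]: client_program(t) for t in CLIENT_TRANSACTIONS}

if __name__ == "__main__":
    print("test data discrepancies:", run_test_data(client_program, TEST_DECK))
    print("simulation exceptions:  ",
          parallel_simulation(CLIENT_TRANSACTIONS, CLIENT_OUTPUT, auditor_program))
```

Both techniques flag the same missing limit check: the test deck because the invalid 60-hour transaction was paid instead of rejected, the simulation because a 72-hour record in the client's real output cannot be reproduced.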

CAATs for Advanced Computer Systems

Advanced computer systems sometimes do not retain permanent audit trails, thus
requiring capture of audit data as transactions are processed. Such systems may
require audit procedures that are able to identify and capture audit data as
transactions occur. Some of the commonly used CAATs include:

1) Snapshots

This technique involves taking a picture of a transaction as it flows through the
computer systems. Audit software routines are embedded at different points in
the processing logic to capture the images of the transaction as it progresses
through the various stages of processing. Such a technique permits an auditor to
track data and evaluate the computer processes applied to the data.

2) Systems control audit review files (SCARF)

This involves embedding audit software modules within an application system to
provide continuous monitoring of the system’s transactions. The information is
collected into a special computer file that the auditor can examine.

Multiple Choice Questions:

1. The characteristics that distinguish computer processing from manual processing
include the following

(1) Computer processing uniformly subjects like transactions to the same
instructions.
(2) Computer systems always ensure that complete transaction trails useful for
audit purposes are preserved for indefinite periods.
(3) Computer processing virtually eliminates the occurrence of clerical errors
normally associated with manual processing.
(4) Control procedures as to segregation of functions may no longer be necessary
in computer environment.

a) All of the above statements are true.
b) Only statements (2) and (4) are true.
c) Only statements (1) and (3) are true.
d) All of the above statements are false.

2. Which of the following statements is not correct?
a) The overall objective and scope of an audit do not change in a CIS
environment.
b) When computers or CIS are introduced, the basic concept of evidence
accumulation remains the same.
c) Most CIS rely extensively on the same type of procedures for control that are
used in manual processing system.
d) The specific methods appropriate for implementing the basic auditing
concepts do not change, as systems become more complex.

3. The use of CIS will least likely affect the
a) The procedure followed by the auditor in obtaining a sufficient understanding
of the accounting and internal control systems.
b) The auditor’s specific audit objectives.
c) The consideration of inherent risk and control risk through which the auditor
arrives at the risk assessment.
d) The auditor’s design and performance of tests of control and substantive
procedures appropriate to meet the audit objective.

4. Which of the following is unique to CIS?
a) Error listing
b) Flowchart
c) Questionnaires
d) Pre-numbered documents
5. Where computer processing is used in significant accounting applications, internal
control procedures may be defined by classifying control procedures in two types:
general and
a) Administrative
b) Specific
c) Application
d) Authorization
6. A control which relates to all parts of the CIS is called a(n)
a) System control
b) General control
c) Applications control
d) Universal control

7. Controls which apply to a specific use of the system are called
a) Systems control
b) General control
c) Applications control
d) User controls

8. Some CIS control procedures relate to all CIS activities (general controls) and
some relate to specific tasks (application controls). General controls include
a) Controls designed to ascertain that all data submitted to CIS for processing have
been properly authorized
b) Controls that relate to the correction and resubmission of data that were
initially incorrect
c) Controls for documenting and approving programs and changes to programs.
d) Controls designed to assure the accuracy of the processing results.

9. An auditor is assessing control risk at a low level in a CIS environment. Under these
circumstances, on which of the following procedures would the auditor initially
focus?
a) Programmed control procedures
b) Application control procedures
c) Output control procedures
d) General control procedures

10. Which of the following is not a general control?
a) The plan of organization and operation of CIS activity.
b) Procedures for documenting, reviewing, and approving systems and programs.
c) Processing control
d) Hardware controls.

11. Which of the following activities would most likely be performed in the CIS
department?
a) Initiation of changes to master records
b) Conversion of information to machine-readable form.
c) Correction of transactional errors.
d) Initiation of changes to existing applications.

12. For control purposes which of the following should be organizationally
segregated from the computer operations functions?
a) Data conversion
b) Systems development
c) Minor maintenance according to a schedule
d) Processing of data

13. Where computers are used, the effectiveness of internal control depends, in part,
upon whether the organizational structure includes any incompatible
combinations. Such a combination would exist when there is no separation of the
duties between
a) Documentation librarian and manager of programming
b) Programming and computer operator
c) Systems analyst and programmer
d) Processing control clerk and keypunch supervisor

14. Which of the following is a general control that would most likely assist an entity
whose system analyst left the entity in the middle of a major project?
a) Grandfather-father-son record retention
b) Data encryption
c) Systems documentation
d) Check digit verification

15. Internal control is ineffective when computer department personnel
a) Participate in computer software acquisition decision
b) Design documentation for computerized systems
c) Originate changes in master files
d) Provide physical security for program files

16. Access control on an on-line CIS can best be provided in most circumstances by
a) An adequate librarianship function controlling access to files.
b) A label affixed to the outside of a file medium holder that identifies the
contents
c) Batch processing of all input through a centralized, well guarded facility
d) User and terminal identification controls such as passwords

17. Adequate control over access to data processing is required to
a) Deter improper use or manipulation of data files and programs
b) Ensure that only console operators have access to program documentation
c) Minimize the need for backup data files
d) Ensure that hardware controls are operating effectively and as designed by the
computer manufacturer
18. The management of ABC Co. suspects that someone is tampering with pay rates
by entering changes through the Co.’s remote terminals located in the factory. The
method ABC Co. should implement to protect the system from these unauthorized
alterations to the system’s files is
a) Batch totals
b) Checkpoint recovery
c) Passwords
d) Record count

19. The possibility of losing a large amount of information stored in computer files
most likely would be reduced by the use of
a) Back up files
b) Check digits
c) Completeness tests
d) Conversion verification

20. Which of the following controls most likely would assure that an entity can
reconstruct its financial records?
a) Hardware controls are built into the computer by the computer manufacturer.
b) Backup diskettes or tapes of files are stored away from originals
c) Personnel who are independent of data input perform parallel simulations
d) System flowcharts provide accurate descriptions of input and output
operations.

21. Unauthorized alteration of on line records can be prevented by employing:
a) Key verification
b) Computer sequence checks
c) Computer matching
d) Data base access controls

22. A Co. updates its accounts receivable master file weekly and retains the master
files and corresponding update transactions for the most recent 2-week period.
The purpose of this practice is to
a) Verify run-to-run control totals for receivables.
b) Match internal labels to avoid writing on the wrong volume.
c) Permit reconstruction of the master file if needed.
d) Validate groups of update transactions for each

23. Which of the following is not an example of an application control?
a) An equipment failure causes an error message on the monitor
b) There is a preprocessing authorization of the sales transactions
c) There are reasonableness tests of the unit-selling price of sale
d) After processing, all sales transactions are reviewed by the sales department.
24. Which of the following is not a processing control?
a) Control risk
b) Reasonable test
c) Check digits
d) Control total

25. When CIS programs or files can be accessed from terminals, users should be
required to enter a (n)
a) Parity check
b) Personal identification code
c) Self diagnosis test
d) Echo check

26. Which of the following is an example of a check digit?
a) An agreement of the total number of employees to the total number of checks
printed by the computer
b) An algebraically determined number produced by the other digits of the
employee number.
c) A logic test that ensures all employee numbers are nine digits
d) A limit check that an employee’s hours do not exceed 50 hours per work week

27. The completeness of computer generated sales figures can be tested by comparing
the number of items listed on the daily sales report with the number of items
billed on the actual invoices. This process uses
a) Check digits
b) Control totals
c) Validity tests
d) Process tracing data

28. Which of the following is correct?
a) Check digits should be used for all data codes.
b) Check digits are always placed at the end of data code
c) Check digits do not affect processing efficiency
d) Check digits are designed to detect transcription errors.

29. A clerk inadvertently entered an account number 12368 rather than account
number 12638. In processing this transaction, the error would be detected with
which of the following controls?
a) Batch total
b) Key verifying
c) Self-checking digit
d) An internal consistency check

30. Totals of amounts in computer record data fields, which are not usually added but
are used only for data processing control purposes, are called
a) Record totals
b) Hash totals
c) Processing data totals
d) Field totals

31. If a control total were to be computed on each of the following data items, which
would best be identified as a hash total for a payroll CIS application?
a) Net pay
b) Hours worked
c) Department numbers
d) Total debits and total credits

32. In updating a computerized accounts receivable file, which one of the following
would be used as a batch control to verify the accuracy of the posting of cash
receipts remittances?
a) The sum of the cash deposits plus the discounts less the sales returns.
b) The sum of the cash deposits
c) The sum of the cash deposits less the discounts taken by customers.
d) The sum of the cash deposits plus the discounts taken by customers.

33. Which statement is NOT correct? The goal of batch controls is to ensure that
during processing
a) Transactions are not omitted
b) Transactions are not added to create.
c) Transactions are processed more than once
d) An audit trail is created

34. An example of a hash total is
a) Total payroll checks – P12,315
b) Total number of employees – 10
c) Sum of the social security numbers – 12,555,437,251
d) None of the above.

35. The employee entered “40” in the “hours worked per day” field. Which check
would detect this unintentional error?
a) Numeric/alphabetical check
b) Sign check
c) Limit check
d) Missing data check

36. An unauthorized employee took computer printouts from output bins accessible to
all employees. A control which would have prevented this occurrence is
a) A storage/retention control
b) An output review control
c) A spooler file control
d) A report distribution control

37. It involves application of auditing procedures using the computer as an audit tool.
This includes computer programs and data the auditor uses as part of the audit
procedures to process data of audit significance contained in an entity’s
information systems.
a) Test data approach
b) Computer assisted audit techniques
c) Generalized audit software
d) Auditing around the computer

38. When auditing “around” the computer, the independent auditor focuses solely
upon the source documents and
a) Test data
b) CIS processing
c) Compliance techniques
d) CIS output

39. Which of the following CIS generally can be audited without examining or
directly testing the computer programs of the system?
a) A system that performs relatively uncomplicated processes and produces detail
output
b) A system that affects a number of essential master files and produces a
limited output
c) A system that updates a few essential master files and produces no printed
output other than final balances
d) A system that uses an on-line real-time processing feature.

40. Which of the following procedures is an example of auditing “around” the
computer?
a) The auditor traces adding machine tapes of sales order batch totals to a
computer printout of the sales journal.
b) The auditor develops a set of hypothetical sales transactions and using the
client’s computer program, enters the transactions into the system and
observes the processing flow.
c) The auditor enters hypothetical transactions into the client’s processing
system during client processing of “live” data.
d) The auditor observes client personnel as they process the biweekly payroll.
The auditor is primarily concerned with computer rejection of data that fails to
meet reasonableness limits.

41. A disadvantage of auditing around the computer is that it
a) Permits no direct assessment of actual processing
b) Requires highly skilled auditors.
c) Demands intensive use of machine resources.
d) Interacts actively with auditee applications.

42. Auditing by testing the input and output of an IT system instead of the computer
program itself will
a) Not detect program errors which do not show up in the output sampled.
b) Detect all program errors, regardless of the nature of the output
c) Provide the auditor with the same type of evidence
d) Not provide the auditor with confidence in the results of the auditing
procedures.

43. Which of the following is NOT a common type of white box approach?
a) Test data
b) Integrated test facility
c) Auditing around the computer
d) Parallel simulation

44. Compliance testing of an advanced CIS
a) Can be performed using only actual transactions since testing of simulated
transactions is of no consequence
b) Can be performed using actual transactions or simulated transactions
c) Is impractical since many procedures within the ICS activity leave no visible
evidence of having been performed
d) Is inadvisable because it may distort the evidence in master files

45. Creating simulated transactions that are processed through a system to generate
results that are compared with predetermined results, is an auditing procedure
referred to as
a) Program checking
b) Use of test data
c) Completing outstanding jobs
d) Parallel simulation

46. An auditor estimates that 10,000 checks were issued during the accounting period.
If a computer application control which performs a limit check for each check
request is to be subjected to the auditor’s test data approach, the sample should
include
a) Approximately 1,000 test items
b) A number of test items determined by the auditor to be sufficient under the
circumstances
c) A number of test items determined by the auditor’s reference to the
appropriate sampling tables
d) One transaction

47. An integrated test facility (ITF) would be appropriate when the auditor needs to
a) Trace a complex logic path through an application system.
b) Verify processing accuracy concurrently with processing
c) Monitor transactions in an application system continuously.
d) Verify load module integrity for production programs

48. The auditor’s objective to determine whether the client’s computer programs can
correctly handle valid and invalid transactions as they arise is accomplished
through the
a) Test data approach
b) Generalized audit software approach
c) Microcomputer-aided auditing approach
d) Generally accepted auditing standards.

49. When an auditor tests a computerized accounting system, which of the following
is true of the test data approach?
a) Several transactions of each type must be tested
b) Test data must consist of all possible valid and invalid conditions
c) The program tested is different from the program used throughout the year by
the client
d) Test data are processed by the client’s computer programs under the auditor’s
control.

50. Which of the following statements is not true of the test data approach when
testing a computerized accounting system?
a) The test needs to consist of only those valid and invalid conditions which
interest the auditor.
b) Only one transaction of each type need be tested
c) The test data must consist of all possible valid and invalid conditions.
d) Test data are processed by the client’s computer programs under the auditor’s
control.

51. In auditing through a computer, the test data method is used by auditors to test the
a) Accuracy of input data
b) Validity of the output
c) Procedures contained within the program
d) Normalcy of distribution of test data

52. Which of the following computer-assisted auditing techniques allows fictitious
and real transactions to be processed together without client operating personnel
being aware of the testing process?
a) Parallel simulation
b) Generalized audit software programming
c) Integrated test facility
d) Test data approach

53. A primary reason auditors are reluctant to use an ITF is that it requires them to
a) Reserve specific master file records and process them at regular intervals
b) Collect transaction and master file records in a separate file
c) Notify user personnel so they can make manual adjustments to output
d) Identify and reverse the fictitious entries to avoid contamination of the master
file.

54. Which of the following is a disadvantage of the integrated test facility approach?
a) In establishing fictitious entities, the auditor may be compromising audit
independence
b) Removing the fictitious transactions from the system is somewhat difficult
and if not done carefully, may contaminate the client’s files.
c) ITF is simply an automated version of auditing “around” the computer
d) The auditor may not always have a current copy of the authorized version of
the client’s program

55. The audit approach in which the auditor runs his/her own program on a controlled
basis in order to verify the client’s data recorded in a machine language is
a) The test data approach
b) The generalized audit software approach
c) The microcomputer aided auditing approach
d) Called auditing around the computer

56. This question is based on the following chart:

[Flowchart: Transaction File, Client’s Program and Output on one side; Transaction File, Auditor’s Program and Output on the other; the two outputs meet at Compare, followed by an Exceptions Report]

This flowchart depicts
a) Program code checking
b) Parallel simulation
c) Integrated test facility
d) Controlled reprocessing

57. Which of the following methods of testing application controls utilizes a
generalized audit software package prepared by the auditors?
a) Parallel simulation
b) Integrated testing facility approach
c) Test data approach
d) Exception report test

58. Parallel simulation is an audit technique employed to verify processing by making
use of audit test programs. These audit test programs “simulate” the processing
logic of an application program or programs under review. Which statement
indicates the use of parallel simulation audit techniques?
a) Live transactions are processed using live programs
b) Live transactions are processed with test master file
c) Test transactions are processed using test programs
d) Live transactions are processed using test programs
