12-17

The following questions concern the characteristics of IT systems. Choose

the best response.
a. Effective management of information technologies in an organization embraces the
viewpoint that
(1) Most technologies reduce existing risk conditions.
(2) Technologies reduce some types of risks while introducing new types of risks
to be managed.
(3) Technologies generally increase an organizations overall net risks.
(4) The objective of technology implementations is to increase profitability on a
net basis.
Answer: (2) Technologies reduce some types of risks while introducing new
types of risks to be managed.
b. Which of the following is generally not considered a category of IT general controls?
(1) Controls that determine whether a vendor number matches the pre-approved
vendors in the vendor master file.
(2) Controls that restrict system-wide access to programs and data.
(3) Controls that oversee the acquisition of application software.
(4) Controls that oversee the day-to-day operation of IT applications.
Answer: (1) Controls that determine whether a vendor number matches the
pre-approved vendors in the vendor master file.
c. As general IT controls weaken, the auditor is most likely to
(1) Reduce testing of automated application controls done by the computer.
(2) Increase testing of general IT controls to conclude whether they are operating
effectively.
(3) Expand testing of automated application controls used to reduce control risk
to cover greater portions of the fiscal year under audit.
(4) Ignore obtaining knowledge about the design of general IT controls and
whether they have been implemented.
Answer: (3) expand testing of automated application controls used to
reduce control risk to cover greater portions of the fiscal year under audit.
d. Which of the following is an example of an application control?
(1) The client uses access security software to limit access to each of the
accounting applications.
(2) Employees are assigned a user ID and password that must be changed every
quarter.
(3) The sales system automatically computes the total sale amount and posts the
total to the sales journal master file.
(4) Systems programmers are restricted from doing applications programming
functions.
Answer: (3) The sales system automatically computes the total sale amount
and posts the total to the sales journal master file.

12-18
The following questions concern auditing complex IT systems. Choose the
best response.
a. Which of the following client IT systems generally can be audited without examining
or directly testing the computer programs of the system?
(1) A system that performs relatively uncomplicated processes and produces
detailed output.
(2) A system that affects a number of essential master files and produces limited
output.
(3) A system that updates a few essential master files and produces no printed
output other than final balances.
(4) A system that does relatively complicated processing and produces little
detailed output.
Answer: (1) A system that performs relatively uncomplicated processes and
produces detailed output.
b. Your clients sales application ensures that all credit sales transactions in the sales
journal have an assigned bill of lading number; however, the system does not ensure
that all bill of lading numbers have an assigned sales invoice number. Your company
may have a control deficiency related to the
(1) Occurrence of sales transactions.
(2) Accuracy of sales transactions.
(3) Completeness of sales transactions.
(4) Completeness of the cash balance.
Answer: (3) Completeness of sales transactions.
c. Before processing, the system validates the sequence of items to identify any breaks in
sequence of input documents. This automated control is primarily designed to ensure
the
(1) Accuracy of input.
(2) Authorization of data entry.
(3) Completeness of input.
(4) Restriction of duplicate entries.
Answer: (3) Completeness of input.
d. An auditor will use the test data approach to obtain certain assurances with respect to
the
(1) Input data.
(2) Machine capacity.
(3) Procedures contained within the program.
(4) Degree of data entry accuracy.
Answer: (3) Procedures contained within the program.

12-27
Your new audit client, Hardwood Lumber Company, has a computerized accounting
system for all financial statement cycles. During planning, you visited with the
information systems vice president and learned that personnel in information systems
are assigned to one of four departments: systems programming, applications
programming, operations, or data control. Job tasks are specific to the individual and no
responsibilities overlap with other departments. Hardwood Lumber relies on the
operating system software to restrict online access to individuals. The operating system
allows an employee with READ capabilities to only view the contents of the program
or file. CHANGE allows the employee to update the contents of the program or file.
RUN allows the employee to use a program to process data. Programmers, both
systems and applications, are restricted to a READ-only access to all live application
software program files but have READ and CHANGE capabilities for test copies of those
software program files. Operators have READ and RUN capabilities for live application
programs. Data control clerks have CHANGE access to data files only and no access to
software program files. The person in charge of operations maintains access to the
operating software security features and is responsible for assigning access rights to
individuals. The computer room is locked and requires a card-key to access the room.
Only operations staff have a card-key to access the room, and security cameras monitor
access. A TV screen is in the information systems vice presidents office to allow periodic
monitoring of access. The TV presents the live picture and no tape record is maintained.
The librarian, who is in the operations department, is responsible for maintaining the
library of program tapes and files. The librarian has READ and CHANGE access rights
to program tapes and files. The files, when not being used, are stored in shelves located
in a room adjacent to the computer room. They are filed numerically based on the tape
label physically attached on the outside of the tape cartridge to allow for easy
identification by operators as they access tapes from the shelves for processing.
Required
What recommendations for change can you suggest to improve Hardwoods
information systems function?
ANSWER:
Recommendations to improve Hardwood Lumber Companys Information Systems
function:
The Vice President of Information Systems (VP of IS) should report on a day-today basis to senior management (i.e. the president) and should not be under the
authority of user personnel. This ensures that the IS function is not subordinate
to a user function, which might inappropriately allocate IS resources to that user
functions projects.
The VP of IS should have access to the board of directors and should be
responsible for periodically updating the board on significant IS projects.
Perhaps, the board should create an IS Steering Committee to oversee IS
activities (like the Audit Committee oversees the financial reporting process).

 Operations staff should not have responsibility for maintaining the operating
software security features. This responsibility should be assigned to a more
senior, trusted IS individual, such as the VP of IS.
Video monitors should be examined continually. The actual monitors could be
viewed on an ongoing basis by building security guards. Hardwood should
consider taping what the cameras are viewing for subsequent retrieval in the
event of a security breach.
Consider requiring the use of card-keys and passwords to grant entrance to the
computer room to enhance security surrounding unauthorized access to the
computer room.
Hardwood may consider purchasing a vendor developed access security software
package to strengthen on-line security beyond the features currently provided by
the operation softwares security features.
Restrict programmer access to test copies of software programs for only those
programs that have been authorized for program change. Access to copies of
other programs may not be necessary when those programs have not been
authorized for change.
Grant systems programmers access only to approved test copies of systems
software, and grant application programmers access only to approved copies of
application software.
Consider hiring a systems analyst to coordinate all program development
projects. Systems analysts can strengthen communications between user and
programming personnel, and they can increase the likelihood that a strong
systems development process is followed.
Develop a weekly Job Schedule that outlines the order in which operators should
process jobs. The VP of IS should review computer output to determine that it
reconciles to the approved Job Schedule. This will increase the likelihood that
only approved jobs are processed and that they are processed in the correct
sequence.
Relocate the secondary storage to a physically secure room separate from the
computer room. Only grant the librarian access to this room. This will prevent
the unauthorized removal of program and data files.
Remove the librarians CHANGE rights to program and data files. The librarian
should not be able to make changes to those files. The librarian should only be
able to copy the contents of those files.
Develop regular procedures for preparing backup copies of programs and data
files and ensure those copies are sent to off-site storage.

 Use internal header and trailer labels on program tapes to ensure that the proper
tapes are mounted for processing.
Consider purchasing a vendor-developed librarian software package to assist the
librarian in maintaining complete and accurate records of secondary storage
programs and data files.
Make sure only user department personnel have the ability to authorization
additions or changes to data files.

13-22
The following questions concern types of audit tests. Choose the best
response.
a. The auditor looks for an indication on duplicate sales invoices to see whether the
accuracy of invoices has been verified. This is an example of
(1) A test of details of balances.
(2) A test of control.
(3) A substantive test of transactions.
(4) Both a test of control and a substantive test of transactions.
Answer: (2) A test of control.
b. An auditors decision either to apply analytical procedures as substantive tests or to
perform substantive tests of transactions and account balances usually is determined by
the
(1) Availability of data aggregated at a high level.
(2) Relative effectiveness and efficiency of the tests.
(3) Timing of tests performed after the balance sheet date.
(4) Auditors familiarity with industry trends.
Answer: (2) Relative effectiveness and efficiency of the tests.
c. The auditor faces a risk that the audit will not detect material misstatements that
occur in the accounting process. To minimize this risk, the auditor relies primarily on
(1) Substantive tests.
(2) Tests of controls.
(3) Internal control.
(4) Statistical analysis.
Answer: (1) Substantive tests.
d. A conceptually logical approach to the auditors evaluation of internal control
consists of the following four steps:
I. Determining the internal controls that should prevent or detect errors and
fraud.
II. Identifying control deficiencies to determine their effect on the nature, timing,
or extent of auditing procedures to be applied and suggestions to be made to the
client.

III. Determining whether the necessary internal control procedures are

prescribed and are being followed satisfactorily.
IV. Considering the types of errors and fraud that can occur.
What should be the order in which these four steps are performed?
(1) I, II, III, and IV
(2) I, III, IV, and II
(3) III, IV, I, and II
(4) IV, I, III, and II
Answer: (4) IV, I, III, and II
13-23
The following questions deal with tests of controls. Choose the best
response.
a. Which of the following statements about tests of controls is most accurate?
(1) Auditing procedures cannot concurrently provide both evidence of the
effectiveness of internal control procedures and evidence required for substantive
tests.
(2) Tests of controls include observations of the proper segregation of duties.
(3) Tests of controls provide direct evidence about monetary misstatements in
transactions.
(4) Tests of controls ordinarily should be performed as of the balance sheet date
or during the period subsequent to that date.
Answer: (2) Tests of controls include observations of the proper
segregation of duties.
b. To support the auditors initial assessment of control risk below maximum, the
auditor performs procedures to determine that internal controls are operating
effectively. Which of the following audit procedures is the auditor performing?
(1) Tests of details of balances
(2) Substantive tests of transactions
(3) Tests of controls
(4) Tests of trends and ratios
Answer: (3) Tests of controls
c. The primary objective of performing tests of controls is to obtain
(1) A reasonable degree of assurance that the clients internal controls are
operating effectively on a consistent basis throughout the year.
(2) Sufficient, appropriate audit evidence to afford a reasonable basis for the
auditors opinion, without the need for additional evidence.
(3) Assurances that informative disclosures in the financial statements are
reasonably adequate.
(4) Knowledge and understanding of the clients prescribed procedures and
methods.
Answer: (1) A reasonable degree of assurance that the clients internal
controls are operating effectively on a consistent basis throughout the year.

d. To test the effectiveness of controls, an auditor ordinarily selects from a variety of

techniques, including
(1) Analysis.
(2) Confirmation.
(3) Re-performance.
(4) Comparison.
Answer: (3) Re-performance.
13-24
The following are 11 audit procedures taken from an audit program:
1. Foot the accounts payable trial balance and compare the total with the general ledger.
2. Confirm accounts payable balances directly with vendors.
3. Account for a sequence of checks in the cash disbursements journal to determine
whether any have been omitted.
4. Examine vendors invoices to verify the ending balance in accounts payable.
5. Compare the balance in payroll tax expense with previous years. The comparison
takes the increase in payroll tax rates into account.
6. Examine the internal auditors initials on monthly bank reconciliations as an
indication of whether they have been reviewed.
7. Examine vendors invoices and other documentation in support of recorded
transactions in the acquisitions journal.
8. Multiply the commission rate by total sales and compare the result with commission
expense.
9. Examine vendors invoices and other supporting documents to determine whether
large amounts in the repair and maintenance account should be capitalized.
10. Discuss the duties of the cash disbursements clerk with him and observe whether he
has responsibility for handling cash or preparing the bank reconciliation.
11. Inquire about the accounts payable supervisors monthly review of a computergenerated exception report of receiving reports and purchase orders that have not been
matched with a vendor invoice.
Required
a. Indicate whether each procedure is a test of control, substantive test of
transactions, analytical procedure, or a test of details of balances.
b. Identify the type of evidence for each procedure.

ANSWER:

SL. NO.

AUDIT PROCEDURE

TESTS

TYPE OF
EVIDENCE

01

Foot the accounts payable

trial balance and compare the
total with the general ledger.

Test of details of
balances.

Recalculation

02

Confirm accounts payable

Test of details of
balances directly with vendors. balances.

Confirmation

03

Account for a sequence of Test of control

checks
in
the
cash
disbursements
journal
to
determine whether any have
been omitted.

Documentation

04

Examine vendors invoices to Test of details of

verify the ending balance in balances.
accounts payable.

Documentation

05

Compare the balance in Analytical

payroll tax expense with procedures
previous
years.
The
comparison takes the increase
in payroll tax rates into
account.

Analytical
procedures

06

Examine the internal auditors

initials on monthly bank
reconciliations as an
indication of whether they
have been reviewed.

Documentation

07

Examine vendors invoices and Substantive test of

other
documentation
in transactions
support
of
recorded
transactions
in
the
acquisitions journal.

Documentation

08

Multiply the commission rate

by total sales and compare the
result with commission

Analytical
procedures

Test of control

Analytical
procedures

expense.
09

Examine vendors invoices and Test of details of

other supporting documents balances.
to determine whether large
amounts in the repair and
maintenance account should
be capitalized.

Documentation

10

Discuss the duties of the cash Test of control

disbursements clerk with him
and observe whether he has
responsibility for handling
cash or preparing the bank
reconciliation.

Inquiry and
Observation

11

Inquire about the accounts Test of control

payable supervisors monthly
review
of
a
computergenerated exception report of
receiving reports and purchase
orders that have not been
matched with a vendor
invoice.

Inquiry