Information Technology Auditing, 4th Edition Test Bank
IT Auditing 4th Ed—Test Bank, Chapter 1
Chapter 1—Auditing and Internal Control

TRUE/FALSE

1. Corporate management (including the CEO) must certify monthly and annually their organization’s internal controls over financial reporting.
ANS: F
PTS: 1

2. Both the SEC and the PCAOB require management to use the COBIT framework for assessing internal control adequacy.
ANS: F
PTS: 1

3. Both the SEC and the PCAOB require management to use the COSO framework for assessing internal control adequacy.
ANS: F
PTS: 1

4. A qualified opinion on management’s assessment of internal controls over the financial reporting system necessitates a qualified opinion on the financial statements.
ANS: F
PTS: 1

5. The same internal control objectives apply to manual and computer-based information systems.
ANS: T
PTS: 1

6. The external auditor is responsible for establishing and maintaining the internal control system.
ANS: F
PTS: 1

7. Segregation of duties is an example of an internal control procedure.
ANS: T
PTS: 1

8. Preventive controls are passive techniques designed to reduce fraud.
ANS: T
PTS: 1

9. A key modifying assumption in internal control is that the internal control system is the responsibility of management.
ANS: T
PTS: 1
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
10. While the Sarbanes-Oxley Act prohibits auditors from providing non-accounting services to their audit clients, they are not prohibited from performing such services for non-audit clients or privately held companies.
ANS: T
PTS: 1

11. The Sarbanes-Oxley Act requires the audit committee to hire and oversee the external auditors.
ANS: T
PTS: 1

12. Section 404 requires that corporate management (including the CEO) certify their organization’s internal controls on a quarterly and annual basis.
ANS: F
PTS: 1

13. Section 302 requires the management of public companies to assess and formally report on the effectiveness of their organization’s internal controls.
ANS: F
PTS: 1

14. Application controls apply to a wide range of exposures that threaten the integrity of all programs processed within the computer environment.
ANS: F
PTS: 1

15. Advisory services is an emerging field that goes beyond the auditor’s traditional attestation function.
ANS: T
PTS: 1

16. An IT auditor expresses an opinion on the fairness of the financial statements.
ANS: F
PTS: 1

17. External auditing is an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization.
ANS: F
PTS: 1

18. External auditors can cooperate with and use evidence gathered by internal audit departments that are organizationally independent and that report to the Audit Committee of the Board of Directors.
ANS: T
PTS: 1

19. Tests of controls determine whether the database contents fairly reflect the organization's transactions.
ANS: F
PTS: 1
20. Audit risk is the probability that the auditor will render an unqualified opinion on financial statements that are materially misstated.
ANS: T
PTS: 1

21. A strong internal control system will reduce the amount of substantive testing that must be performed.
ANS: T
PTS: 1

22. Substantive testing techniques provide information about the accuracy and completeness of an application's processes.
ANS: F
PTS: 1
MULTIPLE CHOICE

1. The concept of reasonable assurance suggests that
a. the cost of an internal control should be less than the benefit it provides
b. a well-designed system of internal controls will detect all fraudulent activity
c. the objectives achieved by an internal control system vary depending on the data processing method
d. the effectiveness of internal controls is a function of the industry environment
ANS: A
PTS: 1

2. Which of the following is not a limitation of the internal control system?
a. errors are made due to employee fatigue
b. fraud occurs because of collusion between two employees
c. the industry is inherently risky
d. management instructs the bookkeeper to make fraudulent journal entries
ANS: C
PTS: 1

3. The most cost-effective type of internal control is
a. preventive control
b. accounting control
c. detective control
d. corrective control
ANS: A
PTS: 1

4. Which of the following is a preventive control?
a. credit check before approving a sale on account
b. bank reconciliation
c. physical inventory count
d. comparing the accounts receivable subsidiary ledger to the control account
ANS: A
PTS: 1
5. A well-designed purchase order is an example of a
a. preventive control
b. detective control
c. corrective control
d. none of the above
ANS: A
PTS: 1

6. A physical inventory count is an example of a
a. preventive control
b. detective control
c. corrective control
d. feed-forward control
ANS: B
PTS: 1

7. The bank reconciliation uncovered a transposition error in the books. This is an example of a
a. preventive control
b. detective control
c. corrective control
d. none of the above
ANS: B
PTS: 1

8. Which of the following is not an element of the internal control environment?
a. management philosophy and operating style
b. organizational structure of the firm
c. well-designed documents and records
d. the functioning of the board of directors and the audit committee
ANS: C
PTS: 1

9. Which of the following suggests a weakness in the internal control environment?
a. the firm has an up-to-date organizational chart
b. monthly reports comparing actual performance to budget are distributed to managers
c. performance evaluations are prepared every three years
d. the audit committee meets quarterly with the external auditors
ANS: C
PTS: 1

10. Which of the following indicates a strong internal control environment?
a. the internal audit group reports to the audit committee of the board of directors
b. there is no segregation of duties between organization functions
c. there are questions about the integrity of management
d. adverse business conditions exist in the industry
ANS: A
PTS: 1
11. According to COSO, an effective accounting system performs all of the following except
a. identifies and records all valid financial transactions
b. records financial transactions in the appropriate accounting period
c. separates the duties of data entry and report generation
d. records all financial transactions promptly
ANS: C
PTS: 1

12. Which of the following is the best reason to separate duties in a manual system?
a. to avoid collusion between the programmer and the computer operator
b. to ensure that supervision is not required
c. to prevent the record keeper from authorizing transactions
d. to enable the firm to function more efficiently
ANS: C
PTS: 1

13. Which of the following is not an internal control procedure?
a. authorization
b. management’s operating style
c. independent verification
d. accounting records
ANS: B
PTS: 1

14. The decision to extend credit beyond the normal credit limit is an example of
a. independent verification
b. authorization
c. segregation of functions
d. supervision
ANS: B
PTS: 1

15. When duties cannot be segregated, the most important internal control procedure is
a. supervision
b. independent verification
c. access controls
d. accounting records
ANS: A
PTS: 1

16. An accounting system that maintains an adequate audit trail is implementing which internal control procedure?
a. access controls
b. segregation of functions
c. independent verification
d. accounting records
ANS: D
PTS: 1
17. The importance to the accounting profession of the Sarbanes-Oxley Act is that
a. bribery will be eliminated
b. management will not override the company’s internal controls
c. management is required to certify their internal control system
d. firms will not be exposed to lawsuits
ANS: C
PTS: 1

18. The board of directors consists entirely of personal friends of the chief executive officer. This indicates a weakness in
a. the accounting system
b. the control environment
c. control procedures
d. this is not a weakness
ANS: B
PTS: 1

19. The office manager forgot to record in the accounting records the daily bank deposit. Which control procedure would most likely prevent or detect this error?
a. segregation of duties
b. independent verification
c. accounting records
d. supervision
ANS: B
PTS: 1

20. Control activities under SAS 109/COSO include
a. IT controls, preventative controls, and corrective controls
b. physical controls, preventative controls, and corrective controls
c. general controls, application controls, and physical controls
d. transaction authorizations, segregation of duties, and risk assessment
ANS: C
PTS: 1

21. Internal control systems have limitations. These include all of the following except
a. possibility of honest error
b. circumvention
c. management override
d. stability of systems
ANS: D
PTS: 1

22. Management can expect various benefits to follow from implementing a system of strong internal control. Which of the following benefits is least likely to occur?
a. reduced cost of an external audit
b. prevents employee collusion to commit fraud
c. availability of reliable data for decision-making purposes
d. some assurance of compliance with the Foreign Corrupt Practices Act of 1977
e. some assurance that important documents and records are protected
ANS: B
PTS: 1
23. Which of the following situations is not a segregation of duties violation?
a. The treasurer has the authority to sign checks but gives the signature block to the assistant treasurer to run the check-signing machine.
b. The warehouse clerk, who has the custodial responsibility over inventory in the warehouse, selects the vendor and authorizes purchases when inventories are low.
c. The sales manager has the responsibility to approve credit and the authority to write off accounts.
d. The department time clerk is given the undistributed payroll checks to mail to absent employees.
e. The accounting clerk who shares the record keeping responsibility for the accounts receivable subsidiary ledger performs the monthly reconciliation of the subsidiary ledger and the control account.
ANS: B
PTS: 1

24. Which concept is not an integral part of an audit?
a. evaluating internal controls
b. preparing financial statements
c. expressing an opinion
d. analyzing financial data
ANS: B
PTS: 1

25. Which statement is not true?
a. Auditors must maintain independence.
b. IT auditors attest to the integrity of the computer system.
c. IT auditing is independent of the general financial audit.
d. IT auditing can be performed by both external and internal auditors.
ANS: C
PTS: 1

26. Typically, internal auditors perform all of the following tasks except
a. fraud detection
b. evaluation of operational efficiency
c. review of compliance with legal obligations
d. internal auditors perform all of the above tasks
ANS: D
PTS: 1

27. The fundamental difference between internal and external auditing is that
a. internal auditors represent the interests of the organization and external auditors represent outsiders
b. internal auditors perform IT audits and external auditors perform financial statement audits
c. internal auditors focus on financial statement audits and external auditors focus on operational audits and financial statement audits
d. external auditors assist internal auditors but internal auditors cannot assist external auditors
ANS: A
PTS: 1
28. Internal auditors assist external auditors with financial audits to
a. reduce audit fees
b. ensure independence
c. represent the interests of management
d. the statement is not true; internal auditors are not permitted to assist external auditors with financial audits
ANS: A
PTS: 1

29. Which statement is not correct?
a. Auditors gather evidence using tests of controls and substantive tests.
b. The most important element in determining the level of materiality is the mathematical formula.
c. Auditors express an opinion in their audit report.
d. Auditors compare evidence to established criteria.
ANS: B
PTS: 1

30. All of the following are steps in an IT audit except
a. substantive testing
b. tests of controls
c. post-audit testing
d. audit planning
ANS: C
PTS: 1

31. When planning the audit, information is gathered by all of the following methods except
a. completing questionnaires
b. interviewing management
c. observing activities
d. confirming accounts receivable
ANS: D
PTS: 1

32. Substantive tests include
a. examining the safety deposit box for stock certificates
b. reviewing systems documentation
c. completing questionnaires
d. observation
ANS: A
PTS: 1

33. Tests of controls include
a. confirming accounts receivable
b. counting inventory
c. completing questionnaires
d. counting cash
ANS: C
PTS: 1
34. All of the following are components of audit risk except
a. control risk
b. legal risk
c. detection risk
d. inherent risk
ANS: B
PTS: 1

35. Control risk is
a. the probability that the auditor will render an unqualified opinion on financial statements that are materially misstated
b. associated with the unique characteristics of the business or industry of the client
c. the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts
d. the risk that auditors are willing to take that errors not detected or prevented by the control structure will also not be detected by the auditor
ANS: C
PTS: 1

36. Which of the following is true?
a. In the CBIS environment, auditors gather evidence relating only to the contents of databases, not the reliability of the computer system.
b. Conducting an audit is a systematic and logical process that applies to all forms of information systems.
c. Substantive tests establish whether internal controls are functioning properly.
d. IT auditors prepare the audit report if the system is computerized.
ANS: B
PTS: 1

37. Inherent risk
a. exists because all control structures are flawed in some ways.
b. is the likelihood that material misstatements exist in the financial statements of the firm.
c. is associated with the unique characteristics of the business or industry of the client.
d. is the likelihood that the auditor will not find material misstatements.
ANS: C
PTS: 1

38. Attestation services require all of the following except
a. written assertions and a practitioner’s written report
b. the engagement is designed to conduct risk assessment of the client’s systems to verify their degree of SOX compliance
c. the formal establishment of measurement criteria
d. the engagement is limited to examination, review, and application of agreed-upon procedures
ANS: B
PTS: 1
39. The financial statements of an organization reflect a set of management assertions about the financial health of the business. All of the following describe types of assertions except
a. that all of the assets and equities on the balance sheet exist
b. that all employees are properly trained to carry out their assigned duties
c. that all transactions on the income statement actually occurred
d. that all allocated amounts such as depreciation are calculated on a systematic and rational basis
ANS: B
PTS: 1

40. Which of the following is NOT an implication of section 302 of the Sarbanes-Oxley Act?
a. Auditors must determine whether changes in internal control have, or are likely to, materially affect internal control over financial reporting.
b. Auditors must interview management regarding significant changes in the design or operation of internal control that occurred since the last audit.
c. Corporate management (including the CEO) must certify monthly and annually their organization’s internal controls over financial reporting.
d. Management must disclose any material changes in the company’s internal controls that have occurred during the most recent fiscal quarter.
ANS: C
PTS: 1

SHORT ANSWER

1. List the four broad objectives of the internal control system.
ANS: safeguard assets, ensure the accuracy and reliability of accounting records, promote organizational efficiency, comply with management’s policies and procedures
PTS: 1

2. Explain the purpose of the PCAOB.
ANS: The PCAOB is empowered to set auditing, quality control, and ethics standards; to inspect registered accounting firms; to conduct investigations; and to take disciplinary actions.
PTS: 1

3. What are the five internal control components described in the COSO framework?
ANS: the control environment, risk assessment, information and communication, monitoring, and control activities
PTS: 1
4. What are management’s responsibilities under sections 302 and 404?
ANS: Section 302 requires that corporate management (including the CEO) certify their organization’s internal controls on a quarterly and annual basis. Section 404 requires the management of public companies to assess and formally report on the effectiveness of their organization’s internal controls.
PTS: 1

5. Indicate whether each procedure is a preventive or detective control.
a. authorizing a credit sale (Preventive / Detective)
b. preparing a bank reconciliation (Preventive / Detective)
c. locking the warehouse (Preventive / Detective)
d. preparing a trial balance (Preventive / Detective)
e. counting inventory (Preventive / Detective)
ANS: A. preventive; B. detective; C. preventive; D. detective; E. detective
PTS: 1

Use the internal control procedures listed below to complete statements 6 through 12.
segregation of duties
general authorization
access controls
supervision
specific authorization
accounting records
independent verification

6. A clerk reorders 250 items when the inventory falls below 25 items. This is an example of __________________________.
ANS: general authorization
PTS: 1

7. The internal audit department recalculates payroll for several employees each pay period. This is an example of __________________________.
ANS: independent verification
PTS: 1
8. Locking petty cash in a safe is an example of __________________________.
ANS: access controls
PTS: 1

9. Approving a price reduction because goods are damaged is an example of __________________________.
ANS: specific authorization
PTS: 1

10. Using cameras to monitor the activities of cashiers is an example of __________________________.
ANS: supervision
PTS: 1

11. Not permitting the computer programmer to enter the computer room is an example of _______________________________.
ANS: segregation of duties
PTS: 1

12. Sequentially numbering all sales invoices is an example of __________________________.
ANS: accounting records
PTS: 1

13. Both the SEC and the PCAOB have expressed an opinion as to which internal control framework an organization should use to comply with SOX legislation. Explain.
ANS: Both the SEC and PCAOB endorse the COSO framework, but any framework can be used that encompasses all of COSO’s general themes.
PTS: 1
14. COSO identifies two broad groupings of information system controls. What are they?
ANS: general; application
PTS: 1

15. What are the objectives of application controls?
ANS: The objectives of application controls are to ensure the validity, completeness, and accuracy of financial transactions.
PTS: 1

16. Define general controls.
ANS: General controls apply to all systems. They are not application specific. General controls include controls over IT governance, the IT infrastructure, security and access to operating systems and databases, application acquisition and development, and program changes.
PTS: 1

17. Discuss the key features of Section 302 of the Sarbanes-Oxley Act.
ANS: Section 302 requires corporate management (including the chief executive officer [CEO]) to certify financial and other information contained in the organization’s quarterly and annual reports. The rule also requires them to certify the internal controls over financial reporting. The certifying officers are required to have designed internal controls, or to have caused such controls to be designed, and to provide reasonable assurance as to the reliability of the financial reporting process. Furthermore, they must disclose any material changes in the company’s internal controls that have occurred during the most recent fiscal quarter.
PTS: 1

18. Explain the relationship between internal controls and substantive testing.
ANS: The stronger the internal controls, the less substantive testing must be performed.
PTS: 1
19. Distinguish between errors and irregularities. Which do you think concern the auditors the most?
ANS: Errors are unintentional mistakes, while irregularities are intentional misrepresentations to perpetrate a fraud or mislead the users of financial statements. Errors are a concern if they are numerous or sizable enough to cause the financial statements to be materially misstated. Processes which involve human actions will contain some amount of human error. Computer processes should only contain errors if the programs are erroneous, or if systems operating procedures are not being closely and competently followed. Errors are typically much easier to uncover than misrepresentations; thus auditors typically are more concerned with whether they have uncovered any and all irregularities.
PTS: 1

20. Distinguish between inherent risk and control risk. How do internal controls and detection risk fit in?
ANS: Inherent risk is associated with the unique characteristics of the business or industry of the client. Firms in declining industries are considered to have more inherent risk than firms in stable or thriving industries. Control risk is the likelihood that the control structure is flawed because internal controls are either absent or inadequate to prevent or detect errors in the accounts. Internal controls may be present in firms with inherent risk, yet the financial statements may be materially misstated due to circumstances outside the control of the firm, such as a customer with unpaid bills on the verge of bankruptcy. Detection risk is the risk that auditors are willing to accept that errors are not detected or prevented by the control structure. Typically, detection risk will be lower for firms with higher inherent risk and control risk.
PTS: 1

21. Contrast internal and external auditing.
ANS: Internal auditing is an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization. External auditing is often called "independent auditing" because it is done by certified public accountants who are independent of the organization being audited. This independence is necessary since the external auditors represent the interests of third-party stakeholders such as shareholders, creditors, and government agencies.
PTS: 1

22. What are the components of audit risk?
ANS: Inherent risk is associated with the unique characteristics of the business itself; control risk is the likelihood that the control structure is flawed because controls are absent or inadequate; and detection risk is the risk that auditors are willing to take that errors will not be detected by the audit.
PTS: 1
23. How do the tests of controls affect substantive tests?
ANS: Tests of controls are used by the auditor to measure the strength of the internal control structure. The stronger the internal controls, the lower the control risk, and the less substantive testing the auditor must do.
PTS: 1

24. Define and contrast attestation services and advisory services.
ANS: Attest services are engagements in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party, e.g., the financial statements prepared by an organization. Advisory services are professional services that are designed to improve the quality of information, both financial and non-financial, used by decision makers. The domain of assurance services is intentionally unbounded.
PTS: 1

ESSAY

1. What are the key points of section 404 of the Sarbanes-Oxley Act?
ANS: Section 404 requires the management of public companies to assess the effectiveness of their organization’s internal controls. This entails providing an annual report addressing the following points: (1) a statement of management’s responsibility for establishing and maintaining adequate internal control; (2) an assessment of the effectiveness of the company’s internal controls over financial reporting; (3) a statement that the organization’s external auditors have issued an attestation report on management’s assessment of the company’s internal controls; (4) an explicit written conclusion as to the effectiveness of internal control over financial reporting; and (5) a statement identifying the framework used in their assessment of internal controls.
PTS: 1
2. Section 404 requires management to make a statement identifying the control framework used to conduct their assessment of internal controls. Discuss the options in selecting a control framework.
ANS: The SEC has made specific reference to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as a recommended control framework. Furthermore, the PCAOB’s Auditing Standard No. 2 endorses the use of COSO as the framework for control assessment. Although other suitable frameworks have been published, according to Standard No. 2, any framework used should encompass all of COSO’s general themes.
PTS: 1

3. Explain how general controls impact transaction integrity and the financial reporting process.
ANS: Consider an organization with poor database security controls. In such a situation, even data processed by systems with adequate built-in application controls may be at risk. An individual who can circumvent database security may then change, steal, or corrupt stored transaction data. Thus, general controls are needed to support the functioning of application controls, and both are needed to ensure accurate financial reporting.
PTS: 1

4. Prior to SOX, external auditors were required to be familiar with the client organization’s internal controls, but not test them. Explain.
ANS: Auditors had the option of not relying on internal controls in the conduct of an audit and therefore did not need to test them. Instead, auditors could focus primarily on substantive tests. Under SOX, management is required to make specific assertions regarding the effectiveness of internal controls. To attest to the validity of these assertions, auditors are required to test the controls.
PTS: 1

5. Does a qualified opinion on management’s assessment of internal controls over the financial reporting system necessitate a qualified opinion on the financial statements? Explain.
ANS: No. Auditors are permitted to simultaneously render a qualified opinion on management’s assessment of internal controls and an unqualified opinion on the financial statements. In other words, it is technically possible for auditors to find internal controls over financial reporting to be weak, but conclude through substantive tests that the weaknesses did not cause the financial statements to be materially misrepresented.
PTS: 1
6. The PCAOB’s Auditing Standard No. 2 specifically requires auditors to understand transaction flows in designing their tests of controls. What steps does this entail? ANS: This involves:
1. Selecting the financial accounts that have material implications for financial reporting.
2. Identifying the application controls related to those accounts.
3. Identifying the general controls that support the application controls.
The sum of these controls, both application and general, constitutes the relevant internal controls over financial reporting that need to be reviewed.
PTS: 1
7. The text describes six internal control activities. List four of them and provide a specific example of each one. ANS: (control activity: example)
Authorization: general (purchase of inventory when level drops) or specific (credit approval beyond normal limit)
Segregation of functions: separate authorization from processing; separate custody of assets from record keeping
Supervision: required when separation of duties is not possible, such as opening the mail (cash receipts)
Accounting records: maintain an adequate audit trail
Access controls: maintain physical security
Independent verification: bank reconciliation, physical inventory count
PTS: 1
8. Explain the purpose of the PCAOB. ANS: The Sarbanes-Oxley Act creates a Public Company Accounting Oversight Board (PCAOB). The PCAOB is empowered to set auditing, quality control, and ethics standards, to inspect registered accounting firms, to conduct investigations, and to take disciplinary actions.
PTS: 1
9. Why is an independent audit committee important to a company? ANS: The Sarbanes-Oxley Act requires all audit committee members to be independent and requires the audit committee to hire and oversee the external auditors. This provision is consistent with the view of many investors who consider board composition to be a critical investment factor. For example, a Thomson Financial survey revealed that most institutional investors want corporate boards to be comprised of at least 75% independent directors.
PTS: 1
10. What are the key points of the “Issuer and Management Disclosure” provisions of the Sarbanes-Oxley Act? ANS:
1. Public companies must report all off-balance-sheet transactions.
2. Annual reports filed with the SEC must include a statement by management asserting that it is responsible for creating and maintaining adequate internal controls and asserting to the effectiveness of those controls.
3. Officers must certify that the company’s accounts ‘fairly present’ the firm’s financial condition and results of operations.
4. Knowingly filing a false certification is a criminal offence.
PTS: 1
11. In this age of high technology and computer-based information systems, why are accountants concerned about physical (human) controls? ANS: Virtually all systems, regardless of their sophistication, employ human activities that need to be controlled. This class of controls relates primarily to the human activities employed in accounting systems. These activities may be purely manual, such as the physical custody of assets, or they may involve the use of computers to record transactions or update accounts. Physical controls do not relate to the computer logic that actually performs these accounting tasks. Rather, they relate to the human activities that initiate such computer logic. In other words, physical controls do not imply an environment in which clerks update paper accounts with pen and ink.
PTS: 1
12. Discuss the advisory services that external auditors are no longer permitted to render to audit clients under SOX legislation. ANS: The Act addresses auditor independence by creating more separation between a firm’s attestation and non-auditing activities. It does so by specifying categories of services that a public accounting firm cannot perform for its audit client. These include the following nine functions:
• Bookkeeping or other services related to the accounting records or financial statements;
• Financial information systems design and implementation;
• Appraisal or valuation services, fairness opinions, or contribution-in-kind reports;
• Actuarial services;
• Internal audit outsourcing services;
• Management functions or human resources;
• Broker or dealer, investment adviser, or investment banking services;
• Legal services and expert services unrelated to the audit; and
• Any other service that the PCAOB determines is impermissible.
While the Sarbanes-Oxley Act prohibits auditors from providing the above services to their audit clients, they are not prohibited from performing such services for non-audit clients or privately held companies.
PTS: 1
13. Internal control in a computerized environment can be divided into two broad categories. What are they? Explain each. ANS: Internal controls can be divided into two broad categories. General controls apply to all or most of a system to minimize exposures that threaten the integrity of the applications being processed. These include operating system controls, data management controls, organizational structure controls, system development controls, system maintenance controls, computer center security, Internet and Intranet controls, EDI controls, and PC controls. Application controls focus on exposures related to specific parts of the system: payroll, accounts receivable, etc.
PTS: 1
14. Define the management assertions of: existence or occurrence, completeness, rights and obligations, valuation or allocation, presentation and disclosure. ANS: The existence or occurrence assertion affirms that all assets and equities contained in the balance sheet exist and that all transactions in the income statement actually occurred. The completeness assertion declares that no material assets, equities, or transactions have been omitted from the financial statements. The rights and obligations assertion maintains that assets appearing on the balance sheet are owned by the entity and that the liabilities reported are obligations. The valuation or allocation assertion states that assets and equities are valued in accordance with generally accepted accounting principles and that allocated amounts such as depreciation expense are calculated on a systematic and rational basis. The presentation and disclosure assertion alleges that financial statement items are correctly classified (e.g., long-term liabilities will not mature within one year) and that footnote disclosures are adequate to avoid misleading the users of financial statements.
PTS: 1
IT Auditing 4th Ed—Test Bank, Chapter 2
Chapter 2— Auditing IT Governance Controls
TRUE/FALSE
1. To fulfill the segregation of duties control objective, computer processing functions (like authorization of credit and billing) are separated. ANS: F
PTS: 1
2. To ensure sound internal control, program coding and program processing should be separated. ANS: T
PTS: 1
3. Some systems professionals have unrestricted access to the organization's programs and data. ANS: T
PTS: 1
4. IT governance focuses on the management and assessment of strategic IT resources. ANS: T
PTS: 1
5. Distributed data processing places the control of IT resources under end users. ANS: T
PTS: 1
6. An advantage of distributed data processing is that redundant tasks are greatly eliminated. ANS: F
PTS: 1
7. Certain duties that are deemed incompatible in a manual system may be combined in a computer-based information system environment. ANS: T
PTS: 1
8. To improve control and efficiency, new systems development and program maintenance should be performed by the same individual or group. ANS: F
PTS: 1
9. Distributed data processing reduces the risk of operational inefficiencies. ANS: F
PTS: 1
10. The database administrator should be separated from systems development. ANS: T
PTS: 1
11. A disaster recovery plan is a comprehensive statement of all actions to be taken after a disaster. ANS: T
PTS: 1
12. RAID is the use of parallel disks that contain redundant elements of data and applications. ANS: T
PTS: 1
13. Transaction cost economics (TCE) theory suggests that firms should outsource specific non−core IT assets. ANS: F
PTS: 1
14. Commodity IT assets are easily acquired in the marketplace and should be outsourced under the core competency theory. ANS: F
PTS: 1
15. A database administrator is responsible for the receipt, storage, retrieval, and custody of data files. ANS: F
PTS: 1
16. Virtualization is the technology that unleashed cloud computing. ANS: T
PTS: 1
17. Fault tolerance is the ability of the system to continue operation when part of the system fails due to hardware failure, application program error, or operator error. ANS: T
PTS: 1
18. An often-cited benefit of IT outsourcing is improved core business performance. ANS: T
PTS: 1
19. Commodity IT assets include such things as network management. ANS: T
PTS: 1
20. Specific IT assets support an organization’s strategic objectives. ANS: T
PTS: 1
21. A generally accepted advantage of IT outsourcing is improved security. ANS: F
PTS: 1
22. An advantage of distributed data processing is that individual end user groups set specific IT standards without concern for the broader corporate needs. ANS: F
PTS: 1
23. A mutual aid pact is the lowest-cost disaster recovery option, but it has been shown to be effective and low risk. ANS: F
PTS: 1
24. Critical applications should be identified and prioritized by the user departments, accountants, and auditors. ANS: T
PTS: 1
25. A ROC is generally shared by multiple companies. ANS: T
PTS: 1
MULTIPLE CHOICE
1. All of the following are issues of computer security except a. releasing incorrect data to authorized individuals b. permitting computer operators unlimited access to the computer room c. permitting access to data by unauthorized individuals d. providing correct data to unauthorized individuals ANS: B
PTS: 1
2. Segregation of duties in the computer-based information system includes a. separating the programmer from the computer operator b. preventing management override c. separating the inventory process from the billing process d. performing independent verifications by the computer operator ANS: A
PTS: 1
3. In a computer-based information system, which of the following duties needs to be separated? a. program coding from program operations b. program operations from program maintenance c. program maintenance from program coding d. all of the above duties should be separated ANS: D
PTS: 1
4. Participants in system development activities include: a. system analysts, database designers and programmers b. managers and operating personnel who work directly with the system c. accountants and auditors d. all of the above ANS: D
PTS: 1
5. Adequate backups will protect against all of the following except a. natural disasters such as fires b. unauthorized access c. data corruption caused by program errors d. system crashes ANS: B
PTS: 1
6. Which is the most critical segregation of duties in the centralized computer services function? a. systems development from data processing b. data operations from data librarian c. data preparation from data control d. data control from data librarian ANS: A
PTS: 1
7. Systems development is separated from data processing activities because failure to do so a. weakens database access security b. allows programmers access to make unauthorized changes to applications during execution c. results in inadequate documentation d. results in master files being inadvertently erased ANS: B
PTS: 1
8. Which organizational structure is most likely to result in good documentation procedures? a. separate systems development from systems maintenance b. separate systems analysis from application programming c. separate systems development from data processing d. separate database administrator from data processing ANS: A
PTS: 1
9. All of the following are control risks associated with the distributed data processing structure except a. lack of separation of duties b. system incompatibilities c. system interdependency d. lack of documentation standards ANS: C
PTS: 1
10. Which of the following is not an essential feature of a disaster recovery plan? a. off-site storage of backups b. computer services function c. second site backup d. critical applications identified ANS: B
PTS: 1
11. A cold site backup approach is also known as a. internally provided backup b. recovery operations center c. empty shell d. mutual aid pact ANS: C
PTS: 1
12. The major disadvantage of an empty shell solution as a second site backup is a. the host site may be unwilling to disrupt its processing needs to process the critical applications of the disaster stricken company b. recovery depends on the availability of necessary computer hardware c. maintenance of excess hardware capacity d. the control of the shell site is an administrative drain on the company ANS: B
PTS: 1
13. An advantage of a recovery operations center is that a. this is an inexpensive solution b. the initial recovery period is very quick c. the company has sole control over the administration of the center d. none of the above are advantages of the recovery operations center ANS: B
PTS: 1
14. For most companies, which of the following is the least critical application for disaster recovery purposes? a. month-end adjustments b. accounts receivable c. accounts payable d. order entry/billing ANS: A
PTS: 1
15. The least important item to store off-site in case of an emergency is a. backups of systems software b. backups of application software c. documentation and blank forms d. results of the latest test of the disaster recovery program ANS: D
PTS: 1
16. Some companies separate systems analysis from programming/program maintenance. All of the following are control weaknesses that may occur with this organizational structure except a. systems documentation is inadequate because of pressures to begin coding a new program before documenting the current program b. illegal lines of code are hidden among legitimate code and a fraud is covered up for a long period of time c. a new systems analyst has difficulty in understanding the logic of the program d. inadequate systems documentation is prepared because this provides a sense of job security to the programmer ANS: C
PTS: 1
17. All of the following are recommended features of a fire protection system for a computer center except a. clearly marked exits b. an elaborate water sprinkler system c. manual fire extinguishers in strategic locations d. automatic and manual alarms in strategic locations ANS: B
PTS: 1
18. All of the following tests of controls will provide evidence about the physical security of the computer center except a. review of fire marshal records b. review of the test of the backup power supply c. verification of the second site backup location d. observation of procedures surrounding visitor access to the computer center ANS: C
PTS: 1
19. All of the following tests of controls will provide evidence about the adequacy of the disaster recovery plan except a. inspection of the second site backup b. analysis of the fire detection system at the primary site c. review of the critical applications list d. composition of the disaster recovery team ANS: B
PTS: 1
20. The following are examples of commodity assets except a. network management b. systems operations c. systems development d. server maintenance ANS: C
PTS: 1
21. Which of the following is NOT an example of a specific asset? a. application maintenance b. data warehousing c. highly skilled employees d. server maintenance ANS: D
PTS: 1
22. Which of the following is true? a. Core competency theory argues that an organization should outsource specific core assets. b. Core competency theory argues that an organization should focus exclusively on its core business competencies. c. Core competency theory argues that an organization should not outsource specific commodity assets. d. Core competency theory argues that an organization should retain certain specific non−core assets in-house. ANS: B
PTS: 1
23. Which of the following is not true? a. Large-scale IT outsourcing involves transferring specific assets to a vendor b. Specific assets, while valuable to the client, are of little value to the vendor c. Once an organization outsources its specific assets, it may not be able to return to its pre-outsource state. d. Specific assets are of value to vendors because, once acquired, vendors can achieve economies of scale by employing them with other clients ANS: D
PTS: 1
24. Which of the following is not true? a. When management outsources their organization’s IT functions, they also outsource responsibility for internal control. b. Once a client firm has outsourced specific IT assets, its performance becomes linked to the vendor’s performance. c. IT outsourcing may result in incongruence between a firm’s IT strategic planning and its business planning functions. d. The financial justification for IT outsourcing depends upon the vendor achieving economies of scale. ANS: A
PTS: 1
25. Which of the following is not true? a. Management may outsource their organizations’ IT functions, but they cannot outsource their management responsibilities for internal control. b. Section 404 requires the explicit testing of outsourced controls. c. The SSAE 16 report, which is prepared by the outsourcer’s auditor, attests to the adequacy of the vendor’s internal controls. d. Auditors issue two types of SSAE 16 reports: Type I report and Type II report. ANS: C
PTS: 1
26. Segregation of duties in the computer-based information system includes a. separating the programmer from the computer operator b. preventing management override c. separating the inventory process from the billing process d. performing independent verifications by the computer operator ANS: A
PTS: 1
27. Which of the following disaster recovery techniques may be least optimal in the case of a disaster? a. empty shell b. mutual aid pact c. recovery operation center d. they are all equally beneficial ANS: B
PTS: 1
28. Which of the following is NOT a control implication of distributed data processing? a. redundancy b. user satisfaction c. incompatibility d. lack of standards ANS: B
PTS: 1
29. A disadvantage of distributed data processing is a. the increased time between job request and job completion. b. the potential for hardware and software incompatibility among users. c. the disruption caused when the mainframe goes down. d. that users are not likely to be involved. ANS: B
PTS: 1
30. Which of the following is a feature of fault tolerance control? a. interruptible power supplies b. RAID c. DDP d. MDP ANS: B
PTS: 1
31. Which of the following disaster recovery techniques has the least risk associated with it? a. empty shell b. ROC c. internally provided backup d. they are all equally risky ANS: C
PTS: 1
32. Cloud computing a. pools resources to meet the needs of multiple client firms b. allows clients to expand and contract services almost instantly c. both a. and b. d. neither a. nor b. ANS: C
PTS: 1
SHORT ANSWER
1. What is the purpose of a data library? ANS: A data library is a room adjacent to the computer center that provides safe storage for the off-line data files. The files could be backups or current data files.
PTS: 1
2. What are the three primary IT functions that must be separated? ANS: The three primary IT functions that must be separated are as follows: a. separate systems development from computer operations, b. separate the database administrator from other functions and systems development, and c. separate new systems development from maintenance.
PTS: 1
3. What are the advantages of separating new systems development from systems maintenance? ANS: Documentation standards are improved because the maintenance group requires documentation to perform its maintenance duties. Denying the original programmer future access to the program deters program fraud.
PTS: 1
4. What problems may occur as a result of combining applications programming and maintenance tasks into one position? ANS: One problem that may occur is inadequate documentation. Documenting is not considered as interesting a task as designing, testing, and implementing a new system, thus a systems professional may move on to a new project rather than spend time documenting an almost complete project. Job security may be another reason a programmer may not fully document his or her work. Another problem that may occur is the increased potential for fraud. If the original programmer generates fraudulent code during development, then this programmer, through maintenance procedures, may disable the code prior to audits. Thus, the programmer can continue to cover his or her tracks.
PTS: 1
5. Why is poor-quality systems documentation a prevalent problem? ANS: Systems professionals do not find documenting systems as interesting as the design, testing, and implementation steps. Further, systems professionals are typically eager or pressured to move on to another project before documentation is complete. Job security is another reason for poor systems documentation. When a system is poorly documented, it is difficult to interpret, test and debug. Therefore, the programmer who understands the system becomes relatively indispensable. When the programmer leaves, a new programmer inherits maintenance responsibility for the undocumented system. Depending on the complexity, the transition period may be long and costly.
PTS: 1
6. What is RAID? ANS: RAID is the use of parallel disks that contain redundant elements of data and applications. If one disk fails, the lost data are automatically reconstructed from the redundant components stored on the other disks.
PTS: 1
7. What are some risks associated with DDP? ANS: Inefficient use of resources, destruction of audit trails, inadequate segregation of duties, difficulty hiring qualified professionals, lack of standards.
PTS: 1
8. For disaster recovery purposes, what criteria are used to identify an application or data as critical? ANS: Critical applications and files are those that impact the short-run survival of the firm. Critical items impact cash flows, legal obligations, and customer relations.
PTS: 1
9. List three pairs of system functions that should be separated in the centralized computer services organization. Describe a risk exposure if the functions are not separated. (Functions to Separate / Risk Exposure) ANS:
separate systems development from data processing operations (unauthorized changes to application programs during execution)
separate database administrator from systems development (unauthorized access to database files)
separate new systems development from systems maintenance (writing fraudulent code and keeping it concealed during maintenance)
separate data library from computer operations (loss of files or erasing current files)
PTS: 1
10. Describe the components of a disaster recovery plan. ANS: Every disaster recovery plan should:
designate a second site backup
identify critical applications
perform backup and off-site storage procedures
create a disaster recovery team
test the disaster recovery plan
PTS: 1
11. What is a mirrored data center? ANS: A mirrored data center duplicates programs and data onto a computer at a separate location. Mirroring is performed for backup purposes.
PTS: 1
12. What is a recovery operations center? What is its purpose? ANS: A recovery operations center (ROC) or hot site is a fully equipped backup data center that many companies share. In addition to hardware and backup facilities, ROC service providers offer a range of technical services to their clients, who pay an annual fee for access rights. In the event of a major disaster, a subscriber can occupy the premises and, within a few hours, resume processing critical applications.
PTS: 1
13. The distributed data processing approach carries some control implications of which accountants should be aware. Discuss two. ANS: Incompatibility of hardware and software, selected by users working independently, can result in system incompatibility that can affect communication. When individuals in different parts of the organization “do their own thing,” there can be significant redundancy between units. When user areas handle their own computer services functions, there may be a tendency to consolidate incompatible activities. Small units may lack the ability to evaluate systems professionals and to provide adequate opportunities, and may therefore have difficulty acquiring qualified professionals. As the number of units handling systems tasks increases, there is an increasing chance that the systems will lack standards.
PTS: 1
14. Describe two tests that an auditor would perform to ensure that the disaster recovery plan is adequate. ANS: Review the second site backup plan, the critical application list, and the off-site backups of critical libraries, applications and data files; ensure that backup supplies, source documents and documentation are located off-site. Review which employees are members of the disaster recovery team.
PTS: 1
15. What is an auditor looking for when testing computer center controls? ANS: When testing computer center controls, the auditor is trying to determine that the physical security controls are adequate to protect the organization from physical exposures, that insurance coverage on equipment is adequate, that operator documentation is adequate to deal with operations and failures, and that the disaster recovery plan is adequate and feasible. PTS: 1
16. What is IT Governance? ANS: IT governance is a broad concept relating to the decision rights and accountability for encouraging desirable behavior in the use of IT. Three aspects of IT governance are of particular importance to SOX compliance: organizational structure of the IT function, computer operations, and disaster recovery planning. PTS: 1 17. Why should the tasks of systems development and maintenance be segregated from operations? ANS: The segregation of systems development (both new systems development and maintenance) and operations activities is of the greatest importance. Systems development and maintenance professionals acquire (by in-house development and purchase) and maintain systems for users. Operations staff should run these systems and have no involvement in their design and implementation. Consolidating these functions invites fraud. With detailed knowledge of an application’s logic and control parameters along with access to the computer operations, an individual could make unauthorized changes to application logic during execution. Such changes may be temporary (on the fly.) and will disappear with little or no trace when the application terminates. PTS: 1 © 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
18. Briefly explain the core-competency theory. ANS: Core competency theory argues that an organization should focus exclusively on its core business competencies, while allowing outsourcing vendors to efficiently manage the non-core areas such as the IT functions. PTS: 1
19. What are commodity IT assets? ANS: Commodity IT assets are not unique to a particular organization and are thus easily acquired in the marketplace. These include such things as network management, systems operations, server maintenance, and help-desk functions. PTS: 1
20. Briefly outline transaction cost economics as it relates to IT outsourcing. ANS: Transaction cost economics theory is in conflict with the core competency school by suggesting that firms should retain certain specific non-core IT assets in-house. Because of their esoteric nature, specific assets cannot be easily replaced once they are given up in an outsourcing arrangement. PTS: 1
21. What is contained in the SSAE 16 attest report? ANS: The SSAE 16 attest report provides a description of the service provider’s system including details of how transactions are processed and results are communicated to their client organizations. The report also describes relevant internal control issues consistent with the COSO control model, specific control objectives and the controls designed to achieve those objectives. PTS: 1
22. What are the often cited benefits of IT outsourcing? ANS: Oft-cited benefits of IT outsourcing include improved core business performance, improved IT performance (due to the vendor’s expertise), and reduced IT costs. PTS: 1
23. Define specific asset. ANS: Specific IT assets are unique to the organization and support its strategic objectives. Because of their idiosyncratic nature, specific assets have little value outside of their current use. PTS: 1
24. List five risks associated with IT outsourcing. ANS: (1) Failure to perform; (2) vendor exploitation; (3) outsourcing costs exceed benefits; (4) reduced security; (5) loss of strategic advantage. PTS: 1
25. What are the objectives of IT Governance? ANS: Key objectives of IT governance are to reduce risk and ensure that investments in IT resources add value to the corporation. PTS: 1
ESSAY
1. Describe how a Corporate Computer Services Function can overcome some of the problems associated with distributed data processing. ANS: The Corporate Computer Services Function may provide the following technical advice and expertise to distributed data processing units: central testing of commercial software and hardware; installation of new software; trouble-shooting hardware and software problems; technical training; firm-wide standard setting for the systems area; and performance evaluation of systems professionals. PTS: 1
2. Discuss the advantages and disadvantages of the second site backup options. ANS: Second site backups include mutual aid pacts, empty shell, recovery operations center, and internally provided backups.
Mutual Aid Pacts. Advantages: inexpensive. Disadvantages: may encounter reluctance to share facilities during an emergency.
Empty Shell. Advantages: inexpensive. Disadvantages: extended time lag between disaster and initial recovery; may encounter competition among users for shell resources.
Recovery Operations Center. Advantages: rapid initial recovery. Disadvantages: expensive.
Internally Provided Backups. Advantages: controlled by the firm; compatibility of hardware and software; rapid initial recovery. Disadvantages: expense of maintaining excess capacity year round.
PTS: 1
3. Auditors examine the physical environment of the computer center as part of their audit. Many characteristics of computer centers are of interest to auditors. What are they? Discuss. ANS: The characteristics of computer centers that are of interest to auditors include: physical location, because it affects the risk of disaster; the center should be away from man-made and natural hazards; construction of the computer center should be sound; access to the computer center should be controlled; air-conditioning should be adequate given the heat generated by electronic equipment and the failure that can result from over-heating; fire suppression systems are critical; and adequate power supply is needed to ensure service. PTS: 1
4. Compare and contrast the following disaster recovery options: empty shell, recovery operations center, and internally provided backup. Rank them from most risky to least risky, as well as most costly to least costly. ANS: The lowest cost method is internally provided backup. With this method, organizations with multiple data processing centers may invest in internal excess capacity and support themselves in the case of disaster in one data processing center. This method is not as risky as the mutual aid pact because reliance on another organization is not a factor. In terms of cost, the next highest method is the empty shell where two or more organizations buy or lease space for a data processing center. The space is made ready for computer installation; however, no computer equipment is installed. This method requires lease or mortgage payments, as well as payment for air conditioning and raised floors. The risk of this method is that the hardware, software, and technicians may be difficult, if not impossible, to have available in the case of a natural disaster. Further, if multiple members' systems crash simultaneously, an allocation problem exists. The method with lowest risk and also the highest cost is the recovery operations center. This method takes the empty shell concept one step further: the computer equipment is actually purchased and software may even be installed. Assuming that this site is far enough away from the disaster-stricken area not to be affected by the disaster, this method can be a very good safeguard. PTS: 1
5. What is a disaster recovery plan? What are the key features? ANS: A disaster recovery plan is a comprehensive statement of all actions to be taken before, during, and after a disaster, along with documented, tested procedures that will ensure the continuity of operations. The essential features are: providing second site backup, identifying critical applications, backup and off-site storage procedures, creating a disaster recovery team, and testing the disaster recovery plan. PTS: 1
6. Explain the outsourcing risk of failure to perform. ANS: Once a client firm has outsourced specific IT assets, its performance becomes linked to the vendor’s performance. The negative implications of such dependency are illustrated in the financial problems that have plagued the huge outsourcing vendor Electronic Data Systems Corp. (EDS). In a cost-cutting effort, EDS terminated seven thousand employees, which impacted its ability to serve other clients. Following an eleven-year low in share prices, EDS stockholders filed a class-action lawsuit against the company. Clearly, vendors experiencing such serious financial and legal problems threaten the viability of their clients also. PTS: 1
7. Explain vendor exploitation. ANS: Once the client firm has divested itself of specific assets it becomes dependent on the vendor. The vendor may exploit this dependency by raising service rates to an exorbitant level. As the client’s IT needs develop over time beyond the original contract terms, it runs the risk that new or incremental services will be negotiated at a premium. This dependency may threaten the client’s long term flexibility, agility and competitiveness and result in even greater vendor dependency. PTS: 1
8. Explain why reduced security is an outsourcing risk. ANS: Information outsourced to off-shore IT vendors raises unique and serious questions regarding internal control and the protection of sensitive personal data. When corporate financial systems are developed and hosted overseas, and program code is developed through interfaces with the host company's network, US corporations are at risk of losing control of their information. To a large degree US firms are reliant on the outsourcing vendor’s security measures, data-access policies and the privacy laws of the host country. PTS: 1
9. Explain how IT outsourcing can lead to loss of strategic advantage. ANS: Alignment between IT strategy and business strategy requires a close working relationship between corporate management and IT management in the concurrent development of business and IT strategies. This, however, is difficult to accomplish when IT planning is geographically redeployed off-shore or even domestically. Further, since the financial justification for IT outsourcing depends upon the vendor achieving economies of scale, the vendor is naturally driven toward seeking common solutions that may be used by many clients rather than creating unique solutions for each of them. This fundamental underpinning of IT outsourcing is inconsistent with the client’s pursuit of strategic advantage in the marketplace. PTS: 1
10. Although IT governance is a broad area, only three of its issues are discussed in the chapter. Name them and explain why these topics were chosen. ANS: Although all IT governance issues are important to the organization, not all of them are matters of internal control under SOX that may potentially impact the financial reporting process. This chapter examined three IT governance issues that are addressed by SOX and the COSO internal control framework. These are: 1) organizational structure of the IT function, 2) computer center operations, and 3) disaster recovery planning. PTS: 1
IT Auditing 4th Ed—Test Bank, Chapter 3
Chapter 3—Security Part I: Auditing Operating Systems and Networks
TRUE/FALSE
1. In a computerized environment, the audit trail log must be printed onto paper documents. ANS: F
PTS: 1
2. Disguising message packets to look as if they came from another user and to gain access to the host’s network is called spooling. ANS: F
PTS: 1
3. A formal log-on procedure is the operating system’s last line of defense against unauthorized access. ANS: F
PTS: 1
4. Computer viruses usually spread throughout the system before being detected. ANS: T
PTS: 1
5. A worm is a software program that replicates itself in areas of idle memory until the system fails. ANS: T
PTS: 1
6. Viruses rarely attach themselves to executable files. ANS: F
PTS: 1
7. Operating system controls are of interest to system professionals but should not concern accountants and auditors. ANS: F
PTS: 1
8. The most frequent victims of program viruses are microcomputers. ANS: T
PTS: 1
9. Audit trails in computerized systems are comprised of two types of audit logs: detailed logs of individual keystrokes and event-oriented logs. ANS: T
PTS: 1
10. In a telecommunications environment, line errors can be detected by using an echo check. ANS: T
PTS: 1
11. The message authentication code is calculated by the sender and the receiver of a data transmission. ANS: T
PTS: 1
12. The request-response technique should detect if a data communication transmission has been diverted. ANS: T
PTS: 1
13. Electronic data interchange translation software interfaces with the sending firm and the value added network. ANS: F
PTS: 1
14. A value added network can detect and reject transactions by unauthorized trading partners. ANS: T
PTS: 1
15. Electronic data interchange customers may be given access to the vendor's data files. ANS: T
PTS: 1
16. The audit trail for electronic data interchange transactions is stored on magnetic media. ANS: T
PTS: 1
17. A firewall is a hardware partition designed to protect networks from power surges. ANS: F
PTS: 1
18. To preserve audit trails in a computerized environment, transaction logs are permanent records of transactions. ANS: T
PTS: 1
19. The network paradox is that networks exist to provide user access to shared resources while one of its most important objectives is to control access. ANS: T
PTS: 1
20. IP spoofing is a form of masquerading to gain unauthorized access to a Web server. ANS: T
PTS: 1
21. The rules that make it possible for users of networks to communicate are called protocols. ANS: T
PTS: 1
22. A factor that contributes to computer crime is the reluctance of many organizations to prosecute criminals for fear of negative publicity. ANS: T
PTS: 1
23. Because of network protocols, users of networks built by different manufacturers are able to communicate and share data. ANS: T
PTS: 1
24. The client-server model can only be applied to ring and star topologies. ANS: F
PTS: 1
25. Only two types of motivation drive DoS attacks: 1) to punish an organization with which the perpetrator had a grievance; and 2) to gain bragging rights for being able to do it. ANS: F
PTS: 1
26. The bus topology connects the nodes in parallel. ANS: T
PTS: 1
27. A network topology is the physical arrangement of the components of the network. ANS: T
PTS: 1
28. A digital signature is a digital copy of the sender’s actual signature that cannot be forged. ANS: F
PTS: 1
29. A smurf attack involves three participants: a zombie, an intermediary, and the victim. ANS: F
PTS: 1
30. In a hierarchical topology, network nodes communicate with each other via a central host computer. ANS: T
PTS: 1
31. Polling is one technique used to control data collisions. ANS: T
PTS: 1
32. The more individuals that need to exchange encrypted data, the greater the chance that the key will become known to an intruder. To overcome this problem, private key encryption was devised. ANS: F
PTS: 1
33. A ping is used to test the state of network congestion and determine whether a particular host computer is connected and available on the network. ANS: T
PTS: 1
34. HTML tags are customized to delimit attributes, the content of which can be read and processed by computer applications. ANS: F
PTS: 1
MULTIPLE CHOICE
1. The operating system performs all of the following tasks except a. translates third-generation languages into machine language b. assigns memory to applications c. authorizes user access d. schedules job processing ANS: C
PTS: 1
2. Which of the following is considered an unintentional threat to the integrity of the operating system? a. a hacker gaining access to the system because of a security flaw b. a hardware flaw that causes the system to crash c. a virus that formats the hard drive d. the systems programmer accessing individual user files ANS: B
PTS: 1
3. A software program that replicates itself in areas of idle memory until the system fails is called a a. Trojan horse b. worm c. logic bomb d. none of the above ANS: B
PTS: 1
4. A software program that allows access to a system without going through the normal logon procedures is called a a. logic bomb b. Trojan horse c. worm d. back door ANS: D
PTS: 1
5. All of the following will reduce the exposure to computer viruses except a. install antivirus software b. install factory-sealed application software c. assign and control user passwords d. install public-domain software from reputable bulletin boards ANS: D
PTS: 1
6. Hackers can disguise their message packets to look as if they came from an authorized user and gain access to the host’s network using a technique called a. spoofing. b. spooling. c. dual-homed. d. screening. ANS: A
PTS: 1
7. Passwords are secret codes that users enter to gain access to systems. Security can be compromised by all of the following except a. failure to change passwords on a regular basis b. using obscure passwords unknown to others c. recording passwords in obvious places d. selecting passwords that can be easily detected by computer criminals ANS: B
PTS: 1
8. Which control will not reduce the likelihood of data loss due to a line error? a. echo check b. encryption c. vertical parity bit d. horizontal parity bit ANS: B
PTS: 1
9. Which method will render useless data captured by unauthorized receivers? a. echo check b. parity bit c. public key encryption d. message sequencing ANS: C
PTS: 1
10. Which method is most likely to detect unauthorized access to the system? a. message transaction log b. data encryption standard c. vertical parity check d. request-response technique ANS: A
PTS: 1
11. All of the following techniques are used to validate electronic data interchange transactions except a. value added networks can compare passwords to a valid customer file before message transmission b. prior to converting the message, the translation software of the receiving company can compare the password against a validation file in the firm's database c. the recipient's application software can validate the password prior to processing d. the recipient's application software can validate the password after the transaction has been processed ANS: D
PTS: 1
12. All of the following tests of controls will provide evidence that adequate computer virus control techniques are in place and functioning except a. verifying that only authorized software is used on company computers b. reviewing system maintenance records c. confirming that antivirus software is in use d. examining the password policy including a review of the authority table ANS: B
PTS: 1
13. Audit objectives for communications controls include all of the following except a. detection and correction of message loss due to equipment failure b. prevention and detection of illegal access to communication channels c. procedures that render intercepted messages useless d. all of the above ANS: D
PTS: 1
14. When auditors examine and test the call-back feature, they are testing which audit objective? a. incompatible functions have been segregated b. application programs are protected from unauthorized access c. physical security measures are adequate to protect the organization from natural disaster d. illegal access to the system is prevented and detected ANS: D
PTS: 1
15. In an electronic data interchange (EDI) environment, when the auditor compares the terms of the trading partner agreement against the access privileges stated in the database authority table, the auditor is testing which audit objective? a. all EDI transactions are authorized b. unauthorized trading partners cannot gain access to database records c. authorized trading partners have access only to approved data d. a complete audit trail is maintained ANS: C
PTS: 1
16. In determining whether a system is adequately protected from attacks by computer viruses, all of the following policies are relevant except a. the policy on the purchase of software only from reputable vendors b. the policy that all software upgrades are checked for viruses before they are implemented c. the policy that current versions of antivirus software should be available to all users d. the policy that permits users to take files home to work on them ANS: D
PTS: 1
17. In an electronic data interchange environment, customers routinely a. access the vendor's accounts receivable file with read/write authority b. access the vendor's price list file with read/write authority c. access the vendor's inventory file with read-only authority d. access the vendor's open purchase order file with read-only authority ANS: C
PTS: 1
18. In an electronic data interchange environment, the audit trail a. is a printout of all incoming and outgoing transactions b. is an electronic log of all transactions received, translated, and processed by the system c. is a computer resource authority table d. consists of pointers and indexes within the database ANS: B
PTS: 1
19. All of the following are designed to control exposures from subversive threats except a. firewalls b. one-time passwords c. field interrogation d. data encryption ANS: C
PTS: 1
20. Many techniques exist to reduce the likelihood and effects of data communication hardware failure. One of these is a. hardware access procedures b. antivirus software c. parity checks d. data encryption ANS: C
PTS: 1
21. Which of the following deal with transaction legitimacy? a. transaction authorization and validation b. access controls c. EDI audit trail d. all of the above ANS: D
PTS: 1
22. Firewalls are a. special materials used to insulate computer facilities b. a system that enforces access control between two networks c. special software used to screen Internet access d. none of the above ANS: B
PTS: 1
23. Which of the following is true? a. Deep Packet Inspection uses a variety of analytical and statistical techniques to evaluate the contents of message packets. b. An Intrusion prevention system works in parallel with a firewall at the perimeter of the network to act as a filter that removes malicious packets from the flow before they can affect servers and networks. c. A distributed denial of service attack is so named because it is capable of attacking many victims simultaneously who are distributed across the internet. d. None of the above are true statements. ANS: A
PTS: 1
24. A system of computers that connects the internal users of an organization that is distributed over a wide geographic area is a(n) a. LAN b. decentralized network c. multidrop network d. Intranet ANS: D
PTS: 1
25. Network protocols fulfill all of the following objectives except a. facilitate physical connection between network devices b. provide a basis for error checking and measuring network performance c. promote compatibility among network devices d. result in inflexible standards ANS: D
PTS: 1
26. To physically connect a workstation to a LAN requires a a. file server b. network interface card c. multiplexer d. bridge ANS: B
PTS: 1
27. Packet switching a. combines the messages of multiple users into one packet for transmission. At the receiving end, the packet is disassembled into the individual messages and distributed to the intended users. b. is a method for partitioning a database into packets for easy access where no identifiable primary user exists in the organization. c. is used to establish temporary connections between network devices for the duration of a communication session. d. is a denial of service technique that disassembles various incoming messages to targeted users into small packages and then reassembles them in random order to create a useless garbled message. ANS: C
28. A virtual private network: a. is a password-controlled network for private users rather than the general public. b. is a private network within a public network. c. is an Internet facility that links user sites locally and around the world. d. defines the path to a facility or file on the web. e. none of the above is true. ANS: B
PTS: 1
PTS: 1
29. A ping signal is used to initiate a. URL masquerading b. digital signature forging c. Internet protocol spoofing d. a smurf attack e. none of the above is true ANS: D
PTS: 1
30. In a star topology, when the central site fails a. individual workstations can communicate with each other b. individual workstations can function locally but cannot communicate with other workstations c. individual workstations cannot function locally and cannot communicate with other workstations d. the functions of the central site are taken over by a designated workstation ANS: B
PTS: 1
31. Which of the following statements is correct? The client-server model a. is best suited to the token-ring topology because the random-access method used by this model detects data collisions. b. distributes both data and processing tasks to the server’s node. c. is most effectively used with a bus topology. d. is more efficient than the bus or ring topologies. ANS: B
PTS: 1
32. A star topology is appropriate a. for a wide area network with a mainframe for a central computer b. for centralized databases only c. for environments where network nodes routinely communicate with each other d. when the central database does not have to be concurrent with the nodes ANS: A
PTS: 1
33. In a ring topology a. the network consists of a central computer which manages all communications between nodes b. has a host computer connected to several levels of subordinate computers c. all nodes are of equal status; responsibility for managing communications is distributed among the nodes d. information processing units rarely communicate with each other ANS: C
PTS: 1
34. A distributed denial of service (DDoS) attack a. is more intensive than a DoS attack because it emanates from a single source b. may take the form of either a SYN flood or smurf attack c. is so named because it affects many victims simultaneously, which are distributed across the internet d. turns the target victim's computers into zombies that are unable to access the Internet ANS: B
PTS: 1
35. Which of the following statements is correct? TCP/IP a. is the basic protocol that permits communication between Internet sites. b. controls Web browsers that access the WWW. c. is the file format used to produce Web pages. d. is a low-level encryption scheme used to secure transmissions in HTTP format. ANS: A
PTS: 1
36. FTP a. is the document format used to produce Web pages. b. controls Web browsers that access the Web. c. is used to connect to Usenet groups on the Internet d. is used to transfer text files, programs, spreadsheets, and databases across the Internet. e. is a low-level encryption scheme used to secure transmissions in higher-level () format. ANS: D
PTS: 1
37. IP spoofing a. combines the messages of multiple users into a “spoofing packet” where the IP addresses are interchanged and the messages are then distributed randomly among the targeted users. b. is a form of masquerading to gain unauthorized access to a web server. c. is used to establish temporary connections between network devices with different IP addresses for the duration of a communication session. d. is a temporary phenomenon that disrupts transaction processing. It will resolve itself when the primary computer completes processing its transaction and releases the IP address needed by other users. ANS: B
PTS: 1
38. HTML a. is the document format used to produce Web pages. b. controls Web browsers that access the Web. c. is used to connect to Usenet groups on the Internet. d. is used to transfer text files, programs, spreadsheets, and databases across the Internet. e. is a low-level encryption scheme used to secure transmissions in higher-level () format. ANS: A
PTS: 1
39. A message that is made to look as though it is coming from a trusted source but is not is called a. a denial of service attack b. digital signature forging c. Internet protocol spoofing d. URL masquerading ANS: C
PTS: 1
40. An IP Address: a. defines the path to a facility or file on the web. b. is the unique address that every computer node and host attached to the Internet must have. c. is represented by a 64-bit data packet. d. is the address of the protocol rules and standards that govern the design of internet hardware and software. ANS: B
PTS: 1
41. A digital signature is a. the encrypted mathematical value of the message sender’s name b. derived from the digest of a document that has been encrypted with the sender’s private key c. the computed digest of the sender’s digital certificate d. allows digital messages to be sent over analog telephone lines ANS: B
PTS: 1
42. HTTP a. is the document format used to produce Web pages. b. controls Web browsers that access the Web. c. is used to connect to Usenet groups on the Internet. d. is used to transfer text files, programs, spreadsheets, and databases across the Internet. e. is a low-level encryption scheme used to secure transmissions in higher-level () format. ANS: B
PTS: 1
43. Which of the following statements is correct? a. Packet switching combines the messages of multiple users into a “packet” for transmission. At the receiving end, the packet is disassembled into the individual messages and distributed to the intended users. b. The decision to partition a database assumes that no identifiable primary user exists in the organization. c. Packet switching is used to establish temporary connections between network devices for the duration of a communication session. d. A deadlock is a temporary phenomenon that disrupts transaction processing. It will resolve itself when the primary computer completes processing its transaction and releases the data needed by other users. ANS: C
PTS: 1
SHORT ANSWER
1. What is a virus? ANS: A virus is a program that attaches itself to another legitimate program in order to penetrate the operating system.
PTS: 1
2. List three methods of controlling unauthorized access to telecommunication messages. ANS: call-back devices, data encryption, message sequence numbering, message authentication codes, message transaction logs, and request-response technique
PTS: 1
3. What are some typical problems with passwords? ANS: users failing to remember passwords; failure to change passwords frequently; displaying passwords where others can see them; using simple, easy-to-guess passwords
PTS: 1
4. Discuss the key features of the one-time password technique. ANS: The one-time password was designed to overcome the problems associated with reusable passwords. The user’s password changes continuously. This technology employs a credit card-sized smart card that contains a microprocessor programmed with an algorithm that generates, and electronically displays, a new and unique password every 60 seconds. The card works in conjunction with special authentication software located on a mainframe or network server computer. Each user’s card is synchronized to the authentication software, so that at any point in time both the smart card and the network software are generating the same password for the same user.
PTS: 1
5. What is event monitoring? ANS: Event monitoring summarizes key activities related to system resources. Event logs typically record the IDs of all users accessing the system; the time and duration of a user’s session; programs that were executed during a session; and the files, databases, printers, and other resources accessed.
PTS: 1
6. What are the auditor's concerns in testing EDI controls? ANS: When testing EDI controls, the auditor's primary concerns are related to ascertaining that EDI transactions are authorized, validated, and in compliance with organization policy, that no unauthorized organizations gain access to records, that authorized trading partners have access only to approved data, and that adequate controls are in place to maintain a complete audit trail.
PTS: 1
7. What can be done to defeat a DDoS attack? ANS: Intrusion Prevention Systems (IPS) that employ deep packet inspection (DPI) are a countermeasure to DDoS attacks.
PTS: 1
8. What is deep packet inspection? ANS: DPI is a technique that searches individual network packets for protocol non-compliance and can identify and classify malicious packets based on a database of known attack signatures.
PTS: 1
9. Explain how smurf attacks can be controlled. ANS: The targeted organization can program its firewall to ignore all communication from the attacking site, once the attacker's IP address is determined.
PTS: 1
10. Explain how SYN flood attacks can be controlled. ANS: Two things can be done: First, Internet hosts can program their firewalls to block outbound message packets that contain invalid internal IP addresses. Second, security software can scan for half-open connections that have not been followed by an ACK packet. The clogged ports can then be restored to allow legitimate connections to use them.
PTS: 1
11. Discuss the private key encryption technique and its shortcomings. ANS: To encode a message, the sender provides the encryption algorithm with the key, which produces the ciphertext message. This is transmitted to the receiver’s location, where it is decoded using the same key to produce a cleartext message. Because the same key is used for coding and decoding, control over the key becomes an important security issue. The more individuals that need to exchange encrypted data, the greater the chance that the key will become known to an intruder who could intercept a message and read it, change it, delay it, or destroy it.
PTS: 1
12. Discuss the public key encryption technique. ANS: This approach uses two different keys: one for encoding messages and the other for decoding them. The recipient has a private key used for decoding that is kept secret. The encoding key is public and published for everyone to use. Receivers never need to share private keys with senders, which reduces the likelihood that they fall into the hands of an intruder. One of the most trusted public key encryption methods is Rivest-Shamir-Adleman (RSA). This method is, however, computationally intensive and much slower than private key encryption. PTS: 1
ESSAY
1. What is an operating system? What does it do? What are operating system control objectives? ANS: An operating system is a computer’s control program. It controls user sharing of applications and resources such as processors, memory, databases, and peripherals such as printers. Common PC operating systems include Windows 2000, Windows NT, and Linux. An operating system carries out three primary functions: translating high level languages into machine language using modules called compilers and interpreters; allocating computer resources to users, workgroups, and applications; and managing job scheduling and multiprogramming. Operating systems have five basic control objectives: 1. to protect itself from users, 2. to protect users from each other, 3. to protect users from themselves, 4. to protect it from itself, and 5. to protect itself from its environment. PTS: 1
2. What are the three security objectives of audit trails? Explain. ANS: Audit trails support system security objectives in three ways. By detecting unauthorized access to the system, the audit trail protects the system from outsiders trying to breach system controls. By monitoring system performance, changes in the system may be detected. The audit trail can also contribute to reconstructing events such as system failures, security breaches, and processing errors. In addition, the ability to monitor user activity can support increased personal accountability.
PTS: 1
3. Discuss three sources of exposure (threats) to the operating system. ANS: 1. Privileged personnel who abuse their authority. Systems administrators and systems programmers require unlimited access to the operating system to perform maintenance and to recover from system failures. Such individuals may use this authority to access users’ programs and data files. 2. Individuals both internal and external to the organization who browse the operating system to identify and exploit security flaws. 3. Individuals who intentionally (or accidentally) insert computer viruses or other forms of destructive programs into the operating system.
PTS: 1
4. Discuss three techniques for breaching operating system controls. ANS: Browsing involves searching through areas of main memory for password information. Masquerading is a technique where a user is made to believe that he/she has accessed the operating system and therefore enters passwords, etc., that can later be used for unauthorized access. A virus is a program that attaches itself to legitimate software to penetrate the operating system. Most are destructive. A worm is software that replicates itself in memory. A logic bomb is a destructive program triggered by some "logical" condition, such as a matching date (e.g., Michelangelo's birthday).
PTS: 1
5. A formal log-on procedure is the operating system’s first line of defense. Explain how this works. ANS: When the user logs on, he or she is presented with a dialog box requesting the user’s ID and password. The system compares the ID and password to a database of valid users. If the system finds a match, then the log-on attempt is authenticated. If, however, the password or ID is entered incorrectly, the log-on attempt fails and a message is returned to the user. The message should not reveal whether the password or the ID caused the failure. The system should allow the user to reenter the log-on information. After a specified number of attempts (usually no more than five), the system should lock out the user from the system.
PTS: 1
6. Explain the concept of discretionary access privileges. ANS: In centralized systems, a system administrator usually determines who is granted access to specific resources and maintains the access control list. In distributed systems, however, resources may be controlled (owned) by end users. Resource owners in this setting may be granted discretionary access privileges, which allow them to grant access privileges to other users. For example, the controller, who is the owner of the general ledger, may grant read-only privileges to a manager in the budgeting department. The accounts payable manager, however, may be granted both read and write permissions to the ledger. Any attempt by the budgeting manager to add, delete, or change the general ledger will be denied. The use of discretionary access control needs to be closely supervised to prevent security breaches because of its liberal use.
PTS: 1
7. Contrast a LAN and a WAN. Typically, who owns and maintains a WAN? ANS: A LAN is a local area network covering a limited geographic area (a room, a building, several buildings within a restricted geographic distance). Information processing units connected to a LAN are usually microcomputer-based workstations. Typically, LANs are privately owned and controlled. When networks exceed the geographic limitations of the LAN, they are called WANs. Because of the distances involved and the high cost of telecommunication infrastructure, WANs are often commercial networks (at least in part) that the organization leases. The nodes of a WAN may include microcomputer workstations, minicomputers, mainframes, and LANs. The WAN may be used to link geographically dispersed segments of a single organization or connect multiple organizations in a trading partner arrangement.
PTS: 1
8. Network communication poses some special types of risk for a business. What are the two broad areas of concern? Explain. ANS: Two general types of risk exist when networks communicate with each other: risks from subversive threats and risks from equipment failure. Subversive threats include interception of information transmitted between sender and receiver, computer hackers gaining unauthorized access to the organization’s network, and denial-of-service attacks from remote locations on the Internet. Methods for controlling these risks include firewalls, encryption, digital signatures, digital certificates, message transaction logs, and call-back devices. Equipment failure can be the result of line errors. The problems can be minimized with the help of echo checks, parity checks, and good backup control.
PTS: 1
9. Describe the basic differences between the star, ring, and bus topologies. ANS: The star topology is a configuration of IPUs with a large central computer (the host) at the hub (or center) that has connections to a number of smaller computers. Communication between nodes is managed from the host. The ring topology connects many computers of equal status. There is no host. Management of communication is distributed among the nodes. In the bus topology, all nodes are connected to a common cable, the bus. Communication and file transfer are controlled centrally by one or more servers.
PTS: 1
10. Define and contrast digital certificate and digital signature. ANS: A digital certificate is like an electronic identification card that is used in conjunction with a public key encryption system to verify the authenticity of the message sender. These are issued by certification authorities. A digital signature is an electronic authentication technique that ensures that the transmitted message originated with the authorized sender and that it was not tampered with after the signature was applied.
PTS: 1
11. Explain the function of the two parts of the TCP/IP protocol. ANS: The two parts of the TCP/IP protocol are the transfer control protocol (TCP) and the Internet protocol (IP). This controls how individual packets of data are formatted, transmitted, and received. The TCP supports the transport function of the OSI (Open System Interface) model that has been adopted by the International Standards Organization for the communication community. This ensures that the full message is received. The IP component provides the routing mechanism. It contains a network address and is used to route messages to their destinations.
PTS: 1
12. What are network protocols? What functions do they perform? ANS: Network protocols are the rules and standards governing the design of hardware and software that permit users of networks manufactured by different vendors to communicate and share data. Protocols perform a number of different functions. a. They facilitate the physical connection between network devices. b. They synchronize the transfer of data between physical devices. c. They provide a basis for error checking and measuring network performance. d. They promote compatibility among network devices. e. They promote network designs that are flexible, expandable, and cost-effective.
PTS: 1
13. Explain a SYN flood attack. ANS: Normally, a user establishes a connection on the Internet via a three-way handshake. The connecting server sends an initiation code called a SYN (SYNchronize) packet to the receiving server. The receiving server then acknowledges the request by returning a SYNchronize-ACKnowledge (SYNACK) packet. Finally, the initiating host machine responds with an ACK packet code. The SYN flood attack is accomplished by not sending the final acknowledgment to the server’s SYNACK response, which causes the server to keep signaling for acknowledgement until the server times out. The individual or organization perpetrating the SYN flood attack transmits hundreds of SYN packets to the targeted receiver, but never responds with an ACK to complete the connection. As a result, the ports of the receiver’s server are clogged with incomplete communication requests that prevent legitimate transactions from being received and processed. Organizations under attack may, thus, be prevented from receiving Internet messages for days at a time.
PTS: 1
14. Explain a smurf attack. ANS: A smurf attack involves three parties: the perpetrator, the intermediary, and the victim. It is accomplished by exploiting an Internet maintenance tool called a ping, which is used to test the state of network congestion and determine whether a particular host computer is connected and available on the network. The perpetrator of a smurf attack uses a program to create a ping message packet that contains the forged IP address of the victim’s computer (IP spoofing) rather than that of the actual source computer. The ping message is then sent to the intermediary, which is actually an entire subnetwork of computers. By sending the ping to the network’s IP broadcast address, the perpetrator ensures that each node on the intermediary network receives the echo request automatically. Consequently, each intermediary node sends echo responses to the ping message, which are returned to the victim’s IP address, not the source computer’s. The resulting flood of echoes can overwhelm the victim’s computer and cause network congestion that makes it unusable for legitimate traffic.
PTS: 1
15. Explain a distributed denial of service attack. ANS: A distributed denial of service (DDoS) attack may take the form of a SYN flood or smurf attack. The distinguishing feature of the DDoS is the sheer scope of the event. The perpetrator of a DDoS attack may employ a virtual army of so-called zombie or bot (robot) computers to launch the attack. Since vast numbers of unsuspecting intermediaries are needed, the attack often involves one or more Internet Relay Chat (IRC) networks as a source of zombies. The perpetrator accesses the IRC and uploads a malicious program such as a Trojan horse, which contains DDoS attack script. This program is subsequently downloaded to the PCs of the many thousands of people who visit the IRC site. The attack program runs in the background on the new zombie computers, which are now under the control of the perpetrator. Via the zombie control program the perpetrator can direct the DDoS to specific victims and turn on or off the attack at will.
PTS: 1
16. Discuss the changing motivation behind a denial of service attack. ANS: The motivation behind DoS attacks may originally have been to punish an organization with which the perpetrator had a grievance or simply to gain bragging rights for being able to do it. Today, DoS attacks are also perpetrated for financial gain. Financial institutions, which are particularly dependent on Internet access, have been prime targets. Organized criminals threatening a devastating attack have extorted several institutions, including the Royal Bank of Scotland. The typical scenario is for the perpetrator to launch a short DDoS attack (a day or so) to demonstrate what life would be like if the organization were isolated from the Internet. After the attack, the CEO of the organization receives a phone call demanding that a sum of money be deposited in an off-shore account, or the attack will resume. Compared to the potential loss in customer confidence, damaged reputation, and lost revenues, the ransom may appear to be a small price to pay. PTS: 1
IT Auditing 4th Ed—Test Bank, Chapter 4
Chapter 4 -- Security Part II: Auditing Database Systems TRUE/FALSE 1. The database approach to data management is sometimes called the flat file approach. ANS: F
PTS: 1
2. The database management system provides a controlled environment for accessing the database. ANS: T
PTS: 1
3. To the user, data processing procedures for routine transactions, such as entering sales orders, appear to be identical in the database environment and in the traditional environment. ANS: T
PTS: 1
4. An important feature associated with the traditional approach to data management is the ability to produce ad hoc reports. ANS: F
PTS: 1
5. The data definition language is used to insert special database commands into application programs. ANS: F
PTS: 1
6. There is more than one conceptual view of the database. ANS: F
PTS: 1
7. In the database method of data management, access authority is maintained by systems programming. ANS: F
PTS: 1
8. The physical database is an abstract representation of the database. ANS: F
PTS: 1
9. A customer name and an unpaid balance is an example of a one-to-many relationship. ANS: F
PTS: 1
10. In the relational model, a data element is called a relation. ANS: F
PTS: 1
11. Subschemas are used to authorize user access privileges to specific data elements. ANS: F
PTS: 1
12. A recovery module suspends all data processing while the system reconciles its journal files against the database. ANS: F
PTS: 1
13. A major difference between the database and flat-file models is the pooling of data into a common shared database. ANS: T
PTS: 1
14. Examining programmer authority tables for information about who has access to Data Definition Language commands will provide evidence about who is responsible for creating subschemas. ANS: T
PTS: 1
15. Data normalization groups data attributes into tables in accordance with specific design objectives. ANS: T
PTS: 1
16. Under the database approach, data is viewed as proprietary or owned by users. ANS: F
PTS: 1
17. The data dictionary describes all of the data elements in the database. ANS: T
PTS: 1
18. When information system needs arise, users send formal requests for computer applications to the database administrator of the organization. ANS: F
PTS: 1
19. A deadlock is a phenomenon that prevents the processing of transactions. ANS: T
PTS: 1
20. Time stamping is a control that is used to ensure database partitioning. ANS: F
PTS: 1
21. A lockout is a software control that prevents multiple users from simultaneous access to data. ANS: T
PTS: 1
22. An entity is any physical thing about which the organization wishes to capture data. ANS: F
PTS: 1
23. Data access methods allow records to be located, stored and retrieved. ANS: F
PTS: 1
24. The term occurrence is used to describe the number of attributes or fields pertaining to a specific entity. ANS: F
PTS: 1
25. The earliest DBAs were based on the hierarchical data model. ANS: T
PTS: 1
MULTIPLE CHOICE
1. All of the following are basic data management tasks except a. data deletion b. data storage c. data attribution d. data retrieval ANS: C
PTS: 1
2. The task of searching the database to locate a stored record for processing is called a. data deletion b. data storage c. data attribution d. data retrieval ANS: D
PTS: 1
3. Which of the following is not a problem usually associated with the flat-file approach to data management? a. data redundancy b. restricting access to data to the primary user c. data storage d. currency of information ANS: B
PTS: 1
4. Which characteristic is associated with the database approach to data management? a. data sharing b. multiple storage procedures c. data redundancy d. excessive storage costs ANS: A
PTS: 1
5. Which characteristic is not associated with the database approach to data management? a. the ability to process data without the help of a programmer b. the ability to control access to the data c. constant production of backups d. the inability to determine what data is available ANS: D
PTS: 1
6. The textbook refers to four interrelated components of the database concept. Which of the following is not one of the components? a. the database management system b. the database administrator c. the physical database d. the conceptual database ANS: D
PTS: 1
7. Which of the following is not a responsibility of the database management system? a. provide an interface between the users and the physical database b. provide security against a natural disaster c. ensure that the internal schema and external schema are consistent d. authorize access to portions of the database ANS: C
PTS: 1
8. A description of the physical arrangement of records in the database is a. the internal view b. the conceptual view c. the subschema d. the external view ANS: A
PTS: 1
9. Which of the following may provide many distinct views of the database? a. the schema b. the internal view c. the user view d. the conceptual view ANS: C
PTS: 1
10. Users access the database a. by direct query b. by developing operating software c. by constantly interacting with systems programmers d. all of the above ANS: A
PTS: 1
11. The data definition language a. identifies, for the database management system, the names and relationships of all data elements, records, and files that comprise the database b. inserts database commands into application programs to enable standard programs to interact with and manipulate the database c. permits users to process data in the database without the need for conventional programs d. describes every data element in the database ANS: A
PTS: 1
12. The data manipulation language a. defines the database to the database management system b. transfers data to the buffer area for manipulation c. enables application programs to interact with and manipulate the database d. describes every data element in the database ANS: C
PTS: 1
13. Which statement is not correct? A query language like SQL a. is written in a fourth-generation language b. requires user familiarity with COBOL c. allows users to retrieve and modify data d. reduces reliance on programmers ANS: B
PTS: 1
14. Which duty is not the responsibility of the database administrator? a. to develop and maintain the data dictionary b. to implement security controls c. to design application programs d. to design the subschema ANS: C
PTS: 1
15. In a hierarchical model a. links between related records are implicit b. the way to access data is by following a predefined data path c. an owner (parent) record may own just one member (child) record d. a member (child) record may have more than one owner (parent) ANS: B
PTS: 1
16. Which term is not associated with the relational database model? a. tuple b. attribute c. collision d. relation ANS: C
PTS: 1
17. In the relational database model a. relationships are explicit b. the user perceives that files are linked using pointers c. data is represented on two-dimensional tables d. data is represented as a tree structure ANS: C
PTS: 1
18. In the relational database model all of the following are true except a. data is presented to users as tables b. data can be extracted from specified rows from specified tables c. a new table can be built by joining two tables d. only one-to-many relationships can be supported ANS: D
PTS: 1
19. In a relational database a. the user’s view of the physical database is the same as the physical database b. users perceive that they are manipulating a single table c. a virtual table exists in the form of rows and columns of a table stored on the disk d. a programming language (COBOL) is used to create a user’s view of the database ANS: B
PTS: 1
20. Which of the following is not a common form of conceptual database model? a. hierarchical b. network c. sequential d. relational ANS: C
PTS: 1
21. Which statement is false? a. The DBMS is special software that is programmed to know which data elements each user is authorized to access. b. User programs send requests for data to the DBMS. c. During processing, the DBMS periodically makes backup copies of the physical database. d. The DBMS does not control access to the database. ANS: D
PTS: 1
22. All of the following are elements of the DBMS which facilitate user access to the database except
a. query language
b. data access language
c. data manipulation language
d. data definition language
ANS: B
PTS: 1
23. Which of the following is a level of the database that is defined by the data definition language?
a. user view
b. schema
c. internal view
d. all are levels or views of the database
ANS: D
PTS: 1
24. An example of a distributed database is
a. partitioned database
b. centralized database
c. networked database
d. all are examples of distributed databases
ANS: A
PTS: 1
25. Data currency is preserved in a centralized database by
a. partitioning the database
b. using a lockout procedure
c. replicating the database
d. implementing concurrency controls
ANS: B
PTS: 1
26. Which procedure will prevent two end users from accessing the same data element at the same time?
a. data redundancy
b. data replication
c. data lockout
d. none of the above
ANS: C
PTS: 1
27. The advantages of a partitioned database include all of the following except
a. user control is enhanced
b. data transmission volume is increased
c. response time is improved
d. risk of destruction of entire database is reduced
ANS: B
PTS: 1
28. A replicated database is appropriate when
a. there is minimal data sharing among information processing units
b. there exists a high degree of data sharing and no primary user
c. there is no risk of the deadlock phenomenon
d. most data sharing consists of read-write transactions
ANS: B
PTS: 1
29. What control maintains complete, current, and consistent data at all information processing units?
a. deadlock control
b. replication control
c. concurrency control
d. gateway control
ANS: C
PTS: 1
30. Data concurrency
a. is a security issue in partitioned databases
b. is implemented using time stamping
c. may result in data lockout
d. occurs when a deadlock is triggered
ANS: B
PTS: 1
31. All of the following are advantages of a partitioned database except
a. increased user control by having the data stored locally
b. deadlocks are eliminated
c. transaction processing response time is improved
d. partitioning can reduce losses in case of disaster
ANS: B
PTS: 1
32. Which backup technique is most appropriate for sequential batch systems?
a. grandparent-parent-child approach
b. staggered backup approach
c. direct backup
d. remote site, intermittent backup
ANS: A
PTS: 1
33. When creating and controlling backups for a sequential batch system,
a. the number of backup versions retained depends on the amount of data in the file
b. off-site backups are not required
c. backup files can never be used for scratch files
d. the more significant the data, the greater the number of backup versions
ANS: D
PTS: 1
34. In a direct access file system
a. backups are created using the grandfather-father-son approach
b. processing a transaction file against a master file creates a backup file
c. files are backed up immediately before an update run
d. if the master file is destroyed, it cannot be reconstructed
ANS: C
PTS: 1
35. Which of the following is not an access control in a database system?
a. antivirus software
b. database authorization table
c. passwords
d. voice prints
ANS: A
PTS: 1
36. Which of the following is not a basic database backup and recovery feature?
a. checkpoint
b. backup database
c. transaction log
d. database authority table
ANS: D
PTS: 1
37. Audit objectives for the database management system include all of the following except
a. verifying that the security group monitors and reports on fault tolerance violations
b. confirming that backup procedures are adequate
c. ensuring that authorized users access only those files they need to perform their duties
d. verifying that unauthorized users cannot access data files
ANS: A
PTS: 1
38. All of the following tests of controls will provide evidence that access to the data files is limited except
a. inspecting biometric controls
b. reconciling program version numbers
c. comparing job descriptions with access privileges stored in the authority table
d. attempting to retrieve unauthorized data via inference queries
ANS: B
PTS: 1
39. Which of the following is not a test of access controls?
a. biometric controls
b. encryption controls
c. backup controls
d. inference controls
ANS: C
PTS: 1
40. To preserve the confidentiality and integrity of the database requires
a. biometric devices
b. user-defined procedures
c. backup controls
d. inference controls
ANS: D
PTS: 1
SHORT ANSWER
Use the following words to complete the sentences in questions 1 through 5.
database administrator
data redundancy
query language
sequential structure
data dictionary
index sequential access method
schema
subschema
1. _________________________ occurs when a specific file is reproduced for each user who needs access to the file. ANS: data redundancy
PTS: 1
2. The conceptual view of the database is often called ____________________. ANS: schema
PTS: 1
3. The ____________________ allows users to retrieve and modify data easily. ANS: query language
PTS: 1
4. The __________________________ authorizes access to the database. ANS: database administrator
PTS: 1
5. The __________________________ describes every data element in the database. ANS: data dictionary
PTS: 1
6. How does the database approach solve the problem of data redundancy? ANS: Data redundancy is not a problem with the database approach because individual data elements need to be stored only once yet remain available to multiple users.
PTS: 1
7. Describe two tests of controls that would provide evidence that the database management system is protected against unauthorized access attempts. ANS: compare job descriptions with authority tables; verify that database administration employees have exclusive responsibility for creating authority tables and designing user subschemas; evaluate biometric and inference controls
PTS: 1
8. What is a database authorization table? ANS: The database authorization table contains rules that limit the actions a user can take. Each user is granted certain privileges that are coded in the authority table, which is used to verify the user's action requests.
PTS: 1
9. What are two types of distributed databases? ANS: Partitioned and replicated databases.
PTS: 1
10. Describe an environment in which a firm should use a partitioned database. ANS: A partitioned database approach works best in organizations that require minimal data sharing among their information processing units and where a primary user of the data can be identified.
PTS: 1
11. Why are the hierarchical and network models called navigational databases? ANS: These are called navigational models because traversing or searching them requires following a predefined path which is established through explicit linkages between related records.
PTS: 1
12. What is a database lockout? ANS: To achieve data currency, simultaneous access to individual data elements by multiple sites needs to be prevented. The solution to this problem is to use a database lockout, which is a software control that prevents multiple simultaneous accesses to data.
PTS: 1
13. What is the partitioned database approach and what are its advantages? ANS: The partitioned database approach splits the central database into segments or partitions that are distributed to their primary users. The advantages of this approach are: Storing data at local sites increases users' control. Permitting local access to data and reducing the volume of data that must be transmitted between sites improves transaction processing response time. Partitioned databases can reduce the potential for disaster. By having data located at several sites, the loss of a single site cannot terminate all data processing by the organization.
PTS: 1
14. What is a replicated database and what are the advantages of this approach? ANS: The entire database is replicated at each distributed site. Replicated databases are effective in companies where there exists a high degree of data sharing but no primary user. Since common data are replicated at each site, the data traffic between sites is reduced considerably.
PTS: 1
15. What is a legacy system? ANS: Legacy systems are large mainframe systems that were implemented from the late 1960s through the 1980s. Organizations today still make extensive use of these systems.
PTS: 1
16. What is the flat-file model? ANS: The flat-file model describes an environment in which individual data files are not related to other files. End users in this environment own their data files rather than share them with other users. PTS: 1
17. What are the four primary elements of the database approach? ANS: The users, the database management system, the database administrator, and the physical database structures. PTS: 1
18. What types of problems does data redundancy cause? ANS: a. increased data storage because the same data is stored in multiple files b. increased data updating because changes must be made to multiple files c. problem of current data in some files, but not all files PTS: 1
19. What flat-file data management problems are solved as a result of using the database concept? ANS: a. no data redundancy b. single update of data c. current values for all user applications d. task-data independence PTS: 1
20. What are four ways in which database management systems provide a controlled environment to manage user access and the data resources? ANS: Program development, backup and recovery, database usage reporting, and database access. PTS: 1
21. Explain the relationship between the three levels of the data definition language. As a user, which level would you be most interested in? ANS: One level is the schema, which is the conceptual view of the data. The schema describes the entire database and it represents the database logically. The second level is the internal view, which is the physical arrangement of the records. At this level, the data records are described as well as linkages between files. The next level is the subschema, which is the external view of the database that specific users have authorization to use. This is also called the user view and is the level that users find of most interest. PTS: 1
22. What is the internal view of a database? ANS: The internal view of a database is the physical arrangement of the records. It describes the data structure, the linkages between files, and the physical arrangement of the records. PTS: 1
23. What is a data dictionary, and what purpose does it serve? ANS: The data dictionary describes every data element in the database. It enables all users (and programmers) to share a common view of the data resource, thus greatly facilitating the analysis of user needs. PTS: 1
24. Discuss and give an example of one-to-one, one-to-many, and many-to-many record associations. ANS: A one-to-one association means that for every occurrence in record type X, either zero or one occurrence exists of record type Y. An example would be that for every student, only one social security number exists. A one-to-many association means that for every occurrence in record type X, either zero, one, or many occurrences exist of record type Y. An example would be buyers of assigned seating at concerts. Each potential buyer would leave the sales box office with zero, one, or many seats. A many-to-many association is a two-way relationship. For each occurrence of record types X and Y, zero, one, or many occurrences exist of record type Y and X, respectively. An example would be a student-professor relationship. Each student has multiple professors each semester, and each professor has multiple students each semester. PTS: 1
ESSAY
1. What are the four elements of the database approach? Explain the role of each. ANS: Users are the individuals in the organization who access the data in the database. This may happen via user programs or by direct query. The database management system is a set of programs that control access to the database and that manage the data resource through program development, backup and recovery functions, usage reporting, and access authorization. The database administrator is a function (which may involve part of one individual's duties or an entire department) which manages the database resources through database planning, design, implementation, operation and maintenance, and growth and change. The physical database is the only physical form that the database has. It consists of magnetic spots on magnetic media. PTS: 1
2. Explain the three views of a database. ANS: The unique internal view of the database is the physical arrangement of records which describes the structure of data records, the linkages between files, and the physical arrangement and sequence of records in the file. The unique conceptual view (or schema) represents the database logically and abstractly. The many user views (or subschema) define the portion of a database that an individual user is authorized to access. PTS: 1
3. Explain a database lockout and the deadlock phenomenon. Contrast that to concurrency control and the timestamping technique. Describe the importance of these items in relation to database integrity. ANS: In a centralized database, a lockout is used to ensure data currency. A lockout prevents simultaneous access to individual data elements by different information processing units (IPU). When one IPU requests access to a data element, a lock is put on the file, record, or element. No other IPU can access the file, record, or element until the lock is released.
In a partitioned database, lockouts are also used to ensure data currency. It is possible, however, for multiple sites to place locks on records in a way that results in a deadlock condition, which prevents transactions from processing. All transactions are in a wait state until the locks are removed. A deadlock cannot be resolved without outside intervention from the user's application, the DBMS, or the operating system.
In a replicated database, a large volume of data flows between sites, and temporary inconsistencies in the database may occur. Concurrency control ensures that transactions executed at each IPU are accurately reflected in the databases of all other sites. A popular method for concurrency control is to timestamp transactions. Transactions that may be in conflict are assigned a system-wide timestamp. Then, the identified transactions are processed in timestamp order. Both database lockouts and concurrency controls are designed to ensure that the transactions are completely processed and that all transactions are accurately reflected in the firm's databases. Failure to implement these controls can result in transactions being lost, transactions being partially processed, or inconsistent databases. PTS: 1
4. One purpose of a database system is the easy sharing of data. But this ease of sharing can also jeopardize security. Discuss at least three forms of access control designed to reduce this risk. ANS: Many types of access control are possible. A user view is a subset of a database that limits a user's view or access to the database. The database authorization table contains rules that limit what a user can do, i.e., read, insert, modify, delete. A user-defined procedure adds further identification steps to user access so that no one else can gain access in a specific user's place. To protect the data in a database, many systems use data encryption to make it unreadable by intruders. A newer technique uses biometric devices to authenticate users. PTS: 1
5. In a distributed data processing system, a database can be centralized or distributed. What are the options? Explain. ANS: In a distributed data processing system, a database can be centralized or distributed. When the database is centralized, the entire database is stored at a central site which processes requests from users at remote locations. Certain concerns arise when data processing is distributed. Questions arise with regard to data currency when multiple users have access to the database. Database lockout prevents more than one user from making changes at the same time. Distributed databases can be partitioned, with parts stored at different sites, or replicated, with the entire database stored in multiple locations. When the database is partitioned, users have more control over data stored at local sites, transaction processing time is improved, and the potential of data loss is reduced. When the database is replicated, the entire database is stored at multiple locations. This works well when the primary use of the database is for querying. When transactions are processed at many sites, problems of database concurrency arise. PTS: 1
6. Ownership of data in traditional legacy systems often leads to data redundancy. This in turn leads to several data management problems. What are they? How does the database approach solve them? ANS: Data redundancy causes significant data management problems in three areas: data storage, data updating, and currency of information. Data storage is a problem because if multiple users need the data, it must be collected and stored multiple times at multiple costs. When multiple users hold the same information, changes must be updated in all locations or data inconsistency results. Failure to update all occurrences of a data item can affect the currency of the information. With a database system, these problems are solved. There is no data redundancy since a data item is stored only once. Hence changes require only a single update, thus leading to current values. PTS: 1
7. What services are provided by a database management system? ANS: Database management systems typically provide the following services: a. program development, which permits both programmers and end users to create applications to access the database; b. backup and recovery, which is built in, thereby reducing the likelihood of data loss; c. database usage reporting, which captures statistics on what data is being used, by whom, and when; and especially d. database access, which is provided to authorized users. PTS: 1
8. Discuss the key factors to consider in determining how to partition a corporate database. ANS: The partitioned approach works best for organizations that require minimal data sharing among users at remote sites. To the extent that remote users share common data, the problems associated with the centralized approach will apply. The primary user must now manage requests for data from other sites. Selecting the optimum host location for the partitions to minimize data access problems requires an in-depth analysis of end-user data needs. PTS: 1
9. Distinguish between a database lockout and a deadlock. ANS: To achieve data currency, simultaneous access to individual data elements or records by multiple users needs to be prevented. The solution to this problem is a database lockout, which is a software control that prevents multiple simultaneous accesses to data. A deadlock occurs when multiple users seeking access to the same set of records lock out each other. As a result, the transactions of all users assume a wait state until the locks are removed. A deadlock is a permanent condition that must be resolved by special software that analyzes each deadlock condition to determine the best solution. PTS: 1
10. Replicated databases create considerable data redundancy, which is in conflict with the database concept. Explain the justification of this approach. ANS: The primary justification for a replicated database is to support read-only queries in situations involving a high degree of data sharing where no primary user exists. With data replicated at every site, data access for query purposes is ensured, and lockouts and delays due to network traffic are minimized. A potential problem arises, however, when replicated databases need to be updated by transactions. Since each site processes only local transactions, the common data attributes that are replicated at each site will be updated by different transactions and thus, at any point in time, will have uniquely different values. System designers need to employ currency control techniques to ensure that transactions processed at different locations are accurately reflected in all the database copies. PTS: 1
11. Contrast the navigational databases with relational databases. What is the primary advantage of the relational model? ANS: The most apparent difference between the relational model and navigational models is the way that data associations are represented to the user.
In navigational models, data are represented in tree structures or network structures. The navigational database models have explicit links, called pointers, between records. Data are accessed using defined data paths. The relational model portrays data in the form of two-dimensional tables. Users do not perceive any pointers linking the tables. At the conceptual level (logical view) and the external level (user’s view), data are represented only as tables. Relations between tables are formed by an attribute (data element) that is common to the tables. This attribute is a primary key in one table and a foreign key in the other. The relational model is more flexible than a navigational model. Users can obtain data from the database by using the primary key and a database query language. Typically users do not require assistance from programmers to obtain answers to ad hoc queries. PTS: 1
IT Auditing 4th Ed—Test Bank, Chapter 5
Chapter 5—Systems Development and Program Change Activities
TRUE/FALSE
1. The objective of systems planning is to link systems projects to the strategic objectives of the firm. ANS: T
PTS: 1
2. The Systems Development Life Cycle (SDLC) concept applies to specific applications and not to strategic systems planning. ANS: F
PTS: 1
3. An accountant’s responsibility in the SDLC is to ensure that the system applies proper accounting conventions and rules and possesses adequate control. ANS: T
PTS: 1
4. In the conceptual design phase of the Systems Development Life Cycle (SDLC), task force members are focused on selecting the new system design. ANS: F
PTS: 1
5. When determining the operational feasibility of a new system, the expected ease of transition from the old system to the new system should be considered. ANS: T
PTS: 1
6. One-time costs include operating and maintenance costs. ANS: F
PTS: 1
7. When preparing a cost-benefit analysis, design costs incurred in the systems planning, systems analysis and conceptual design phases of the Systems Development Life Cycle are relevant costs. ANS: F
PTS: 1
8. A tangible benefit can be measured and expressed in financial terms. ANS: T
PTS: 1
9. Instead of implementing an application in a single big-bang release, modern systems are delivered in parts continuously and quickly. ANS: T
PTS: 1
10. When the nature of the project and the needs of the user permit, most organizations will seek a precoded commercial software package rather than develop a system in-house. ANS: T
PTS: 1
11. All of the steps in the Systems Development Life Cycle apply to software that is developed in-house and to commercial software. ANS: F
PTS: 1
12. During the detailed feasibility study of the project, the systems professional who proposed the project should be involved in performing the study. ANS: F
PTS: 1
13. Recurring costs include: hardware maintenance, software acquisition, software maintenance, insurance, supplies and personnel costs. ANS: F
PTS: 1
14. The payback method is often more useful than the net present value method for evaluating systems projects because the effective lives of information systems tend to be short and shorter payback projects are often desirable. ANS: T
PTS: 1
15. Intangible benefits are not physical, but can be measured and expressed in financial terms. ANS: F
PTS: 1
16. Legal feasibility identifies conflicts between the proposed system and the company's ability to discharge its legal responsibilities. ANS: T
PTS: 1
17. Programs in their compiled state are very susceptible to the threat of unauthorized modification. ANS: F
PTS: 1
18. Maintenance access to systems increases the risk that logic will be corrupted either by accident or by intent to defraud. ANS: T
PTS: 1
19. Source program library controls should prevent and detect unauthorized access to application programs. ANS: T
PTS: 1
20. The user test and acceptance procedure is the last point at which the user can determine the system’s acceptability prior to it going into service. ANS: T
PTS: 1
MULTIPLE CHOICE
1. Which control is not associated with new systems development activities?
a. reconciling program version numbers
b. program testing
c. user involvement
d. internal audit participation
ANS: A
PTS: 1
2. Which test of controls will provide evidence that the system as originally implemented was free from material errors and free from fraud? Review of the documentation indicates that
a. a cost-benefit analysis was conducted
b. the detailed design was an appropriate solution to the user's problem
c. tests were conducted at the individual module and total system levels prior to implementation
d. problems detected during the conversion period were corrected in the maintenance phase
ANS: C
PTS: 1
3. Routine maintenance activities require all of the following controls except
a. documentation updates
b. testing
c. formal authorization
d. internal audit approval
ANS: D
PTS: 1
4. Which statement is correct?
a. compiled programs are very susceptible to unauthorized modification
b. the source program library stores application programs in source code form
c. modifications are made to programs in machine code language
d. the source program library management system increases operating efficiency
ANS: B
PTS: 1
5. Which control ensures that production files cannot be accessed without specific permission?
a. Database Management System
b. Recovery Operations Function
c. Source Program Library Management System
d. Computer Services Function
ANS: C
PTS: 1
6. Program testing
a. involves individual modules only, not the full system
b. requires creation of meaningful test data
c. need not be repeated once the system is implemented
d. is primarily concerned with usability
ANS: B
PTS: 1
7. Which statement is not true? a. An audit objective for systems maintenance is to detect unauthorized access to application databases. b. An audit objective for systems maintenance is to ensure that applications are free from errors. c. An audit objective for systems maintenance is to verify that user requests for maintenance reconcile to program version numbers. d. An audit objective for systems maintenance is to ensure that the production libraries are protected from unauthorized access. ANS: A
PTS: 1
8. When the auditor reconciles the program version numbers, which audit objective is being tested? a. protect applications from unauthorized changes b. ensure applications are free from error c. protect production libraries from unauthorized access d. ensure incompatible functions have been identified and segregated ANS: A
PTS: 1
9. Which is not a level of a data flow diagram? a. conceptual level b. context level c. intermediate level d. elementary level ANS: A
PTS: 1
10. Which statement is not correct? The structured design approach a. is a top-down approach b. is documented by data flow diagrams and structure diagrams c. assembles reusable modules rather than creating systems from scratch d. starts with an abstract description of the system and redefines it to produce a more detailed description of the system ANS: C
PTS: 1
11. The benefits of the object-oriented approach to systems design include all of the following except a. this approach does not require input from accountants and auditors b. development time is reduced c. a standard module once tested does not have to be retested until changes are made d. system maintenance activities are simplified ANS: A
PTS: 1
12. Evaluators of the detailed feasibility study should not include a. the internal auditor b. the project manager c. a user representative d. the system designer ANS: D
PTS: 1
13. A cost-benefit analysis is a part of the detailed a. operational feasibility study b. schedule feasibility study c. legal feasibility study d. economic feasibility study ANS: D
PTS: 1
14. Examples of one-time costs include all of the following except a. hardware acquisition b. insurance c. site preparation d. programming ANS: B
PTS: 1
15. Examples of recurring costs include a. software acquisition b. data conversion c. personnel costs d. systems design ANS: C
PTS: 1
16. A commercial software system that is completely finished, tested, and ready for implementation is called a a. backbone system b. vendor-supported system c. benchmark system d. turnkey system ANS: D
PTS: 1
17. Which of the following is not an advantage of commercial software? Commercial software a. can be installed faster than a custom system b. can be easily modified to the user’s exact specifications c. is significantly less expensive than a system developed in-house d. is less likely to have errors than an equivalent system developed in-house ANS: B
PTS: 1
18. Which step is least likely to occur when choosing a commercial software package? a. a detailed review of the source code b. contact with user groups c. preparation of a request for proposal d. comparison of the results of a benchmark problem ANS: A
PTS: 1
19. The output of the detailed design phase of the Systems Development Life Cycle (SDLC) is a a. fully documented system report b. systems selection report c. detailed system design report d. systems analysis report ANS: C
PTS: 1
20. The detailed design report contains all of the following except a. input screen formats b. alternative conceptual designs c. report layouts d. process logic ANS: B
PTS: 1
21. System documentation is designed for all of the following groups except a. systems designers and programmers b. end users c. accountants d. all of the above require systems documentation ANS: D
PTS: 1
22. Which type of documentation shows the detailed relationship of input files, programs, and output files? a. structure diagrams b. overview diagram c. system flowchart d. program flowchart ANS: C
PTS: 1
23. Typical contents of a run manual include all of the following except a. run schedule b. logic flowchart c. file requirements d. explanation of error messages ANS: B
PTS: 1
24. Computer operators should have access to all of the following types of documentation except a. a list of users who receive output b. a program code listing c. a list of all master files used in the system d. a list of required hardware devices ANS: B
PTS: 1
25. Which task is not essential during a data conversion procedure? a. decomposing the system b. validating the database c. reconciliation of new and old databases d. backing up the original files ANS: A
PTS: 1
26. When converting to a new system, which cutover method is the most conservative? a. cold turkey cutover b. phased cutover c. parallel operation cutover d. data coupling cutover ANS: C
PTS: 1
27. Site preparation costs include all of the following except a. crane used to install equipment b. freight charges c. supplies d. reinforcement of the building floor ANS: C
PTS: 1
28. The testing of individual program modules is a part of a. software acquisition costs b. systems design costs c. data conversion costs d. programming costs ANS: D
PTS: 1
29. When implementing a new system, the costs associated with transferring data from one storage medium to another is an example of a. a recurring cost b. a data conversion cost c. a systems design cost d. a programming cost ANS: B
PTS: 1
30. An example of a tangible benefit is a. increased customer satisfaction b. more current information c. reduced inventories d. faster response to competitor actions ANS: C
PTS: 1
31. An example of an intangible benefit is a. expansion into other markets b. reduction in supplies and overhead c. more efficient operations d. reduced equipment maintenance ANS: C
PTS: 1
32. A tangible benefit a. can be measured and expressed in financial terms b. might increase revenues c. might decrease costs d. all of the above ANS: D
PTS: 1
33. Intangible benefits a. are easily measured b. are of relatively little importance in making information system decisions c. are sometimes estimated using customer satisfaction surveys d. when measured, do not lend themselves to manipulation ANS: C
PTS: 1
34. Which technique is least likely to be used to quantify intangible benefits? a. opinion surveys b. simulation models c. professional judgment d. review of accounting transaction data ANS: D
PTS: 1
35. The formal product of the systems evaluation and selection phase of the Systems Development Life Cycle is a. the report of systems analysis b. the systems selection report c. the detailed system design d. the systems plan ANS: B
PTS: 1
36. Typically a systems analysis a. results in a formal project schedule b. does not include a review of the current system c. identifies user needs and specifies system requirements d. is performed by the internal auditor ANS: C
PTS: 1
37. A disadvantage of surveying the current system is a. it constrains the generation of ideas about the new system b. it highlights elements of the current system that are worth preserving c. it pinpoints the causes of the current problems d. all of the above are advantages of surveying the current system ANS: A
PTS: 1
38. Systems analysis involves all of the following except a. gathering facts b. surveying the current system c. redesigning bottleneck activities d. reviewing key documents ANS: C
PTS: 1
39. The systems analysis report does not a. identify user needs b. specify requirements for the new system c. formally state the goals and objectives of the system d. specify the system processing methods ANS: D
PTS: 1
40. The role of the steering committee includes a. designing the system outputs b. resolving conflicts that arise from a new system c. selecting the programming techniques to be used d. approving the accounting procedures to be implemented ANS: B
PTS: 1
41. Project planning includes all of the following except a. specifying system objectives b. preparing a formal project proposal c. selecting hardware vendors d. producing a project schedule ANS: C
PTS: 1
42. Aspects of project feasibility include all of the following except a. technical feasibility b. economic feasibility c. logistic feasibility d. schedule feasibility ANS: C
PTS: 1
43. Which of the following is not a tool of systems analysts? a. observation b. task participation c. audit reports d. personal interviews ANS: C
PTS: 1
44. When developing the conceptual design of a system, a. all similarities and differences between competing systems are highlighted b. structure diagrams are commonly used c. the format for input screens and source documents is decided d. inputs, processes, and outputs that distinguish one alternative from another are identified ANS: D
PTS: 1
45. The role of the accountant/internal auditor in the conceptual design phase of the Systems Development Life Cycle includes all of the following except a. the accountant is responsible for designing the physical system b. the accountant is responsible to ensure that audit trails are preserved c. the internal auditor is responsible to confirm that embedded audit modules are included in the conceptual design d. the accountant is responsible to make sure that the accounting conventions that apply to the module are considered by the system designers ANS: A
PTS: 1
46. Strategic systems planning is important because the plan a. provides authorization control for the Systems Development Life Cycle b. will eliminate any crisis component in systems development c. provides a static goal to be attained within a five-year period d. all of the above ANS: A
PTS: 1
47. Project feasibility includes all of the following except a. technical feasibility b. conceptual feasibility c. operational feasibility d. schedule feasibility ANS: B
PTS: 1
SHORT ANSWER 1. Contrast the source program library (SPL) management system to the database management system (DBMS). ANS: The SPL software manages program files and the DBMS manages data files.
PTS: 1
2. List three methods used to control the source program library. ANS: passwords, separate test libraries, audit trail and management reports, program version numbers, controlling access to maintenance commands
PTS: 1
3. New system development activity controls must focus on the authorization, development, and implementation of new systems and their maintenance. Discuss at least five control activities that are found in an effective system development life cycle. ANS: System authorization activities ensure that all systems are properly authorized, so that their economic justification and feasibility are established. User specification activities should not be stifled by technical issues; users can provide a written description of the logical needs that the system must satisfy. Technical design activities must lead to specifications that meet user needs. Documentation is both a control and evidence of control. Internal audit involvement should occur throughout the process to ensure that the system will serve user needs. Program testing verifies that data are processed as intended.
PTS: 1
4. List three advantages and one disadvantage of commercial software. ANS: Advantages include very quick implementation time, relatively inexpensive software, and reliable, tested software. Disadvantages include not being able to customize the system and difficulty in modifying the software.
PTS: 1
5. Describe a risk associated with the phased cutover procedure for data conversion. ANS: Incompatibilities may exist between the new subsystems and the yet-to-be-replaced old subsystems.
PTS: 1
6. Why is it important that the systems professionals who design a project not perform the detailed feasibility study of the project? ANS: Objectivity is essential to the fair assessment of each project design. To ensure objectivity, an independent systems professional should perform the study.
PTS: 1
7. ____________________ benefits can be measured and expressed in financial terms, while ____________________ benefits cannot be easily measured and/or quantified. ANS: Tangible, intangible
PTS: 1
8. What is a systems selection report? ANS: A systems selection report is a formal document that consists of a revised feasibility study, a cost-benefit analysis, and a list and explanation of intangible benefits for each alternative design. The steering committee uses this report to select a system.
PTS: 1
9. Why is the payback method often more useful than the net present value method for evaluating systems projects? ANS: Because of brief product life cycles and rapid advances in technology, the effective lives of information systems tend to be short. Shorter payback projects are therefore often preferable.
PTS: 1
10. What are the auditor’s objectives relating to systems development? ANS: The auditor’s objectives are to ensure that (1) systems development activities are applied consistently and in accordance with management’s policies to all systems development projects; (2) the system as originally implemented was free from material errors and fraud; (3) the system was judged necessary and justified at various checkpoints throughout the SDLC; and (4) system documentation is sufficiently accurate and complete to facilitate audit and maintenance activities.
PTS: 1
11. Describe a test of controls that would provide evidence that only authorized program maintenance is occurring. ANS: reconcile program version numbers, confirm maintenance authorizations
PTS: 1
12. What are program version numbers and how are they used? ANS: The SPLMS assigns a version number automatically to each program stored on the SPL. When programs are first placed in the libraries (at implementation), they are assigned version number zero. With each modification to the program, the version number is increased by one.
PTS: 1
13. Explain why accountants are interested in the legal feasibility of a new systems project. ANS: Legal feasibility identifies conflicts between the proposed system and the company’s ability to discharge its legal responsibilities. Accountants are often tasked with the legal requirements associated with developing the internal control system and securing information from inappropriate disclosure.
PTS: 1
14. Explain an advantage of surveying the current system when preparing a systems analysis for a new systems project. ANS: An analysis of the current system will identify what aspects of the current system should be retained, facilitate the conversion from the old to the new system, and may uncover causes of reported problems.
PTS: 1
15. What are two purposes of the systems project proposal? ANS: First, it summarizes the findings of the study conducted to this point into a general recommendation for a new or modified system. This enables management to evaluate the perceived problem along with the proposed system as a feasible solution. Second, the proposal outlines the linkage between the objectives of the proposed system and the business objectives of the firm. It shows that the proposed new system complements the strategic direction of the firm.
PTS: 1
16. List two ways that a systems project can contribute to the strategic objectives of the firm. ANS: A new system can improve operational performance by eliminating nonessential activities and costs, provide a method of differentiating the product or service from competitors, and provide information that will help improve management decision-making.
PTS: 1
17. List four types of facts that should be gathered during an analysis of a system. ANS: data sources; users; data stores; processes; data flows; controls; transaction volumes; error rates; resource costs; bottlenecks; and redundant operations
PTS: 1
18. Distinguish between escapable and inescapable costs. Give an example. ANS: Escapable costs are directly related to the system, and they cease to exist when the system ceases to exist. An example would be an annual software support fee for purchased software: if the system ceases to exist, support for the software is no longer necessary. Inescapable costs, on the other hand, represent costs that will not be eliminated if the system is scrapped. An example would be an overhead charge for office space in a building owned by the company: if the system ceases to exist, these costs will simply be allocated to the remaining departments.
PTS: 1
19. Why is cost-benefit analysis more difficult for information systems than for many other types of investments organizations make? ANS: The benefits of information systems are often very difficult to assess. Many times the benefits are intangible, such as improved decision-making capability. Maintenance costs may also be difficult to predict. Most other investments that organizations make, such as the purchase of a new piece of equipment, tend to have more tangible and estimable costs and benefits.
PTS: 1
ESSAY 1. Outline the five controllable activities that relate to new systems development. ANS:
Systems Authorization Activities: All systems should be properly authorized to ensure their economic justification and feasibility. This requires a formal environment in which users submit requests to systems professionals in written form.
User Specification Activities: Users need to be actively involved in the systems development process. Users should create a detailed written description of their needs. It should describe the user’s view of the problem, not that of the systems professionals.
Technical Design Activities: The technical design activities translate user specifications into a set of detailed technical specifications for a system that meets the user’s needs. The scope of these activities includes systems analysis, feasibility analysis, and detailed systems design.
Internal Audit Participation: The internal auditor plays an important role in the control of systems development activities. The auditor should become involved at the inception of the process and continue through all phases of development and into the maintenance phase.
User Test and Acceptance Procedures: Prior to system implementation, the individual modules of the system need to be formally and rigorously tested, both individually and as a whole. The test team should comprise user personnel, systems professionals, and internal auditors. The details of the tests performed and their results need to be formally documented and analyzed. Once the test team is satisfied that the system meets its stated requirements, the system can be transferred to the user.
PTS: 1
2. Discuss the three groups that participate in systems development. ANS: Systems professionals are systems analysts, systems engineers, database designers, and programmers; these individuals actually build the system. End users are those for whom the system is built. There are many users at all levels in an organization, including managers and operations personnel such as accountants. During systems development, systems professionals work with primary users to obtain an understanding of users’ problems and a clear statement of their needs. Stakeholders are individuals who have an interest in the system but are not formal end users; they include the internal steering committee and internal and external auditors. Stakeholders work with the development team to ensure that users’ needs are met, that adequate internal controls are designed into the systems, and that the systems development process itself is properly implemented and controlled.
PTS: 1
3. Define the feasibility measures that should be considered during project analysis and give an example of each. ANS:
Technical feasibility is an assessment of whether the system can be developed under existing technology or whether new technology is needed. An example might be a firm that wants to completely automate the sales process; the question would be: Is technology available that allows sales to be made without human involvement?
Economic feasibility is an assessment of the availability of funds to complete the project. The question would be: Is it cost-feasible to purchase the equipment needed to automate sales?
Legal feasibility identifies any conflicts between the proposed system and the company’s ability to discharge its legal responsibilities. An example would be a firm proposing a new mail-order sales processing system for selling wine.
Operational feasibility shows the degree of compatibility between the firm’s existing procedures and personnel skills and the operational requirements of the new system. Does the firm have the right workforce to operate the system? If not, can employees be trained? If not, can they be hired?
Schedule feasibility pertains to whether the firm can implement the project within an acceptable time frame. An example would be a new ticket sales system for a sports team; the system would need to be implemented before the start of the new season.
PTS: 1
4. Explain the role of accountants in the conceptual design stage. ANS: Accountants are responsible for the logical information flows in a new system. Alternative systems considered must be properly controlled, audit trails must be preserved, and accounting conventions and legal requirements must be met. The auditability of a new system depends in part on its design.
PTS: 1
5. Discuss the advantages and disadvantages of the three methods of converting to a new system: cold turkey cutover, phased cutover, and parallel operation cutover.
ANS: Cold turkey: This is the fastest and least expensive cutover method. It is also the most risky: if the new system does not function properly, there is no backup system to rely on. Phased cutover: The phased cutover avoids the risk of total system failure because the conversion occurs one module at a time. The disadvantage of this method is the potential incompatibility between new modules that have been implemented and old modules that have not yet been phased out. Parallel operation cutover: This is the most time-consuming and costly of the three methods, but it also provides the greatest security. The old system is not terminated until the new system has been tested for accuracy.
PTS: 1
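Worked example, added here and not part of the test bank or the textbook: a small Python reconciliation of a converted master file to the original, the "validating the database" and "reconciliation of new and old databases" tasks of Multiple Choice 25 and the evidence an auditor would want before any of the three cutover methods above is used. The two files, their layout (account, name, balance) and the errors planted in the converted copy are constructed for the example. It computes a record count, a financial control total and a hash total on the account numbers for each file, then compares the records one by one and lists what was dropped, added or altered. The constructed data is chosen so that the record counts agree while the control totals do not, which is the reason a record count on its own is not an adequate conversion check.

```python
"""Reconcile a converted master file to the original before cutover.

Added illustration, not code from the textbook or the test bank. The two
files, their layout (account, name, balance) and the errors planted in the
converted copy are constructed for the example. The checks are the ones an
auditor would expect to see in conversion evidence: record count, a financial
control total, a hash total on the key field, and a record-by-record comparison
listing dropped, added and altered records.
"""
import csv
import io
from decimal import Decimal
from typing import Dict, Tuple

Record = Dict[str, object]

# Constructed original (old system) master file.
OLD_FILE = """account,name,balance
1001,ACME SUPPLY,1250.00
1002,BAKER LTD,0.00
1003,CARTER INC,-75.50
1004,DELTA CO,9800.25
"""
# Constructed new-system extract after conversion: 1003 was scaled wrongly,
# 1004 was dropped and 1005 appeared; the record count still matches.
NEW_FILE = """account,name,balance
1001,ACME SUPPLY,1250.00
1002,BAKER LTD,0.00
1003,CARTER INC,-7550.00
1005,ECHO PLC,10.00
"""


def load(text: str) -> Dict[str, Record]:
    """Parse CSV text into a dict keyed by account number; balances as Decimal."""
    rows: Dict[str, Record] = {}
    for r in csv.DictReader(io.StringIO(text)):
        if r["account"] in rows:
            raise ValueError(f"duplicate key {r['account']}")
        rows[r["account"]] = {"name": r["name"], "balance": Decimal(r["balance"])}
    return rows


def control_totals(rows: Dict[str, Record]) -> Dict[str, object]:
    """Record count, financial control total and a hash total on the key field."""
    return {
        "record_count": len(rows),
        "balance_total": sum((r["balance"] for r in rows.values()), Decimal("0")),
        "account_hash_total": sum(int(k) for k in rows),
    }


def reconcile_conversion(old: Dict[str, Record], new: Dict[str, Record]) -> Dict[str, object]:
    """Compare totals and records of the old and converted files; return a report."""
    old_t, new_t = control_totals(old), control_totals(new)
    altered: Dict[str, Dict[str, Tuple[object, object]]] = {}
    for key in sorted(set(old) & set(new)):
        diffs = {f: (old[key][f], new[key][f]) for f in old[key] if old[key][f] != new[key][f]}
        if diffs:
            altered[key] = diffs
    return {
        "totals_match": old_t == new_t,
        "old_totals": old_t,
        "new_totals": new_t,
        "dropped": sorted(set(old) - set(new)),   # present in the old file only
        "added": sorted(set(new) - set(old)),     # present in the new file only
        "altered": altered,
    }


if __name__ == "__main__":
    rep = reconcile_conversion(load(OLD_FILE), load(NEW_FILE))
    for k, v in rep.items():
        print(f"{k}: {v}")
```

Run as a script it prints the report; with the constructed files both record counts are 4, yet the balance totals and hash totals differ, record 1004 is reported as dropped, 1005 as added and 1003 as altered. The hash total on the account number catches a key mis-keyed during conversion even when the count and financial total happen to agree.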
6. What is the purpose of the auditor's review of SDLC documentation? ANS: In reviewing the SDLC documentation, the auditor seeks to determine that completed projects now in use reflect compliance with SDLC policies, including:
• User and computer services management properly authorized the project.
• A preliminary feasibility study showed that the project had merit.
• A detailed analysis of user needs was conducted that resulted in alternative conceptual designs.
• A cost-benefit analysis was conducted using reasonably accurate figures.
• The detailed design was an appropriate and accurate solution to the user’s problem.
• Test results show that the system was thoroughly tested at both the individual module and the total system level before implementation. (To confirm these test results, the auditor may decide to retest selected elements of the application.)
• There is a checklist of specific problems detected during the conversion period, along with evidence that they were corrected in the maintenance phase.
• Systems documentation complies with organizational requirements and standards.
PTS: 1
7. Classify each of the following as either a one-time or a recurring cost:
training personnel
initial programming and testing
system design
hardware costs
software maintenance costs
site preparation
rent for facilities
data conversion from old system to new system
insurance costs
installation of original equipment
hardware upgrades
ANS:
training personnel: one-time
initial programming and testing: one-time
system design: one-time
hardware costs: one-time
software maintenance costs: recurring
site preparation: one-time
rent for facilities: recurring
data conversion from old system to new system: one-time
insurance costs: recurring
installation of original equipment: one-time
hardware upgrades: recurring
PTS: 1
8. Explain how application version numbers can be used as an audit tool for assessing program change controls. ANS: The SPLMS assigns a version number automatically to each program stored on the SPL. When programs are first placed in the libraries (at implementation), they are assigned version number zero. With each modification to the program, the version number is increased by one. This feature, when combined with audit trail reports, provides a basis for detecting unauthorized changes to the application program. An unauthorized change is signaled by a version number on the production load module that cannot be reconciled to the number of authorized changes. For example, if 10 changes were authorized but the production program is Version 11, then two possible control violations may have happened: (1) an authorized change occurred which for some reason went undocumented, or (2) an unauthorized change was made, which incremented the version number.
PTS: 1
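Worked example, added here and not part of the test bank or the textbook: a small Python reconciliation of the kind Short Answer 11, Short Answer 12 and Essay 8 describe. It takes a constructed list of authorized maintenance requests, a constructed SPL audit trail and the version numbers of the production load modules, and reports the exceptions an auditor would follow up: a version number that cannot be reconciled to the count of authorized changes, an audit-trail entry with no authorization behind it, an authorized change that never reached the library, and a maintenance command issued by a user outside the group permitted to use one. The record layouts, program names, user names, ticket identifiers and the set of permitted maintenance users are assumptions for the example; the version-zero-at-implementation convention is the one stated in the answer above.

```python
"""Reconcile source program library (SPL) version numbers and audit-trail
entries to authorized maintenance requests.

Added illustration, not code from the textbook or the test bank. Record
layouts, program names, user names, ticket identifiers and the set of users
permitted to issue maintenance commands are constructed for the example.
Convention taken from the text: a program enters the library at version 0 and
each modification increments the version by one, so after N authorized changes
the production load module should be at version N.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class ChangeAuthorization:
    ticket: str          # maintenance request approved by the user manager
    program: str
    approved_by: str


@dataclass(frozen=True)
class SplAuditEntry:
    program: str
    new_version: int         # version number assigned by the SPLMS after the change
    user: str                # account that issued the maintenance command
    ticket: Optional[str]    # None when the maintainer recorded no request


# Constructed sample data (assumptions for the example).
AUTHORIZATIONS = [
    ChangeAuthorization("CR-101", "AR_BILL", "mgr_ar"),
    ChangeAuthorization("CR-102", "AR_BILL", "mgr_ar"),
    ChangeAuthorization("CR-103", "PAYROLL", "mgr_hr"),
    ChangeAuthorization("CR-104", "GL_POST", "mgr_gl"),
]
SPL_AUDIT_TRAIL = [
    SplAuditEntry("AR_BILL", 1, "prog_ann", "CR-101"),
    SplAuditEntry("AR_BILL", 2, "prog_ann", "CR-102"),
    SplAuditEntry("AR_BILL", 3, "prog_bob", None),       # change with no request
    SplAuditEntry("PAYROLL", 1, "prog_bob", "CR-103"),
    SplAuditEntry("GL_POST", 1, "ops_dave", "CR-104"),   # operator, not a maintainer
]
PRODUCTION_VERSIONS = {"AR_BILL": 3, "PAYROLL": 1, "GL_POST": 1, "INV_UPD": 2}
MAINTENANCE_USERS = {"prog_ann", "prog_bob"}


def reconcile_versions(authorizations: Iterable[ChangeAuthorization],
                       audit_trail: Iterable[SplAuditEntry],
                       production_versions: Dict[str, int],
                       maintenance_users: Set[str]) -> Dict[str, List[str]]:
    """Return program -> list of exceptions; an empty list means reconciled."""
    authorized: Dict[str, Set[str]] = defaultdict(set)
    for a in authorizations:
        authorized[a.program].add(a.ticket)
    changes: Dict[str, List[SplAuditEntry]] = defaultdict(list)
    for e in audit_trail:
        changes[e.program].append(e)

    report: Dict[str, List[str]] = {}
    for prog in sorted(set(authorized) | set(changes) | set(production_versions)):
        issues: List[str] = []
        expected = len(authorized[prog])        # version expected after N approved changes
        actual = production_versions.get(prog)
        if actual is None:
            issues.append("no production load module found")
        elif actual > expected:
            issues.append(f"version {actual} exceeds {expected} authorized change(s): "
                          "undocumented or unauthorized modification")
        elif actual < expected:
            issues.append(f"version {actual} below {expected} authorized change(s): "
                          "authorized change not applied")
        seen: Set[str] = set()
        for e in sorted(changes[prog], key=lambda x: x.new_version):
            if e.user not in maintenance_users:
                issues.append(f"v{e.new_version} changed by {e.user}, "
                              "who lacks maintenance-command access")
            if e.ticket is None:
                issues.append(f"v{e.new_version} has no authorization ticket")
            elif e.ticket not in authorized[prog]:
                issues.append(f"v{e.new_version} cites unknown ticket {e.ticket}")
            else:
                seen.add(e.ticket)
        for t in sorted(authorized[prog] - seen):
            issues.append(f"authorized ticket {t} has no audit-trail entry")
        report[prog] = issues
    return report


if __name__ == "__main__":
    result = reconcile_versions(AUTHORIZATIONS, SPL_AUDIT_TRAIL,
                                PRODUCTION_VERSIONS, MAINTENANCE_USERS)
    for prog, issues in result.items():
        print(prog, "reconciled" if not issues else "")
        for line in issues:
            print("   ", line)
```

Run as a script it lists the exceptions per program: PAYROLL reconciles; AR_BILL is at version 3 against two authorizations and its third change carries no ticket; GL_POST reconciles on version count but the change was made by an operator account; INV_UPD is at version 2 with no authorizations at all. A version number equal to the count of authorizations is therefore necessary but not sufficient, which is why the per-entry checks on the audit trail are part of the same test.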
IT Auditing 4th Ed. —Test Bank, Chapter 6
Chapter 6— Transaction Processing and Financial Reporting Systems Overview TRUE/FALSE 1. Processing more transactions at a lower unit cost makes batch processing more efficient than real-time systems. ANS: T
PTS: 1
2. The process of acquiring raw materials is part of the conversion cycle. ANS: F
PTS: 1
3. Directing work-in-process through its various stages of manufacturing is part of the conversion cycle. ANS: T
PTS: 1
4. The portion of the monthly bill from a credit card company that the customer returns with the payment is an example of a turnaround document. ANS: T
PTS: 1
5. The general journal is used to record recurring transactions that are similar in nature. ANS: F
PTS: 1
6. Document flowcharts are used to represent systems at different levels of detail. ANS: F
PTS: 1
7. Data flow diagrams represent the physical system. ANS: F
PTS: 1
8. System flowcharts represent the input sources, programs, and output products of a computer system. ANS: T
PTS: 1
9. Program flowcharts are used to describe the logic represented in system flowcharts. ANS: T
PTS: 1
10. Batch processing systems can store data on direct access storage devices. ANS: T
PTS: 1
11. The box symbol represents a temporary file. ANS: F
PTS: 1
12. Auditors may prepare program flowcharts to verify the correctness of program logic. ANS: T
PTS: 1
13. A control account is a general ledger account which is supported by a subsidiary ledger. ANS: T
PTS: 1
14. Real time processing is used for routine transactions in large numbers. ANS: F
PTS: 1
15. An inverted triangle with the letter “N” represents a file in “name” order. ANS: F
PTS: 1
16. Real-time processing in systems that handle large volumes of transactions each day can create operational inefficiencies. ANS: T
PTS: 1
17. Operational inefficiencies occur because accounts common to many concurrent transactions need to be updated in real time. ANS: T
PTS: 1
18. The block code is the coding scheme most appropriate for a chart of accounts. ANS: T
PTS: 1
19. Sequential codes may be used to represent complex items or events involving two or more pieces of related data. ANS: F
PTS: 1
20. For a given field size, a system that uses alphabetic codes can represent far more situations than a system that uses numeric codes. ANS: T
PTS: 1
21. Mnemonic codes are appropriate for items in either an ascending or descending sequence, such as the numbering of checks or source documents. ANS: F
PTS: 1
22. The most common means of making entries in the general ledger is via the journal voucher. ANS: T
PTS: 1
23. Individuals with access authority to general ledger accounts should not prepare journal vouchers. ANS: T
PTS: 1
24. Each account in the chart of accounts has a separate record in the general ledger master file. ANS: T
PTS: 1
MULTIPLE CHOICE 1. Which system is not part of the expenditure cycle? a. cash disbursements b. payroll c. production planning/control d. purchases/accounts payable ANS: C
PTS: 1
2. Which system produces information used for inventory valuation, budgeting, cost control, performance reporting, and make-buy decisions? a. sales order processing b. purchases/accounts payable c. cash disbursements d. cost accounting ANS: D
PTS: 1
3. Which of the following is a turn-around document? a. remittance advice b. sales order c. purchase order d. payroll check ANS: A
PTS: 1
4. The order of the entries made in the general journal is by a. date b. account number c. user d. customer number ANS: A
PTS: 1
5. In general, a special journal would not be used to record a. sales b. cash disbursements c. depreciation d. purchases ANS: C
PTS: 1
6. A journal is used in manual accounting environments. What file is comparable to a journal in a computerized environment? a. archive file b. reference file c. transaction file d. master file ANS: A
PTS: 1
7. Data flow diagrams a. depict logical tasks that are being performed, but not who is performing them b. illustrate the relationship between processes, and the documents that flow between them and trigger activities c. represent relationships between key elements of the computer system d. describe in detail the logic of the process ANS: A
PTS: 1
8. System flowcharts a. depict logical tasks that are being performed, but not who is performing them b. illustrate the relationship between database entities in systems. c. represent relationships between key elements of both manual and computer systems. d. describe the internal logic of computer applications in systems. ANS: C
PTS: 1
9. In contrast to a batch processing system, in a real-time system a. a lag occurs between the time of the economic event and when the transaction is recorded b. relatively fewer hardware, programming, and training resources are required c. a lesser resource commitment per unit of output is required d. processing takes place when the economic event occurs ANS: D
PTS: 1
10. Both the revenue and the expenditure cycle can be viewed as having two key parts. These are a. manual and computerized b. physical and financial c. input and output d. batch and real-time ANS: B
PTS: 1
11. All of the following can provide evidence of an economic event except a. source document b. turn-around document c. master document d. product document ANS: C
PTS: 1
12. Which method of processing does not use the destructive update approach? a. batch processing using direct access files b. real-time processing c. batch processing using sequential files d. all of the above use the destructive update approach ANS: C
PTS: 1
13. Which symbol represents a manual operation? a. b. c. d. ANS: D
PTS: 1
14. Which symbol represents accounting records? a. b. c. d. ANS: A
PTS: 1
15. Which symbol represents a document? a. b. c. d. ANS: B
PTS: 1
16. Which symbol represents a decision? a. b. c. d. ANS: A
PTS: 1
17. A file that stores data used as a standard when processing transactions is a. a reference file b. a master file c. a transaction file d. an archive file ANS: A
PTS: 1
18. Sequential storage means a. data is stored on tape b. access is achieved through an index c. access is direct d. reading record 100 requires first reading records 1 to 99 ANS: D
PTS: 1
19. Real-time processing would be most beneficial in handling a firm’s a. fixed asset records b. retained earnings information c. merchandise inventory d. depreciation records ANS: C
PTS: 1
20. Which accounting application is least suited to batch processing? a. general ledger b. vendor payments c. sales order processing d. payroll ANS: C
PTS: 1
21. Operational inefficiencies occur because a. accounts both common and unique to many concurrent transactions need to be updated in real time. b. accounts common to many concurrent transactions need to be updated in real time. c. accounts unique to many concurrent transactions need to be updated in real time. d. None of the above are true statements ANS: B
PTS: 1
22. The coding scheme most appropriate for a chart of accounts is a. sequential code b. block code c. group code d. mnemonic code ANS: B
PTS: 1
23. The most important advantage of sequential coding is that a. missing or unrecorded documents can be identified b. the code itself lacks informational content c. items cannot be inserted d. deletions affect the sequence ANS: A
PTS: 1
24. When a firm wants its coding system to convey meaning without reference to any other document, it would choose a. an alphabetic code b. a mnemonic code c. a group code d. a block code ANS: B
PTS: 1
25. The most important advantage of an alphabetic code is that a. meaning is readily conveyed to users b. sorting is simplified c. the capacity to represent items is increased d. missing documents can be identified ANS: C
PTS: 1
26. Which statement is not true? a. The journal voucher is the only source of input into the general ledger. b. A journal voucher can be used to represent summaries of similar transactions or a single unique transaction. c. Journal vouchers are not used to make adjusting entries and closing entries in the general ledger. d. Journal vouchers offer a degree of control against unauthorized general ledger entries. ANS: C
PTS: 1
27. What type of data is found in the general ledger master file? a. a chronological record of all transactions b. the balance of each account in the chart of accounts c. budget records for each account in the chart of accounts d. subsidiary details supporting a control account ANS: B
PTS: 1
28. Which report is not an output of the Financial Reporting System (FRS)? a. variance analysis report b. statement of cash flows c. tax return d. comparative balance sheet ANS: A
PTS: 1
29. Risk exposures in the General Ledger and Financial Reporting Systems include all of the following except a. loss of the audit trail b. unauthorized access to the general ledger c. loss of physical assets d. general ledger account out of balance with the subsidiary account ANS: C
PTS: 1
30. Which situation indicates an internal control risk in the General Ledger/Financial Reporting Systems (GL/FRS)? a. the employee who maintains the cash journal computes depreciation expense b. the cash receipts journal voucher is approved by the Treasurer c. the cash receipts journal vouchers are prenumbered and stored in a locked safe d. the employee who maintains the cash receipts journal records transactions in the accounts receivable subsidiary ledger ANS: D
PTS: 1
31. With a limited work force and a desire to maintain strong internal control, which combination of duties performed by a single individual presents the least risk exposure? a. maintaining the inventory ledger and recording the inventory journal voucher in the general ledger b. recording the inventory journal voucher in the general ledger and maintaining custody of inventory c. maintaining the cash disbursements journal and recording direct labor costs applied to specific jobs d. preparing the accounts payable journal voucher and recording it in the general ledger ANS: C
PTS: 1
32. XBRL a. is the basic protocol that permits communication between Internet sites. b. controls Web browsers that access the Web. c. is the document format used to produce Web pages. d. was designed to provide the financial community with a standardized method for preparing e. is a low-level encryption scheme used to secure transmissions in higher-level (HTTP) format. ANS: D
PTS: 1
SHORT ANSWER 1. List two of the three transaction cycles. ANS: expenditure cycle, conversion cycle, revenue cycle
PTS: 1
2. Documents that are created at the beginning of the transaction are called __________________________. ANS: source documents
PTS: 1
3. ______________________________________ are the two data processing approaches used in modern systems. ANS: Batch processing and real-time processing
PTS: 1
4. Give a specific example of a turn-around document. ANS: credit card, electricity, water, or telephone bill, etc.
PTS: 1
5. Explain when it is appropriate to use special journals. ANS: Special journals are used to record large volumes of recurring transactions that are similar in nature.
PTS: 1
6. What are the subsystems of the revenue cycle? ANS: sales order processing, cash receipts
PTS: 1
7. What are the subsystems of the expenditure cycle? ANS: purchasing, cash disbursements, payroll, fixed asset system
PTS: 1
8. Name four documentation techniques. ANS: entity-relationship diagrams, data flow diagrams, system flowcharts, program flowcharts
PTS: 1
9. Why is the audit trail important? ANS: The audit trail is used to track transactions from the source document to the financial statements and vice versa. Accountants use the audit trail to correct errors, answer queries, and perform audits.
PTS: 1
10. Only four symbols are used in data flow diagrams. What are they? ANS: process, data store, data flow, entity
PTS: 1
11. Which documentation technique depicts data relationships in databases? ANS: Entity relationship diagram
PTS: 1
12. In one sentence, what does updating a master file record involve? ANS: Updating a master file record involves changing the value of one or more of its variable fields to reflect the effects of a transaction.
PTS: 1
13. What is destructive update? ANS: Destructive update involves replacing an old data value with a new value and thus destroying the original.
PTS: 1
14. List, in order, the steps in the Financial Accounting Process. ANS: 1. Capture the transaction on source documents. 2. Record in special journals. 3. Post to subsidiary ledger. 4. Post to general ledger (using journal vouchers). 5. Prepare the unadjusted trial balance. 6. Make adjusting entries. 7. Journalize and post adjusting entries. 8. Prepare adjusted trial balance. 9. Prepare financial statements. 10. Journalize and post closing entries. 11. Prepare the post-closing trial balance.
PTS: 1
15. List two duties that the general ledger clerk should not perform. ANS: make entries in special journals or subsidiary ledgers; prepare journal vouchers; maintain custody of physical assets
PTS: 1
16. Explain the purpose and contents of the general ledger master file. ANS: The general ledger master file is the main file on the general ledger database. It is based on the firm’s chart of accounts. Each record is either a general ledger account (e.g., sales) or a control account (e.g., the accounts payable control) for one of the subsidiary ledgers. The general ledger master file contains the following for each account: the account number, description, account class (e.g., asset), the normal balance (debit or credit), beginning balance, total debits for period, total credits for period, and current balance.
PTS: 1
17. What is XML? ANS: XML (eXtensible Markup Language) is a meta-language for describing markup languages. The term extensible means that any markup language can be created using XML. This includes the creation of markup languages capable of storing data in relational form, where tags (formatting commands) are mapped to data values.
PTS: 1
18. Why do many firms no longer use a general journal? What has taken its place? ANS: Many firms have replaced a traditional general journal with a journal voucher system. Each entry is documented on a prenumbered journal voucher which contains additional information, such as authorization, which enhances control. A voucher may contain information on a number of related transactions.
PTS: 1
19. What are the major exposures in the general ledger/financial reporting system? ANS: The primary exposures are: a defective or lost audit trail, unauthorized access, GL accounts out of balance with subsidiary ledger accounts, and incorrect account balances due to unauthorized or incorrect entries.
PTS: 1
20. Why is the audit trail necessary? ANS: The audit trail is needed for several reasons: to provide the ability to answer inquiries from customers and suppliers, to reconstruct files if lost, to provide historical data to auditors, to satisfy government regulations, and for error control.
PTS: 1
ESSAY 1. Describe the key activities in the revenue, conversion, and expenditure cycles. ANS: Revenue cycle: Sales order processing involves preparation of sales orders, credit granting, shipment and billing. Cash receipts collects cash and makes bank deposits. Conversion cycle: Production system involves planning, scheduling, and control of the manufacturing process. Cost accounting system monitors the flow of cost information related to production. Expenditure cycle: Purchases/accounts payable involves the acquisition of physical inventory. Cash disbursements authorizes payment and disburses funds. Payroll monitors labor usage and disburses paychecks to employees.
PTS: 1
2. Categorize each of the following activities into the expenditure, conversion or revenue cycles and identify the applicable subsystem. a. Preparing the weekly payroll for manufacturing personnel. b. Releasing raw materials for use in the manufacturing cycle. c. Recording the receipt of payment for goods sold. d. Recording the order placed by a customer. e. Ordering raw materials. f. Determining the amount of raw materials to order. ANS: a. Expenditure cycle-payroll subsystem. b. Conversion cycle-production system subsystem. c. Revenue cycle-cash receipts subsystem. d. Revenue cycle-sales order processing subsystem. e. Expenditure cycle-purchases subsystem. f. Conversion cycle-production subsystem.
PTS: 1
3. What does an entity-relationship diagram represent? Why do accountants need to understand them? ANS: Entity relationship diagrams represent the relationship between entities in a system. An entity is either 1) a resource (such as cash or inventory), 2) an event (such as a sale or a receipt of cash), or 3) an agent (such as a customer or vendor). ERDs represent the relationship between entities graphically. ERDs are used in the design of databases.
PTS: 1
4. Time lag is one characteristic used to distinguish between batch and real-time systems. Explain. Give an example of when each is a realistic choice. ANS: Batch processing collects similar transactions into groups (batches) and processes them all at once. Hence, affected files are up to date immediately after the update, but can be expected to be out of date until the next run. Hence, there is a time lag between the event and its recording in the system. A payroll system is often handled with batch processing since it must be up to date at fixed time periods and need not be modified between pay dates. Real-time systems process each transaction as it occurs and files are always up to date; there is no time lag. This is preferred when there may be a need to query the system for the status of transactions. A sales order processing system would benefit from real-time processing. Hence, customer questions could be answered easily, without waiting for the next update (as would be required if the system was batch).
PTS: 1
5. The revenue cycle has two subsystems. What are they and what occurs within each? ANS: The two subsystems of the revenue cycle are sales order processing and cash receipts. In the sales order processing subsystem, the sales order is processed, credit granted, goods are shipped, customer is billed, and related files updated (sales, accounts receivable, inventory, etc.). In the cash receipts subsystem, cash is collected and deposited in the bank and files updated (cash, accounts receivable, etc.).
PTS: 1
6. Give a brief description of each of the following documentation techniques: systems flowchart, and program flowchart. ANS: System flowcharts portray the relationships between source data, transaction files, computer programs, master files, and output, including the form or type of media of each. Program flowcharts represent the logic of a particular program. Each step is represented by a separate symbol, each of which represents one or more lines of computer instructions. The order of the steps is represented by the flow lines.
PTS: 1
7. Give an example of how cardinality relates to business policy. ANS: Cardinality reflects normal business rules as well as organizational policy. For instance, the 1:1 cardinality between the entities “Salesperson” and “Company Car” suggests that each salesperson in the organization is assigned one company car. If instead the organization’s policy were to assign a single automobile to one or more salespersons who share it, this policy would be reflected by a 1:M relationship.
PTS: 1
8. For what purpose are ER diagrams used? ANS: An entity relationship (ER) diagram is a documentation technique used to represent the relationship between entities. One common use for ER diagrams is to model an organization’s database.
PTS: 1
9. With regard to an entity relationship diagram, what is an entity? ANS: Entities are physical resources (automobiles, cash, or inventory), events (ordering inventory, receiving cash, shipping goods) and agents (salesperson, customer, or vendor) about which the organization wishes to capture data.
PTS: 1
10. Is a DFD an effective documentation technique for identifying who or what performs a particular task? Explain. ANS: No. A DFD shows which tasks are being performed, but not who performs them. It depicts the logical system.
PTS: 1
11. Is a flowchart an effective documentation technique for identifying who or what performs a particular task? Explain. ANS: Yes. A flowchart depicts the physical system and illustrates who, what, and where a task is performed.
PTS: 1
12. How may batch processing be used to improve operational efficiency? ANS: A single transaction may affect several different accounts. Some of these accounts, however, may not need to be updated in real time. In fact, the task of doing so takes time which, when multiplied by hundreds or thousands of transactions, can cause significant processing delays. Batch processing of non-critical accounts, however, improves operational efficiency by eliminating unnecessary activities at critical points in the process.
PTS: 1
13. If an organization processes large numbers of transactions that use common data records, what type of system would work best (all else being equal)? ANS: Large-scale systems that process high volumes of transactions often use real-time data collection and batch updating. Master file records that are unique to a transaction, such as customer accounts and individual inventory records, can be updated in real time without causing operational delays. Common accounts should be updated in batch mode. Real-time processing is better suited to systems that process lower transaction volumes and those that do not share common records.
PTS: 1
14. Why might an auditor use a program flowchart? ANS: When testing an application program, the auditor needs details about its internal logic, provided by the program flowchart, to design the audit tests.
PTS: 1
15. How are computer system flowcharts and program flowcharts related? ANS: The system flowchart shows the relationship between two computer programs, the files that they use, and the outputs that they produce. However, this level of documentation does not provide the operational details that are sometimes needed. An auditor wishing to assess the correctness of a program’s logic cannot do so from the system flowchart. A program flowchart provides this detail. Every program represented in a system flowchart should have a supporting program flowchart that describes its logic.
PTS: 1
16. What are the key distinguishing features of legacy systems? ANS: Legacy systems tend to have the following distinguishing features: they are mainframe-based applications; they tend to be batch oriented; early legacy systems use flat files for data storage, while hierarchical and network databases are often associated with later-era legacy systems. These highly structured and inflexible storage systems promote a single-user environment that discourages information integration within business organizations.
PTS: 1
17. What information is provided by a record layout diagram? ANS: Record layout diagrams are used to reveal the internal structure of the records that constitute a file or database table. The layout diagram usually shows the name, data type, and length of each attribute (or field) in the record.
PTS: 1
18. How is backup of database files accomplished? ANS: The destructive update approach leaves no backup copy of the original master file. Only the current value is available to the user. To preserve adequate accounting records in case the current master becomes damaged or corrupted, separate backup procedures must be implemented. Prior to each batch update or periodically (for example, every 15 minutes), the master file being updated is copied to create a backup version of the original file. Should the current master be destroyed after the update process, reconstruction is possible in two stages. First, a special recovery program uses the backup file to create a pre-update version of the master file. Second, the file update process is repeated using the previous batch of transactions to restore the master to its current condition. Because of the potential risk to accounting records, accountants are naturally concerned about the adequacy of all backup procedures.
PTS: 1
19. What are the reasons companies use coding schemes in their accounting information systems? ANS: Companies use coding schemes in their AISs because codes concisely represent large amounts of complex information that would otherwise be unmanageable. They also provide a means of accountability over the completeness of the transactions processed and identify unique transactions and accounts within a file. In addition, coding supports the audit function by providing an effective audit trail.
PTS: 1
20. Compare and contrast the relative advantages and disadvantages of sequential, block, group, alphabetic and mnemonic codes. ANS: Sequential codes are appropriate for items in either an ascending or descending sequence, such as the numbering of checks or source documents. An advantage is that during batch processing, any gap detected in the sequence is a signal that a transaction may be missing. A disadvantage is that the codes carry little, if any, information other than the sequence order. Another disadvantage is that sequential codes are difficult to manage when items need to be added; the sequence needs either to be reordered or the items must be added to the end of the list. Block codes provide some remedies to sequential codes by restricting each class to a pre-specified range. The first digit typically represents a class, whereas the following digits are sequential items which may be spaced in intervals in case of future additions. An example of block coding is a chart of accounts. A disadvantage of block coding is that the information content does not provide much meaning, i.e., an account number only means something if the chart of accounts is known. Group codes may be used to represent complex items or events involving two or more pieces of related data. The code is comprised of fields which possess specific meaning. The advantages of group codes over sequential and block codes are 1) they facilitate the representation of large amounts of diverse data, 2) they allow complex data structures to be represented in a hierarchical form that is logical and thus more easily remembered by humans, and 3) they permit detailed analysis and reporting both within an item class and across different classes of items. A disadvantage is that the codes may be overused to link classes which do not need to be linked, thus creating a more complex coding system than is necessary. Alphabetic codes may be used sequentially or in block or group codes. An advantage is that a system which uses alphabetic codes can represent far more situations than a system with numeric codes given a specific field size. Some disadvantages are that sequentially assigned codes mostly have little meaning. Also, humans typically find alphabetic codes more difficult to sort than numeric data. Lastly, mnemonic codes are alphabetic characters in the form of acronyms, abbreviations or other combinations that convey meaning. The meaning aspect is its advantage. A disadvantage of mnemonic codes is that they are limited in their ability to represent items within a class, e.g., the names of all of American Express's customers.
PTS: 1
21. List and explain the six basic files in the general ledger database. ANS: The general ledger master file is the main file on the general ledger database. It is based on the firm’s chart of accounts. Each record is either a separate general ledger account (e.g., sales) or a control account (e.g., the accounts payable control) for one of the subsidiary ledgers. The general ledger history file contains the same information for prior periods. The journal voucher file contains all of the journal vouchers processed in the current period. The journal voucher history file contains journal vouchers for past periods. The responsibility center file contains the revenues, expenses, and other data for individual responsibility centers. The budget master file contains budgeted amounts for responsibility centers. PTS: 1
22. Discuss the primary advantage of XBRL over traditional HTML as a means of on-line reporting of financial information to users. ANS: Online reporting of financial data has become a competitive necessity for publicly traded organizations. Currently, most organizations accomplish this by placing their financial statements and other financial reports on their respective Web sites as HTML (Hyper Text Markup Language) documents. These documents can then be downloaded by users such as the SEC, financial analysts, and other interested parties. The HTML reports, however, cannot be conveniently processed through IT automation. Performing any analysis on the data contained in the reports requires them to be manually entered into the user’s information system. The solution to this problem is eXtensible Business Reporting Language (XBRL), which is the Internet standard specifically designed for business reporting and information exchange. The objective of XBRL is to facilitate the publication, exchange, and processing of financial and business information. XBRL documents can thus be downloaded, interpreted, and analyzed using computer software with no additional manual data input necessary. PTS: 1
IT Audit 4th Ed—Test Bank, Chapter 7
Chapter 7—Computer-Assisted Audit Tools and Techniques TRUE/FALSE 1. The three groups of application controls are batch controls, run-to-run controls, and audit trail controls. ANS: F
PTS: 1
2. A reasonableness check determines if a value in one field is reasonable when considered along with data in other fields of the record. ANS: T
PTS: 1
3. A truncation error is a form of transcription error. ANS: T
PTS: 1
4. A check digit is a method of detecting data coding errors. ANS: T
PTS: 1
5. Input controls are intended to detect errors in transaction data after processing. ANS: F
PTS: 1
6. The black box approach to testing computer applications allows the auditor to explicitly review program logic. ANS: F
PTS: 1
7. The black box approach to testing computer applications requires a detailed knowledge of the program logic being tested. ANS: F
PTS: 1
8. A run-to-run control is an example of an output control. ANS: F
PTS: 1
9. Shredding computer printouts is an example of an output control. ANS: T
PTS: 1
10. In a computerized environment, all input controls are implemented after data is input. ANS: F
PTS: 1
11. Achieving batch control objectives requires grouping similar types of input transactions (such as sales orders) together in batches and then controlling the batches throughout data processing. ANS: T
PTS: 1
12. The white box tests of program controls are also known as auditing through the computer. ANS: T
PTS: 1
13. Incorrectly recording sales order number 123456 as 124356 is an example of a transcription error. ANS: F
PTS: 1
14. When using the test data method, the presence of multiple error messages indicates a flaw in the preparation of test transactions. ANS: F
PTS: 1
15. The base case system evaluation is a variation of the test data method. ANS: T
PTS: 1
16. Tracing is a method used to verify the logical operations executed by a computer application. ANS: T
PTS: 1
17. The results of a parallel simulation are compared to the results of a production run in order to judge the quality of the application processes and controls. ANS: T
PTS: 1
18. Input controls are programmed procedures that perform tests on master file data to ensure they are free from errors. ANS: F
PTS: 1
19. The integrated test facility (ITF) is an automated approach that permits auditors to test an application's logic and controls during its normal operation. ANS: T
PTS: 1
20. Use of the integrated test facility poses no threat to organizational data files. ANS: F
PTS: 1
21. Spooling is a form of processing control. ANS: F
PTS: 1
22. A salami fraud affects a large number of victims, but the harm to each appears to be very small. ANS: T
PTS: 1
23. An input control that tests time card records to verify that no employee has worked more than 50 hours in a pay period is an example of a range test. ANS: F
PTS: 1
24. The black box approach to testing computer program controls is also known as auditing around the computer. ANS: T
PTS: 1
MULTIPLE CHOICE 1. Which statement is not correct? The audit trail in a computerized environment a. consists of records that are stored sequentially in an audit file b. traces transactions from their source to their final disposition c. is a function of the quality and integrity of the application programs d. may take the form of pointers, indexes, and embedded keys ANS: A
PTS: 1
2. All of the following concepts are associated with the black box approach to auditing computer applications except a. the application need not be removed from service and tested directly b. auditors do not rely on a detailed knowledge of the application's internal logic c. the auditor reconciles previously produced output results with production input transactions d. this approach is used for complex transactions that receive input from many sources ANS: D
PTS: 1
3. Which test is not an example of a white box test? a. determining the fair value of inventory b. ensuring that passwords are valid c. verifying that all pay rates are within a specified range d. reconciling control totals ANS: A
PTS: 1
4. When analyzing the results of the test data method, the auditor would spend the least amount of time reviewing a. the test transactions b. error reports c. updated master files d. output reports ANS: A
PTS: 1
5. All of the following are advantages of the test data technique except a. auditors need minimal computer expertise to use this method b. this method causes minimal disruption to the firm's operations c. the test data is easily compiled d. the auditor obtains explicit evidence concerning application functions ANS: C
PTS: 1
6. All of the following are disadvantages of the test data technique except a. the test data technique requires extensive computer expertise on the part of the auditor b. the auditor cannot be sure that the application being tested is a copy of the current application used by computer services personnel c. the auditor cannot be sure that the application being tested is the same application used throughout the entire year d. preparation of the test data is time-consuming ANS: A
PTS: 1
7. Recalculation of hash totals is an example of a a. completeness test b. redundancy test c. both a. and b. d. neither a. nor b. ANS: C
PTS: 1
8. The correct purchase order number is 123456. All of the following are transcription errors except a. 1234567 b. 12345 c. 124356 d. 123454 ANS: C
PTS: 1
9. Which of the following is correct? a. Check digits should be used for all data codes. b. Check digits are always placed at the end of a data code. c. Check digits do not affect processing efficiency. d. Check digits are designed to detect transcription and transposition errors. ANS: D
PTS: 1
10. Which of the following does not influence the length of time a hard copy report is retained? a. Statutory requirements. b. The number of copies in existence. c. The number of pages of the report. d. All of these factors influence the length of time a hard copy report is retained. ANS: C
PTS: 1
11. An example of a hash total is a. total payroll checks–$12,315 b. total number of employees–10 c. sum of the social security numbers–12,555,437,251 d. none of the above ANS: C
PTS: 1
12. Which statement is not true? A batch control record a. contains a transaction code b. records the record count c. contains a hash total d. control figures in the record may be adjusted during processing e. All the above are true ANS: E
PTS: 1
13. Which of the following is not an example of a processing control? a. hash total. b. record count. c. batch total. d. check digit ANS: D
PTS: 1
14. Which of the following is an example of an input control test? a. sequence check b. zero value check c. spooling check d. range check ANS: D
PTS: 1
15. Which input control check would detect a payment made to a nonexistent vendor? a. missing data check b. numeric/alphabetic check c. range check d. validity check ANS: D
PTS: 1
16. Which input control check would detect a posting to the wrong customer account? a. missing data check b. check digit c. reasonableness check d. validity check ANS: B
PTS: 1
17. The employee entered "40" in the "hours worked per day" field. Which check would detect this unintentional error? a. numeric/alphabetic data check b. sign check c. limit check d. missing data check ANS: C
PTS: 1
18. An inventory record indicates that 12 items of a specific product are on hand. A customer purchased two of the items, but when recording the order, the data entry clerk mistakenly entered 20 items sold. Which check could detect this error? a. numeric/alphabetic data checks b. limit check c. range check d. reasonableness check ANS: B
PTS: 1
19. Which check is not an input control? a. reasonableness check b. validity check. c. spooling check d. missing data check ANS: C
PTS: 1
20. A computer operator was in a hurry and accidentally used the wrong master file to process a transaction file. As a result, the accounts receivable master file was erased. Which control would prevent this from happening? a. header label check b. expiration date check c. version check d. validity check ANS: A
PTS: 1
21. Run-to-run control totals can be used for all of the following except a. to ensure that all data input is validated b. to ensure that only transactions of a similar type are being processed c. to ensure the records are in sequence and are not missing d. to ensure that no transaction is omitted ANS: A
PTS: 1
22. Methods used to maintain an audit trail in a computerized environment include all of the following except a. transaction logs b. transaction listings c. data encryption d. log of automatic transactions ANS: C
PTS: 1
23. Risk exposures associated with creating an output file as an intermediate step in the printing process (spooling) include all of the following actions by a computer criminal except a. gaining access to the output file and changing critical data values b. using a remote printer and incurring operating inefficiencies c. making a copy of the output file and using the copy to produce illegal output reports d. printing an extra hardcopy of the output file ANS: B
PTS: 1
24. Which statement is not correct? a. Only successful transactions are recorded on a transaction log. b. Unsuccessful transactions are recorded in an error file. c. A transaction log is a temporary file. d. A hardcopy transaction listing is provided to users. ANS: C
PTS: 1
25. Input controls include all of the following except a. check digits b. limit check c. spooling check d. missing data check ANS: C
PTS: 1
26. Which of the following is an example of an input error correction technique? a. immediate correction b. rejection of batch c. creation of error file d. all are examples of input error correction techniques ANS: D
PTS: 1
27. All of the following statements are true about the integrated test facility (ITF) except a. production reports are affected by ITF transactions b. ITF databases contain "dummy" records integrated with legitimate records c. ITF permits ongoing application auditing d. ITF does not disrupt operations or require the intervention of computer services personnel ANS: C
PTS: 1
28. Which of the following is an input control? a. Reasonableness check b. Run-to-run check c. Spooling check d. Batch check e. None are input controls ANS: A
PTS: 1
29. Which of the following is not an input control? a. Range check b. Limit check c. Spooling check d. Validity check e. They are all input controls ANS: C
PTS: 1
30. When auditors do not rely on a detailed knowledge of the application's internal logic, they are performing a. black box tests of program controls b. white box tests of program controls c. substantive testing d. intuitive testing ANS: A
PTS: 1
SHORT ANSWER 1. The firm allows no more than 10 hours of overtime a week. An employee entered “15” in the field. Which control will detect this error? ANS: Limit check PTS: 1 2. The password was “CANARY”; the employee entered “CAANARY.” Which control will detect this error? ANS: Validity check PTS: 1 3. The order entry system will allow a 10 percent variation in list price. For example, an item with a list price of $1 could be sold for 90 cents or $1.10 without any system interference. The cost of the item is $3, but the cashier entered $2. Which control would detect this error? ANS: Range check PTS: 1
4. What are the three broad categories of application controls? ANS: input, processing, and output controls PTS: 1
5. How does privacy relate to output control? ANS: If the privacy of certain types of output, e.g., sensitive information about clients or customers, is violated, a firm could be legally exposed. PTS: 1
6. What are the three categories of processing control? ANS: Batch controls, run-to-run controls, and audit trail controls. PTS: 1
7. What control issue is related to reentering corrected error records into a batch processing system? What are the two methods for doing this? ANS: Errors detected during processing require careful handling, since these records may already be partially processed. Simply resubmitting the corrected records at the data input stage may result in processing portions of these transactions twice. Two methods are: (1) reverse the effects of the partially processed transactions and resubmit the corrected records to the data input stage; (2) reinsert the corrected records into the processing stage at which the error was detected. PTS: 1 8. Output controls ensure that output is not lost, misdirected, or corrupted and that privacy is not violated. What are some output exposures or situations where output is at risk? ANS: output spooling, delayed printing, waste, report distribution PTS: 1
9. Name four input controls and describe what they test. ANS: 1. numeric-alphabetic checks look for the correct type of character content in a field, numbers or letters; 2. limit checks verify that values are within preset limits; 3. range checks verify that values fall within an acceptable range; 4. a reasonableness check determines if a value in one field, which has already passed a limit check and a range check, is reasonable when considered along with data in other fields of the record. PTS: 1
10. A __________________________ fraud affects a large number of victims but the harm to each appears to be very small. ANS: salami PTS: 1
11. Give one example of an error that is detected by a check digit control. ANS: Check digits can effectively be used to determine that all of the numbers in a numeric data stream were entered. This method involves adding up the numbers in the data stream in order to determine the check digit. Consider the following number, 789. The check digit would be: 7 + 8 + 9 = 24, which reduces to 6. If a 7, an 8, and a 9 are not entered, then chances are that the check digit will be incorrect. This method will not detect a transposition error. For example, if 879 were entered, the check digit would still be 6. PTS: 1
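As an added example (not from the test bank), the additive check digit from the answer above, implemented next to a weighted modulus-11 check digit, a standard alternative included here to show why the additive scheme lets the 879 transposition through and what positional weighting changes. The mis-keyed entries for 789 are constructed, and the weighted scheme is not part of the original answer.

```python
# Added example, not from the textbook: the additive check digit from the
# answer above (789 -> 7 + 8 + 9 = 24 -> 6) next to a weighted modulus-11
# check digit, a standard alternative used here to show why the additive
# scheme misses transpositions. The error entries are constructed for code 789.
from typing import Callable, Dict, Iterable

CheckScheme = Callable[[str], str]


def additive_check_digit(code: str) -> str:
    """Sum the digits and reduce the sum to a single digit (789 -> 24 -> 6)."""
    total = sum(int(d) for d in code)
    while total >= 10:
        total = sum(int(d) for d in str(total))
    return str(total)


def weighted_check_digit(code: str) -> str:
    """Weighted modulus-11 check digit (ISBN-10 style): weights 2, 3, 4, ...
    applied from the rightmost digit. Because adjacent positions carry
    different weights, swapping two digits changes the sum; because every
    weight is coprime to 11, changing one digit changes it as well."""
    total = sum(int(d) * w for d, w in zip(reversed(code), range(2, len(code) + 2)))
    remainder = (11 - total % 11) % 11
    return "X" if remainder == 10 else str(remainder)


def with_check_digit(code: str, scheme: CheckScheme) -> str:
    """Attach the check digit to the end of the data code."""
    return code + scheme(code)


def verify(coded: str, scheme: CheckScheme, data_length: int) -> bool:
    """Input control: recompute the check digit from the data digits and
    compare it with the one keyed in. A fixed code length is part of the
    control; the arithmetic alone does not reliably catch added or dropped
    digits (789 and 78 both reduce to 6 under the additive scheme)."""
    data, check = coded[:-1], coded[-1:]
    if len(data) != data_length or not data.isdigit():
        return False
    return scheme(data) == check


def detection_table(correct: str, entries: Iterable[str], scheme: CheckScheme) -> Dict[str, bool]:
    """For each mis-keyed entry (keyed together with the correct code's check
    digit), report whether the control flags it. Returns {entry: detected}."""
    check = scheme(correct)
    return {entry: not verify(entry + check, scheme, len(correct)) for entry in entries}


# Constructed mis-keyings of the answer's code 789, by error type.
MISKEYED = {
    "879": "single transposition (adjacent digits reversed)",
    "987": "multiple transposition (non-adjacent digits reversed)",
    "889": "substitution",
    "78": "truncation",
    "7890": "addition",
}

if __name__ == "__main__":
    for name, scheme in (("additive", additive_check_digit), ("weighted mod 11", weighted_check_digit)):
        print(f"{name}: 789 -> {with_check_digit('789', scheme)}")
        for entry, detected in detection_table("789", MISKEYED, scheme).items():
            print(f"  {entry:>5}  {MISKEYED[entry]:<52} {'detected' if detected else 'MISSED'}")
```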
12. Auditors do not rely on detailed knowledge of the application's internal logic when they use the __________________________ approach to auditing computer applications. ANS: black box or audit around the computer PTS: 1 13. Describe parallel simulation. ANS: The auditor writes a program that simulates the application under review. The simulation is used to reprocess production transactions that were previously processed by the production application. The results of the simulation are compared to the results of the original production run. PTS: 1 14. What is meant by auditing around the computer versus auditing through the computer? Why is this so important? ANS: Auditing around the computer involves black box testing in which the auditors do not rely on a detailed knowledge of the application's internal logic. Input is reconciled with corresponding output. Auditing through the computer involves obtaining an in-depth understanding of the internal logic of the computer application. As transactions become increasingly automated, the inputs and outputs may become decreasingly visible. Thus, the importance of understanding the programming components of the system is crucial. PTS: 1
15. Classify each of the following as a field, record, or file interrogation: a. Limit check b. Validity check c. Version check d. Missing data check e. Sign checks f. Expiration date check g. Numeric-alphabetic data check h. Sequence check i. Zero-value check j. Header label check k. Range check l. Reasonableness check ANS: a. field b. field c. file d. file e. record f. file g. field h. record i. field j. file k. field l. record PTS: 1 16. If all of the inputs have been validated before processing, then what purpose do run-to-run controls serve? ANS: The run-to-run control is a control device to ensure that no records are lost, unprocessed, or processed more than once for each of the computer runs (processes) that the records must flow through. PTS: 1 17. Explain input controls. ANS: Input controls are programmed procedures (routines) that perform tests on transaction data to ensure they are free from errors. PTS: 1
18. Name three types of transcription errors. ANS: 1. Addition errors occur when an extra digit or character is added to the code. For example, inventory item number 83276 is recorded as 832766. 2. Truncation errors occur when a digit or character is removed from the end of a code. In this type of error, the inventory item above would be recorded as 8327. 3. Substitution errors are the replacement of one digit in a code with another. For example, code number 83276 is recorded as 83266. PTS: 1 19. Describe two types of transposition errors. ANS: 1. Single transposition errors occur when two adjacent digits are reversed. For instance, 83276 is recorded as 38276. 2. Multiple transposition errors occur when nonadjacent digits are transposed. For example, 83276 is recorded as 87236. PTS: 1 ESSAY 1. Discuss the three categories of input controls. ANS: Field interrogation involves programmed procedures that examine the characteristics of the data in the field and include check digits, missing data checks, numeric-alphabetic checks, limit checks, range checks and validity checks. Record interrogation procedures validate the entire record by examining the interrelationship of its field values and include reasonableness checks, sign checks and sequence checks. File interrogation is used to ensure the correct file is being processed by the system and includes internal and external label checks and version checks. PTS: 1 2. Explain the three methods used to correct errors in data entry. ANS: Correct immediately. In the direct data validation approach, error detection and correction take place during data entry. When an error or illogical relationship is entered, the system should halt the data entry procedure until the error is corrected. Create an error file. In the delayed data validation approach, errors are flagged and placed in an error file.
Records with errors will not be processed until the error is investigated and corrected.
Reject the batch. Some errors are associated with the entire batch and are not attributable to individual records. An example of this is a control total that does not balance. The entire batch is placed in the error file and will be reprocessed when the error is corrected. PTS: 1 3. The presence of an audit trail is critical to the integrity of the accounting information system. Discuss three of the techniques used to preserve the audit trail. ANS: Transaction logs list all transactions successfully processed by the system and serve as journals, permanent records. Transactions that were not processed successfully should be recorded in an error file. Logs and listings of automatic transactions should be produced for transactions received or initiated internally by the system. Unique transaction identifiers should be attached to each transaction processed. Error listings should document all errors and be sent to appropriate users to support error correction. PTS: 1 4. Define each of the following input controls and give an example of how they may be used: a. Missing data check b. Numeric/alphabetic data check c. Limit check d. Range check e. Reasonableness check f. Validity check ANS: Missing data check is useful because some programming languages are restrictive as to the justification (right or left) of data within the field. If data are not properly justified or if a character is missing (has been replaced with a blank), the value in the field will be improperly processed. For example, the presence of blanks in a numeric data field may cause a system failure. When the control routine detects a blank where it expects to see a data value, the error is flagged. A numeric-alphabetic check control identifies when data in a particular field are in the wrong form. For example, a customer’s account balance should not contain alphabetic data and the presence of it will cause a data processing error.
Therefore, if alphabetic data are detected, the error record flag is set. Limit checks are used to identify field values that exceed an authorized limit. For example, assume the firm’s policy is that no employee works more than 44 hours per week. The payroll system input control program can test the hours-worked field in the weekly payroll records for values greater than 44. Range checks exist when data have upper and lower limits to their acceptable values. For example, if the range of pay rates for hourly employees in a firm is between 8 and 20 dollars, this control can examine the pay rate field of all payroll records to ensure that they fall within this range.
A reasonableness check determines if a value in one field, which has already passed a limit check and a range check, is reasonable when considered along with data in other fields of the record. For example, assume that an employee’s pay rate of 18 dollars per hour falls within an acceptable range. This rate is excessive, however, when compared to the employee’s job skill code of 693; employees in this skill class should not earn more than 12 dollars per hour. A validity check compares actual field values against known acceptable values. For example, this control may be used to verify such things as valid vendor codes, state abbreviations, or employee job skill codes. If the value in the field does not match one of the acceptable values, the record is flagged as an error. PTS: 1 5. After data is entered into the system, it is processed. Processing control exists to make sure that the correct things happen during processing. Discuss processing controls. ANS: Processing controls take three forms–batch controls, run-to-run controls, and audit trail controls. Batch controls are used to manage the flow of high volumes of transactions through batch processing systems. The objective of batch control is to reconcile output produced by the system with the input originally entered into the system. This provides assurance that:
- All records in the batch are processed.
- No records are processed more than once.
- An audit trail of transactions is created from input through processing to the output stage of the system.
Run-to-run controls use batch figures and new balances to monitor the batch as it goes through the system–i.e. from run-to-run. These are to assure that no transactions are lost and that all are processed completely. Audit trail controls are designed to document the movement of transactions through the system.
The most common techniques include the use of transaction logs and transaction listings, unique transaction identifiers, logs and listings of automatic transactions, and error listings. PTS: 1 6. If input and processing controls are adequate, why are output controls needed? ANS: Output controls are designed to ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated. Great risk exists if checks are misdirected, lost, or stolen. Certain types of data must be kept private–trade secrets, patents pending, customer records, etc. PTS: 1
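As an added example (not from the test bank), the field and record interrogation checks from essay 4, the batch control figures from essay 5, and the error-file handling from essay 2, run over a constructed batch of weekly payroll records. The 44-hour limit, the 8 to 20 dollar pay-rate range, and skill code 693 with its 12-dollar ceiling are taken from the answers; the state table, skill code 701, the employee numbers and the records themselves are constructed for this example.

```python
# Added example, not from the textbook: the field- and record-interrogation
# checks from the essay answers above, run over a constructed batch of weekly
# payroll records. The 44-hour limit, the 8..20 dollar pay-rate range, and the
# skill code 693 / 12 dollar ceiling come from the answers; the state table,
# skill code 701, employee numbers and records are constructed for this example.
from typing import Dict, List, Tuple

Record = Dict[str, str]              # raw fields exactly as keyed in by the clerk

MAX_HOURS_PER_WEEK = 44.0            # limit check: policy from the essay answer
PAY_RATE_RANGE = (8.0, 20.0)         # range check: hourly pay rates in dollars
VALID_STATES = {"AL", "CA", "NY", "TX"}          # validity check: constructed subset
SKILL_MAX_RATE = {"693": 12.0, "701": 20.0}      # reasonableness: ceiling per skill code


def parse_numeric(record: Record, field: str, errors: List[str]):
    """Field interrogation: missing-data check, then numeric/alphabetic check.
    Returns the parsed value, or None (with an error appended) if either fails."""
    raw = record.get(field, "").strip()
    if raw == "":
        errors.append(f"{field}: missing data")
        return None
    try:
        return float(raw)
    except ValueError:                # e.g. the letter O keyed instead of zero
        errors.append(f"{field}: non-numeric content {raw!r}")
        return None


def validate_record(record: Record) -> List[str]:
    """Apply the input controls to one record; an empty list means it passed."""
    errors: List[str] = []
    hours = parse_numeric(record, "hours", errors)
    rate = parse_numeric(record, "pay_rate", errors)

    state = record.get("state", "").strip()
    skill = record.get("skill_code", "").strip()
    if state == "":
        errors.append("state: missing data")
    elif state not in VALID_STATES:                          # validity check
        errors.append(f"state: {state!r} is not a valid state code")
    if skill == "":
        errors.append("skill_code: missing data")
    elif skill not in SKILL_MAX_RATE:                        # validity check
        errors.append(f"skill_code: {skill!r} is not a known job skill code")

    if hours is not None and hours > MAX_HOURS_PER_WEEK:     # limit check
        errors.append(f"hours: {hours:g} exceeds limit of {MAX_HOURS_PER_WEEK:g}")

    rate_in_range = rate is not None and PAY_RATE_RANGE[0] <= rate <= PAY_RATE_RANGE[1]
    if rate is not None and not rate_in_range:               # range check
        errors.append(f"pay_rate: {rate:g} outside range "
                      f"{PAY_RATE_RANGE[0]:g}..{PAY_RATE_RANGE[1]:g}")

    # Record interrogation: the reasonableness check only runs once the rate has
    # passed the field-level checks, because it compares that field with another.
    if rate_in_range and skill in SKILL_MAX_RATE and rate > SKILL_MAX_RATE[skill]:
        errors.append(f"pay_rate: {rate:g} unreasonable for skill code {skill} "
                      f"(max {SKILL_MAX_RATE[skill]:g})")
    return errors


def process_batch(batch: List[Record]) -> Tuple[List[Record], List[Tuple[Record, List[str]]]]:
    """Delayed data validation: clean records go forward, flagged records go to
    an error file together with their error descriptions."""
    accepted, error_file = [], []
    for record in batch:
        errors = validate_record(record)
        if errors:
            error_file.append((record, errors))
        else:
            accepted.append(record)
    return accepted, error_file


def batch_control_totals(records: List[Record]) -> Dict[str, float]:
    """Batch control figures for run-to-run reconciliation: record count, a
    financial-style total of hours, and a hash total of employee numbers."""
    return {
        "record_count": len(records),
        "hours_total": sum(float(r["hours"]) for r in records),
        "hash_total": sum(int(r["employee_no"]) for r in records),
    }


# Constructed sample batch: clean records plus one record per control.
SAMPLE_BATCH: List[Record] = [
    {"employee_no": "1001", "hours": "40", "pay_rate": "18", "state": "TX", "skill_code": "701"},
    {"employee_no": "1002", "hours": "40", "pay_rate": "18", "state": "TX", "skill_code": "693"},  # reasonableness
    {"employee_no": "1003", "hours": "50", "pay_rate": "9.5", "state": "NY", "skill_code": "693"},  # limit
    {"employee_no": "1004", "hours": "38", "pay_rate": "25", "state": "CA", "skill_code": "701"},  # range
    {"employee_no": "1005", "hours": "4O", "pay_rate": "12", "state": "ZZ", "skill_code": "693"},  # numeric + validity
    {"employee_no": "1006", "hours": "", "pay_rate": "10", "state": "AL", "skill_code": "693"},    # missing data
    {"employee_no": "1007", "hours": "35", "pay_rate": "11", "state": "AL", "skill_code": "693"},
]

if __name__ == "__main__":
    accepted, error_file = process_batch(SAMPLE_BATCH)
    for record, errors in error_file:
        print(record["employee_no"], "->", "; ".join(errors))
    print("control totals of accepted records:", batch_control_totals(accepted))
```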
7. Describe and contrast the test data method with the integrated test facility. ANS: In the test data method, a specially prepared set of input data is processed; the results of the test are compared to predetermined expectations. To use the test data method, a copy of the current version of the application must be obtained. The auditor will review printed reports, transaction listings, error reports, and master files to evaluate application logic and control effectiveness. The test data approach results in minimal disruption to the organization's operations and requires little computer expertise on the part of auditors. The integrated test facility (ITF) is an automated approach that permits auditors to test an application's logic and controls during its normal operation. ITF databases contain test records integrated with legitimate records. During normal operations, test transactions are entered into the stream of regular production transactions and are processed against the test records. The ITF transactions are not included with the production reports but are reported separately to the auditor for evaluation. The auditor compares ITF results against expected results. In contrast to the test data approach, the ITF technique promotes ongoing application auditing and does not interfere with the normal work of computer services employees. In the test data approach, there is a risk that the auditor might perform the tests on a version of the application other than the production version; this cannot happen in the ITF approach. Both versions are relatively costly to implement. The major risk with the ITF approach is that ITF data could become combined with live data and the reports would be misstated; this cannot happen in the test data approach. PTS: 1
8. Contrast the black box approach to IT auditing and the white box approach. Which is preferred? ANS: The black box approach is not concerned with the application's internal workings. The auditor examines documentation of the system, interviews personnel, and bases the evaluation on the logical consistency between input and output. This method is often referred to as "auditing-around-the-computer" because there is no examination of data as it is processed. The white box approach, also called "auditing-through-the-computer," relies on knowledge of the internal workings of the systems and actually tests the application in action with test data having known results. Several white box techniques are available. These include the test data method, base case evaluation, tracing, the integrated test facility, and parallel simulation. This method makes the computer a tool of the audit as well as its target. PTS: 1 9. Discuss what is involved in creating test data. ANS: Auditors must prepare a complete set of both valid and invalid transactions that test every possible input error, logical process and irregularity. While it can take a considerable amount of time, the efficiency of the task can be improved through careful planning during system development. The auditor should save test data used during the implementation phase for future use. When applications are modified, additional test data can be created that focus on the area of the program changes. PTS: 1
IT Auditing 4th Ed—Test Bank, Chapter 8
Chapter 8—Data Structures and CAATTs for Data Extraction TRUE/FALSE 1. The database approach to data management is sometimes called the flat file approach. ANS: F
PTS: 1
2. The two fundamental components of data structures are organization and access method. ANS: T
PTS: 1
3. When a large portion of the file is to be processed in one operation such as payroll, sequential data structures are an inefficient method of organizing a file. ANS: F
PTS: 1
4. An advantage of using an indexed random file structure is that records are easily added and deleted. ANS: T
PTS: 1
5. The hierarchical database model forces users to navigate between data elements using predefined structured paths. ANS: T
PTS: 1
6. View modeling begins by identifying the primary entities of the business function in question. ANS: T
PTS: 1
7. The physical database is an abstract representation of the database. ANS: F
PTS: 1
8. A customer name and an unpaid balance is an example of a one-to-many relationship. ANS: F
PTS: 1
9. In the relational model, a data element is called a relation. ANS: F
PTS: 1
10. Data normalization groups data attributes into tables in accordance with specific design objectives. ANS: T
PTS: 1
11. Under the database approach, data is viewed as proprietary or owned by users. ANS: F
PTS: 1
12. VSAM file structures are most effective where rapid access to individual records is a priority need. ANS: F
PTS: 1
13. A join builds a new table by creating links. ANS: F
PTS: 1
14. The deletion anomaly is the least important of the problems affecting unnormalized databases. ANS: F
PTS: 1
15. EAMs allow auditors to identify significant transactions for substantive testing. ANS: T
PTS: 1
16. Generalized audit software packages are used to assist the auditor in performing substantive tests. ANS: T
PTS: 1
17. GAS can be used with simple data structures but not complex structures. ANS: F
PTS: 1
18. View integration combines the data needs of all users into a single entity-wide schema. ANS: T
PTS: 1
19. An entity is any physical thing about which the organization wishes to capture data. ANS: F
PTS: 1
20. An ER diagram is a graphical representation of a data model. ANS: T
PTS: 1
21. The term occurrence is used to describe the number of attributes or fields pertaining to a specific entity. ANS: F
PTS: 1
22. Cardinality describes the number of possible occurrences in one table that are associated with a single occurrence in a related table. ANS: T
PTS: 1
23. A table in third normal form is free of partial dependencies, multiple dependencies, and transitive dependencies. ANS: F
PTS: 1
24. Improperly normalized databases are associated with three types of anomalies: the update anomaly, the insertion anomaly, and the deletion anomaly. ANS: T
PTS: 1
MULTIPLE CHOICE 1. An inventory record contains part number, part name, part color, and part weight. These individual items are called a. fields. b. stored files. c. bytes. d. occurrences. ANS: A
PTS: 1
2. It is appropriate to use a sequential file structure when a. records are routinely inserted. b. single records need to be retrieved. c. records need to be scanned using secondary keys. d. a large portion of the file will be processed in one operation. ANS: D
PTS: 1
3. Which of the following statements is not true? a. Indexed random files are dispersed throughout the storage device without regard for physical proximity with related records. b. Indexed random files use disk storage space efficiently. c. Indexed random files are efficient when processing a large portion of a file at one time. d. Indexed random files are easy to maintain in terms of adding records. ANS: C
PTS: 1
4. Which characteristic is associated with the database approach to data management? a. data sharing b. multiple storage procedures c. data redundancy d. excessive storage costs ANS: A
PTS: 1
5. Which statement is not correct? The VSAM structure a. is used for very large files that need both direct access and batch processing. b. may use an overflow area for records. c. provides an exact physical address for each record. d. is appropriate for files that require few insertions or deletions. ANS: C
PTS: 1
6. Which statement is true about a hashing structure? a. The same address could be calculated for two records. b. Storage space is used efficiently. c. Records cannot be accessed rapidly. d. A separate index is required. ANS: A
PTS: 1
7. In a hashing structure, a. two records can be stored at the same address. b. pointers are used to indicate the location of all records. c. pointers are used to indicate the location of a record with the same address as another record. d. all locations on the disk are used for record storage. ANS: C
PTS: 1
8. Pointers can be used for all of the following except a. to locate the subschema address of the record. b. to locate the physical address of the record. c. to locate the relative address of the record. d. to locate the logical key of the record. ANS: A
PTS: 1
9. Pointers are used a. to link records within a file. b. to link records between files. c. to identify records stored in overflow. d. all of the above. ANS: D
PTS: 1
10. View modeling includes a. constructing a data model showing entity associations. b. constructing the physical database. c. preparing the user views. d. all of the above. ANS: D
PTS: 1
11. Database anomalies are symptoms of structural problems within tables called a. tuples b. dependencies c. collisions d. attributes ANS: C
PTS: 1
12. In the relational database model a. relationships are explicit b. the user perceives that files are linked using pointers c. data is represented on two-dimensional tables d. data is represented as a tree structure ANS: C
PTS: 1
13. In the relational database model all of the following are true except a. data is presented to users as tables b. data can be extracted from specified rows from specified tables c. a new table can be built by joining two tables d. only one-to-many relationships can be supported ANS: D
PTS: 1
14. In a relational database a. the user’s view of the physical database is the same as the physical database b. users perceive that they are manipulating a single table c. a virtual table exists in the form of rows and columns of a table stored on the disk d. a programming language (COBOL) is used to create a user’s view of the database ANS: B
PTS: 1
15. The update anomaly in unnormalized databases a. occurs because of data redundancy b. complicates adding records to the database c. may result in the loss of important data d. often results in excessive record insertions ANS: A
PTS: 1
16. The most serious problem with unnormalized databases is the a. update anomaly b. insertion anomaly c. deletion anomaly d. none of the above ANS: C
PTS: 1
17. The deletion anomaly in unnormalized databases a. is easily detected by users b. may result in the loss of important data c. complicates adding records to the database d. requires the user to perform excessive updates ANS: B
PTS: 1
18. Which statement is correct? a. in a normalized database, data about vendors occur in several locations b. the accountant is responsible for database normalization c. in a normalized database, deletion of a key record could result in the destruction of the audit trail d. connections between M:M tables are provided by a link table ANS: D
PTS: 1
19. Which of the following is not a common form of conceptual database model? a. hierarchical b. network c. sequential d. relational ANS: C
PTS: 1
20. Which of the following is a relational algebra function? a. restrict b. project c. join d. all are relational algebra functions ANS: D
PTS: 1
21. Entities are a. nouns that are depicted by rectangles on an entity relationship diagram b. data that describe the characteristics of properties of resources c. associations among elements d. sets of data needed to make a decision ANS: A
PTS: 1
22. A user view a. presents the physical arrangement of records in a database for a particular user b. is the logical abstract structure of the database c. specifies the relationship of data elements in the database d. defines how a particular user sees the database ANS: D
PTS: 1
23. Each of the following is a relational algebra function except a. join b. project c. link d. restrict ANS: C
PTS: 1
24. A table is in first normal form when it is a. free of repeating group data b. free of transitive dependencies c. free of partial dependencies d. free of update anomalies e. none of the above ANS: A
PTS: 1
25. A table is in second normal form when it is a. free of repeating group data b. free of transitive dependencies c. free of partial dependencies d. free of insert anomalies e. none of the above ANS: C
PTS: 1
26. A table is in third normal form when it is a. free of repeating group data b. free of transitive dependencies c. free of partial dependencies d. free of deletion anomalies e. none of the above ANS: B
PTS: 1
27. Which statement is not true? Embedded audit modules a. can be turned on and off by the auditor. b. reduce operating efficiency. c. may lose their viability in an environment where programs are modified frequently. d. identify transactions to be analyzed using white box tests. ANS: D
PTS: 1
28. Generalized audit software packages perform all of the following tasks except a. recalculate data fields b. compare files and identify differences c. stratify statistical samples d. analyze results and form opinions ANS: D
PTS: 1
29. A transitive dependency a. is a database condition that is resolved through special monitoring software. b. is a name given to one of the three anomalies that result from unnormalized database tables. c. can exist only in a table with a composite primary key. d. cannot exist in tables that are normalized at the 3NF level. e. is none of the above. ANS: D
PTS: 1
SHORT ANSWER 1. What are the two fundamental components of data structures? ANS: Organization and access method.
PTS: 1
2. Give an advantage and a disadvantage of the sequential data structure. ANS: An advantage is that sequential data structures are simple and easy to process. A disadvantage is that processing only a small portion of a large sequential file is inefficient.
PTS: 1
3. What are the three physical components of a VSAM file? ANS: The three components are the indexes, the prime data storage area, and the overflow area.
PTS: 1
4. Give two limitations of the hierarchical database model. ANS: The hierarchical database model forces users to navigate between data elements using predefined structured paths. Hierarchical database models also limit the degree of process integration and data sharing that can be achieved.
PTS: 1
5. Comment on the following statement: “Legacy systems use flat file structures.” ANS: A flat-file structure is a single-view model that characterizes legacy systems in which data files are structured, formatted, and arranged to suit the specific needs of the owner or primary user of the system. Such structuring, however, may omit or corrupt data attributes that are essential to other users, thus preventing successful integration of systems across the organization.
PTS: 1
6. What are the six phases of view modeling? ANS: Identify entities. Construct a data model showing entity associations. Add primary keys and attributes to the model. Normalize the data model and add foreign keys. Construct the physical database. Prepare the user view.
PTS: 1
7. What is the relationship between a database table and a user view? ANS: User views are derived from database tables. A single table may contribute data to several different views. On the other hand, simple views may be constructed from a single table.
PTS: 1
8. How does the database approach solve the problem of data redundancy? ANS: Data redundancy is not a problem with the database approach because individual data elements need to be stored only once yet be available to multiple users.
PTS: 1
9. Explain how linkages between relational tables are accomplished. ANS: Tables that are logically related in the data model need to be physically linked. The degree of association between the tables (i.e., 1:1, 1:M, or M:M) determines how the linking occurs. The key-assignment rules for linking tables are as follows. Where a true 1:1 association exists between tables, either (or both) primary keys may be embedded as foreign keys in the related table. Where a 1:M (or 1:0,M) association exists, the primary key of the 1 side is embedded in the table of the M side. To represent the M:M association between tables, a link table needs to be created that has a combined (composite) key consisting of the primary keys of the two related tables.
PTS: 1
10. Explain the basic results that come from the restrict, project, and join functions. ANS: A restrict extracts selected rows from a table–records that satisfy prescribed conditions–to create a new table. A project extracts selected attributes (columns) from a table to create a new table. A join builds a new table, from two existing tables, by matching rows on a value of a common attribute.
PTS: 1
11. Explain the purpose of an ER diagram in database design. ANS: The entity relationship (ER) diagram is the graphical representation technique used to depict a data model. Each entity in an ER diagram is named in the singular noun form, such as Customer rather than Customers. The labeled line connecting two entities describes the nature of the association between them. This association is represented with a verb such as shipped, requests, or receives. The ER diagram also represents cardinality (the degree of association between two entities). Four basic forms of cardinality are possible: zero or one (0,1), one and only one (1,1), zero or many (0,M), and one or many (1,M). These are combined to represent logical associations between entities such as 1:1, 1:0,M, and M:M.
PTS: 1
12. What is view integration? ANS: A modern company uses hundreds or thousands of views and associated tables. Combining the data needs of all users into a single schema or enterprise-wide view is called view integration.
PTS: 1
13. How does the embedded audit module support the auditor? ANS: The EAM approach allows selected transactions to be captured throughout the audit period. Captured transactions are made available to the auditor in real time, at period end, or any time during the period, significantly reducing the amount of work the auditor must do to identify significant transactions for substantive testing.
PTS: 1
14. Outline some of the key advantages of GAS. ANS: GAS allows auditors to access electronically coded data files of their clients, both simple and complex structures, and to perform various operations on their contents. GAS is popular for the following reasons: a. GAS languages are easy to use and require little computer background on the part of the auditor. b. Many GAS products can be used on both mainframe and PC systems. c. Auditors can perform their tests independent of the client’s computer service staff. d. GAS can be used to audit the data stored in most file structures and formats.
PTS: 1
15. How can a poorly designed database result in unintentional loss of critical records? ANS: The deletion anomaly may cause data to be deleted unintentionally from incorrectly normalized tables. In such situations, records that are legitimately deleted from the table may result in the deletion of other data not intended for deletion.
PTS: 1
16. What is repeating group data? ANS: Each unique primary key value is associated with multiple values for nonkey attributes.
PTS: 1
17. What is a partial dependency? ANS: A partial dependency occurs when one or more nonkey attributes are dependent on (defined by) only part of the primary key, rather than the whole key. This can occur only in tables that have composite (two or more attribute) primary keys.
PTS: 1
18. What is a transitive dependency? ANS: A transitive dependency occurs in a table where nonkey attributes are dependent on another nonkey attribute and independent of the table’s primary key.
PTS: 1
19. What is the update anomaly? ANS: The update anomaly results from data redundancy in an unnormalized table. The data attributes pertaining to a particular entity (for example: Vendor Name, Address, and Tele Num) are repeated in every record pertaining to the vendor. Any change in the supplier’s name, address, or telephone number must then be made to each of these records. This causes an update problem that results in excessive overhead costs.
PTS: 1
20. Give an example of the insertion anomaly. ANS: The insertion anomaly occurs when certain types of new records cannot be added. For example, if the primary key for the vendor file is PART NUMBER, a new vendor cannot be added until a purchase is made.
21. When is a table in third normal form (3NF)? ANS: A table is in third normal form when it meets the two conditions below: 1. All nonkey (data) attributes in the table are dependent on (defined by) the primary key. 2. All nonkey attributes are independent of the other nonkey attributes.
PTS: 1
ESSAY 1. Discuss the two fundamental components of data structures. ANS: Organization refers to the way records are physically arranged on the secondary storage device. This may be either sequential or random. The records in sequential files are stored in contiguous locations that occupy a specified area of disk space. Records in random files are stored without regard for their physical relationship to other records in the same file. Random files may have records distributed throughout a disk. The access method is the technique used to locate records and to navigate through the database or file. While several specific techniques are used, in general, they can be classified as either direct access or sequential access methods.
PTS: 1
2. What is a hashing structure? What are the advantage(s) and disadvantage(s) associated with it? ANS: A hashing structure employs an algorithm that converts the primary key of a record directly into a storage address. Hashing eliminates the need for a separate index. By calculating the address, rather than reading it from an index, records can be retrieved more quickly. The principal advantage of hashing is access speed. The hashing technique has two disadvantages. It does not use storage space efficiently. The storage location chosen for a record is a mathematical function of its primary key value. The algorithm will never select some disk locations because they do not correspond to legitimate key values. Different record keys may generate the same (or similar) residual, which translates to the same address. This is called a collision because two records cannot be stored at the same location.
PTS: 1
3. Explain the following three types of pointers: physical address pointer, relative address pointer, and logical key pointer. ANS: A physical address pointer contains the actual disk storage location (cylinder, surface, and record number) needed by the disk controller. This approach allows the system to access the record directly without obtaining further information. A relative address pointer contains the relative position of a record in the file. This address (i.e., the 200th record on the file) must be further manipulated to convert it to the actual physical address. The conversion software determines this by using the physical address of the beginning of the file, the length of each record in the file, and the relative address of the record being sought. A logical key pointer contains the primary key of the related record. This key value is then converted into the record’s physical address by a hashing algorithm.
PTS: 1
4. Give three examples that illustrate how cardinality reflects an organization’s underlying business rules. ANS: 1) When an organization decides to purchase the same items of inventory from different suppliers, the cardinality between the Supplier and Inventory tables is M:M. 2) When the company purchases all items of a certain type from only one supplier, the cardinality between the Supplier and Inventory tables is 1:M respectively. 3) A policy that a separate receiving report is prepared for the receipt of goods specified on a single purchase order will result in a 1:1 cardinality between the receiving report and purchase order tables. If, however, multiple purchase orders are combined on a single receiving report, then the cardinality between these tables will be 1:M respectively.
PTS: 1
5. Explain the three types of anomalies associated with database tables that have not been normalized. ANS: The update anomaly is the result of data redundancy. If a data element is stored in more than one place, it must be updated in all places. If this does not happen, the data are inconsistent. The insertion anomaly occurs when too much data is stored together–when vendor information is only stored with specific inventory items. Until items are purchased from a given vendor, the vendor cannot be added to the database. The deletion anomaly is the opposite of the insertion anomaly–if a vendor supplies only one item, and the firm discontinues that item, all information on the vendor is lost when vendor information is only stored with specific inventory items.
PTS: 1
6. What are the key control implications of the absence of database normalization? ANS: When considering the quality of the data in a database, accountants should be aware of the outcomes of typical anomalies. The update anomaly can yield conflicting data in the database. The insertion anomaly can result in unrecorded transactions. The deletion anomaly can cause loss of accounting information and destruction of the audit trail. PTS: 1
7. Contrast embedded audit modules with generalized audit software.
ANS: Both techniques permit auditors to access, organize, and select data in support of the substantive phase of the audit. The embedded audit module (EAM) technique embeds special audit modules into applications. The EAM captures specific transactions for auditor review. EAMs reduce operational efficiency and are not appropriate for environments with a high level of program maintenance. Generalized audit software (GAS) permits auditors to electronically access audit files and to perform a variety of audit procedures. For example, GAS can recalculate, stratify, compare, format, and print the contents of files. The EAM is an internal program that is designed and programmed into the application. The GAS is an external package that does not affect the operational efficiency of the program. GAS packages are easy to use, require little IT background on the part of the user, are hardware independent, can be used without the assistance of computer service employees, and are not application-specific. On the other hand, EAMs are programmed into a specific application by computer service professionals.
PTS: 1
IT Auditing, 4th Ed—Test Bank, Chapter 9
Chapter 9—Auditing the Revenue Cycle TRUE/FALSE 1. The packing slip is also known as the shipping notice. ANS: F
PTS: 1
2. The bill of lading is a legal contract between the buyer and the seller. ANS: F
PTS: 1
3. Another name for the stock release form is the picking ticket. ANS: T
PTS: 1
4. Warehouse stock records are the formal accounting records for inventory. ANS: F
PTS: 1
5. The purpose of the invoice is to bill the customer. ANS: T
PTS: 1
6. In most large organizations, the journal voucher file has replaced the formal general journal. ANS: T
PTS: 1
7. The cash receipts journal is a special journal. ANS: T
PTS: 1
8. In the revenue cycle, the internal control “limit access” applies to physical assets only. ANS: F
PTS: 1
9. In real-time processing systems, routine credit authorizations are automated. ANS: T
PTS: 1
10. In a computerized accounting system, segregation of functions refers to inventory control, accounts receivable, billing, and general ledger tasks. ANS: F
PTS: 1
11. A written customer purchase order is required to trigger the sales order system. ANS: F
PTS: 1
12. Determining that the AR balance states its net realizable value tests the management assertion of existence or occurrence. ANS: F
PTS: 1
13. The principal source document in the sales order system is the sales order. ANS: T
PTS: 1
14. Sales orders should be prenumbered documents. ANS: T
PTS: 1
15. Batch control continues through all stages of data processing. ANS: T
PTS: 1
16. If a customer submits a written purchase order, there is no need to prepare a sales order. ANS: F
PTS: 1
17. Sales return involves receiving, sales, credit, and billing departments, but not accounts receivable. ANS: F
PTS: 1
18. A remittance advice is a form of turn-around document. ANS: T
PTS: 1
19. A bill of lading is a request for payment for shipping charges. ANS: F
PTS: 1
20. In point of sale systems, authorization takes the form of validation of credit card charges. ANS: T
PTS: 1
21. The warehouse is responsible for updating the inventory subsidiary ledger. ANS: F
PTS: 1
22. In a manual system, the billing department is responsible for recording the sale in the sales journal. ANS: T
PTS: 1
23. The stock release document is prepared by the shipping department to provide evidence that the goods have been released to the customer. ANS: F
PTS: 1
24. The accounts receivable clerk is responsible for updating the AR Control accounts to reflect each customer sale. ANS: F
PTS: 1
25. When customer payments are received, the mailroom clerk sends the checks to the cash receipts clerk and the remittance advices to the AR clerk. ANS: T
PTS: 1
MULTIPLE CHOICE

1. The revenue cycle consists of
a. one subsystem–order entry
b. two subsystems–sales order processing and cash receipts
c. two subsystems–order entry and inventory control
d. three subsystems–sales order processing, credit authorization, and cash receipts
ANS: B
PTS: 1
2. The reconciliation that occurs in the shipping department is intended to ensure that
a. credit has been approved
b. the customer is billed for the exact quantity shipped
c. the goods shipped match the goods ordered
d. inventory records are reduced for the goods shipped
ANS: C
PTS: 1
3. The adjustment to accounting records to reflect the decrease in inventory due to a sale occurs in the
a. warehouse
b. shipping department
c. billing department
d. inventory control department
ANS: D
PTS: 1
4. Which document triggers the revenue cycle?
a. the sales order
b. the customer purchase order
c. the sales invoice
d. the journal voucher
ANS: B
PTS: 1
5. Copies of the sales order can be used for all of the following except
a. purchase order
b. credit authorization
c. shipping notice
d. packing slip
ANS: A
PTS: 1
6. The purpose of the sales invoice is to
a. record reduction of inventory
b. transfer goods from seller to shipper
c. bill the customer
d. select items from inventory for shipment
ANS: C
PTS: 1
7. The customer open order file is used to
a. respond to customer queries
b. fill the customer order
c. ship the customer order
d. authorize customer credit
ANS: A
PTS: 1
8. The stock release copy of the sales order is not used to
a. locate and pick the items from the warehouse shelves
b. record any out-of-stock items
c. authorize the warehouse clerk to release custody of the inventory to shipping
d. record the reduction of inventory
ANS: D
PTS: 1
9. The shipping notice
a. is mailed to the customer
b. is a formal contract between the seller and the shipping company
c. is always prepared by the shipping clerk
d. informs the billing department of the quantities shipped
ANS: D
PTS: 1
10. The billing department is not responsible for
a. updating the inventory subsidiary records
b. recording the sale in the sales journal
c. notifying accounts receivable of the sale
d. sending the invoice to the customer
ANS: A
PTS: 1
11. Customers should be billed for back-orders when
a. the customer purchase order is received
b. the backordered goods are shipped
c. the original goods are shipped
d. customers are not billed for backorders because a backorder is a lost sale
ANS: B
PTS: 1
12. Usually specific authorization is required for all of the following except
a. sales on account which exceed the credit limit
b. sales of goods at the list price
c. a cash refund for goods returned without a receipt
d. write off of an uncollectible account receivable
ANS: B
PTS: 1
13. Which of the following functions should be segregated?
a. opening the mail and making the journal entry to record cash receipts
b. authorizing credit and determining reorder quantities
c. maintaining the subsidiary ledgers and handling customer queries
d. providing information on inventory levels and reconciling the bank statement
ANS: A
PTS: 1
14. Which situation indicates a weak internal control structure?
a. the mailroom clerk authorizes credit memos
b. the record keeping clerk maintains both accounts receivable and accounts payable subsidiary ledgers
c. the warehouse clerk obtains a signature before releasing goods for shipment
d. the accounts receivable clerk prepares customer statements every month
ANS: A
PTS: 1
15. The most effective internal control procedure to prevent or detect the creation of fictitious credit memoranda for sales returns is to
a. supervise the accounts receivable department
b. limit access to credit memoranda
c. prenumber and sequence check all credit memoranda
d. require management approval for all credit memoranda
ANS: D
PTS: 1
16. The accounts receivable clerk destroys all invoices for sales made to members of her family and does not record the sale in the accounts receivable subsidiary ledger. Which procedure will not detect this fraud?
a. prenumber and sequence check all invoices
b. reconcile the accounts receivable control to the accounts receivable subsidiary ledger
c. prepare monthly customer statements
d. reconcile total sales on account to the debits in the accounts receivable subsidiary ledger
ANS: C
PTS: 1
17. Which department is least likely to be involved in the revenue cycle?
a. credit
b. accounts payable
c. billing
d. shipping
ANS: B
PTS: 1
18. Which document is included with a shipment sent to a customer?
a. sales invoice
b. stock release form
c. packing slip
d. shipping notice
ANS: C
PTS: 1
19. Good internal controls in the revenue cycle should ensure all of the following except
a. all sales are profitable
b. all sales are recorded
c. credit is authorized
d. inventory to be shipped is not stolen
ANS: A
PTS: 1
20. Which control does not help to ensure that accurate records are kept of customer accounts and inventory?
a. reconcile accounts receivable control to accounts receivable subsidiary
b. authorize credit
c. segregate custody of inventory from record keeping
d. segregate record keeping duties of general ledger from accounts receivable
ANS: B
PTS: 1
21. Internal controls for handling sales returns and allowances do not include
a. computing bad debt expense using the percentage of credit sales
b. verifying that the goods have been returned
c. authorizing the credit memo by management
d. using the original sales invoice to prepare the sales returns slip
ANS: A
PTS: 1
22. The printer ran out of preprinted sales invoice forms and several sales invoices were not printed. The best internal control to detect this error is
a. a batch total of sales invoices to be prepared compared to the actual number of sales invoices prepared
b. sequentially numbered sales invoices
c. visual verification that all sales invoices were prepared
d. none of the above will detect this error
ANS: A
PTS: 1
23. Which department prepares the bill of lading?
a. Sales
b. Warehouse
c. Shipping
d. Credit
ANS: C
PTS: 1
24. A weekly reconciliation of cash receipts would include comparing
a. the cash prelist with bank deposit slips
b. the cash prelist with remittance advices
c. bank deposit slips with remittance advices
d. journal vouchers from accounts receivable and general ledger
ANS: A
PTS: 1
25. At which point is supervision most critical in the cash receipts system?
a. accounts receivable
b. general ledger
c. mail room
d. cash receipts
ANS: C
PTS: 1
26. A cash prelist is
a. a document that records sales returns and allowances
b. a document returned by customers with their payments
c. the source of information used to prepare monthly statements
d. none of the above
ANS: D
PTS: 1
27. An advantage of real-time processing of sales is
a. the cash cycle is lengthened
b. current inventory information is available
c. hard copy documents provide a permanent record of the transaction
d. data entry errors are corrected at the end of each batch
ANS: B
PTS: 1
28. Commercial accounting systems have fully integrated modules. The word “integrated” means that
a. segregation of duties is not possible
b. transfer of information among modules occurs automatically
c. batch processing is not an option
d. separate entries are made in the general ledger accounts and the subsidiary ledgers
ANS: B
PTS: 1
29. The data processing method that can shorten the cash cycle is
a. batch, sequential file processing
b. batch, direct access file processing
c. real-time file processing
d. none of the above
ANS: C
PTS: 1
30. Which of the following is not a risk exposure in a PC accounting system?
a. reliance on paper documentation is increased
b. functions that are segregated in a manual environment may be combined in a microcomputer accounting system
c. backup procedures require human intervention
d. data are easily accessible
ANS: A
PTS: 1
31. Which journal is not used in the revenue cycle?
a. cash receipts journal
b. sales journal
c. purchases journal
d. general journal
ANS: C
PTS: 1
32. Periodically, the general ledger department receives all of the following except
a. total increases to accounts receivable
b. total of all sales backorders
c. total of all sales
d. total decreases in inventory
ANS: B
PTS: 1
33. The credit department
a. prepares credit memos when goods are returned
b. approves credits to accounts receivable when payments are received
c. authorizes the granting of credit to customers
d. none of the above
ANS: C
PTS: 1
34. Adjustments to accounts receivable for payments received from customers are based upon
a. the customer’s check
b. the cash prelist
c. the remittance advice that accompanies payment
d. a memo prepared in the mailroom
ANS: C
PTS: 1
35. The revenue cycle utilizes all of the following files except
a. credit memo file
b. sales history file
c. shipping report file
d. cost data reference file
ANS: D
PTS: 1
36. All of the following are advantages of real-time processing of sales except
a. The cash cycle is shortened
b. Paper work is reduced
c. Incorrect data entry is difficult to detect
d. Up-to-date information can provide a competitive advantage in the marketplace
ANS: C
PTS: 1
37. Which document is NOT prepared by the sales department?
a. packing slip
b. shipping notice
c. bill of lading
d. stock release
ANS: C
PTS: 1
38. Which type of control is considered a compensating control?
a. segregation of duties
b. access control
c. supervision
d. accounting records
ANS: C
PTS: 1

SHORT ANSWER

1. Distinguish between a packing slip, shipping notice, and a bill of lading.
ANS: The packing slip travels with the goods to the customer, and it describes the contents of the order. Upon filling the order, the shipping department sends the shipping notice to the billing department to notify them that the order has been filled and shipped. The shipping notice contains additional information that the packing slip may not contain, such as shipment date, carrier and freight charges. The bill of lading is a formal contract between the seller and the transportation carrier; it shows legal ownership and responsibility for assets in transit.
PTS: 1
2. State two specific functions or jobs that should be segregated in the sales processing system.
ANS: sales order processing and credit approval; inventory control (record keeping) from warehouse (custody); and general ledger from accounts receivable subsidiary ledger
PTS: 1
3. State two specific functions or jobs that should be segregated in the cash receipts system.
ANS: cash receipts (custody) from accounts receivable (record keeping); general ledger from accounts receivable subsidiary ledger; and mail room (receiving cash) from accounts receivable subsidiary ledger
PTS: 1
4. For the revenue cycle, state two specific independent verifications that should be performed.
ANS: shipping verifies that the goods sent from the warehouse are correct in type and quantity; billing reconciles the shipping notice with the sales order to ensure that customers are billed only for the quantities shipped; general ledger reconciles journal vouchers submitted by the billing department (sales journal), inventory control (inventory subsidiary ledger), and cash receipts (cash receipts journal); the treasurer determines that all cash received got to the bank
PTS: 1
5. What task can the accounts receivable department engage in to verify that all checks sent by the customers have been appropriately deposited and recorded?
ANS: The company should periodically, perhaps monthly, send an account summary to each customer listing invoices and amounts paid by check number and date. This form allows the customer to verify the accuracy of the records. If any payments are not recorded, they will notify the company of the discrepancy. These reports should not be handled by the accounts receivable clerk or the cashier.
PTS: 1
6. What specific internal control procedure would prevent the sale of goods on account to a fictitious customer?
ANS: credit check
PTS: 1
7. The clerk who opens the mail routinely steals remittances. Describe a specific internal control procedure that would prevent or detect this fraud.
ANS: supervision (two people) when opening the mail; customer complaints when monthly statements are mailed
PTS: 1
8. A customer payment of $247 was correctly posted in the general ledger but was recorded as $274 in the customer’s account receivable. Describe a specific internal control procedure that would detect this error.
ANS: reconcile the accounts receivable control account to the accounts receivable subsidiary ledger; compare control totals of cash received with total credits to the A/R subsidiary ledger
PTS: 1
9. A clerk embezzles customer payments on account and covers up the theft by making an adjustment to the accounts receivable ledger. Describe a specific internal control procedure that would prevent this fraud.
ANS: segregation of duties; do not let one person have custody of payments and the ability to make adjustments to the records; all adjustments to accounts receivable records must be authorized
PTS: 1
10. A credit sale is made to a customer, even though the customer’s account is four months overdue. Describe a specific internal control procedure that would prevent this from happening.
ANS: perform a credit check and require management approval for all sales to accounts that are overdue
PTS: 1
11. What specific internal control procedure would prevent a customer from being billed for all 50 items ordered although only 40 items were shipped?
ANS: billing should reconcile the shipping report with the sales order
PTS: 1
12. What specific internal control procedure would prevent the shipping clerk from taking goods from the storeroom and sending them to someone who had not placed an order?
ANS: the shipping clerk should not have access to the storeroom
PTS: 1
13. What specific internal control procedure would prevent an accounts receivable clerk from issuing a fictitious credit memo to a customer (who is also a relative) for goods that were “supposedly” returned from previous sales?
ANS: the credit memo should be authorized after verifying the return of goods based on evidence from the person who received the goods
PTS: 1
14. What specific internal control procedure would prevent an increase in sales returns since salesmen were placed on commission?
ANS: customer credit should be verified by the credit department; reduce commissions for sales returns
PTS: 1
15. What specific internal control procedure would detect the misplacement of a sales invoice that was prepared but never mailed to the customer? The invoice was never found.
ANS: all documents should be prenumbered
PTS: 1
16. What function does the receiving department serve in the revenue cycle?
ANS: The receiving department counts and inspects items which are returned by customers. The receiving department prepares a return slip, of which a copy goes to the warehouse for restocking, and a copy goes to the sales order department so that a credit memo can be issued to the customer.
PTS: 1
17. What are the three rules that ensure that no single employee or department processes a transaction in its entirety?
ANS: The three rules that ensure segregation of functions are:
1. Transaction authorization should be separate from transaction processing.
2. Asset custody should be separate from asset record keeping.
3. The organization structure should be such that the perpetration of a fraud requires collusion between two or more individuals.
PTS: 1
18. What are the key segregations of duties related to computer programs that process accounting transactions?
ANS: The tasks of design, maintenance, and operation of computer programs need to be segregated. The programmers who write the original computer programs should not also be responsible for making program changes. Both of these functions must also be separate from the daily task of operating the system.
PTS: 1
19. What makes point-of-sale systems different from the revenue cycles of manufacturing firms?
ANS: In point-of-sale systems, the customer literally has possession of the items purchased; thus the inventory is in hand. Typically, for manufacturing firms, the order is placed and the goods are shipped to the customer at some later time. Thus, updating inventory at the time of sale is necessary in point-of-sale systems since the inventory is changing hands, while it is not necessary in manufacturing firms until the goods are actually shipped to the customer. Also, POS systems are used extensively in grocery stores, department stores, and other types of retail organizations. Generally, only cash, checks, and bank credit card sales are valid. Unlike manufacturing firms, the organization maintains no customer accounts receivable. Unlike some manufacturing firms, inventory is kept on the store’s shelves, not in a separate warehouse. The customers personally pick the items they wish to buy and carry them to the checkout location, where the transaction begins. Shipping, packing, bills of lading, etc. are not relevant to POS systems.
PTS: 1
20. Give three examples of Access Control in a Point-of-Sale (POS) system.
ANS:
• Lock on the cash drawer
• Internal cash register tape that can be accessed only by the manager
• Physical security over the inventory. The following are examples: steel cables to secure expensive leather coats to the clothing rack; locked showcases to display jewelry and costly electronic equipment; magnetic tags attached to merchandise, which will sound an alarm when removed from the store.
Note to Instructor: Some physical security devices could also be classified as supervision.
PTS: 1
21. Describe the key tasks in the sales order process.
ANS: Sales order procedures include the tasks involved in receiving and processing a customer order, filling the order and shipping products to the customer, billing the customer at the proper time, and correctly accounting for the transaction.
PTS: 1
22. What is the purpose(s) of the stock release document?
ANS: The stock release document (also called the picking ticket) is sent to the warehouse to identify the items of inventory that have been sold and must be located and picked from the warehouse shelves. It also provides formal authorization for warehouse personnel to release the specified items.
PTS: 1
23. What is the role of the shipping notice?
ANS: The shipping notice triggers the billing process. When the goods are shipped, the shipping notice is forwarded to the billing function as evidence that the customer’s order was filled and shipped. This document conveys pertinent new facts such as the date of shipment, the items and quantities actually shipped, the name of the carrier, and freight charges.
PTS: 1
24. What is a bill of lading?
ANS: The bill of lading is a formal contract between the seller and the shipping company (carrier) to transport the goods to the customer. This document establishes legal ownership and responsibility for assets in transit.
PTS: 1
25. What is the purpose of the credit memo?
ANS: This document is the authorization for the customer to receive credit for the merchandise returned. A credit memo may be similar in appearance to a sales order. Some systems may actually use a copy of the sales order marked credit memo.
PTS: 1

ESSAY

1. When Clipper Mail Order Co. receives telephone and fax orders, the billing department prepares an invoice. The invoice is mailed immediately. A copy of the invoice serves as a shipping notice. The shipping department removes inventory from the warehouse and prepares the shipment. When the order is complete, the goods are shipped. The clerk checks the customer’s credit before recording the sale in the general journal and the accounts receivable subsidiary ledger. The receptionist opens the mail and lists all payments. The receptionist also handles all customer complaints and prepares sales return forms for defective merchandise. The cashier records all cash receipts in the general journal and makes the appropriate entry in the accounts receivable subsidiary ledger. The cashier prepares the daily bank deposit. Describe at least four internal control weaknesses at Clipper Mail Order Co.
ANS: no sales order is prepared; credit should be checked before shipping the items; invoices are mailed before the goods are shipped; shipping has access to the warehouse; record keeping duties are not segregated (general ledger from subsidiary ledger); only one person opens the mail; sales return forms are not authorized by management; custody and record keeping duties are not separated; the cashier has custody of cash, makes journal entries, and maintains the A/R ledger; the cashier has custody of cash and handles customer complaints (e.g., about unrecorded payments).
PTS: 1
2. How may an employee embezzle funds by issuing an unauthorized sales credit memo if the appropriate segregation of functions and authorization controls were not in place?
ANS: An employee who has access to incoming payments, either cash or check, as well as the authorization to issue credit memos may pocket the cash or check of a payment for goods received. This employee could then issue a credit memo to this person’s account so that the customer does not show a balance due.
PTS: 1
3. For each of the following documents, describe its purpose, the functional area preparing it, and the key data included: sales order, bill of lading, credit memo.
ANS: A sales order is used to collect information needed to initiate the sales process. It can be a copy of the customer’s purchase order prepared by the customer or a document prepared by a member of the sales staff in response to mail, phone or personal contact with the customer. It contains information about the customer, the type and quantity of merchandise being requested, price information, shipping information, etc.
The bill of lading is prepared by the shipping clerk. It is a formal contract between the seller and the carrier who will transport the goods to the customer. It contains information about the carrier, the customer, descriptions of the package(s) being shipped, declared value of the goods, and information on freight charges, including how much and who will pay.
A credit memo is a document authorizing issuance of credit to a customer for returned goods. It is prepared in the sales department after receipt of a return slip from receiving. It shows the customer’s name, reason for the return, a list of items and prices, and the total amount of credit. Many credit memos require additional authorization.
PTS: 1
4. What role does each of the following departments play in the sales order processing subsystem: sales, credit, and shipping? Be complete.
ANS: The sales department receives the order information from the customer, either by mail, phone, or in person. Information is captured on a sales order form which includes customer name, account number, name, number and description of items ordered, quantities and unit prices plus taxes, shipping info, discounts, freight terms. This form is usually prepared in multiple copies that are used for credit approval, packing, stock release, shipping, and billing.
The credit department provides transaction authorization by approving the customer for a credit sale and returns and allowances.
The shipping department receives information from the sales department in the form of packing slip and shipping notice. When the goods arrive from the warehouse, the documents are reconciled with the stock release papers. The goods are packed and labeled. The packing slip is included. The shipping notice is sent to billing. A bill of lading is prepared to accompany the shipment.
PTS: 1
5. With regard to segregation of duties, rule one is that transaction authorization and transaction processing should be separated. What does this require in the revenue cycle?
ANS: Within the revenue cycle, the credit department is separate from the rest of the process. Hence, the authorization of the transaction (granting of credit) is independent. If other people, e.g., sales staff, were able to authorize credit sales, there would be the temptation to approve sales to any customer, even those known to not be credit worthy.
PTS: 1
6. With regard to segregation of duties, rule two is that asset custody and record keeping should be separated. What does this require in the revenue cycle?
ANS: In the revenue cycle, the warehouse has custody of physical assets while accounting (especially general ledger and inventory control) maintains the records. Also, in the cash receipts subsystem, cash receipts has custody of the asset (cash) while general ledger and accounts receivable keep the records.
PTS: 1
7. What role does each of the following departments play in the cash receipts subsystem: mail room, cash receipts, accounts receivable, and general ledger? Be complete.
ANS: The mail room receives the customer’s payment–usually a check accompanied by a document called a remittance advice (which may be a copy of the invoice sent to the customer). Mail clerks separate the two, prepare a cash prelist or remittance list which lists all the payments received, and send the checks to the cashier and the remittance advices to accounts receivable.
In cash receipts someone (e.g., the cashier) restrictively endorses the checks and records the payments in the cash receipts journal. A deposit slip is prepared which accompanies the checks to the bank.
The accounts receivable department posts from the remittance advices to the customer accounts in the AR subsidiary ledger.
The general ledger department records cash receipts to the cash and AR control accounts based on the list from the mailroom and the summary report of posting from A/R.
PTS: 1
8. For each of the following documents, describe its purpose, the functional area preparing it, and the key data included: remittance advice, remittance list, deposit slip. ANS: A remittance advice is sent by the customer to accompany payment. However, it is often part of or a copy of the invoice previously sent by the billing department after the goods were shipped. A remittance list is often called a cash prelist and is prepared by the mail room clerk to record all cash received. It accompanies the checks to the cashier. A deposit slip is prepared by the cashier to accompany the checks to the bank. This is usually a preprinted bank form.
PTS: 1
9. How is independent verification carried out in a manual revenue system? ANS: Independent verification occurs in several departments as part of the sales order processing system. The shipping department verifies that the goods released by the warehouse for shipment, as shown on the stock release document, match the packing slip. Billing compares the shipping notice with the invoice to be sure customers are billed only for goods shipped. And general ledger reconciles the journal vouchers prepared by billing, inventory control, cash receipts, and accounts receivable. This reconciliation focuses on a match between what was ordered, what was removed from the stockroom, what was shipped, what was billed, cash received, and credit to the customer account.
PTS: 1
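The reconciliation general ledger performs in short answers 7 and 9, as an added example that is not part of the test bank: the mail room's cash prelist is the independent record, and it is compared, in total and customer by customer, with the cashier's deposit slip (custody) and accounts receivable's postings (records). The three documents are constructed sample data with hypothetical customer numbers; the scenario plants one check that never reached the bank and a transposed AR posting, which a comparison of totals alone would miss because the AR total still agrees with the prelist.

```python
from decimal import Decimal

# Constructed sample documents; customer numbers and amounts are hypothetical.
# Mail room: cash prelist (remittance list) of every payment opened.
PRELIST = {
    "C100": Decimal("1200.00"),
    "C200": Decimal("450.00"),
    "C300": Decimal("300.00"),
}
# Cashier: deposit slip that went to the bank with the checks (C300's check is missing).
DEPOSIT_SLIP = {
    "C100": Decimal("1200.00"),
    "C200": Decimal("450.00"),
}
# Accounts receivable: postings from the remittance advices (C200/C300 amounts transposed).
AR_POSTINGS = {
    "C100": Decimal("1200.00"),
    "C200": Decimal("300.00"),
    "C300": Decimal("450.00"),
}


def total(doc):
    """Control total of one document."""
    return sum(doc.values(), Decimal("0"))


def reconcile_cash_receipts(prelist, deposit, ar_postings):
    """General ledger's check: the independent prelist must agree with both the
    deposit slip and the AR postings, in total and by customer.
    Returns a list of exception strings; an empty list means the receipts reconcile."""
    exceptions = []
    if total(deposit) != total(prelist):
        exceptions.append(f"deposit total {total(deposit)} != prelist total {total(prelist)}")
    if total(ar_postings) != total(prelist):
        exceptions.append(f"AR posting total {total(ar_postings)} != prelist total {total(prelist)}")
    # Customer-level comparison catches misposting even when the totals agree.
    for cust in sorted(set(prelist) | set(deposit) | set(ar_postings)):
        listed = prelist.get(cust, Decimal("0"))
        deposited = deposit.get(cust, Decimal("0"))
        posted = ar_postings.get(cust, Decimal("0"))
        if deposited != listed:
            exceptions.append(f"{cust}: deposited {deposited}, prelist {listed}")
        if posted != listed:
            exceptions.append(f"{cust}: AR posted {posted}, prelist {listed}")
    return exceptions


if __name__ == "__main__":
    for line in reconcile_cash_receipts(PRELIST, DEPOSIT_SLIP, AR_POSTINGS):
        print("EXCEPTION:", line)
```

Run as written, the deposit total is short by the missing C300 check, the AR total agrees with the prelist, and the per-customer pass still flags C200 and C300 because the postings were transposed.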
IT Auditing, 4th Ed—Test Bank, Chapter 10
Chapter 10—Auditing the Expenditure Cycle
TRUE/FALSE
1. In non-manufacturing firms, purchasing decisions are authorized by inventory control. ANS: T
PTS: 1
2. The blind copy of the purchase order that goes to the receiving department contains no item descriptions. ANS: F
PTS: 1
3. Firms that wish to improve control over cash disbursements use a voucher system. ANS: T
PTS: 1
4. In a voucher system, the sum of all unpaid vouchers in the voucher register equals the firm’s total voucher payable balance. ANS: T
PTS: 1
5. The accounts payable department reconciles the accounts payable subsidiary ledger to the control account. ANS: F
PTS: 1
6. The use of inventory reorder points suggests the need to obtain specific authorization. ANS: F
PTS: 1
7. Proper segregation of duties requires that the responsibility for approving a payment be separated from posting to the cash disbursements journal. ANS: T
PTS: 1
8. A major risk exposure in the expenditure cycle is that accounts payable may be overstated at the end of the accounting year. ANS: F
PTS: 1
9. When a trading partner agreement is in place, the traditional three way match may be eliminated. ANS: T
PTS: 1
10. Authorization of purchases in a merchandising firm occurs in the inventory control department. ANS: T
PTS: 1
11. A three way match involves a purchase order, a purchase requisition, and an invoice. ANS: F
PTS: 1
12. Authorization for a cash disbursement occurs in the cash disbursement department upon receipt of the supplier’s invoice. ANS: F
PTS: 1
13. Permitting warehouse staff to maintain the only inventory records violates separation of duties. ANS: T
PTS: 1
14. A purchasing system that employs electronic data interchange does not use a purchase order. ANS: F
PTS: 1
15. Inventory control should be located in the warehouse. ANS: F
PTS: 1
16. Inspection of shipments in the receiving department would be improved if the documentation showed the value of the inventory. ANS: F
PTS: 1
17. One reason for authorizing purchases is to enable efficient inventory management. ANS: T
PTS: 1
18. If accounts payable receives an invoice directly from the supplier, it needs to be reconciled with the purchase order and receiving report. ANS: T
PTS: 1
19. Supervision in receiving is intended to reduce the theft of assets. ANS: T
PTS: 1
20. The inventory procurement process begins with the purchasing clerk preparing a purchase order. ANS: F
PTS: 1
21. The receiving report is prepared by the vendor to provide evidence that the purchase order was received. ANS: F
PTS: 1
22. When goods are received, the receiving clerk sends copies of the receiving report to the inventory control clerk and the AP clerk. ANS: T
PTS: 1
23. Time cards are used by cost accounting to allocate direct labor charges to work in process. ANS: F
PTS: 1
24. The personnel department authorizes changes in employee pay rates. ANS: T
PTS: 1
25. Most payroll systems for mid-size firms use real-time data processing. ANS: F
PTS: 1
26. Because a time clock is used, no supervision is required when employees enter and leave the workplace. ANS: F
PTS: 1
27. Work-in-process records are updated by payroll personnel. ANS: F
PTS: 1
28. Ideally, payroll checks are written on a special bank account used only for payroll. ANS: T
PTS: 1
29. The supervisor is the best person to determine the existence of a “phantom employee” and should distribute paychecks. ANS: F
PTS: 1
30. Payroll processing can be automated easily because accounting for payroll is very simple. ANS: F
PTS: 1
31. Timekeeping is part of the personnel function. ANS: F
PTS: 1
32. The payroll department is responsible for both updating the employee records and writing paychecks. ANS: T
PTS: 1
MULTIPLE CHOICE
1. The purpose of the purchase requisition is to a. order goods from vendors b. record receipt of goods from vendors c. authorize the purchasing department to order goods d. bill for goods delivered ANS: C
PTS: 1
2. All of the following departments have a copy of the purchase order except a. the purchasing department b. the receiving department c. accounts payable d. general ledger ANS: D
PTS: 1
3. The purpose of the purchase order is to a. order goods from vendors b. record receipt of goods from vendors c. authorize the purchasing department to order goods d. approve payment for goods received ANS: A
PTS: 1
4. The open purchase order file in the purchasing department is used to determine a. the quality of items a vendor ships b. the best vendor for a specific item c. the orders that have not been received d. the quantity of items received ANS: C
PTS: 1
5. The reason that a blind copy of the purchase order is sent to receiving is to a. inform receiving when a shipment is due b. force a count of the items delivered c. inform receiving of the type, quantity, and price of items to be delivered d. require that the goods delivered are inspected ANS: B
PTS: 1
6. The receiving report is used to a. accompany physical inventories to the storeroom or warehouse b. advise the purchasing department of the dollar value of the goods delivered c. advise general ledger of the accounting entry to be made d. advise the vendor that the goods arrived safely ANS: A
PTS: 1
7. When a copy of the receiving report arrives in the purchasing department, it is used to a. adjust perpetual inventory records b. record the physical transfer of inventory from receiving to the warehouse c. analyze the receiving department’s process d. recognize the purchase order as closed ANS: D
PTS: 1
8. The financial value of a purchase is determined by reviewing the a. packing slip b. purchase requisition c. receiving report d. supplier’s invoice ANS: D
PTS: 1
9. In a merchandising firm, authorization for the payment of inventory is the responsibility of a. inventory control b. purchasing c. accounts payable d. cash disbursements ANS: C
PTS: 1
10. In a merchandising firm, authorization for the purchase of inventory is the responsibility of a. inventory control b. purchasing c. accounts payable d. cash disbursements ANS: A
PTS: 1
11. When purchasing inventory, which document usually triggers the recording of a liability? a. purchase requisition b. purchase order c. receiving report d. supplier’s invoice ANS: D
PTS: 1
12. Because of time delays between receiving inventory and making the journal entry a. liabilities are usually understated b. liabilities are usually overstated c. liabilities are usually correctly stated d. none of the above ANS: A
PTS: 1
13. Usually the open voucher payable file is organized by a. vendor b. payment due date c. purchase order number d. transaction date ANS: B
PTS: 1
14. Which of the following statements is not correct? a. the voucher system is used to improve control over cash disbursements b. the sum of the paid vouchers represents the voucher payable liability of the firm c. the voucher system permits the firm to consolidate payments of several invoices on one voucher d. many firms replace accounts payable with a voucher payable system ANS: B
PTS: 1
15. In the expenditure cycle, general ledger does not a. post the journal voucher from the accounts payable department b. post the account summary from inventory control c. post the journal voucher from the purchasing department d. reconcile the inventory control account with the inventory subsidiary summary ANS: C
PTS: 1
16. The documents in a voucher packet include all of the following except a. a check b. a purchase order c. a receiving report d. a supplier’s invoice ANS: A
PTS: 1
17. To maintain a good credit rating and to optimize cash management, cash disbursements should arrive at the vendor’s place of business a. as soon as possible b. on the due date c. on the discount date d. by the end of the month ANS: C
PTS: 1
18. The cash disbursement clerk performs all of the following tasks except a. reviews the supporting documents for completeness and accuracy b. prepares checks c. signs checks d. marks the supporting documents paid ANS: C
PTS: 1
19. Of the following duties, it is most important to separate a. warehouse from stores b. warehouse from inventory control c. accounts payable and accounts receivable d. purchasing and accounts receivable ANS: B
PTS: 1
20. The receiving department is not responsible to a. inspect shipments received b. count items received from vendors c. order goods from vendors d. safeguard goods until they are transferred to the warehouse ANS: C
PTS: 1
21. The major risk exposures associated with the receiving department include all of the following except a. goods are accepted without a physical count b. there is no inspection for goods damaged in shipment c. inventories are not secured on the receiving dock d. the audit trail is destroyed ANS: D
PTS: 1
22. When searching for unrecorded liabilities at the end of an accounting period, the accountant would search all of the files except a. the purchase requisition file b. the cash receipts file c. the purchase order file d. the receiving report file ANS: B
PTS: 1
23. With regard to the accounts payable department, which statement is not true? a. the purchase requisition shows that the transaction was authorized b. the purchase order proves that the purchase was required c. the receiving report provides evidence of the physical receipt of the goods d. the supplier’s invoice indicates the financial value of the transaction ANS: B
PTS: 1
24. In a computerized system that uses an economic order quantity (EOQ) model and the perpetual inventory method, who determines when to reorder inventory? a. the inventory control clerk b. the purchasing department c. the vendor d. the computer system ANS: D
PTS: 1
25. In a real-time processing system with a high number of transactions, the best and most practical control over cash disbursements is to have a. all checks manually signed by the treasurer b. all checks signed by check-signing equipment c. checks over a certain dollar amount manually signed by the treasurer d. checks over a certain dollar amount manually signed by the cash disbursements clerk ANS: C
PTS: 1
26. If a company uses a standard cost system, inventory records can be updated from the a. vendor invoice b. purchase order c. receiving report d. purchase requisition ANS: C
PTS: 1
27. If a company uses an actual cost system, inventory records can first be updated from the a. vendor invoice b. purchase order c. receiving report d. purchase requisition ANS: A
PTS: 1
28. Copies of a purchase order are sent to all of the following except a. inventory control b. receiving c. general ledger d. accounts payable ANS: C
PTS: 1
29. A supplier invoice a. is included with the goods b. shows what was ordered even if all was not shipped c. is sent by vendor to accounts payable d. none of the above ANS: C
PTS: 1
30. The document that captures the total amount of time that individual workers spend on each production job is called a a. time card b. job ticket c. personnel action form d. labor distribution form ANS: B
PTS: 1
31. An important reconciliation in the payroll system is a. general ledger compares the labor distribution summary from cost accounting to the disbursement voucher from accounts payable b. personnel compares the number of employees authorized to receive a paycheck to the number of paychecks prepared c. production compares the number of hours reported on job tickets to the number of hours reported on time cards d. payroll compares the labor distribution summary to the hours reported on time cards ANS: A
PTS: 1
32. Which internal control is not an important part of the payroll system? a. Supervisors verify the accuracy of employee time cards. b. Paychecks are distributed by an independent paymaster. c. Accounts payable verifies the accuracy of the payroll register before transferring payroll funds to the general checking account. d. General ledger reconciles the labor distribution summary and the payroll disbursement voucher. ANS: C
PTS: 1
33. In the payroll subsystem, which function should distribute paychecks? a. personnel b. timekeeping c. paymaster d. payroll ANS: C
PTS: 1
34. Which of the following statements is not true? a. Routine payroll processing begins with the submission of time cards. b. Payroll clerks must verify the hours reported on the time cards. c. Payroll reconciles personnel action forms with time cards and prepares paychecks. d. Cash disbursements signs paychecks and forwards them to the paymaster for distribution. ANS: B
PTS: 1
35. Which department is responsible for approving changes in pay rates for employees? a. payroll b. treasurer c. personnel d. cash disbursements ANS: C
PTS: 1
36. Which of the following situations represents a serious control weakness? a. Timekeeping is independent of the payroll department. b. Paychecks are distributed by the employee’s immediate supervisor. c. Time cards are reconciled with job tickets. d. Personnel is responsible for updating employee records, including creation of records for new hires. ANS: B
PTS: 1
37. Why would an organization require the paymaster to deliver all unclaimed paychecks to the internal audit department? a. to detect a “phantom employee” for whom a check was produced b. to prevent an absent employee’s check from being lost c. to avoid paying absent employees for payday d. to prevent the paymaster from cashing unclaimed checks ANS: A
PTS: 1
38. Payroll uses time card data to do all of the following except a. prepare the payroll register b. update employee payroll records c. prepare the labor distribution summary d. prepare paychecks ANS: C
PTS: 1
39. Payroll checks are typically drawn on a. the regular checking account b. a payroll imprest account c. a wages payable account d. petty cash ANS: B
PTS: 1
40. The personnel action form provides authorization control by a. preventing paychecks for terminated employees b. verifying pay rates for employees c. informing payroll of new hires d. all of the above ANS: D
PTS: 1
SHORT ANSWER
1. Which internally generated documents should be compared to the supplier’s invoice to: (1) verify the price of an item and (2) verify the quantity being billed for? ANS: (1) purchase order and (2) receiving report
PTS: 1
2. List specific jobs that should be segregated in (1) the purchases processing system and (2) the cash disbursements system. ANS: (1) inventory control from warehouse, general ledger from accounts payable subsidiary ledger (2) general ledger from accounts payable subsidiary ledger, accounts payable subsidiary ledger from cash disbursements
PTS: 1
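One way to test the separations listed in short answer 2 (and in true/false 7 and 13) against an actual user-role assignment list, as an added example that is not part of the test bank. The incompatible duty pairs encode the chapter's rules; the role names, users and role-to-duty mapping are hypothetical and stand in for the security export an IT auditor would pull from the purchasing and payables application.

```python
from itertools import combinations

# Duty pairs the chapter requires to be held by different people in the
# purchases and cash disbursements systems.
INCOMPATIBLE_DUTIES = {
    frozenset({"warehouse_custody", "inventory_control"}),
    frozenset({"general_ledger", "ap_subsidiary_ledger"}),
    frozenset({"ap_subsidiary_ledger", "cash_disbursements"}),
    frozenset({"payment_approval", "cash_disbursements_journal"}),
}

# Constructed role definitions (hypothetical names modeled on an ERP security export).
ROLE_DUTIES = {
    "WH_CLERK": {"warehouse_custody"},
    "INV_CTRL": {"inventory_control"},
    "AP_CLERK": {"ap_subsidiary_ledger"},
    "GL_ACCOUNTANT": {"general_ledger"},
    "CASH_DISB": {"cash_disbursements", "cash_disbursements_journal"},
    "AP_SUPER": {"ap_subsidiary_ledger", "general_ledger"},  # conflict built into the role
}

# Constructed user-role assignments.
USER_ROLES = [
    ("alice", "WH_CLERK"),
    ("alice", "INV_CTRL"),      # custody plus record keeping of the same asset
    ("bob", "AP_CLERK"),
    ("bob", "CASH_DISB"),       # keeps the AP ledger and writes the checks
    ("carol", "GL_ACCOUNTANT"),
    ("dave", "AP_SUPER"),
]


def duties_of(user, user_roles, role_duties):
    """Union of the duties a user holds through every assigned role."""
    duties = set()
    for holder, role in user_roles:
        if holder == user:
            duties |= role_duties.get(role, set())
    return duties


def find_sod_violations(user_roles, role_duties, incompatible=INCOMPATIBLE_DUTIES):
    """Sorted (user, duty_a, duty_b) triples where one person holds both duties,
    regardless of how many roles it took to accumulate them."""
    violations = []
    for user in sorted({holder for holder, _ in user_roles}):
        held = duties_of(user, user_roles, role_duties)
        for a, b in combinations(sorted(held), 2):
            if frozenset({a, b}) in incompatible:
                violations.append((user, a, b))
    return violations


def find_conflicting_roles(role_duties, incompatible=INCOMPATIBLE_DUTIES):
    """Roles that bundle incompatible duties are a design defect on their own,
    before anyone is assigned to them."""
    return sorted(
        role for role, duties in role_duties.items()
        if any(frozenset({a, b}) in incompatible for a, b in combinations(sorted(duties), 2))
    )


if __name__ == "__main__":
    for v in find_sod_violations(USER_ROLES, ROLE_DUTIES):
        print("SoD violation:", v)
    print("roles with built-in conflict:", find_conflicting_roles(ROLE_DUTIES))
```

Checking accumulated duties per user rather than per role is the point: bob's two roles are each clean in isolation, and only their union violates the rule.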
3. Describe internal control procedures that would (1) detect that a vendor overcharged for goods delivered, (2) prevent payment for an invoice for goods that were never delivered and (3) prevent issuing two checks in payment of the same invoice. ANS: (1) Accounts payable should compare the price on the purchase order to the price on the supplier’s invoice. Accounts payable should recalculate the math (extensions and additions) and check all other charges such as freight, tax, etc. (2) Accounts payable should match every item on every invoice to a receiving report. (3) The supporting documents should be marked “paid” after the check is signed. A computerized system will tag the invoice number as paid.
PTS: 1
4. Explain why supervision is so important in the receiving department. ANS: Receiving department employees have custody of the asset and record keeping responsibilities. Without proper supervision, employees may fail to count and inspect incoming shipments. Without proper supervision, shipments may disappear from the receiving dock before being transferred to the warehouse.
PTS: 1
5. What type of errors or fraud might happen if (1) the accounts payable ledger is not periodically reconciled to the control account in the general ledger and (2) suppliers’ invoices are not compared to purchase orders or to receiving reports before payment? ANS: (1) Errors in A/P processing would go undetected; overstated payments produce debit balances in A/P. (2) Payment at higher than anticipated prices; payment for goods not received.
PTS: 1
6. What internal accounting control(s) would be the most effective in preventing a storekeeper from taking inventory home at night? When shortages become apparent, he claims the goods were never received. ANS: Receiving records items received on a receiving report; the storekeeper initials receipt of the goods.
PTS: 1
7. Why should the copy of a purchase order, which is sent to receiving, be a “blind” copy? ANS: To force workers in receiving to count and inspect the goods received.
PTS: 1
8. What is(are) the purpose(s) of maintaining a valid vendor file? ANS: Inventories should only be acquired from valid vendors. This control procedure helps to deter the purchasing agent from buying inventories at excessive costs and receiving kickbacks, or from buying from an entity in which the purchasing agent has a relationship, such as a relative or a friend.
PTS: 1
9. Name two major benefits of automating the purchasing effort. ANS: improved inventory control, better cash management, streamlining the purchasing effort
PTS: 1
10. Where is access control exercised in the purchasing/cash disbursement functions? ANS: physical control of inventory and cash; access to documents that control physical assets, such as purchase requisitions, purchase orders, receiving reports, etc.
PTS: 1
11. Explain why a three way match may not be required for transactions covered by a trading partner agreement. ANS: Under a trading partner agreement the parties contractually agree to terms of trade such as price, quantities to be shipped, discounts, and lead times. With these sources of potential discrepancy eliminated, financial information about purchases is known in advance and the vendor’s invoice provides no critical information that cannot be derived from the receiving report. Thus, a three way match is unnecessary.
PTS: 1
12. Name the key tasks associated with purchases procedures. ANS: Purchases procedures include the tasks of identifying inventory needs, placing the order, receiving the inventory, and recognizing the liability.
PTS: 1
13. What is the purpose of a receiving report? ANS: Upon completion of the physical count and inspection of the items received, the receiving clerk prepares a receiving report stating the quantity and condition of the inventories. This receiving report is sent to various other functions for reconciliation and updating of records. One copy of the receiving report accompanies the physical inventories to either the raw materials storeroom or finished goods warehouse for safekeeping. Another copy is filed in the open/closed PO file to close out the PO. A third copy of the receiving report is sent to the AP department, where it is filed in the AP pending file. A fourth copy of the receiving report is sent to inventory control for updating the inventory records. Finally, a copy of the receiving report is placed in the receiving report file.
PTS: 1
14. What is the purpose of the supplier’s invoice? ANS: The supplier’s invoice triggers the three-way match and the AP recognition process. During the course of the transaction, the AP department has received and temporarily filed copies of the PO and receiving report. The organization has received inventories from the vendor and has realized an obligation to pay for them. The firm has not, however, received the supplier’s invoice, which contains the financial information needed to record the transaction. The firm will thus defer recording (recognizing) the liability until the invoice arrives.
PTS: 1
15. What is the principal objective of the cash disbursement system? ANS: The principal objective of this system is to ensure that timely and accurate payments are made to only valid creditors. If the system makes payments early, the firm forgoes interest income that it could have earned on the funds. If obligations are paid late, however, the firm will lose purchase discounts or may damage its credit standing.
PTS: 1
16. What is a vouchers payable system and why is it used? ANS: Many firms use a vouchers payable system rather than a traditional AP system. Under this approach, the AP department uses cash disbursement vouchers and maintains a voucher register. After the AP clerk performs the three-way match, he or she prepares a cash disbursement voucher to approve payment. Vouchers provide improved control over cash disbursements and allow firms to consolidate several payments to the same supplier on a single voucher, thus reducing the number of checks written.
PTS: 1
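The three-way match, voucher preparation and paid-marking described in short answers 3, 14 and 16 (and the "sum of unpaid vouchers equals the liability" rule of true/false 4), carried through in code as an added example that is not part of the test bank. The purchase order, receiving report, invoices, vendor and amounts are constructed; the valid vendor file, the exception wording and the voucher numbering are assumptions of the example, not procedures from the textbook. The short shipment (90 of 100 units received) is planted so that the second invoice fails on both price and quantity.

```python
from dataclasses import dataclass, field
from decimal import Decimal


# Constructed source documents; identifiers are hypothetical.
@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    vendor: str
    item: str
    quantity: int
    unit_price: Decimal  # the authorized price


@dataclass(frozen=True)
class ReceivingReport:
    rr_number: str
    po_number: str
    item: str
    quantity_received: int  # from the blind count on the dock


@dataclass(frozen=True)
class SupplierInvoice:
    invoice_number: str
    vendor: str
    po_number: str
    item: str
    quantity_billed: int
    unit_price: Decimal
    total: Decimal  # what the vendor actually asks for


@dataclass
class VoucherRegister:
    """Cash disbursement vouchers; an open (unpaid) voucher is a liability."""
    vouchers: dict = field(default_factory=dict)  # voucher_no -> [invoice_no, amount, paid]
    vouchered_invoices: set = field(default_factory=set)

    def open_liability(self) -> Decimal:
        return sum((v[1] for v in self.vouchers.values() if not v[2]), Decimal("0"))


def three_way_match(invoice, po_file, rr_file, valid_vendors):
    """Compare the invoice with the PO (price) and receiving reports (quantity).
    Returns the exceptions found; an empty list means the invoice may be vouchered."""
    exceptions = []
    if invoice.vendor not in valid_vendors:
        exceptions.append("vendor not in valid vendor file")
    po = po_file.get(invoice.po_number)
    if po is None:
        exceptions.append(f"no purchase order {invoice.po_number}")
        return exceptions
    if po.vendor != invoice.vendor or po.item != invoice.item:
        exceptions.append("invoice vendor/item do not match the purchase order")
    if invoice.unit_price != po.unit_price:  # overcharge detection
        exceptions.append(f"price {invoice.unit_price} differs from PO price {po.unit_price}")
    received = sum(r.quantity_received for r in rr_file
                   if r.po_number == invoice.po_number and r.item == invoice.item)
    if invoice.quantity_billed > received:  # goods never delivered
        exceptions.append(f"billed {invoice.quantity_billed} units, received {received}")
    if invoice.total != invoice.quantity_billed * invoice.unit_price:  # recalculate extension
        exceptions.append("invoice extension does not foot")
    return exceptions


def voucher_invoice(register, invoice, exceptions):
    """AP prepares a voucher only for a clean match on an invoice not yet vouchered."""
    if exceptions or invoice.invoice_number in register.vouchered_invoices:
        return None
    voucher_no = f"V-{len(register.vouchers) + 1:04d}"
    register.vouchers[voucher_no] = [invoice.invoice_number, invoice.total, False]
    register.vouchered_invoices.add(invoice.invoice_number)
    return voucher_no


def pay_voucher(register, voucher_no):
    """Cash disbursements pays an open voucher once; the paid flag blocks a second check."""
    entry = register.vouchers.get(voucher_no)
    if entry is None or entry[2]:
        return False
    entry[2] = True
    return True


def run_demo():
    valid_vendors = {"Acme Supply"}
    po_file = {"PO-1001": PurchaseOrder("PO-1001", "Acme Supply", "widget", 100, Decimal("2.50"))}
    rr_file = [ReceivingReport("RR-501", "PO-1001", "widget", 90)]  # short shipment
    good = SupplierInvoice("INV-A", "Acme Supply", "PO-1001", "widget", 90, Decimal("2.50"), Decimal("225.00"))
    bad = SupplierInvoice("INV-B", "Acme Supply", "PO-1001", "widget", 100, Decimal("2.75"), Decimal("275.00"))
    reg, results = VoucherRegister(), {}
    results["good_exceptions"] = three_way_match(good, po_file, rr_file, valid_vendors)
    results["bad_exceptions"] = three_way_match(bad, po_file, rr_file, valid_vendors)
    v = voucher_invoice(reg, good, results["good_exceptions"])
    voucher_invoice(reg, bad, results["bad_exceptions"])  # refused: exceptions
    results["liability_before_payment"] = reg.open_liability()
    results["first_payment"] = pay_voucher(reg, v)
    results["second_payment"] = pay_voucher(reg, v)          # duplicate check refused
    results["duplicate_voucher"] = voucher_invoice(reg, good, [])  # re-vouchering refused
    results["liability_after_payment"] = reg.open_liability()
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two things are deliberate: the match compares against the sum of all receiving reports for the PO, so partial deliveries billed on separate invoices still reconcile, and duplicate payment is blocked at two points (re-vouchering the same invoice number and paying a voucher already flagged paid), mirroring the "mark the supporting documents paid" control.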
17. Describe internal control procedures that would (1) prevent an employee from punching the time clock for another, absent employee and (2) prevent a supervisor from stealing the unclaimed paychecks of employees who have been terminated. ANS: (1) Supervision of the time clock at the start of the shift. (2) Use a paymaster to distribute paychecks to employees in person. Any uncollected paychecks are then returned to payroll. Also, mail final paychecks to terminated employees.
PTS: 1
18. Why should employee paychecks be drawn against a special checking account? ANS: A separate imprest account is established for the exact amount of the payroll based on the payroll summary. When the paychecks are cashed, this account should clear leaving a zero balance. Any errors in checks (additional checks or abnormal amounts) would result in a non-zero balance in the imprest account and/or some paycheck would not clear. This will alert management to the problem so corrective action can be taken.
PTS: 1
19. In a manufacturing firm, employees typically fill out two different documents regarding their time worked. What are they? Why are there two? ANS: The two documents are the time card and the job ticket. Two are required because the time card records all the time worked by an employee during the period while the job ticket details the time by project.
PTS: 1
20. Explain the purpose of each of the following documents used in the payroll system: the personnel action form, the job ticket, the time card. ANS: The personnel action form is a document which identifies employees who should receive a paycheck; reflects changes in pay rates, payroll deductions, and job classifications. The job ticket collects information on the time individual workers spend on each production job. The time card captures the total time that an employee is at work. PTS: 1
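The payroll controls of short answers 17, 18 and 20 and multiple choice 37 to 39, as an added example that is not part of the test bank: the payroll register is built only from employees in the personnel master, the imprest account is funded for exactly the register total, and a check written to an employee with no personnel record surfaces three ways, as a non-zero imprest balance after clearing, as a check with no register line, and as an unclaimed paycheck at the paymaster. Employee IDs, rates, hours and the planted phantom check are constructed.

```python
from decimal import Decimal

# Constructed sample data; employee IDs, rates and hours are hypothetical.
# Personnel master: only employees with a personnel action form on file.
PERSONNEL_MASTER = {
    "E001": {"name": "A. Adams", "rate": Decimal("20.00")},
    "E002": {"name": "B. Baker", "rate": Decimal("19.00")},
}
# Hours from supervisor-approved time cards forwarded by timekeeping.
TIME_CARDS = {"E001": 40, "E002": 40}
# Checks payroll actually wrote; "E999" has no personnel record (phantom employee).
CHECKS_WRITTEN = {
    "E001": Decimal("800.00"),
    "E002": Decimal("760.00"),
    "E999": Decimal("500.00"),
}
# Employees who collected their check from the paymaster in person.
PICKED_UP = {"E001", "E002"}


def prepare_payroll_register(master, time_cards):
    """Gross pay per employee, computed only for employees in the personnel master."""
    return {emp: master[emp]["rate"] * hours
            for emp, hours in time_cards.items() if emp in master}


def payroll_total(register):
    """Amount transferred into the payroll imprest account."""
    return sum(register.values(), Decimal("0"))


def reconcile_imprest(funded, checks_cleared):
    """Imprest balance after the checks clear; anything other than zero is an exception."""
    return funded - sum(checks_cleared.values(), Decimal("0"))


def checks_not_on_register(checks_written, register):
    """Checks with no matching register line: candidate phantom employees."""
    return sorted(emp for emp in checks_written if emp not in register)


def unclaimed_checks(checks_written, picked_up):
    """Checks the paymaster could not hand out in person; these go to internal audit."""
    return sorted(emp for emp in checks_written if emp not in picked_up)


def run_payroll_controls():
    register = prepare_payroll_register(PERSONNEL_MASTER, TIME_CARDS)
    funded = payroll_total(register)
    return {
        "register": register,
        "imprest_funded": funded,
        "imprest_balance_after_clearing": reconcile_imprest(funded, CHECKS_WRITTEN),
        "checks_not_on_register": checks_not_on_register(CHECKS_WRITTEN, register),
        "unclaimed": unclaimed_checks(CHECKS_WRITTEN, PICKED_UP),
    }


if __name__ == "__main__":
    for key, value in run_payroll_controls().items():
        print(f"{key}: {value}")
```

The three detections are independent on purpose: the imprest reconciliation works even if the phantom's check was somehow added to the register, the register comparison works even if the account was over-funded, and the paymaster control works with no accounting records at all.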
ESSAY
1. Differentiate between a purchase requisition and a purchase order. ANS: A purchase requisition is completed by the inventory control department when a need for inventory items is detected. Purchase requisitions for office supplies and other materials may also be completed by staff departments such as marketing, finance, accounting, and personnel. The purchasing department receives the purchase requisitions, and if necessary, determines the appropriate vendor. If various departments have requisitioned the same items, the purchasing department may consolidate all requests into one order so that any quantity discounts and lower freight charges may be taken. In any case, the purchasing department prepares the purchase order, which is sent to the vendor, accounts payable department, and the receiving department (blind copy).
PTS: 1
2. The Soap Manufacturing Company has three employees who work in the warehouse. All of the warehouse workers are authorized to order inventory when it falls below the reorder level. The workers complete a purchase order and mail it to the supplier of their choice. The inventory is delivered directly to the warehouse. The workers send a memo to accounts payable reporting the receipt of inventory. Accounts payable compares the warehouse memo to the supplier’s invoice. Accounts payable prepares a check which the treasurer signs. Describe at least five needed internal control improvements. ANS: The warehouse workers should prepare a purchase requisition and send it to purchasing. Warehouse workers should make a note that the inventory has been requisitioned to avoid each of the workers requisitioning the same inventory items. Purchasing should prepare a purchase order. Purchasing should select a vendor based on price, quality of goods, delivery time, etc. Inventory should be delivered to the receiving department. The receiving department should prepare a receiving report. Accounts payable should receive a copy of the purchase requisition, purchase order, and receiving report and compare these documents to the supplier’s invoice. Cash disbursements should prepare the check. The supporting documents should be marked “paid” by cash disbursements.
PTS: 1
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
3. How does a voucher payable system work? What documents are reconciled? Who prepares the voucher? How is the A/P balance determined? How does the voucher payable system improve control over cash?
ANS: In place of a standard accounts payable system, many firms use a voucher payable system. The A/P department prepares cash disbursement vouchers, which are recorded in a voucher register. A clerk reconciles the purchase requisition, purchase order, receiving report, and vendor invoice. If all agree, the clerk prepares the voucher, which vouches for the need to disburse cash. The voucher is then approved by a superior. The sum of all open (unpaid) vouchers is the A/P balance. Control over cash disbursements is improved because of the itemization of items on the voucher and the authorization required. Without the data and the authorization, no check is prepared.
PTS: 1
4. What are the steps taken in the cash disbursement system?
ANS: Accounts payable reviews the documents related to a liability: purchase requisition, purchase order, receiving report, and vendor invoice. If proper, cash disbursements is authorized to make payment. Cash disbursements prepares the check; a separate person signs it, sends it to the vendor, and notifies accounts payable. At the end of the period, cash disbursements and accounts payable send summary information to the general ledger.
PTS: 1
5. How does the procedure for determining inventory requirements differ between a basic batch processing system and batch processing with real-time data input of sales and receipts of inventory? What about the procedures used by the receiving department?
ANS: A system which employs real-time data entry of sales will update the inventory levels more frequently. Thus, when a sale depletes the inventory level to the reorder point, the system will flag it for reorder more quickly than if it had to wait for a batch update of the inventory records. The sooner the item is ordered, the sooner it will be received. With respect to the real-time receipt of inventory, the inventory will be updated immediately to show the accurate amount which is on hand. Thus, a customer wishing to know how soon they may have an item shipped will receive more accurate information regarding the status of the firm’s inventory levels. The customer benefits from better stocking of inventory and better information regarding the inventory levels. The receiving department uses real-time data entry; they enter the purchase order number and a receiving screen prompts the clerk for the quantities of goods received. This system should cause fewer discrepancies due to poor handwriting, carelessness, and loss of the receiving report form.
PTS: 1
6. Outline the key steps taken in the purchasing system.
ANS: Inventory control monitors inventory and authorizes restocking with a purchase requisition. A copy is retained and one is sent to accounts payable. Purchasing acts on the purchase requisition and prepares a purchase order. The original is sent to a vendor. Copies go to inventory control and accounts payable. A blind copy is sent to receiving and another is filed in purchasing. When the goods are received, the receiving staff count and inspect the goods. The blind purchase order tells what goods were ordered. The count is a significant control check. Receiving prepares a receiving report. One copy accompanies the goods to the storeroom. Other copies go to purchasing, inventory control, and accounts payable. Accounts payable reconciles the purchase requisition, purchase order, and receiving report. When the vendor invoice arrives, it is examined thoroughly and reconciled, and if all documents agree, the transaction is recorded in the purchases journal and the accounts payable subsidiary ledger. The information is filed until the time arises to make payment. The general ledger department receives a journal voucher from accounts payable and a summary from inventory control. The inventory and accounts payable control accounts are updated.
PTS: 1
7. The Golf Club Company makes custom golf clubs. The manufacturing supervisor interviews people who have specialized manufacturing skills, and he informs payroll when an employee is hired. The employees use a time clock to record the hours they work. The employees are also required to keep a record of the time they spend working on each order. The supervisor approves all time cards. The accountant analyzes the job tickets and prepares a labor distribution summary. Payroll prepares the payroll register and paychecks. The supervisor distributes the paychecks to the employees. Payroll informs cash disbursement of the funds required to cover the entire payroll amount. The cash disbursements clerk ensures that there are adequate funds in the company's regular checking account to cover the payroll. Describe at least three internal control weaknesses; for each weakness suggest an improvement to internal control.
ANS:
WEAKNESS: The supervisor could be creating fictitious employees. The supervisor has too many incompatible duties; he hires workers, approves the time cards, and distributes the paychecks.
IMPROVEMENT: Segregate duties. Personnel should hire employees and a paymaster should distribute paychecks.
WEAKNESS: Employees could be paid for time they do not work; a co-worker could record an absent worker as present (punch the time clock).
IMPROVEMENT: Supervise the time clock. Reconcile time cards and job time tickets.
WEAKNESS: Payroll has authorization and transaction processing responsibilities. Payroll is authorizing the disbursement to fund the entire payroll. Accounts payable is not part of the system.
IMPROVEMENT: Segregate duties; accounts payable should verify the accuracy of the payroll register and create a disbursement voucher.
WEAKNESS: Payroll is funded through the general checking account.
IMPROVEMENT: Paychecks should be written on a separate payroll account.
PTS: 1
8. Why does the payroll process lend itself to batch processing?
ANS: Payroll lends itself to batch computerization because it is processed at fixed time intervals, which permits some time lag. Processing the payroll file usually involves most employees each time it is processed, which is an efficient use of computer resources and can be accomplished with a single pass through the file.
PTS: 1
IT Auditing 4th Ed-Test Bank Chapter 11
Chapter 11—Enterprise Resource Planning Systems
TRUE/FALSE
1. The primary goal of installing an ERP system is reducing system maintenance costs. ANS: F
PTS: 1
2. The recommended data architecture for an ERP includes separate operational and data warehouse databases. ANS: T
PTS: 1
3. A closed database architecture shares data easily. ANS: F
PTS: 1
4. ERP systems support a smooth and seamless flow of information across organizations. ANS: T
PTS: 1
5. OLAP stands for on-line application processing. ANS: F
PTS: 1
6. Almost all ERP implementations involve an outside consultant. ANS: T
PTS: 1
7. Day-to-day transactions are stored in the operational database. ANS: T
PTS: 1
8. Data mining typically focuses on the operational databases. ANS: F
PTS: 1
9. Companies are more likely to modify an ERP to accommodate the company than to modify company processes to accommodate the ERP. ANS: F
PTS: 1
10. If a chosen ERP cannot handle a specific company process, bolt-on software may be available. ANS: T
PTS: 1
11. Core applications are also called OLAP. ANS: F
PTS: 1
12. The client/server model is a form of network topology in which user computers, called clients, access ERP programs and data via a host computer called a server. ANS: T
PTS: 1
13. A data warehouse is a relational or multi-dimensional database that may require hundreds of gigabytes of storage. ANS: T
PTS: 1
14. Drill-down capability is an OLAP feature of data mining tools. ANS: T
PTS: 1
15. Supply-chain management software is a type of program that supports efforts relative to moving goods from the raw material stage to the customer. ANS: T
PTS: 1
16. In two-tier architecture, the database and application functions are separated. ANS: F
PTS: 1
17. Slicing and dicing permits the disaggregation of data to reveal underlying details. ANS: F
PTS: 1
18. Data entered into the data warehouse must be normalized. ANS: F
PTS: 1
19. OLAP includes decision support, modeling, information retrieval, and what-if analysis. ANS: T
PTS: 1
20. Efficient supply-chain management provides firms with a competitive advantage. ANS: T
PTS: 1
21. The big-bang approach involves converting from old legacy systems to the new ERP in one implementation step. ANS: T
PTS: 1
22. A two-tier architecture approach is used primarily for wide area network (WAN) applications. ANS: F
PTS: 1
23. Data cleansing is a step performed by external auditors to identify and repair invalid data prior to the audit. ANS: F
PTS: 1
24. Organizations using ERP systems employ an internal control tool called a role. ANS: T
PTS: 1
25. In spite of the high technology employed in ERP systems, critical business controls such as a three-way match are always performed manually. ANS: F
PTS: 1
26. The role model assigns specific access privileges directly to individuals. ANS: F
PTS: 1
27. An access control list specifies the user-ID, the resources available to the user, and the level of permission granted. ANS: T
PTS: 1
28. RBAC assigns access permissions to the role an individual plays in the organization rather than directly to the individual. ANS: T
PTS: 1
29. A problem with RBAC is that managers tend to create unnecessary roles. ANS: T
PTS: 1
30. The implementation of an ERP creates an environment with a single point of failure, which places the organization at risk. ANS: T
PTS: 1
MULTIPLE CHOICE
1. Goals of ERP include all of the following except
a. improved customer service
b. improvements of legacy systems
c. reduced production time
d. increased production
ANS: B
PTS: 1
2. Core applications are
a. sales and distribution
b. business planning
c. shop floor control and logistics
d. all of the above
ANS: D
PTS: 1
3. Data warehousing processes do not include
a. modeling data
b. condensing data
c. extracting data
d. transforming data
ANS: B
PTS: 1
4. Which of the following is usually not part of an ERP’s core applications?
a. OLTP applications
b. sales and distribution applications
c. business planning applications
d. OLAP applications
ANS: D
PTS: 1
5. Which of the following is usually not part of an ERP’s OLAP applications?
a. logistics
b. decision support systems
c. ad hoc analysis
d. what-if analysis
ANS: A
PTS: 1
6. Which of the following statements is least likely to be true about a data warehouse?
a. It is constructed for quick searching and ad hoc queries.
b. It was an original part of all ERP systems.
c. It contains data that are normally extracted periodically from the operating databases.
d. It may be deployed by organizations that have not implemented an ERP.
ANS: B
PTS: 1
7. Which of the following statements is not true?
a. In a typical two-tier client server system, the server handles both application and database duties.
b. Client computers are responsible for presenting data to the user and passing user input back to the server.
c. In three-tier client server architecture, one tier is for user presentations, one is for database and applications, and the third is for Internet access.
d. The database and application functions are separate in the three-tier model.
ANS: C
PTS: 1
8. Which statement about data warehousing is not correct?
a. The data warehouse should be separate from the operational system.
b. Data cleansing is a process of transforming data into standard form.
c. Drill-down is a data-mining tool available to users of OLAP.
d. Normalization is a requirement of databases included in a data warehouse.
ANS: D
PTS: 1
9. Which statement about ERP installation is least accurate?
a. For the ERP to be successful, process reengineering must occur.
b. ERP fails because some important business process is not supported.
c. When a business is diversified, little is gained from ERP installation.
d. The phased-in approach is more suited to diversified businesses.
ANS: C
PTS: 1
10. Which statement is true?
a. ERPs are infinitely scalable.
b. Performance problems usually stem from technical problems, not business process reengineering.
c. The better ERP can handle any problems an organization can have.
d. ERP systems can be modified using bolt-on software.
ANS: D
PTS: 1
11. Legacy systems are
a. old manual systems that are still in place.
b. flat file mainframe systems developed before client-server computing became standard.
c. stable database systems after debugging.
d. advanced systems without a data warehouse.
ANS: B
PTS: 1
12. A data mart is
a. another name for a data warehouse.
b. a database that provides data to an organization’s customers.
c. an enterprise resource planning system.
d. a data warehouse created for a single function or department.
ANS: D
PTS: 1
13. Most ERPs are based on which network model?
a. peer to peer
b. client-server
c. ring topology
d. bus topology
ANS: B
PTS: 1
14. On-line transaction processing programs
a. are bolt-on programs used with commercially available ERPs.
b. are available in two models: two-tier and three-tier.
c. handle large numbers of relatively simple transactions.
d. allow users to analyze complex data relationships.
ANS: C
PTS: 1
15. Supply chain management software
a. is typically under the control of external partners in the chain.
b. links all of the partners in the chain, including vendors, carriers, third-party firms, and information systems providers.
c. cannot be integrated into an overall ERP.
d. none of the above
ANS: B
PTS: 1
16. The setup of a data warehouse includes
a. modeling the data
b. extracting data from operational databases
c. cleansing the data
d. all of the above
ANS: D
PTS: 1
17. Extracting data for a data warehouse
a. cannot be done from flat files.
b. should only involve active files.
c. requires that the files be out of service.
d. follows the cleansing of data.
ANS: C
PTS: 1
18. Data cleansing involves all of the following except
a. filtering out or repairing invalid data
b. summarizing data for ease of extraction
c. transforming data into standard business terms
d. formatting data from legacy systems
ANS: B
PTS: 1
19. Separating the data warehouse from the operations databases occurs for all of the following reasons except
a. to make the management of the databases more economical
b. to increase the efficiency of data mining processes
c. to integrate legacy system data into a form that permits entity-wide analysis
d. to permit the integration of data from diverse sources
ANS: A
PTS: 1
20. Closed database architecture is
a. a control technique intended to prevent unauthorized access from trading partners.
b. a limitation inherent in traditional information systems that prevents data sharing.
c. a data warehouse control that prevents unclean data from entering the warehouse.
d. a technique used to restrict access to data marts.
e. a database structure that many of the leading ERPs use to support OLTP applications.
ANS: B
PTS: 1
21. Which of the following is NOT a risk associated with ERP implementation?
a. A drop in firm performance after implementation because the firm looks and works differently than it did while using a legacy system.
b. Implementing companies have found that staff members, employed by ERP consulting firms, do not have sufficient experience in implementing new systems.
c. Implementing firms fail to select systems that properly support their business activities.
d. The selected system does not adequately meet the adopting firm’s economic growth.
e. ERPs are too large, complex, and generic for them to be well integrated into most company cultures.
ANS: E
PTS: 1
22. Which statement is LEAST accurate?
a. Implementing an ERP system has as much to do with changing the way an organization does business as it does with technology.
b. The big-bang approach to ERP implementation is generally riskier than the phased-in approach.
c. To take full advantage of the ERP process, reengineering will need to occur.
d. A common reason for ERP failure is that the ERP does not support one or more important business processes of the organization.
ANS: D
PTS: 1
23. Auditors of ERP systems
a. are concerned about segregation of duties just as they would be in traditional systems.
b. focus on output controls such as independent verification because internal processing controls are known to be correct since best practices are used.
c. routinely audit data in the data warehouse because it is known to be clean and free from errors.
d. need not review access levels granted to users since these are determined when the system is configured and never change.
ANS: A
PTS: 1
24. Auditors of ERP systems
a. need not be concerned about segregation of duties because these systems possess strong computer controls.
b. focus on output controls such as independent verification to reconcile batch totals.
c. are concerned that managers fail to exercise adequate care in assigning permissions.
d. do not view the data warehouse as an audit or control issue at all because financial records are not stored there.
e. need not review access levels granted to users because these are determined when the system is configured and never change.
ANS: C
PTS: 1
SHORT ANSWER
1. Define ERP.
ANS: Enterprise resource planning systems are multiple-module systems designed to integrate the key processes in an organization: order entry, manufacturing, procurement, human resources, etc.
PTS: 1
2. Define the term “core applications” and give some examples.
ANS: Core applications are those applications that support the day-to-day activities of the business, e.g., sales, distribution, shop floor control, logistics.
PTS: 1
3. Define OLAP and give some examples.
ANS: On-line analytical processing (OLAP) includes decision support, modeling, information retrieval, ad hoc reporting and analysis, and what-if analysis, e.g., determining sales within each region, determining the relationship of sales to certain promotions.
PTS: 1
4. What is “bolt-on” software?
ANS: Bolt-on software is software produced by third-party vendors which can be added onto an ERP to provide functions not built into the ERP.
PTS: 1
5. What is SCM software?
ANS: Supply-chain management software is designed to manage the activities that get the product to the customer. This software typically handles procurement, production scheduling, order processing, inventory management, etc.
PTS: 1
6. What is a data warehouse?
ANS: A data warehouse is a relational or multi-dimensional database that serves as a central archive of inactive, completed data from both ERP and legacy systems. It is created to permit extensive access capability, including data mining.
PTS: 1
7. What is the “Big-Bang” approach?
ANS: The big-bang approach to conversion to an ERP is the approach which converts from old legacy systems to the new system in one step that implements the ERP across the entire company.
PTS: 1
8. Describe the two-tier client server model.
ANS: In a two-tier architecture, the server handles both application and database duties. Some ERP vendors use this approach for local area network (LAN) applications. Client computers are responsible for presenting data to the user and passing user input back to the server.
PTS: 1
9. What is the client-server model?
ANS: The client-server model is a form of network topology in which the user’s computer or terminal (the client) accesses the ERP’s programs and data via a host computer called the server. While the servers may be centralized, the clients are usually located at multiple locations throughout the enterprise.
PTS: 1
10. What is scalability?
ANS: System scalability refers to the ability of a system to grow as the organization itself grows. This can involve four factors: size, speed, workload, and transaction cost.
PTS: 1
11. What is data mining?
ANS: Data mining is the process of selecting, exploring, and modeling large amounts of data to uncover unknown relationships and patterns.
PTS: 1
12. Why do ERP systems need bolt-on software? Give an example.
ANS: Depending on the unique characteristics of a company, an ERP may not be designed to drive all processes needed. Supply chain management software is a common bolt-on.
PTS: 1
13. How can a firm acquire bolt-on software? What are the options?
ANS: When a firm needs additional functions not provided by the ERP, bolt-on applications may be available. These can often be obtained from third-party vendors with which the ERP provider has a partnership arrangement. The riskier alternative is to seek an independent source.
PTS: 1
14. Why does data need to be “cleansed”?
ANS: Data cleansing involves filtering out or repairing invalid data prior to its being stored in the data warehouse. It also involves standardizing the format.
PTS: 1
15. What are the basic stages of the data warehousing process?
ANS: modeling data for the data warehouse, extracting data from the operational databases, cleansing the extracted data, transforming data into the warehouse model, and loading the data into the data warehouse database
PTS: 1
16. Describe the three-tier client server model.
ANS: The database and application functions are separated in the three-tier model. This architecture is typical of large production ERP systems that use wide area networks (WANs) for connectivity. Satisfying a client request requires two or more network connections. Initially, the client establishes communications with the application server. The application server then initiates a second connection to the database server.
PTS: 1
17. Why must a data warehouse include both detail and summary data?
ANS: Many decision makers need similar information and need it regularly. Prepared summary data and standard reports can take the pressure off the data warehouse and speed up the provision of regularly needed information.
PTS: 1
18. What is the closed database architecture?
ANS: The closed database architecture is similar in concept to the basic flat-file model. Under this approach a database management system is used to provide minimal technological advantage over flat-file systems. The DBMS is little more than a private but powerful file system. Each function has a private database.
PTS: 1
19. What is meant by the OLAP term “consolidation”?
ANS: Consolidation is the aggregation or roll-up of data. For example, sales office data can be rolled up to districts and districts rolled up to regions.
PTS: 1
20. What is meant by the OLAP term “drill-down”?
ANS: Drill-down permits the disaggregation of data to reveal the underlying details that explain certain phenomena. For example, the user can drill down from total sales returns for a period to identify the actual products returned and the reasons for their return.
PTS: 1
21. What is meant by the OLAP term “slicing and dicing”?
ANS: Slicing and dicing enables the user to examine data from different viewpoints. One slice of data might show sales within each region. Another slice might present sales by product across regions. Slicing and dicing is often performed along a time axis to depict trends and patterns.
PTS: 1
22. What should management do to assess the potential benefits from implementing an ERP?
ANS: To assess benefits, management first needs to know what they want and need from the ERP. They should establish key performance measures such as reductions in inventory levels, inventory turnover, stockouts, and average order fulfillment time that reflect their expectations. To monitor performance in such key areas, they should establish an independent value assessment group that reports to top management.
PTS: 1
23. Internal efficiency is cited as one reason for separating the data warehouse from the operational database. Explain.
ANS: The structural and operational requirements of transaction processing and data mining systems are fundamentally different, making it impractical to keep both operational (current) and archive data in the same database. Transaction processing systems need a data structure that supports performance, whereas data mining systems need data organized in a manner that permits broad examination and the detection of underlying trends.
PTS: 1
24. Why are data in a data warehouse stored in unnormalized tables?
ANS: Normalizing data in an operational database is necessary to reflect accurately the dynamic interactions among entities. While a fully normalized database provides the flexible model needed for supporting multiple users in an operations environment, it also adds complexity that translates into performance inefficiency. Because of the vast size of a data warehouse, such inefficiency can be devastating. A three-way join between tables in a large data warehouse may take an unacceptably long time to complete and may be unnecessary. In the data warehouse model, the relationship among attributes does not change. Because historical data are static in nature, nothing is gained by constructing normalized tables with dynamic links.
PTS: 1
25. What is the purpose of role-based governance systems?
ANS: Role-based governance systems monitor role creation and permission granting to ensure compliance with internal control objectives. Systems can continually monitor for risks and issue alerts when violations are detected. Systems also maintain an audit trail of violations and evidence of compliance.
ESSAY
1. How are OLTP and OLAP different? Give examples of their use.
ANS: On-line transaction processing (OLTP) involves large numbers of relatively simple day-to-day transactions. For example, this may involve order entry, which collects data on customers and details of sales. On-line analytical processing (OLAP) involves large amounts of data used to analyze relationships, involving aggregate data that can be analyzed, compared, and dissected.
PTS: 1
2. Why does the data warehouse need to be separate from the operational databases?
ANS: The conclusion that a data warehouse must be maintained separately from the operational database reflects several issues. The transaction processing system needs a data structure that supports performance. A normalized database aids users by adding complexity that can yield performance inefficiency. Data mining systems need an organization that permits broad queries. The data warehouse permits the integration of data still maintained in legacy systems. And the complexities of modern business can benefit from the ability to analyze data extensively in ways not permitted in traditional databases.
PTS: 1
3. If an auditor suspected an “unusual” relationship between a purchasing agent and certain suppliers, how could “drill-down” be used to collect data?
ANS: Drill-down capability permits a user to repeatedly extract detailed data at increasing levels of detail. An auditor would be able to examine purchasing transactions to determine any pattern of purchases with the supplier in question that were approved by the purchasing agent and tie such transactions to other characteristics like price variations relative to other vendors at the same time.
PTS: 1
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
4. Why must an organization expect the implementation of an ERP to disrupt operations? ANS: Successful implementation of an ERP requires that many business processes be reengineered. Once done, everything is different. If the organizational culture is not responsive to the changes, many problems can arise.
PTS: 1
5. Scalability has several dimensions. What are they? What do they mean for ERP installation? ANS: Most organizations want to grow. When a new system of any type is installed, it should be expected to be able to handle a reasonable amount of growth. ERP systems are no different. Several dimensions of scalability can be considered. If the size of the database doubles, access time may double. If system speed is increased, response time should decrease proportionately. If workload is increased, response time can be maintained by increasing hardware capacity accordingly. Transaction costs should not increase as capacity is increased.
PTS: 1
6. Distinguish between the two-tier and three-tier client-server models. Describe when each would be used. ANS: In a two-tier architecture, the server handles both application and database duties. Some ERP vendors use this approach for local area network (LAN) applications. Client computers are responsible for presenting data to the user and passing user input back to the server. In the three-tier model the database and application functions are separated. This architecture is typical of large production ERP systems that use wide area networks (WANs) for connectivity. Satisfying a client request requires two or more network connections. Initially, the client establishes communications with the application server. The application server then initiates a second connection to the database server.
PTS: 1
7. Data in a data warehouse are in a stable state. Explain how this can hamper data mining analysis. What can an organization do to alleviate this problem? ANS: Typically, transaction data are loaded into the warehouse only when the activity on them has been completed; that is, they are stable. Potentially important relationships between entities may, however, be absent from data that are captured in their stable state. For example, information about cancelled sales orders will probably not be reflected among the sales orders that have been shipped and paid for before they are placed in the warehouse. One way to reflect these dynamics is to extract the operations data in “slices of time”. These slices provide snapshots of business activity.
PTS: 1
8. This chapter stressed the importance of data normalization when constructing a relational database. Why then is it important to de-normalize data in a data warehouse? ANS: Wherever possible, normalized tables pertaining to selected events should be consolidated into de-normalized tables. Because of the vast size of a data warehouse, inefficiency caused by joining normalized data can be very detrimental to the performance of the system. A three-way join between tables in a large data warehouse may take an unacceptably long time to complete and may be unnecessary. Since historical data are static in nature, nothing is gained by constructing normalized tables with dynamic links.
PTS: 1
9. ERP implementations are at risk of extensive cost overruns. Discuss three of the more commonly experienced problem areas. ANS: Training. Training costs are invariably higher than estimated because management focuses primarily on the cost of teaching employees the new software. This is only part of the needed training. Employees also need to learn new procedures, which is often overlooked during the budgeting process. System Testing and Integration. In theory, ERP is a holistic model in which one system drives the entire organization. The reality, however, is that many organizations use their ERP as a backbone system that is attached to legacy systems and other bolt-on systems, which support unique needs of the firm. Integrating these disparate systems with the ERP may involve writing special conversion programs or even modifying the internal code of the ERP. Integration and testing are done on a case-by-case basis; thus, the cost is extremely difficult to estimate in advance. Database Conversion. A new ERP system usually means a new database. Data conversion is the process of transferring data from the legacy system’s flat files to the ERP’s relational database. When the legacy system’s data are reliable, the conversion process may be accomplished through automated procedures. Even under ideal circumstances, however, a high degree of testing and manual reconciliation is necessary to ensure that the transfer was complete and accurate. More often, the data in the legacy system are not reliable (sometimes called dirty). Empty fields and corrupted data values cause conversion problems that demand human intervention and data rekeying. Also, and more importantly, the structure of the legacy data is likely to be incompatible with the reengineered processes of the new system. Depending on the extent of the process reengineering involved, the entire database may need to be converted through manual data entry procedures.
PTS: 1
10. Explain the risks associated with the creation of unnecessary roles and why it can happen. ANS: Managers in ERP environments have significant discretion in creating new roles for individuals. This may be done for employees who need access to resources for special and/or one-time projects. Such access-granting authority needs to be tempered with judgment to prevent the number of roles from multiplying to the point of becoming dysfunctional and thus creating a control risk. Indeed, an oft-cited problem in ERP environments is that roles tend to proliferate to a point where their numbers actually exceed the number of employees in the organization. Policies need to be in place to prevent the creation of unnecessary new roles and to ensure that temporary role assignments are deleted when the reason for them terminates.
PTS: 1
11. What is the fundamental concept behind the rule of least access? Explain why this is a potential problem in an ERP environment. ANS: Access privileges (permissions) should be granted on a need-to-know basis only. Nevertheless, ERP users tend to accumulate unneeded permissions over time. This is often due to two problems: (1) Managers fail to exercise adequate care in assigning permissions as part of their role-granting authority. Since managers are not always experts in internal controls, they may not recognize when excessive permissions are awarded to an individual. (2) Managers tend to be better at issuing privileges than removing them. As a result, an individual may retain unneeded access privileges from a previous job assignment that create a segregation of duties violation when combined with a newly assigned role.
PTS: 1
IT Audit 4th Ed—Test Bank, Chapter 12
Chapter 12—Business Ethics, Fraud, and Fraud Detection TRUE/FALSE 1. The ethical principle of justice asserts that the benefits of the decision should be distributed fairly to those who share the risks. ANS: T
PTS: 1
2. Computers can be misused in many ways. ANS: T
PTS: 1
3. Employees should be made aware of the firm’s commitment to ethics. ANS: T
PTS: 1
4. Business ethics is the analysis of the nature and social impact of computer technology, and the corresponding formulation and justification of policies for the ethical use of such technology. ANS: F
PTS: 1
5. Para computer ethics is the exposure to stories and reports found in the popular media regarding the good or bad ramifications of computer technology. ANS: F
PTS: 1
6. Computer programs are intellectual property. ANS: T
PTS: 1
7. Copyright laws and computer industry standards have been developed jointly and rarely conflict. ANS: F
PTS: 1
8. Business bankruptcy cases always involve fraudulent behavior. ANS: F
PTS: 1
9. Defalcation is another word for financial fraud. ANS: T
PTS: 1
10. The trend toward distributed data processing increases the exposure to fraud from remote locations. ANS: T
PTS: 1
11. Of the three fraud factors (situational pressure, ethics, and opportunity), situational pressure is the factor that actually facilitates the act. ANS: F
PTS: 1
12. Ethical issues and legal issues are essentially the same. ANS: F
PTS: 1
13. Internal control systems are recommended but not required to prevent fraud. ANS: F
PTS: 1
14. Collusion among employees in the commission of a fraud is difficult to prevent but easy to detect. ANS: F
PTS: 1
15. Database management fraud includes altering, updating, and deleting an organization’s data. ANS: F
PTS: 1
16. The fraud triangle represents a geographic area in Southeast Asia where international fraud is prevalent. ANS: F
PTS: 1
17. Situational pressure includes personal or job related stresses that could coerce an individual to act dishonestly. ANS: T
PTS: 1
18. Opportunity involves direct access to assets and/or access to information that controls assets. ANS: T
PTS: 1
19. Cash larceny involves stealing cash from an organization before it is recorded on the organization’s books and records. ANS: F
PTS: 1
20. Skimming involves stealing cash from an organization after it is recorded on the organization’s books and records. ANS: F
PTS: 1
21. The most common access point for perpetrating computer fraud is at the data collection stage. ANS: T
PTS: 1
22. Changing the Hours Worked field in an otherwise legitimate payroll transaction to increase the amount of the paycheck is an example of data collection fraud. ANS: T
PTS: 1
23. Scavenging is a form of fraud in which the perpetrator uses a computer program to search for key terms in a database and then steal the data. ANS: F
PTS: 1
24. The objective of SAS 99 is to seamlessly blend the auditor’s consideration of fraud into all phases of the audit process. ANS: T
PTS: 1
MULTIPLE CHOICE 1. Which ethical principle states that the benefit from a decision must outweigh the risks, and that there is no alternative decision that provides the same or greater benefit with less risk? a. minimize risk b. justice c. informed consent d. proportionality ANS: D
PTS: 1
2. Individuals who acquire some level of skill and knowledge in the field of computer ethics are involved in which level of computer ethics? a. para computer ethics b. pop computer ethics c. theoretical computer ethics d. practical computer ethics ANS: A
PTS: 1
3. All of the following are factors in the fraud triangle except a. Ethical behavior of an individual b. Pressure exerted on an individual at home and job related c. Materiality of the assets d. Opportunity to gain access to assets ANS: C
PTS: 1
4. Which characteristic is not associated with software as intellectual property? a. uniqueness of the product b. possibility of exact replication c. automated monitoring to detect intruders d. ease of dissemination ANS: C
PTS: 1
5. For an action to be called fraudulent, all of the following conditions are required except a. poor judgment b. false representation c. intent to deceive d. injury or loss ANS: A
PTS: 1
6. One characteristic of employee fraud is that the fraud a. is perpetrated at a level to which internal controls do not apply b. involves misstating financial statements c. involves the direct conversion of cash or other assets to the employee’s personal benefit d. involves misappropriating assets in a series of complex transactions involving third parties ANS: C
PTS: 1
7. Forces which may permit fraud to occur do not include a. a gambling addiction b. lack of segregation of duties c. centralized decision making environment d. questionable integrity of employees ANS: C
PTS: 1
8. Which of the following best describes lapping? a. applying cash receipts to a different customer’s account in an attempt to conceal previous thefts of funds b. inflating bank balances by transferring money among different bank accounts c. expensing an asset that has been stolen d. creating a false transaction ANS: A
PTS: 1
9. Skimming involves a. stealing cash from an organization before it is recorded b. Stealing cash from an organization after it has been recorded c. manufacturing false purchase orders, receiving reports, and invoices d. A clerk pays a vendor twice for the same products and cashes the reimbursement check issued by the vendor. ANS: A
PTS: 1
10. Which of the following controls would best prevent the lapping of accounts receivable? a. Segregate duties so that the clerk responsible for recording in the accounts receivable subsidiary ledger has no access to the general ledger. b. Request that customers review their monthly statements and report any unrecorded cash payments. c. Require customers to send payments directly to the company’s bank. d. Request that customers make the check payable to the company. ANS: C
PTS: 1
11. In balancing the risks and benefits that are part of every ethical decision, managers receive guidance from each of the following except a. justice b. self interest c. risk minimization d. proportionality ANS: B
PTS: 1
12. Cash larceny involves a. stealing cash from an organization before it is recorded. b. stealing cash from an organization after it has been recorded. c. manufacturing false purchase orders, receiving reports, and invoices. d. a clerk paying a vendor twice for the same products and cashing the reimbursement check issued by the vendor. ANS: B
PTS: 1
13. Employee fraud involves three steps. Of the following, which is not involved? a. concealing the crime to avoid detection b. stealing something of value c. misstating financial statements d. converting the asset to a usable form ANS: C
PTS: 1
14. What fraud scheme is similar to the “borrowing from Peter to pay Paul” scheme? a. expense account fraud b. kiting c. lapping d. transaction fraud ANS: C
PTS: 1
15. A shell company fraud involves a. stealing cash from an organization before it is recorded. b. stealing cash from an organization after it has been recorded. c. manufacturing false purchase orders, receiving reports, and invoices. d. a clerk paying a vendor twice for the same products and cashing the reimbursement check issued by the vendor. ANS: C
PTS: 1
16. When certain customers made cash payments to reduce their accounts receivable, the bookkeeper embezzled the cash and wrote off the accounts as uncollectible. Which control procedure would most likely prevent this irregularity? a. segregation of duties b. accounting records c. accounting system d. access controls ANS: A
PTS: 1
17. Business ethics involves a. how managers decide on what is right in conducting business b. how managers achieve what they decide is right for the business c. both a and b d. none of the above ANS: C
PTS: 1
18. All of the following are conditions for fraud except a. false representation b. injury or loss c. intent d. material reliance ANS: D
PTS: 1
19. The four principal types of fraud include all of the following except a. bribery b. gratuities c. conflict of interest d. economic extortion ANS: B
PTS: 1
20. Which of the following is not an issue to be addressed in a business code of ethics required by the SEC? a. Conflicts of interest b. Full and Fair Disclosures c. Legal Compliance d. Internal Reporting of Code Violations e. All of the above are issues to be addressed ANS: E
PTS: 1
21. Operations fraud includes a. altering program logic to cause the application to process data incorrectly b. misusing the firm’s computer resources c. destroying or corrupting a program’s logic using a computer virus d. creating illegal programs that can access data files to alter, delete, or insert values ANS: B
PTS: 1
22. Sarbanes-Oxley (SOX) a. imposes new corporate disclosure requirements b. imposes new criminal penalties for fraud c. both a. and b. d. none of the above ANS: C
PTS: 1
23. Computer fraud can take on many forms, including each of the following except a. theft or illegal use of computer-readable information b. theft, misuse, or misappropriation of computer equipment c. theft, misuse, or misappropriation of assets by altering computer-readable records and files d. theft, misuse, or misappropriation of printer supplies ANS: D
PTS: 1
24. When it comes to losses from fraud, a. the highest losses are from employees under 40 years of age b. women tend to commit more frauds than men c. higher education levels mean higher losses from fraud d. all of the above ANS: C
PTS: 1
SHORT ANSWER
1. What are the main issues to be addressed in a business code of ethics required by the SEC? ANS: Conflicts of Interest, Full and Fair Disclosures, Legal Compliance, Internal Reporting of Code Violations, Accountability
PTS: 1
2. What are the five conditions necessary for an act to be considered fraudulent? ANS: false representation, material fact, intent, justifiable reliance, and injury or loss
PTS: 1
3. What is the objective of SAS 99? ANS: The objective of SAS 99 is to seamlessly blend the auditor’s consideration of fraud into all phases of the audit process.
PTS: 1
4. When considering computer ethics, what are some of the environmental issues to consider? ANS: High-speed printers make document reproduction easy. Paper comes from trees and ends up in landfills if not properly recycled. Should organizations limit nonessential hard copies? Can nonessential be defined? By whom? Should proper recycling be required? How can it be enforced?
PTS: 1
5. Explain the characteristics of management fraud. ANS: Management fraud typically occurs at levels above where the internal control system is effective. Financial statements are frequently modified to make the firm appear healthier than it actually is. If any misappropriation of assets occurs, it is usually well hidden.
PTS: 1
6. __________________________ are intentional mistakes while __________________________ are unintentional mistakes. ANS: Irregularities, Errors
PTS: 1
7. The text discusses many questions about personal traits of executives which might help uncover fraudulent activity. What are three? ANS: executives: with high personal debt, living beyond their means, engaged in habitual gambling, appear to abuse alcohol or drugs, appear to lack personal codes of ethics, appear to be unstable, close associations with suppliers
PTS: 1
8. Give two examples of employee fraud and explain how the theft might occur. ANS: Charges to expense accounts: Cash could be stolen and charged to a miscellaneous expense account. Once the account is closed, detection would be more difficult. Lapping: This involves converting cash receipts to personal use. If a customer’s check is taken, his/her balance will not reflect a payment and will be detected when a statement is sent. In order to conceal this fraud, a later payment is used to cover the stolen check. This is in effect a small-scale Ponzi scheme.
PTS: 1
9. What are some conclusions to be drawn from the ACFE fraud study regarding losses from fraud? ANS: Individuals in the highest positions are beyond an organization’s internal control structure and have the greatest access to company funds and assets. Men occupy high corporate positions more often than women and thus have greater access to assets. Older employees and those with higher levels of education tend to occupy higher positions and thus generally have greater access to assets. When individuals in critical positions collude they create opportunities to control or gain access to assets that otherwise would not exist.
PTS: 1
10. Explain the pass-through fraud. ANS: The perpetrator creates a false vendor and issues purchase orders to it for inventory or supplies. The false vendor then purchases the needed inventory from a legitimate vendor. The false vendor charges the victim company a much higher than market price for the items, but pays only the market price to the legitimate vendor. The difference is the profit that the perpetrator pockets.
11. Explain the pay-and-return scheme. ANS: A pay-and-return scheme involves a clerk with check-writing authority who pays a vendor twice for the same products (inventory or supplies) received. The vendor, recognizing that its customer made a double payment, issues a reimbursement to the victim company. The clerk intercepts and cashes the reimbursement check.
12. What is check tampering? ANS: Check tampering involves forging or changing in some material way a check that the organization has written to a legitimate payee. One example of this is an employee who steals an outgoing check to a vendor, forges the payee’s signature, and cashes the check. A variation on this is an employee who steals blank checks from the victim company and makes them out to himself or an accomplice.
13. Explain the shell company fraud. ANS: A shell company fraud first requires that the perpetrator establish a false supplier on the books of the victim company. The fraudster then manufactures false purchase orders, receiving reports, and invoices in the name of the vendor and submits them to the accounting system, which creates the illusion of a legitimate transaction. Based on these documents, the system will set up an account payable and ultimately issue a check to the false supplier (the fraudster).
14. Name three forms of computer fraud. ANS: Computer fraud includes: The theft, misuse, or misappropriation of assets by altering computer-readable records and files. The theft, misuse, or misappropriation of assets by altering the logic of computer software. The theft or illegal use of computer-readable information. The theft, corruption, illegal copying, or intentional destruction of computer software. The theft, misuse, or misappropriation of computer hardware.
PTS: 1
15. Name three types of program fraud. ANS: Program fraud includes: (1) creating illegal programs that can access data files to alter, delete, or insert values into accounting records; (2) destroying or corrupting a program’s logic using a computer virus; or (3) altering program logic to cause the application to process data incorrectly.
PTS: 1
16. Define operational fraud. ANS: Operational fraud is the misuse or theft of the firm’s computer resources. This often involves using the computer to conduct personal business.
PTS: 1
17. Define database management fraud. ANS: Database management fraud includes altering, deleting, corrupting, destroying, or stealing an organization’s data.
PTS: 1
18. What is scavenging? ANS: Scavenging involves searching through the trash of the computer center for discarded output.
PTS: 1
19. As a form of computer fraud, what is eavesdropping? ANS: Eavesdropping involves listening to output transmissions over telecommunications lines.
PTS: 1
ESSAY
1. What are the risk factors that relate to fraudulent financial reporting? What types of common schemes should auditors look for? ANS: Risk factors: (1) Management’s characteristics and influence over the control environment. This relates to management’s attitudes and style, situational pressures, and the financial reporting process. (2) Industry conditions. A company in a declining industry or with key customers experiencing business failures is at greater risk for fraud than one in a stable industry. (3) Operating characteristics and financial stability. This pertains to the nature of the entity and the complexity of its transactions. Common schemes include improper revenue recognition, treatment of sales, and asset valuation.
PTS: 1
2. Contrast management fraud with employee fraud. ANS: Employee fraud is usually designed to directly convert cash or other assets to the employee’s personal benefit. Management fraud involves less of a direct benefit to the perpetrator. Management fraud may involve an attempt to misstate financial performance in order to gain additional compensation or to earn a promotion. Management fraud may also involve an attempt to misstate financial performance in order to increase the price of the company’s stock or to reduce the cost of debt. Management fraud is more insidious than employee fraud because it often escapes detection until the organization has suffered irreparable damage or loss. Management fraud usually does not involve the direct theft of assets.
PTS: 1
3. Why are the computer ethics issues of privacy, security, and property ownership of interest to accountants? ANS: Privacy is a concern because the nature of computer data files makes it possible for unauthorized individuals to obtain information without it being recognized as “missing” from its original location. Security is a concern because its absence makes control from a privacy viewpoint questionable. In addition, lack of security may permit unauthorized changes to data, therefore distorting information that is reported. Property ownership raises issues of legitimacy of organizational software, valuation of assets, and questions of lost revenues.
PTS: 1
4. According to common law, there are five conditions that must be present for an act to be deemed fraudulent. Name and explain each. ANS: In order for an act to be deemed fraudulent under common law, it must possess the following characteristics: false representation, meaning some misrepresentation or omission must have occurred; material facts, meaning that the facts must influence someone’s actions; intent, meaning there must have been the intention to deceive others; justifiable reliance, meaning it did affect someone’s decision; and injury or loss, meaning an injury or loss must have occurred.
PTS: 1

5. How do the auditor’s judgements about the risk of material misstatements affect the audit? ANS: The knowledge, skill, and ability of personnel assigned to the engagement should be commensurate with the assessment of the level of risk of the engagement. The auditor should exercise professional skepticism. This involves maintaining an attitude that includes a questioning mind and critical assessment of audit evidence. Fraud risk factors that have control implications may limit the auditor’s ability to assess control risk below the maximum and thus reduce substantive testing.
PTS: 1

6. Four principal types of corruption are discussed. Name all four and explain at least two. ANS: Corruption involves an executive, manager, or employee of a business working in collusion with an outsider. The four principal types of corruption are: bribery, illegal gratuities, conflicts of interest, and economic extortion. Bribery involves giving, offering, soliciting, or receiving things of value to influence an official in the performance of his or her lawful duties. An illegal gratuity involves giving, receiving, offering, or soliciting something of value because of an official act that has been taken. A conflict of interest occurs when an employee acts on behalf of a third party during the discharge of his or her duties or has self-interest in the activity being performed. Economic extortion is the use (or threat) of force (including economic sanctions) by an individual or organization to obtain something of value.
PTS: 1
7. Misappropriation of assets can involve various schemes: expense reimbursement fraud, lapping, and payroll fraud. Explain each and give an example. ANS: Expense reimbursement fraud involves fictitious charges to such accounts as miscellaneous expense to offset theft of an asset. Because the expense account is closed to revenue at the end of the period, the period in which it could be detected is short. Lapping is a technique whereby an early theft is covered up by a later one, i.e., with the moves “lapping” over each other. The simplest example involves taking a customer’s payment. A later payment is then credited to the first customer’s account, not the second. And on it goes. This requires some control over billing to avoid tipping off the last customer. Payroll fraud is the distribution of fraudulent paychecks to existent and/or nonexistent employees.
PTS: 1

8. Distinguish between skimming and cash larceny. Give an example of each. ANS: Skimming involves stealing cash from an organization before it is recorded on the organization’s books and records. One example of skimming is an employee who accepts payment from a customer but does not record the sale. Another example is mail room fraud in which an employee opening the mail steals a customer’s check and destroys the associated remittance advice. Cash larceny involves schemes in which cash receipts are stolen from an organization after they have been recorded in the organization’s books and records. An example of this is lapping, in which the cash receipts clerk first steals and cashes a check from Customer A. To conceal the accounting imbalance caused by the loss of the asset, Customer A’s account is not credited. Later (the next billing period), the employee uses a check received from Customer B and applies it to Customer A’s account. Funds received in the next period from Customer C are then applied to the account of Customer B, and so on.
PTS: 1

9. Explain why collusion between employees and management in the commission of a fraud is difficult to both prevent and detect. ANS: Collusion among employees in the commission of a fraud is difficult to both prevent and detect. This is particularly true when the collusion is between managers and their subordinate employees. Management plays a key role in the internal control structure of an organization. They are relied upon to prevent and detect fraud among their subordinates. When they participate in fraud with the employees over whom they are supposed to provide oversight, the organization’s control structure is weakened, or completely circumvented, and the company becomes more vulnerable to losses.
PTS: 1
10. Discuss what an auditor should look for in testing for payments to fictitious vendors and how ACL can be used to assist the process. ANS: Numbers from fictitious vendors may be in something close to an unbroken sequence. The ACL sort function can be used to identify sequentially numbered records that need review. Vendors with P.O. Boxes need to be investigated. They can be identified using a filter. Vendors with employee addresses can be identified by using join to link the employee and vendor files. Multiple companies with the same address can be identified using the duplicates command. Invoice amounts slightly below the review threshold merit review and can be identified by using ACL’s expression builder to create a value range close to the threshold. Identified records can be sorted for further review.
PTS: 1
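As an added illustration of the fictitious-vendor tests described in question 10 (this is example code written for this page, not the test bank's own material and not ACL itself; it emulates ACL's sort, filter, join, duplicates and expression-builder steps in plain Python over constructed vendor, employee and invoice records, with a hypothetical review threshold of 5,000 and a 250 band below it):

```python
import re
from collections import defaultdict

# Constructed sample data for illustration only (not real vendors or employees).
VENDORS = [
    {"vendor_no": 1001, "name": "Acme Supply",      "address": "12 Main St, Springfield"},
    {"vendor_no": 1002, "name": "Beta Parts",       "address": "P.O. Box 77, Springfield"},
    {"vendor_no": 1003, "name": "Gamma Services",   "address": "P.O. Box 78, Springfield"},
    {"vendor_no": 1004, "name": "Delta Consulting", "address": "9 Oak Ave, Springfield"},
    {"vendor_no": 1450, "name": "Epsilon Freight",  "address": "200 Harbor Rd, Portland"},
    {"vendor_no": 1451, "name": "Zeta Labs",        "address": "9 Oak Ave., Springfield"},
    {"vendor_no": 2300, "name": "Theta Media",      "address": "55 Elm St, Springfield"},
]
EMPLOYEES = [
    {"emp_id": "E100", "name": "J. Doe", "address": "9 Oak Ave, Springfield"},
    {"emp_id": "E101", "name": "K. Roe", "address": "300 Pine St, Springfield"},
]
INVOICES = [
    {"invoice_no": "A1", "vendor_no": 1004, "amount": 4990.00},
    {"invoice_no": "A2", "vendor_no": 1451, "amount": 4975.50},
    {"invoice_no": "A3", "vendor_no": 1001, "amount": 12000.00},
    {"invoice_no": "A4", "vendor_no": 2300, "amount": 5000.00},
    {"invoice_no": "A5", "vendor_no": 1450, "amount": 4500.00},
]


def normalize_address(addr):
    """Lower-case, drop punctuation and collapse whitespace so that
    '9 Oak Ave., Springfield' and '9 Oak Ave, Springfield' compare equal."""
    addr = re.sub(r"[^\w\s]", " ", addr.lower())
    return " ".join(addr.split())


def sequential_vendor_runs(vendors, min_run=3):
    """Emulates ACL 'sort' plus a gap check: returns runs of consecutive
    vendor numbers of length >= min_run, each run as a sorted list."""
    numbers = sorted({v["vendor_no"] for v in vendors})
    runs, current = [], []
    for n in numbers:
        if current and n == current[-1] + 1:
            current.append(n)
        else:
            if len(current) >= min_run:
                runs.append(current)
            current = [n]
    if len(current) >= min_run:
        runs.append(current)
    return runs


# Hypothetical pattern for the 'filter' step; tune it to the address formats in use.
PO_BOX_RE = re.compile(r"\b(p\.?\s*o\.?\s*box|post office box|pob)\b", re.IGNORECASE)


def po_box_vendors(vendors):
    """Emulates an ACL filter: vendor numbers whose address is a P.O. Box."""
    return [v["vendor_no"] for v in vendors if PO_BOX_RE.search(v["address"])]


def vendors_at_employee_addresses(vendors, employees):
    """Emulates ACL 'join' of the vendor and employee files on normalized address;
    returns (vendor_no, emp_id) pairs."""
    by_addr = defaultdict(list)
    for e in employees:
        by_addr[normalize_address(e["address"])].append(e["emp_id"])
    hits = []
    for v in vendors:
        for emp_id in by_addr.get(normalize_address(v["address"]), []):
            hits.append((v["vendor_no"], emp_id))
    return hits


def duplicate_address_vendors(vendors):
    """Emulates ACL 'duplicates': groups of vendor numbers sharing one address."""
    groups = defaultdict(list)
    for v in vendors:
        groups[normalize_address(v["address"])].append(v["vendor_no"])
    return [sorted(g) for g in groups.values() if len(g) > 1]


def invoices_near_threshold(invoices, threshold, band):
    """Emulates an expression-builder value range: invoice numbers whose amount
    lies within `band` below the review threshold (threshold - band <= amount < threshold)."""
    return sorted(i["invoice_no"] for i in invoices
                  if threshold - band <= i["amount"] < threshold)


def run_fictitious_vendor_tests(vendors, employees, invoices, threshold=5000.0, band=250.0):
    """Runs every test and returns the flagged records for reviewer follow-up."""
    return {
        "sequential_runs": sequential_vendor_runs(vendors),
        "po_box": po_box_vendors(vendors),
        "employee_address_match": vendors_at_employee_addresses(vendors, employees),
        "shared_address": duplicate_address_vendors(vendors),
        "near_threshold": invoices_near_threshold(invoices, threshold, band),
    }


if __name__ == "__main__":
    for test, result in run_fictitious_vendor_tests(VENDORS, EMPLOYEES, INVOICES).items():
        print(f"{test}: {result}")
```

Each function returns the flagged records rather than a verdict, because every hit is a lead for reviewer follow-up, not proof of fraud. The address normalization is the design point to note: a join on raw address text would miss vendor 1451, whose address differs from the employee's only by a period.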
11. Explain the problems associated with lack of auditor independence. ANS: Auditing firms who are also engaged by their clients to perform non-accounting activities such as actuarial services, internal audit outsourcing services, and consulting lack independence. They are essentially auditing their own work. The risk is that as auditors they will not bring to management’s attention detected problems that may adversely affect their consulting fees. For example, Enron’s auditors – Arthur Andersen – were also their internal auditors and their management consultants.
PTS: 1

12. Explain the problems associated with lack of director independence. ANS: Many boards of directors are comprised of individuals who are not independent. Examples of lack of independence are directors who: have a personal relationship by serving on the boards of other directors’ companies; have a business trading relationship as key customers or suppliers of the company; have a financial relationship as primary stockholders or have received personal loans from the company; or have an operational relationship as employees of the company.
PTS: 1
13. Explain the problems associated with questionable executive compensation schemes. ANS: A survey by Thompson Financial revealed the strong belief that executives have abused stock-based compensation. The consensus is that fewer stock options should be offered than currently is the practice. Excessive use of short-term stock options to compensate directors and executives may result in short-term thinking and strategies aimed at driving up stock prices at the expense of the firm’s long-term health. In extreme cases, financial statement misrepresentation has been the vehicle to achieve the stock price needed to exercise the option.
PTS: 1
14. Explain the problems associated with inappropriate accounting practices. ANS: The use of inappropriate accounting techniques is a characteristic common to many financial statement fraud schemes. Enron made elaborate use of Special Purpose Entities (SPE) to hide liabilities through off-balance-sheet accounting. WorldCom management transferred transmission line costs from current expense accounts to capital accounts. This allowed them to defer some operating expenses and report higher earnings. Also, they reduced the book value of hard assets of MCI by $3.4 billion and increased goodwill by the same amount. Had the assets been left at book value, they would have been charged against earnings over four years. Goodwill, on the other hand, was amortized over a much longer period.
PTS: 1

15. Computer fraud is easiest at the data collection stage. Why? ANS: Computer fraud is easiest at the data collection stage because much of what occurs after the data collection or input stage is not visible to human eyes. Once entered, the system will presume that the input is legitimate and will process it as all others.
PTS: 1
16. Describe the factors that constitute the fraud triangle. Why is it important to auditors? ANS: The fraud triangle consists of three factors that contribute to or are associated with management and employee fraud. These are: (1) situational pressure, which includes personal or job-related stresses that could coerce an individual to act dishonestly; (2) opportunity, which involves direct access to assets and/or access to information that controls assets; and (3) ethics, which pertains to one’s character and degree of moral opposition to acts of dishonesty. An individual with a high level of personal ethics, who is confronted by low pressure and limited opportunity to commit fraud, is more likely to behave honestly than one with weaker personal ethics, who is under high pressure and exposed to greater fraud opportunities. Research by forensic experts and academics has shown that the auditor’s evaluation of fraud is enhanced when the fraud triangle factors are considered.
PTS: 1
17. Distinguish between errors and irregularities. Which are of greatest concern to auditors? ANS: Errors are unintentional mistakes, while irregularities are intentional misrepresentations to perpetrate a fraud or mislead users of financial statements. Errors are a concern if they are numerous or sizable enough to cause the financial statements to be materially misstated. All processes that involve human actions are highly susceptible to human error. Computer processes are subject to program errors, faulty systems operating procedures, and system malfunction. Errors are typically easier to uncover than misrepresentations, thus auditors typically are more concerned about detecting all irregularities. Also, under SAS No. 99 and Sarbanes-Oxley, auditors are specifically charged with fraud detection.
PTS: 1