Unlock document.
This document is partially blurred.
Unlock all pages and 1 million more documents.
Get Access
Accounting Information Systems, 13e (Romney/Steinbart)
Chapter 11 Auditing Computer-Based Information Systems
11.1 Describe the nature, scope and objective of audit work, and identify the major steps in the
audit process.
1) Auditing involves the
A) collection, review, and documentation of audit evidence.
B) planning and verification of economic events.
C) collection of audit evidence and approval of economic events.
D) testing, documentation, and certification of audit evidence.
2) What is not a typical responsibility of an internal auditor?
A) helping management to improve organizational effectiveness
B) assisting in the design and implementation of an AIS
C) preparation of the company's financial statements
D) implementing and monitoring of internal controls
3) Which type of work listed below is not typical of internal auditors?
A) operational and management audits
B) information system audits
C) financial statement audit
D) financial audit of accounting records
4) The ________ audit examines the reliability and integrity of accounting records.
A) financial
B) informational
C) information systems
D) operational
5) The ________ audit reviews the general and application controls of an AIS to assess its
compliance with internal control policies and procedures and its effectiveness in safeguarding
assets.
A) financial
B) information systems
C) management
D) internal control
6) A(n) ________ audit is concerned with the economical and efficient use of resources and the
accomplishment of established goals and objectives.
A) operational or management
B) financial
C) information systems
D) internal control
7) The ________ audit is concerned with the economical and efficient use of resources and the
accomplishment of established goals and objectives.
A) financial
B) informational
C) information systems
D) operational
8) The purpose of ________ is to determine why, how, when, and who will perform the audit.
A) audit planning
B) the collection of audit evidence
C) the communication of audit results
D) the evaluation of audit evidence
9) Organizing the audit team and the physical examination of assets are components of which
two separate audit stages?
A) planning; evaluating audit evidence
B) planning; collecting audit evidence
C) collecting audit evidence; communicating audit results
D) communicating audit results; evaluating audit evidence
10) Consideration of risk factors and materiality is most associated with which audit stage?
A) collection of audit evidence
B) communication of audit results
C) audit planning
D) evaluation of audit evidence
11) A system that employs various types of advanced technology has more ________ risk than
traditional batch processing.
A) control
B) detection
C) inherent
D) investing
12) Control risk is defined as the
A) susceptibility to material risk in the absence of controls.
B) risk that a material misstatement will get through the internal control structure and into the
financial statements.
C) risk that auditors and their audit procedures will not detect a material error or misstatement.
D) risk auditors will not be given the appropriate documents and records by management who
wants to control audit activities and procedures.
13) The possibility that a material error will occur even though auditors are following audit
procedures and using good judgment is referred to as
A) control risk.
B) detection risk.
C) inherent risk.
D) investigating risk.
14) The ________ stage of the auditing process involves (among other things) the auditors
observing the operating activities and having discussions with employees.
A) audit planning
B) collection of audit evidence
C) communication of audit results
D) evaluation of audit evidence
15) Verifying the accuracy of certain information, often through communication with third
parties, is known as
A) reperformance.
B) confirmation.
C) substantiation.
D) documentation.
16) The evidence collection method that examines all supporting documents to determine the
validity of a transaction is called
A) review of documentation.
B) vouching.
C) physical examination.
D) analytical review.
17) The evidence collection method that considers the relationships and trends among
information to detect items that should be investigated further is called
A) review of the documentation.
B) vouching.
C) physical examination.
D) analytical review.
18) Assessing the quality of internal controls, the reliability of information, and operating
performance are all part of
A) audit planning.
B) collection of audit evidence.
C) communication of audit results.
D) evaluation of audit evidence.
19) The auditor's objective is to seek ________ that no material error exists in the information
audited.
A) absolute reliability
B) reasonable objectivity
C) reasonable evidence
D) reasonable assurance
20) Which of the choices below best describes a risk-based audit approach?
A) a four-step approach to internal control evaluation.
B) a three-step approach to internal control evaluation.
C) a four-step approach to financial statement review and recommendations.
D) a three-step approach to financial statement review and recommendations.
21) The first step in a risk-based audit approach is to
A) evaluate the control procedures.
B) determine the threats facing the AIS.
C) identify the control procedures that should be in place.
D) evaluate weaknesses to determine their effect on the audit procedures.
22) ________can determine whether the necessary control procedures are in place.
A) A systems review
B) A systems overhaul
C) Tests of controls
D) both B and C
23) When a control deficiency is identified, the auditor should inquire about
A) tests of controls.
B) compensating controls.
C) the feasibility of a systems review.
D) materiality and inherent risk factors.
24) The ________ to auditing provides auditors with a clear understanding of possible errors and
irregularities and the related risks and exposures.
A) risk-based approach
B) risk-adjusted approach
C) financial audit approach
D) information systems approach
25) Increasing the effectiveness of internal controls would have the greatest effect on
A) reducing inherent risk.
B) reducing control risk.
C) reducing detection risk.
D) reducing audit risk.
26) Expanding a firm's operations to include a manufacturing facility in Russia will
A) reduce inherent risk.
B) reduce control risk.
C) increase inherent risk.
D) increase control risk.
27) Increasing the effectiveness of auditing software will
A) reduce detection risk.
B) reduce control risk.
C) increase detection risk.
D) increase control risk.
28) An auditor examines all documents related to the acquisition, repair history, and disposal of a
firm's delivery van. This is an example of collecting audit evidence by
A) confirmation.
B) reperformance.
C) vouching.
D) analytical review.
29) An auditor manually calculates accumulated depreciation on a delivery van and compares
her calculation with the accounting records. The auditor is performing
A) vouching.
B) confirmation.
C) reperformance.
D) analytical review.
30) An auditor finds that employee absentee rates are significantly higher on Mondays and
Fridays than on other work days. This is an example collecting audit evidence by
A) confirmation.
B) reperformance.
C) vouching.
D) analytical review.
31) Which of the following is not one of the types of internal audits?
A) reviewing corporate organizational structure and reporting hierarchies
B) examining procedures for reporting and disposing of hazardous waste
C) reviewing source documents and general ledger accounts to determine integrity of recorded
transactions
D) comparing estimates and analysis made before purchase of a major capital asset to actual
numbers and results achieved
32) Explain the differences between each type of audit risk.
33) How and to whom does an auditor communicate the audit results?
34) How is a financial audit different from an information systems audit?
35) Why do all audits follow a sequence of events that can be divided into four stages, and what
are the four stages?
36) Name and describe the different types of audits.
37) Describe the risk-based audit approach.
38) Describe how audit evidence can be collected.
11.2 Identify the six objectives of an information system audit, and describe how the risk-based
audit approach can be used to accomplish these objectives.
1) What is the purpose of an information systems audit?
A) to determine the inherent risk factors found in the system
B) to review and evaluate the internal controls that protect the system
C) to examine the reliability and integrity of accounting records
D) to examine whether resources have been used in an economical and efficient manner in
keeping with organization goals and objectives
2) The information systems audit objective that pertains to source data being processed into some
form of output is known as
A) overall security.
B) program development.
C) program modifications.
D) processing.
3) Which of the following is not one of the six objectives of an information systems audit?
A) Security provisions exist to protect data from unauthorized access, modification, or
destruction.
B) Obtaining evidence to provide reasonable assurance the financial statements are not
materially misstated
C) Programs have been developed and acquired in accordance with management's authorization.
D) Program modifications have received management's authorization and approval.
4) Which of the following is not an information systems audit test of controls?
A) Observe computer-site access procedures.
B) Investigate how unauthorized access attempts are handled.
C) Review logical access policies and procedures.
D) Examine the results of disaster recovery plan simulations.
5) Which of the following is an information systems audit review procedure?
A) Verify the extent and effectiveness of encryption.
B) Inspect computer sites.
C) Test assignment procedures for user IDs.
D) Observe the preparation of backup files.
6) Which of the following is not a control procedure for preventing inadvertent programming
errors?
A) Review software license agreements.
B) Test new programs, including user acceptance testing.
C) Purchase hardware only from management approved vendors.
D) Require management approval of programming specifications.
7) You are the head of the IT department at Panther Designs, Inc. A systems review reveals that
your firm has poor control procedures for preventing inadvertent programming errors. However,
you are not concerned because you feel Panther Designs has strong compensating controls. What
control likely exists to give you this confidence?
A) The internal audit department processes test data at Panther Designs.
B) Panther Designs pays its employees well, decreasing the likelihood of errors.
C) Panther Designs only hires competent programmers, decreasing the likelihood of errors.
D) All of Panther Design's IT applications are less than 2 years old.
8) You are an internal auditor for Ron Burgandy Suits. The CEO has asked you to perform an
audit of the program modifications process. Identify one procedure you might use to test controls
surrounding the program modification process.
A) Review logical access control policies.
B) Discuss modification policies with management, users, and systems personnel.
C) Verify logical access controls are in effect for program changes.
D) Separate development, test, and production versions of programs.
9) What is a test data generator?
A) an application that records how well systems personnel have performed on company
competency examinations
B) an application that prepares data that can be used for auditing the effectiveness of computer
processing
C) an application that records which professional examinations systems personnel have obtained
D) a backup generator application that can be used to generate data if the original storage device
fails
10) True or False: Embedded audit molecules can be used to continually monitor the system and
collect audit evidence.
11.3 Describe the different tools and techniques auditors use to test software programs and
program logic.
1) Identify the activity below that the external auditor should not be involved.
A) examining system access logs
B) developing the information system
C) examining logical access policies and procedures
D) making recommendations to management for improvement of existing internal controls
2) What role should an auditor play in system development?
A) an independent reviewer only
B) a developer of internal controls
C) an advisor and developer of internal control specifications
D) A and B above
