
Auditing CIS C1 C12

Uploaded by

22400023

Chapter 1

1. Corporate management (including the CEO) must certify monthly and annually their
organization's internal controls over financial reporting.
ANS: F

2. Both the SEC and the PCAOB require management to use the COBIT framework for
assessing internal control adequacy.
ANS: F

3. Both the SEC and the PCAOB require management to use the COSO framework for
assessing internal control adequacy.
ANS: F

4. A qualified opinion on management's assessment of internal controls over the financial
reporting system necessitates a qualified opinion on the financial statements.
ANS: F

5. The same internal control objectives apply to manual and computer-based information
systems.
ANS: T

6. The external auditor is responsible for establishing and maintaining the internal control
system.
ANS: F

7. Segregation of duties is an example of an internal control procedure.
ANS: T

8. Preventive controls are passive techniques designed to reduce fraud.
ANS: T

9. The Sarbanes-Oxley Act requires only that a firm keep good records.
ANS: F

10. A key modifying assumption in internal control is that the internal control system is the
responsibility of management.
ANS: T

11. While the Sarbanes-Oxley Act prohibits auditors from providing non-accounting services
to their audit clients, they are not prohibited from performing such services for non-audit
clients or privately held companies.
ANS: T

12. The Sarbanes-Oxley Act requires the audit committee to hire and oversee the external
auditors.
ANS: T

13. Section 404 requires that corporate management (including the CEO) certify their
organization's internal controls on a quarterly and annual basis.
ANS: F

14. Section 302 requires the management of public companies to assess and formally report
on the effectiveness of their organization's internal controls.
ANS: F

15. Application controls apply to a wide range of exposures that threaten the integrity of all
programs processed within the computer environment.
ANS: F

16. IT auditing is a small part of most external and internal audits.
ANS: F

17. Advisory services is an emerging field that goes beyond the auditor's traditional
attestation function.
ANS: T

18. An IT auditor expresses an opinion on the fairness of the financial statements.
ANS: F

19. External auditing is an independent appraisal function established within an organization
to examine and evaluate its activities as a service to the organization.
ANS: F

20. External auditors can cooperate with and use evidence gathered by internal audit
departments that are organizationally independent and that report to the Audit
Committee of the Board of Directors.
ANS: T

21. Tests of controls determine whether the database contents fairly reflect the
organization's transactions.
ANS: F

22. Audit risk is the probability that the auditor will render an unqualified opinion on financial
statements that are materially misstated.
ANS: T

23. A strong internal control system will reduce the amount of substantive testing that must
be performed.
ANS: T

24. Substantive testing techniques provide information about the accuracy and
completeness of an application's processes.
ANS: F

1. The concept of reasonable assurance suggests that
a. the cost of an internal control should be less than the benefit it provides
b. a well-designed system of internal controls will detect all fraudulent activity
c. the objectives achieved by an internal control system vary depending on the data
processing method
d. the effectiveness of internal controls is a function of the industry environment
ANS: A

2. Which of the following is not a limitation of the internal control system?
a. errors are made due to employee fatigue
b. fraud occurs because of collusion between two employees
c. the industry is inherently risky
d. management instructs the bookkeeper to make fraudulent journal entries
ANS: C

3. The most cost-effective type of internal control is
a. preventive control
b. accounting control
c. detective control
d. corrective control
ANS: A

4. Which of the following is a preventive control?
a. credit check before approving a sale on account
c. physical inventory count
d. comparing the accounts receivable subsidiary ledger to the control account
ANS: A

5. A well-designed purchase order is an example of a
a. preventive control
b. detective control
c. corrective control
d. none of the above
ANS: A

6. A physical inventory count is an example of a
a. preventive control
b. detective control
c. corrective control
d. feed-forward control
ANS: B

7. The bank reconciliation uncovered a transposition error in the books. This is an example
of a
a. preventive control
b. detective control
c. corrective control
d. none of the above
ANS: B

8. Which of the following is not an element of the internal control environment?
a. management philosophy and operating style
b. organizational structure of the firm
c. well-designed documents and records
d. the functioning of the board of directors and the audit committee
ANS: C

9. Which of the following suggests a weakness in the internal control environment?
a. the firm has an up-to-date organizational chart
b. monthly reports comparing actual performance to budget are distributed to managers
c. performance evaluations are prepared every three years
d. the audit committee meets quarterly with the external auditors
ANS: C

10. Which of the following indicates a strong internal control environment?
a. the internal audit group reports to the audit committee of the board of directors
b. there is no segregation of duties between organization functions
c. there are questions about the integrity of management
d. adverse business conditions exist in the industry
ANS: A

11. According to COSO, an effective accounting system performs all of the following except
a. identifies and records all valid financial transactions
b. records financial transactions in the appropriate accounting period
c. separates the duties of data entry and report generation
d. records all financial transactions promptly
ANS: C

12. Which of the following is the best reason to separate duties in a manual system?
a. to avoid collusion between the programmer and the computer operator
b. to ensure that supervision is not required
c. to prevent the record keeper from authorizing transactions
d. to enable the firm to function more efficiently
ANS: C

13. Which of the following is not an internal control procedure?
a. authorization
b. management's operating style
c. independent verification
d. accounting records
ANS: B

14. The decision to extend credit beyond the normal credit limit is an example of
a. independent verification
b. authorization
c. segregation of functions
d. supervision
ANS: B

15. When duties cannot be segregated, the most important internal control procedure is
a. supervision
b. independent verification
c. access controls
d. accounting records
ANS: A

16. An accounting system that maintains an adequate audit trail is implementing which
internal control procedure?
a. access controls
b. segregation of functions
c. independent verification
d. accounting records
ANS: D

17. The importance to the accounting profession of the Sarbanes-Oxley Act is that
a. bribery will be eliminated
b. management will not override the company's internal controls
c. management is required to certify their internal control system
d. firms will not be exposed to lawsuits
ANS: C

18. The board of directors consists entirely of personal friends of the chief executive officer.
This indicates a weakness in
a. the accounting system
b. the control environment
c. control procedures
d. this is not a weakness
ANS: B

19. The office manager forgot to record in the accounting records the daily bank deposit.
Which control procedure would most likely prevent or detect this error?
a. segregation of duties
b. independent verification
c. accounting records
d. supervision
ANS: B

20. Control activities under SAS 109/COSO include
a. IT controls, preventative controls, and corrective controls
b. physical controls, preventative controls, and corrective controls.
c. general controls, application controls, and physical controls.
d. transaction authorizations, segregation of duties, and risk assessment
ANS: C

21. Internal control systems have limitations. These include all of the following except
a. possibility of honest error
b. circumvention
c. management override
d. stability of systems
ANS: D

22. Management can expect various benefits to follow from implementing a system of strong
internal control. Which of the following benefits is least likely to occur?
a. reduced cost of an external audit.
b. prevents employee collusion to commit fraud.
c. availability of reliable data for decision-making purposes.
d. some assurance of compliance with the Foreign Corrupt Practices Act of 1977.
e. some assurance that important documents and records are protected.
ANS: B

23. Which of the following situations is not a segregation of duties violation?
a. The treasurer has the authority to sign checks but gives the signature block to the
assistant treasurer to run the check-signing machine.
b. The warehouse clerk, who has the custodial responsibility over inventory in the
warehouse, selects the vendor and authorizes purchases when inventories are low.
c. The sales manager has the responsibility to approve credit and the authority to write
off accounts.
d. The department time clerk is given the undistributed payroll checks to mail to absent
employees.
e. The accounting clerk who shares the record keeping responsibility for the accounts
receivable subsidiary ledger performs the monthly reconciliation of the subsidiary ledger
and the control account.
ANS: B

24. Which concept is not an integral part of an audit?
a. evaluating internal controls
b. preparing financial statements
c. expressing an opinion
d. analyzing financial data
ANS: B

25. Which statement is not true?
a. Auditors must maintain independence.
b. IT auditors attest to the integrity of the computer system.
c. IT auditing is independent of the general financial audit.
d. IT auditing can be performed by both external and internal auditors.
ANS: C

26. Typically, internal auditors perform all of the following tasks except
a. IT audits
b. evaluation of operational efficiency
c. review of compliance with legal obligations
d. internal auditors perform all of the above tasks
ANS: D

27. The fundamental difference between internal and external auditing is that
a. internal auditors represent the interests of the organization and external auditors
represent outsiders
b. internal auditors perform IT audits and external auditors perform financial statement
audits
c. internal auditors focus on financial statement audits and external auditors focus on
operational audits and financial statement audits
d. external auditors assist internal auditors but internal auditors cannot assist external
auditors
ANS: A

28. Internal auditors assist external auditors with financial audits to
a. reduce audit fees
b. ensure independence
c. represent the interests of management
d. the statement is not true; internal auditors are not permitted to assist external auditors
with financial audits
ANS: A

29. Which statement is not correct?
a. Auditors gather evidence using tests of controls and substantive tests.
b. The most important element in determining the level of materiality is the mathematical
formula.
c. Auditors express an opinion in their audit report.
d. Auditors compare evidence to established criteria.
ANS: B

30. All of the following are steps in an IT audit except
a. substantive testing
b. tests of controls
c. post-audit testing
d. audit planning
ANS: C

31. When planning the audit, information is gathered by all of the following methods except
a. completing questionnaires
b. interviewing management
c. observing activities
d. confirming accounts receivable
ANS: D

32. Substantive tests include
a. examining the safety deposit box for stock certificates
b. reviewing systems documentation
c. completing questionnaires
d. observation
ANS: A

33. Tests of controls include
a. confirming accounts receivable
b. counting inventory
c. completing questionnaires
d. counting cash
ANS: C

34. All of the following are components of audit risk except
a. control risk
b. legal risk
c. detection risk
d. inherent risk
ANS: B

35. Control risk is
a. the probability that the auditor will render an unqualified opinion on financial
statements that are materially misstated
b. associated with the unique characteristics of the business or industry of the client
c. the likelihood that the control structure is flawed because controls are either absent or
inadequate to prevent or detect errors in the accounts
d. the risk that auditors are willing to take that errors not detected or prevented by the
control structure will also not be detected by the auditor
ANS: C

36. Which of the following is true?
a. In the CBIS environment, auditors gather evidence relating only to the contents of
databases, not the reliability of the computer system.
b. Conducting an audit is a systematic and logical process that applies to all forms of
information systems.
c. Substantive tests establish whether internal controls are functioning properly.
d. IT auditors prepare the audit report if the system is computerized.
ANS: B

37. Inherent risk
a. exists because all control structures are flawed in some ways.
b. is the likelihood that material misstatements exist in the financial statements of the
firm.
c. is associated with the unique characteristics of the business or industry of the client.
d. is the likelihood that the auditor will not find material misstatements.
ANS: C

38. Attestation services require all of the following except
a. written assertions and a practitioner's written report
b. the engagement is designed to conduct risk assessment of the client's systems to
verify their degree of SOX compliance
c. the formal establishment of measurements criteria
d. the engagement is limited to examination, review, and application of agreed-upon
procedures
ANS: B

39. The financial statements of an organization reflect a set of management assertions
about the financial health of the business. All of the following describe types of
assertions except
a. that all of the assets and equities on the balance sheet exist
b. that all employees are properly trained to carry out their assigned duties
c. that all transactions on the income statement actually occurred
d. that all allocated amounts such as depreciation are calculated on a systematic and
rational basis
ANS: B

40. Which of the following is NOT an implication of section 302 of the Sarbanes-Oxley Act?
a. Auditors must determine whether changes in internal control have, or are likely to,
materially affect internal control over financial reporting.
b. Auditors must interview management regarding significant changes in the design or
operation of internal control that occurred since the last audit.
c. Corporate management (including the CEO) must certify monthly and annually their
organization's internal controls over financial reporting.
d. Management must disclose any material changes in the company's internal controls
that have occurred during the most recent fiscal quarter.
ANS: C

Chapter 2

1. To fulfill the segregation of duties control objective, computer processing functions (like
authorization of credit and billing) are separated.
ANS: F

2. To ensure sound internal control, program coding and program processing should be
separated.
ANS: T

3. Some systems professionals have unrestricted access to the organization's programs
and data.
ANS: T

4. IT governance focuses on the management and assessment of strategic IT resources.
ANS: T

5. Distributed data processing places the control of IT resources under end users.
ANS: T

6. An advantage of distributed data processing is that redundant tasks are greatly
eliminated.
ANS: F

7. Certain duties that are deemed incompatible in a manual system may be combined in a
computer-based information system environment.
ANS: T

8. To improve control and efficiency, the CBIS tasks of new systems development and
program maintenance should be performed by the same individual or group.
ANS: F

9. In a CBIS environment, data consolidation protects corporate data from computer fraud
and losses from disaster.
ANS: F

10. The database administrator should be separated from systems development.
ANS: T

11. A disaster recovery plan is a comprehensive statement of all actions to be taken after a
disaster.
ANS: T

12. RAID is the use of parallel disks that contain redundant elements of data and
applications.
ANS: T

13. Transaction cost economics (TCE) theory suggests that firms should outsource specific
noncore IT assets.
ANS: F

14. Commodity IT assets are easily acquired in the marketplace and should be outsourced
under the core competency theory.
ANS: F

15. A database administrator is responsible for the receipt, storage, retrieval, and custody of
data files.
ANS: F

16. A ROC usually involves two or more user organizations that buy or lease a building and
remodel it into a computer site, but without the computer and peripheral equipment.
ANS: F

17. Fault tolerance is the ability of the system to continue operation when part of the system
fails due to hardware failure, application program error, or operator error.
ANS: T

18. An often-cited benefit of IT outsourcing is improved core business performance.
ANS: T

19. Commodity IT assets include such things as network management.
ANS: T

20. Specific IT assets support an organization's strategic objectives.
ANS: T

21. A generally accepted advantage of IT outsourcing is improved security.
ANS: F

22. An advantage of distributed data processing is that individual end user groups set
specific IT standards without concern for the broader corporate needs.
ANS: F

23. A mutual aid pact is the lowest cost disaster recovery option, but has been shown to be
effective and low risk.
ANS: F

24. Critical applications should be identified and prioritized by the user departments,
accountants, and auditors.
ANS: T

25. A widespread natural disaster is a risk associated with a ROC.
ANS: T

1. All of the following are issues of computer security except
a. releasing incorrect data to authorized individuals
b. permitting computer operators unlimited access to the computer room
c. permitting access to data by unauthorized individuals
d. providing correct data to unauthorized individuals
ANS: B

2. Segregation of duties in the computer-based information system includes
a. separating the programmer from the computer operator
b. preventing management override
c. separating the inventory process from the billing process
d. performing independent verifications by the computer operator
ANS: A

3. In a computer-based information system, which of the following duties needs to be
separated?
a. program coding from program operations
b. program operations from program maintenance
c. program maintenance from program coding
d. all of the above duties should be separated
ANS: D

4. Supervision in a computerized environment is more complex than in a manual
environment for all of the following reasons except
a. rapid turnover of systems professionals complicates management's task of assessing
the competence and honesty of prospective employees
b. many systems professionals have direct and unrestricted access to the organization's
programs and data
c. rapid changes in technology make staffing the systems environment challenging
d. systems professionals and their supervisors work at the same physical location
ANS: D

5. Adequate backups will protect against all of the following except
a. natural disasters such as fires
b. unauthorized access
c. data corruption caused by program errors
d. system crashes
ANS: B

6. Which is the most critical segregation of duties in the centralized computer services
function?
a. systems development from data processing
b. data operations from data librarian
c. data preparation from data control
d. data control from data librarian
ANS: A

7. Systems development is separated from data processing activities because failure to do
so
a. weakens database access security
b. allows programmers access to make unauthorized changes to applications during
execution
c. results in inadequate documentation
d. results in master files being inadvertently erased
ANS: B

8. Which organizational structure is most likely to result in good documentation
procedures?
a. separate systems development from systems maintenance
b. separate systems analysis from application programming
c. separate systems development from data processing
d. separate database administrator from data processing
ANS: A

9. All of the following are control risks associated with the distributed data processing
structure except
a. lack of separation of duties
b. system incompatibilities
c. system interdependency
d. lack of documentation standards
ANS: C

10. Which of the following is not an essential feature of a disaster recovery plan?
a. off-site storage of backups
b. computer services function
c. second site backup
d. critical applications identified
ANS: B

11. A cold site backup approach is also known as
a. internally provided backup
b. recovery operations center
c. empty shell
d. mutual aid pact
ANS: C

12. The major disadvantage of an empty shell solution as a second site backup is
a. the host site may be unwilling to disrupt its processing needs to process the critical
applications of the disaster stricken company
b. intense competition for shell resources during a widespread disaster
c. maintenance of excess hardware capacity
d. the control of the shell site is an administrative drain on the company
ANS: B

13. An advantage of a recovery operations center is that
a. this is an inexpensive solution
b. the initial recovery period is very quick
c. the company has sole control over the administration of the center
d. none of the above are advantages of the recovery operations center
ANS: B

14. For most companies, which of the following is the least critical application for disaster
recovery purposes?
a. month-end adjustments
b. accounts receivable
c. accounts payable
d. order entry/billing
ANS: A

15. The least important item to store off-site in case of an emergency is
a. backups of systems software
b. backups of application software
c. documentation and blank forms
d. results of the latest test of the disaster recovery program
ANS: D

16. Some companies separate systems analysis from programming/program maintenance.
All of the following are control weaknesses that may occur with this organizational
structure except
a. systems documentation is inadequate because of pressures to begin coding a new
program before documenting the current program
b. illegal lines of code are hidden among legitimate code and a fraud is covered up for a
long period of time
c. a new systems analyst has difficulty in understanding the logic of the program
d. inadequate systems documentation is prepared because this provides a sense of job
security to the programmer
ANS: C

17. All of the following are recommended features of a fire protection system for a computer
center except
a. clearly marked exits
b. an elaborate water sprinkler system
c. manual fire extinguishers in strategic locations
d. automatic and manual alarms in strategic locations
ANS: B

18. All of the following tests of controls will provide evidence about the physical security of
the computer center except
a. review of fire marshal records
b. review of the test of the backup power supply
c. verification of the second site backup location
d. observation of procedures surrounding visitor access to the computer center
ANS: C

19. All of the following tests of controls will provide evidence about the adequacy of the
disaster recovery plan except
a. inspection of the second site backup
b. analysis of the fire detection system at the primary site
c. review of the critical applications list
d. composition of the disaster recovery team
ANS: B

20. The following are examples of commodity assets except
a. network management
b. systems operations
c. systems development
d. server maintenance
ANS: C

21. The following are examples of specific assets except
a. application maintenance
b. data warehousing
c. highly skilled employees
d. server maintenance
ANS: D

22. Which of the following is true?
a. Core competency theory argues that an organization should outsource specific core
assets.
b. Core competency theory argues that an organization should focus exclusively on its
core business competencies.
c. Core competency theory argues that an organization should not outsource specific
commodity assets.
d. Core competency theory argues that an organization should retain certain specific
noncore assets in-house.
ANS: B

23. Which of the following is not true?
a. Large-scale IT outsourcing involves transferring specific assets to a vendor.
b. Specific assets, while valuable to the client, are of little value to the vendor
c. Once an organization outsources its specific assets, it may not be able to return to its
pre-outsource state.
d. Specific assets are of value to vendors because, once acquired, vendors can achieve
economies of scale by employing them with other clients
ANS: D

24. Which of the following is not true?
a. When management outsources their organization's IT functions, they also outsource
responsibility for internal control.
b. Once a client firm has outsourced specific IT assets, its performance becomes linked
to the vendor's performance.
c. IT outsourcing may affect incongruence between a firm's IT strategic planning and its
business planning functions.
d. The financial justification for IT outsourcing depends upon the vendor achieving
economies of scale.
ANS: A

25. Which of the following is not true?
a. Management may outsource their organizations' IT functions, but they cannot
outsource their management responsibilities for internal control.
b. Section 404 requires the explicit testing of outsourced controls.
c. The SAS 70 report, which is prepared by the outsourcer's auditor, attests to the
adequacy of the vendor's internal controls.
d. Auditors issue two types of SAS 70 reports: SAS 70 Type I report and SAS 70 Type II
report.
ANS: C

26. Segregation of duties in the computer-based information system includes
a. separating the programmer from the computer operator
b. preventing management override
c. separating the inventory process from the billing process
d. performing independent verifications by the computer operator
ANS: A

27. A disadvantage of distributed data processing is
a. the increased time between job request and job completion
b. the potential for hardware and software incompatibility among users
c. the disruption caused when the mainframe goes down
d. that users are not likely to be involved
ANS: B

28. Which of the following is NOT a control implication of distributed data processing?
a. redundancy
b. user satisfaction
c. incompatibility
d. lack of standards
ANS: B

29. Which of the following disaster recovery techniques may be least optimal in the case of a
disaster?
a. empty shell
b. mutual aid pact
c. internally provided backup
d. they are all equally beneficial
ANS: B

30. Which of the following is a feature of fault tolerance control?
a. interruptible power supplies
b. RAID
c. DDP
d. MDP
ANS: B

31. Which of the following disaster recovery techniques has the least risk associated with
it?
a. empty shell
b. ROC
c. internally provided backup
d. they are all equally risky
ANS: C

32. Which of the following is NOT a potential threat to computer hardware and peripherals?
a. low humidity
b. high humidity
c. carbon dioxide fire extinguishers
d. water sprinkler fire extinguishers
ANS: C

33. Which of the following would strengthen organizational control over a large-scale data
processing center?
a. Requiring the user departments to specify the general control standards necessary for
processing transactions.
b. Requiring that requests and instructions for data processing services be submitted
directly to the computer operator in the data center.
c. Having the database administrator report to the manager of computer operations.
d. Assigning maintenance responsibility to the original system designer who best knows
its logic.
ANS: A

34. Which of the following is true?
a. Core competency theory argues that an organization should outsource specific core
assets.
b. Core competency theory argues that an organization should focus exclusively on its
core business competencies.
c. Core competency theory argues that an organization should not outsource specific
commodity assets.
d. Core competency theory argues that an organization should retain certain specific
non-core assets in-house.
ANS: B

Chapter 3

1. In a computerized environment, the audit trail log must be printed onto paper documents.
ANS: F

2. Disguising message packets to look as if they came from another user and to gain
access to the host’s network is called spooling.
ANS: F

3. A formal log-on procedure is the operating system’s last line of defense against
unauthorized access.
ANS: F

4. Computer viruses usually spread throughout the system before being detected.
ANS: T

5. A worm is a software program that replicates itself in areas of idle memory until the system
fails.
ANS: T

6. Viruses rarely attach themselves to executable files.
ANS: F

7. Operating system controls are of interest to system professionals but should not concern
accountants and auditors.
ANS: F

8. The most frequent victims of program viruses are microcomputers.
ANS: T

9. Audit trails in computerized systems are comprised of two types of audit logs: detailed
logs of individual keystrokes and event-oriented logs.
ANS: T

10. In a telecommunications environment, line errors can be detected by using an echo
check.
ANS: T

11. The message authentication code is calculated by the sender and the receiver of a data
transmission.
ANS: T

12. The request-response technique should detect if a data communication transmission has
been diverted.
ANS: T

13. Electronic data interchange translation software interfaces with the sending firm and the
value added network.
ANS: F

14. A value added network can detect and reject transactions by unauthorized trading
partners.
ANS: T

15. Electronic data interchange customers may be given access to the vendor’s data files.
ANS: T

16. The audit trail for electronic data interchange transactions is stored on magnetic media.
ANS: T

17. A firewall is a hardware partition designed to protect networks from power surges.
ANS: F

18. To preserve audit trails in a computerized environment, transaction logs are permanent
records of transactions.
ANS: T

19. The network paradox is that networks exist to provide user access to shared resources
while one of its most important objectives is to control access.
ANS: T

20. IP spoofing is a form of masquerading to gain unauthorized access to a Web server.
ANS: T

21. The rules that make it possible for users of networks to communicate are called
protocols.
ANS: T

22. A factor that contributes to computer crime is the reluctance of many organizations to
prosecute criminals for fear of negative publicity.
ANS: T

23. Because of network protocols, users of networks built by different manufacturers are
able to communicate and share data.
ANS: T

24. The client-server model can only be applied to ring and star topologies.
ANS: F

25. Only two types of motivation drive DoS attacks: 1) to punish an organization with which
the perpetrator had a grievance; and 2) to gain bragging rights for being able to do it.
ANS: F

26. The bus topology connects the nodes in parallel.
ANS: T

27. A network topology is the physical arrangement of the components of the network.
ANS: T

28. A digital signature is a digital copy of the sender’s actual signature that cannot be forged.
ANS: F
29. A smurf attack involves three participants: a zombie, an intermediary, and the victim.
ANS: F

30. In a hierarchical topology, network nodes communicate with each other via a central host
computer.
ANS: T

31. Polling is one technique used to control data collisions.
ANS: T

32. The more individuals that need to exchange encrypted data, the greater the chance that
the key will become known to an intruder. To overcome this problem, private key
encryption was devised.
ANS: F

33. A ping is used to test the state of network congestion and determine whether a particular
host computer is connected and available on the network.
ANS: T

34. HTML tags are customized to delimit attributes, the content of which can be read and
processed by computer applications.
ANS: F

MULTIPLE CHOICE

1. The operating system performs all of the following tasks except


a. translates third-generation languages into machine language
b. assigns memory to applications
c. authorizes user access
d. schedules job processing
ANS: C

2. Which of the following is considered an unintentional threat to the integrity of the
operating system?
a. a hacker gaining access to the system because of a security flaw
b. a hardware flaw that causes the system to crash
c. a virus that formats the hard drive
d. the systems programmer accessing individual user files
ANS: B

3. A software program that replicates itself in areas of idle memory until the system fails is
called a
a. Trojan horse
b. worm
c. logic bomb
d. none of the above
ANS: B

4. A software program that allows access to a system without going through the normal
logon procedures is called a
a. logic bomb
b. Trojan horse
c. worm
d. back door
ANS: D

5. All of the following will reduce the exposure to computer viruses except
a. install antivirus software
b. install factory-sealed application software
c. assign and control user passwords
d. install public-domain software from reputable bulletin boards
ANS: D

6. Hackers can disguise their message packets to look as if they came from an authorized
user and gain access to the host's network using a technique called
a. spoofing.
b. spooling.
c. dual-homed.
d. screening.
ANS: A

7. Passwords are secret codes that users enter to gain access to systems. Security can be
compromised by all of the following except
a. failure to change passwords on a regular basis
b. using obscure passwords unknown to others
c. recording passwords in obvious places
d. selecting passwords that can be easily detected by computer criminals
ANS: B

8. Which control will not reduce the likelihood of data loss due to a line error?
a. echo check
b. encryption
c. vertical parity bit
d. horizontal parity bit
ANS: B

9. Which method will render useless data captured by unauthorized receivers?
a. echo check
b. parity bit
c. public key encryption
d. message sequencing
ANS: C

10. Which method is most likely to detect unauthorized access to the system?
a. message transaction log
b. data encryption standard
c. vertical parity check
d. request-response technique
ANS: A
11. All of the following techniques are used to validate electronic data interchange
transactions except
a. value added networks can compare passwords to a valid customer
b. prior to converting the message, the translation software of the rec password against
a validation file in the firm’s database
c. the recipient’s application software can validate the password PRIOR
d. the recipient’s application software can validate the password AFTER
ANS: D

12. All of the following tests of controls will provide evidence that adequate computer virus
control techniques are in place and functioning except
a. verifying that only authorized software is used on company computers
b. reviewing system maintenance records
c. confirming that antivirus software is in use
d. examining the password policy including a review of the authority table

13. Audit objectives for communications controls include all of the following except
a. detection and correction of message loss due to equipment failure
b. prevention and detection of illegal access to communication channels
c. procedures that render intercepted messages useless
d. all of the above

14. When auditors examine and test the call-back feature, they are testing which audit
objective?
a. incompatible functions have been segregated
b. application programs are protected from unauthorized access
c. physical security measures are adequate to protect the organization
d. illegal access to the system is prevented and detected


15. In an electronic data interchange (EDI) environment, when the auditor compares the
terms of the trading partner agreement against the access privileges stated in the
database authority table, the auditor is testing which audit objective?
a. all EDI transactions are authorized
b. unauthorized trading partners cannot gain access to database reco
c. authorized trading partners have access only to approved data
d. a complete audit trail is maintained


16. In determining whether a system is adequately protected from attacks by computer
viruses, all of the following policies are relevant except
a. the policy on the purchase of software only from reputable vendors
b. the policy that all software upgrades are checked for viruses before
c. the policy that current versions of antivirus software should be ava
d. the policy that permits users to take files home to work on them


17. In an electronic data interchange environment, customers routinely
a. access the vendor’s accounts receivable file with read/write author
b. access the vendor’s price list file with read/write authority
c. access the vendor’s inventory file with read-only authority
d. access the vendor’s open purchase order file with read-only authori

18. In an electronic data interchange environment, the audit trail


a. is a printout of all incoming and outgoing transactions
b. is an electronic log of all transactions received, translated, and processed by
the system
c. is a computer resource authority table
d. consists of pointers and indexes within the database

19. All of the following are designed to control exposures from subversive threats except
a. firewalls
b. one-time passwords
c. field interrogation
d. data encryption

20. Many techniques exist to reduce the likelihood and effects of data communication
hardware failure. One of these is
a. hardware access procedures
b. antivirus software
c. parity checks
d. data encryption

21. Which of the following deal with transaction legitimacy?


a. transaction authorization and validation
b. access controls
c. EDI audit trail
d. all of the above


22. Firewalls are
a. special materials used to insulate computer facilities
b. a system that enforces access control between two networks
c. special software used to screen Internet access
d. none of the above

23. Which of the following is true?


a. Deep Packet Inspection uses a variety of analytical and statistical techniques to
evaluate the contents of message packets.
b. An Intrusion prevention system works in parallel with a firewall at t filer that removes
malicious packets from the flow before they can
c. A distributed denial of service attack is so named because it is cap simultaneously
who are distributed across the internet.
d. None of the above are true statements.
24. A system of computers that connects the internal users of an organization that is
distributed over a wide geographic area is a(n)
a. LAN
b. decentralized network
c. multidrop network
d. Intranet

25. Network protocols fulfill all of the following objectives except


a. facilitate physical connection between network devices
b. provide a basis for error checking and measuring network performance
c. promote compatibility among network devices
d. result in inflexible standards

26. To physically connect a workstation to a LAN requires a


a. file server
b. network interface card
c. multiplexer
d. bridge

27. Packet switching


a. is used to establish temporary connections between network devices for the
duration of a communication session.
b.is a denial of service technique that disassembles various incoming messages to
targeted users into small packages and then reassembles them in random order to
create a useless garbled message.
c. combines the messages of multiple users into one packet for transmission. At the
receiving end, the packet is disassembled into the individual messages and distributed
to the intended users.
d. is a method for partitioning a database into packets for easy access where no
identifiable primary user exists in the organization.

28. A virtual private network:


a.is a private network within a public network.
b.is an expensive zippie de doo dah
c.is an Internet facility that links user sites locally and around the world.
d.is a password-controlled network for private users rather than the general public.
e.defines the path to a facility or file on the web

29. An integrated group of programs that supports the applications and facilitates their
access to specified resources is called a (an)
a.utility system.
b.object system.
c.operating system.
d.database management system.
e.facility system.
30. A user's application may consist of several modules stored in separate memory
locations, each with its own data. One module must not be allowed to destroy or corrupt
another module. This is an objective of
a.data resource controls
b.application controls
c.operating system controls
d.computer center and security controls

31. A DDoS attack
a.is more intensive than a DoS attack because it emanates from a single source
b.none of the other items is correct
c.is so named because it affects many victims simultaneously, which are distributed
across the Internet
d.may take the form of either a SYN flood or smurf attack
e.turns the target victim's computers into zombies that are unable to access the Internet

32. A software program that replicates itself in areas of idle memory until the system fails is
called a
a.Trojan horse
b.super duper replicator
c.worm
d.logic bomb
e.lone replicator

33. Passwords are secret codes that users enter to gain access to systems. Security can be
compromised by all of the following except
a.using obscure passwords unknown to others
b.selecting passwords that can be easily detected by computer criminals
c.recording passwords in obvious places
d.failure to change passwords on a regular basis

34. Network protocols fulfill all of the following objectives except


a.provide a basis for error checking and measuring network performance
b.facilitate physical connection between network devices
c.promote compatibility among network devices
d.result in inflexible standards

35. In a star topology, when the central site fails


a.individual workstations can communicate with each other
b.the functions of the central site are taken over by a designated workstation
c.individual workstations can function locally but cannot communicate with other
workstations
d.individual workstations cannot function locally and cannot communicate with other
workstations

36. Which method will render useless any data captured by unauthorized receivers?
a.parity bit
b.echo check
c.message sequencing
d.public key encryption

37. Audit objectives for communications controls include which of the following?
a.detection and correction of message loss due to equipment failure
b.procedures that render intercepted messages useless
c.prevention and detection of illegal access to communication channels
d.all of the other listed items are valid audit objectives regarding communications
controls

38. An IP address:
a.is represented by a 64-bit data packet.
b.is the destination of an internet pumpkin toss
c.is the unique address that every computer node and host attached to the
Internet must have.
d.defines the path to a facility or file on the web.
e.is the address of the protocol rules and standards that govern the design of internet
hardware and software.

39. To physically connect a workstation to a LAN requires a


a.network interface card
b.multiplexor
c.file server
d.wire
e.bridge

40. All of the following techniques are used to validate electronic data interchange
transactions except
a.value added networks can compare passwords to a valid customer file before
message transmission
b.prior to converting the message, the translation software of the receiving company can
compare the password against a validation file in the firm's database
c.the recipient's application software can validate the password after the
transaction has been processed
d.the recipient's application software can validate the password prior to processing

41. Which method is most likely to detect unauthorized access to the system?
a.message transaction log
b.data encryption standard
c.vertical parity check
d.request-response technique

42. Firewalls are


a.a system that enforces access control into/from a private network
b.special software used to screen Internet access
c.none of the other items is correct
d.special materials used to insulate computer facilities

43. Which of the following statements is correct? TCP/IP

a.is the file format used to produce Web pages.


b.controls Web browsers that access the WWW.
c.is a low-level encryption scheme used to secure transmissions in HTTP format
d.is the basic protocol that permits communication between Internet sites

44. All of the following are objectives of operating system control except

a.protecting users from themselves


b.protecting the environment from users
c.protecting the OS from users
d.protecting users from each other

45. In a ring topology

a.the network consists of a central computer which manages all communications
between nodes
b.all nodes are of equal status; responsibility for managing communications is
distributed among the nodes
c.has a host computer connected to several levels of subordinate computers
d.information processing units rarely communicate with each other

46. To ensure privacy in a public key encryption system, knowledge of which of the following
keys is required to decode the received message?

I. Private
II. Public

a.I
b.Neither I nor II
c.Both I and II
d.II

47. The encryption technique that requires two keys, a public key that is available to anyone
for encrypting messages and a private key that is known only to the recipient for
decrypting messages, is

a.Advanced encryption standard (AES).


b.A cypher lock.
c.Modulator-demodulator.
d.Rivest, Shamir, and Adleman (RSA).

48. An organization installed antivirus software on all its personal computers. The software
was designed to prevent initial infections, stop replication attempts, detect infections
after their occurrence, mark affected system components, and remove viruses from
infected components. The major risk in relying on antivirus software is that antivirus
software may

a. Consume too many system resources.


b. Make software installation overly complex.
c. Interfere with system operations.
d. Not detect certain viruses.
49. An insurance firm uses a wide area network (WAN) to allow agents away from the home
office to obtain current rates and client information and to submit approved claims using
notebook computers and dial-in modems. In this situation, which of the following
methods will provide the best data security?

a. End-to-end data encryption.


b. Dedicated phone lines.
c. Call-back features.
d. Frequent changes of user IDs and passwords.

50. Managers at a consumer products company purchased personal computer software only
from recognized vendors and prohibited employees from installing nonauthorized
software on their personal computers. To minimize the likelihood of computer viruses
infecting any of its systems, the company should also

a. Institute program change control procedures.


b. Recompile infected programs from source code backups.
c. Test all new software on a stand-alone personal computer.
d. Restore infected systems with authorized versions.

51. Which of the following is an indication that a computer virus is present?

a. Frequent power surges that harm computer equipment.


b. Numerous copyright violations due to unauthorized use of purchased software.
c. Unexplainable losses of or changes to data.
d. Inadequate backup, recovery, and contingency plans.

52. A control feature designed to negate the use of utility programs to read files that contain
all authorized access user codes for the network is

a. A password hierarchy.
b. Internally encrypted passwords.
c. Logon passwords.
d. A peer-to-peer network.

53. The telecommunication control of dial-up/disconnect/dial-back can be circumvented by
using

a. Encryption algorithms.
b. Dedicated line technology.
c. High baud rate lines.
d. Automatic call forwarding.

54. What do you call a system of computers that connects the internal users of an
organization that is distributed over a wide geographic area?
a.multidrop network
b.LAN
c.decentralized network
d.Intranet

55. HTML

a. is used to transfer text files, programs, spreadsheets, and databases across the
Internet.
b. is used to connect to Usenet groups on the Internet.
controls Web browsers that access the Web.
c. is a low-level encryption scheme used to secure transmissions in higher-level format.
d. is the document format used to produce Web pages.

56. FTP

a. is used to transfer text files, programs, spreadsheets, and databases across the
Internet.
b. is used to connect to Usenet groups on the Internet.
controls Web browsers that access the Web.
c. is a low-level encryption scheme used to secure transmissions in higher-level ()
format.
d. is the document format used to produce Web pages.

57. Transmitting numerous SYN packets to a targeted receiver, but NOT responding to an
ACK, is

a. IP Spoofing.
b. a smurf attack.
c. a ping attack.
d. an ACK echo attack
e. none of the other listed items

Correct Answer: Denial of service attacks

58. All of the following are designed to control exposures from subversive threats except

a. deep packet inspection


b. data encryption
c. firewalls
d. field interrogation

59. HTTP

a. is used to transfer text files, programs, spreadsheets, and databases across the
Internet.
b. is a low-level encryption scheme used to secure transmissions in higher-level ()
format.
c. is the document format used to produce Web pages.
d. controls Web browsers that access the Web.
e. is used to connect to Usenet groups on the Internet

60. Which control will not reduce the likelihood of data loss due to a line error?

a. vertical parity bit


b. horizontal parity bit
c. echo check
d. encryption

61. Audit trails cannot be used to

a. detect unauthorized access to systems


b. facilitate reconstruction of events
c. reduce the need for other forms of security
d. promote personal accountability

62. A distributed denial of service () attack

a. turns the target victim's computers into zombies that are unable to access the Internet
b. none of the other items makes any sense
c. is so named because it affects many victims simultaneously, which are distributed
across the internet
d. is more intensive than a DoS attack because it emanates from a single source
e. may take the form of either a SYN flood or smurf attack

64. Which of the following statements is correct? The client-server model

a. is most effectively used with a bus topology.


b. is more efficient than the bus or ring topologies.
c. distributes processing between the user's computer and the central file server.
d. is best suited to the token-ring topology because the random-access method used
by this model detects data collisions.

Another possible answer:


a. distributes both data and processing tasks to the server's node.

65. An equipment manufacturer maintains a secure website for access to its order-entry
system for the convenience of its pre-approved customers worldwide so they may order
parts. Because of the cost and sensitive nature of certain electronic parts, the
manufacturer maintains secure access to its order-entry system. The best technique for
monitoring the security of access is

a. Integrated test facility for the order-entry system.


b. Logging of unsuccessful access attempts.
c. Tracing of transactions through the order-entry system.
d. Transaction selection of order-entry transactions.

66. In an electronic data interchange environment, the audit trail

a. is a printout of all incoming and outgoing transactions


b. is a computer resource authority table
consists of pointers and indexes within the database
c. is very, very long
d. is an electronic log of all transactions received, translated, and processed by
the system

67. Which of the following might be used to secretly capture IDs and passwords from users?

a. Trojan horse
b. virus
c. logic bomb
d. worm

68. All of the following will reduce the exposure to computer viruses except

a. install factory-sealed application software


b. install public-domain software from reputable bulletin boards
c. assign and control user passwords
d. install antivirus software

69. Audit objectives in the electronic data interchange (EDI) environment include all of the
following except

a. unauthorized trading partners cannot gain access to database records


b. complete audit trail of EDI transactions is maintained
c. backup procedures are in place and functioning properly
d. all EDI transactions are authorized

70. When auditors examine and test the call-back feature, they are testing which audit
objective?

a. application programs are protected from unauthorized access


b. incompatible functions have been segregated
c. physical security measures are adequate to protect the organization from natural
disaster
d. illegal access to the system is prevented and detected

71. A message that is made to look as though it is coming from a trusted source but is not is
called
a. a denial of service attack
b. URL masquerading
c. digital signature forging
d. Internet protocol spoofing

72. In an electronic data interchange environment, customers routinely access

a. none of the other listed items


b. the vendor's open purchase order file
c. the vendor's accounts payable file
d. the vendor's price list file

73. An Internet firewall is designed to provide adequate protection against which of the
following

a. Unauthenticated logins from outside users.


b. A computer virus.
c. A Trojan horse application.
d. Insider leaking of confidential information.

74. A software program that allows access to a system without going through the normal
logon procedures is called a

a. logic bomb
b. worm
c. Trojan horse
d. trap door
e. back door
back door

75. Which of the following deal with transaction legitimacy in an EDI environment?

a. access controls
b. EDI audit trail
c. all of the other listed items
d. transaction authorization and validation

76. An attack where outgoing messages from the client are reflected back onto the client,
preventing outside access, as well as flooding the client with the sent packets is known as
a(n)

a. reflected attack
b. unintentional attack
c. brute force attack
d. buffer overflow attack
e. spamming attack
f. packet replay
g. trap door attack
h. banana attack

77. Personal computers generally configured with minimal hardware features with the intent
being that most processing occurs at the server level using software are known as

a. LAN computers
b. WAN computers
c. thin client computers
d. PDA processors
e. laptop computers
f. mainframe computers
g. high end computers

78. If you were maintaining your company's data on a series of connected storage devices
and servers, you would be using what is best described as a(n)

a. PDN
b. MAN
c. PAN
d. SAN
e. WAN
f. LAN

79. Wireless access presents a number of exposures and risks. Which of the following would
not be considered one of those exposures or risks?

a. loss of data
b. misuse of devices
c. disclosure of sensitive information
d. loss of device
e. user authentication
f. brain cancer
g. data collisions

80. An executable, machine-independent software program run on the server that can be
called and executed by a web server is called a(n)

a. cookie
b. bookmark
c. script
d. apple
e. servlet
f. botnet
g. server
81. If you were using a system where processing may take place on different machines with
each processing component being mutually dependent on the others, you would be
using which of the following network architectures?

a. distributed data processing architecture


b. star architecture
c. centralized data processing architecture
d. DHCP architecture
e. client server architecture
f. wireless architecture
g. LAN architecture

82. The use of digital tools in pursuit of nonviolent political gains is called

a. hacktivism
b. script kiddies
c. heroic
d. crackers
e. hackers

83. If your company has an automated communication channel that acts in response to
receipt of a stream of data, the company may be vulnerable to which of the following
types of attack

a. War dialing attack


b. unintentional attack
c. packet replay
d. reflected attack
e. banana attack
f. spamming attack
g. trap door attack

84. Bluetooth is the most dominant form of which of the following technologies?

a. WPANs
b. LANs
c. All of the other items are capable of wireless configurations
d. ad hoc networks
e. WANs

85. If there are inadequate protection mechanisms in place for peer-to-peer connections, the
major risk involved would be

a. infection by trojan horses


b. infection by a virus
c. peer access to sensitive data
d. IP spoofing
e. flipping
f. eavesdropping

86. If you wanted to build a computer system to predict hurricanes, which type of computer
would you use?

a. laptop
b. smartphone
c. supercomputer
d. server
e. personal computer
f. mainframe

87. One advantage of network technology is

a. a single universal topology facilitates the transfer of data among all networks
b. bridges and gateways connect one workstation with another workstation
c. the network interface card permits different networks to share data
d. file servers permit software and data to be shared with other network users
file servers permit software and data to be shared with other network users

88. Advanced encryption standard (AES) is a 128-bit encryption technique that has become a
U.S. government standard for private key encryption.

89. Which of the following is not a test of access controls?

a. biometric controls
b. encryption controls
c. backup controls
d. inference controls

90. A star topology is appropriate

a. when the central database does not have to be concurrent with the nodes
b. for a wide area network with a mainframe for a central computer
c. for environments where network nodes routinely communicate with each other
d. for centralized databases only
for a wide area network with a mainframe for a central computer

91. Which one of the following statements is correct?

a. Cookies always contain encrypted data.


b. Web browsers cannot function without cookies.
c. Cookies contain the URLs of sites visited by the user.
d. Cookies are text files and never contain encrypted data.

92. In an electronic data interchange environment, customers routinely access


a. none of the other listed items
b. the vendor's open purchase order file
c. the vendor's accounts payable file
d. the vendor's price list file

93. Which is not a biometric device?

a. password
b. retina prints
c. voice prints
d. signature characteristics

94. Which of the following statements is correct?

a. Packet switching combines the messages of multiple users into a "packet" for
transmission. At the receiving end, the packet is disassembled into the individual
messages and distributed to the intended users.
b. The decision to partition a database assumes that no identifiable primary user exists
in the organization.
c. Packet switching is used to establish temporary connections between network
devices for the duration of a communication session.
d. A deadlock is a temporary phenomenon that disrupts transaction processing. It will
resolve itself when the primary computer completes processing its transaction and
releases the data needed by other users.

95. A digital signature is

a. the encrypted mathematical value of the message sender's name


b. derived from the digest of a document that has been encrypted with the
sender's private key
c. the computed digest of the sender's digital certificate
d. allows digital messages to be sent over analog telephone lines

96. Which topology has a large central computer with direct connections to a periphery of
smaller computers? Also in this topology, the central computer manages and controls
data communications among the network nodes.

a. star topology
b. bus topology
c. ring topology
d. client/server topology

97. A ping signal is used to initiate

a. a smurf attack.
b. Internet protocol spoofing.
c. digital signature forging
d. URL masquerading
e. a SYN-ACK packet.
Chapter 4

1. The database approach to data management is sometimes called the flat file approach.
ANS: F

2. The database management system provides a controlled environment for accessing the
database.
ANS: T

3. To the user, data processing procedures for routine transactions, such as entering sales
orders, appear to be identical in the database environment and in the traditional environment.
ANS: T

4. An important feature associated with the traditional approach to data management is the
ability to produce ad hoc reports.
ANS: F

5. The data definition language is used to insert special database commands into application
programs.
ANS: F

6. There is more than one conceptual view of the database.
ANS: F

7. In the database method of data management, access authority is maintained by systems
programming. DATA MANAGEMENT SYSTEM
ANS: F

8. The physical database is an abstract representation of the database. USE, INTERNAL,
CONCEPTUAL
ANS: F

9. A customer name and an unpaid balance is an example of a one-to-many relationship. ONE
TO ONE
ANS: F

10. In the relational model, a data element is called a relation. TUPLE
ANS: F

11. Subschemas are used to authorize user access privileges to specific data elements.
ACCESS CONTROL
ANS: F
12. A recovery module suspends all data processing while the system reconciles its journal files
against the database. CHECKPOINT FEATURE
ANS: F

13. The database management system controls access to program files. ACCESS CONTROL
ANS: F

14. Examining programmer authority tables for information about who has access to Data
Definition Language commands will provide evidence about who is responsible for creating
subschemas.
ANS: T

15. Data normalization groups data attributes into tables in accordance with specific design
objectives.
ANS: T

16. Under the database approach, data is viewed as proprietary or owned by users.
ANS: F

17. The data dictionary describes all of the data elements in the database.
ANS: T

18. A join builds a new table by creating links. RELATION
ANS: F

19. A deadlock is a phenomenon that prevents the processing of transactions.
ANS: T

20. Timestamping is a control that is used to ensure database partitioning.
ANS: F

21. A lockout is a software control that prevents multiple users from simultaneous access to
data.
ANS: T

22. An entity is any physical thing about which the organization wishes to capture data.

23. An ER diagram is a graphical representation of a data model.
ANS: T

24. The term occurrence is used to describe the number of attributes or fields pertaining to a
specific entity. RECORD
ANS: F

25. Cardinality describes the number of possible occurrences in one table that are associated
with a single occurrence in a related table.
ANS: T

MULTIPLE CHOICE:

1. All of the following are basic data management tasks except
a. data deletion
b. data storage
c. data attribution
d. data retrieval

2. The task of searching the database to locate a stored record for processing is called
a. data deletion
b. data storage
c. data attribution
d. data retrieval

3. Which of the following is not a problem usually associated with the flat-file approach to data
management?
a. data redundancy
b. restricting access to data to the primary user
c. data storage
d. currency of information

4. Which characteristic is associated with the database approach to data management?
a. data sharing
b. multiple storage procedures
c. data redundancy
d. excessive storage costs

5. Which characteristic is not associated with the database approach to data management?
a. the ability to process data without the help of a programmer
b. the ability to control access to the data
c. constant production of backups
d. the inability to determine what data is available

6. The textbook refers to four interrelated components of the database concept. Which of the
following is not one of the components?
a. the database management system
b. the database administrator
c. the physical database
d. the conceptual database

7. Which of the following is not a responsibility of the database management system?
a. provide an interface between the users and the physical database
b. provide security against a natural disaster
c. ensure that the internal schema and external schema are consistent
d. authorize access to portions of the database

8. A description of the physical arrangement of records in the database is
a. the internal view
b. the conceptual view
c. the subschema
d. the external view

9. Which of the following may provide many distinct views of the database?
a. the schema
b. the internal view
c. the user view
d. the conceptual view

10. Users access the database
a. by direct query
b. by developing operating software
c. by constantly interacting with systems programmers
d. all of the above

11. The data definition language
a. identifies, for the database management system, the names and relationships of all
data elements, records, and files that comprise the database
b. inserts database commands into application programs to enable standard programs to
interact with and manipulate the database
c. permits users to process data in the database without the need for conventional programs
d. describes every data element in the database

12. The data manipulation language
a. defines the database to the database management system
b. transfers data to the buffer area for manipulation
c. enables application programs to interact with and manipulate the database
d. describes every data element in the database

13. Which statement is not correct? A query language like SQL
a. is written in a fourth-generation language
b. requires user familiarity with COBOL
c. allows users to retrieve and modify data
d. reduces reliance on programmers

14. Which duty is not the responsibility of the database administrator?
a. to develop and maintain the data dictionary
b. to implement security controls
c. to design application programs
d. to design the subschema

15. In a hierarchical model
a. links between related records are implicit
b. the way to access data is by following a predefined data path
c. an owner (parent) record may own just one member (child) record
d. a member (child) record may have more than one owner (parent)

16. Which term is not associated with the relational database model?
a. tuple
b. attribute
c. collision
d. relation

17. In the relational database model
a. relationships are explicit
b. the user perceives that files are linked using pointers
c. data is represented on two-dimensional tables
d. data is represented as a tree structure

18. In the relational database model all of the following are true except
a. data is presented to users as tables
b. data can be extracted from specified rows from specified tables
c. a new table can be built by joining two tables
d. only one-to-many relationships can be supported

19. In a relational database
a. the user's view of the physical database is the same as the physical database
b. users perceive that they are manipulating a single table
c. a virtual table exists in the form of rows and columns of a table stored on the disk
d. a programming language (COBOL) is used to create a user's view of the database

20. Which of the following is not a common form of conceptual database model?
a. hierarchical
b. network
c. sequential
d. relational

21. Which statement is false?
a. The DBMS is special software that is programmed to know which data elements each user
is authorized to access.
b. User programs send requests for data to the DBMS.
c. During processing, the DBMS periodically makes backup copies of the physical database.
d. The DBMS does not control access to the database.

22. All of the following are elements of the DBMS which facilitate user access to the database
except
a. query language
b. data access language
c. data manipulation language
d. data definition language

23. Which of the following is a level of the database that is defined by the data definition
language?
a. user view
b. schema
c. internal view
d. all are levels or views of the database

24. An example of a distributed database is
a. partitioned database
b. centralized database
c. networked database
d. all are examples of distributed databases

25. Data currency is preserved in a centralized database by
a. partitioning the database
b. using a lockout procedure
c. replicating the database
d. implementing concurrency controls

26. Which procedure will prevent two end users from accessing the same data element at the
same time?
a. data redundancy
b. data replication
c. data lockout
d. none of the above

27. The advantages of a partitioned database include all of the following except
a. user control is enhanced
b. data transmission volume is increased
c. response time is improved
d. risk of destruction of entire database is reduced

28. A replicated database is appropriate when
a. there is minimal data sharing among information processing units
b. there exists a high degree of data sharing and no primary user
c. there is no risk of the deadlock phenomenon
d. most data sharing consists of read-write transactions

29. What control maintains complete, current, and consistent data at all information processing
units?
a. deadlock control
b. replication control
c. concurrency control
d. gateway control

30. Data concurrency
a. is a security issue in partitioned databases
b. is implemented using timestamping
c. may result in data lockout
d. occurs when a deadlock is triggered

31. All of the following are advantages of a partitioned database except
a. increased user control by having the data stored locally
b. deadlocks are eliminated
c. transaction processing response time is improved
d. partitioning can reduce losses in case of disaster

32. Which backup technique is most appropriate for sequential batch systems?
a. grandparent-parent-child approach
b. staggered backup approach
c. direct backup
d. remote site, intermittent backup

33. When creating and controlling backups for a sequential batch system,
a. the number of backup versions retained depends on the amount of data in the file
b. off-site backups are not required
c. backup files can never be used for scratch files
d. the more significant the data, the greater the number of backup versions

34. In a direct access file system
a. backups are created using the grandfather-father-son approach
b. processing a transaction file against a master file creates a backup file
c. files are backed up immediately before an update run
d. if the master file is destroyed, it cannot be reconstructed

35. Which of the following is not an access control in a database system?
a. antivirus software
b. database authorization table
c. passwords
d. voice prints

36. Which of the following is not a basic database backup and recovery feature?
a. checkpoint
b. backup database
c. transaction log
d. database authority table

37. Audit objectives for the database management system include all of the following except
a. verifying that the security group monitors and reports on fault tolerance violations
b. confirming that backup procedures are adequate
c. ensuring that authorized users access only those files they need to perform their duties
d. verifying that unauthorized users cannot access data files

38. All of the following tests of controls will provide evidence that access to the data files is
limited except
a. inspecting biometric controls
b. reconciling program version numbers
c. comparing job descriptions with access privileges stored in the authority table
d. attempting to retrieve unauthorized data via inference queries

39. Which of the following is not a test of access controls?
a. biometric controls
b. encryption controls
c. backup controls
d. inference controls

40. The database attributes that individual users have permission to access are defined in
a. operating system.
b. user manual.
c. database schema.
d. user view.
e. application listing.

Chapter 5

1. When the auditor reconciles the program version numbers, which audit objective is being
tested?

protect applications from unauthorized changes
protect production libraries from unauthorized access
ensure applications are free from error
ensure incompatible functions have been identified and segregated

2. Computer operators should have access to all of the following types of documentation
except

a list of required hardware devices
a list of all master files used in the system
a list of users who receive output
a program code listing

3. Which test of controls will provide evidence that the system as originally implemented
was free from material errors and free from fraud? Review of the documentation
indicates that

problems detected during the conversion period were corrected in the maintenance
phase
the detailed design was an appropriate solution to the user's problem
tests were conducted at the individual module and total system levels prior to
implementation
a cost-benefit analysis was conducted

4. The detailed design report contains all of the following except

alternative conceptual designs
process logic
input screen formats
report layouts

5. Evaluators of the detailed feasibility study should not include

the internal auditor
the project manager
a user representative
the system designer

6. Which control is not associated with new systems development activities?

internal audit participation
reconciling program version numbers
user involvement
program testing

7. When determining the operational feasibility of a new system, the expected ease of
transition from the old system to the new system should be considered.

True
False

8. The role of the accountant/internal auditor in the conceptual design phase of the
Systems Development Life Cycle includes all of the following except

the accountant is responsible for designing the physical system
the accountant is responsible to ensure that audit trails are preserved
the accountant is responsible to make sure that the accounting conventions that apply to
the module are considered by the system designers
the internal auditor is responsible to confirm that embedded audit modules are included
in the conceptual design

9. When the nature of the project and the needs of the user permit, most organizations will
seek a pre-coded commercial software package rather than develop a system in-house.

True
False

System documentation is designed for all of the following groups except

systems designers and programmers

end users

all of these require systems documentation

accountants

Which control ensures that production files cannot be accessed without specific permission?

Source Program Library Management System

Computer Services Function

Recovery Operations Function

Database Management System

Instead of implementing an application in a single big-bang release, modern systems are
delivered in parts continuously and quickly

True

False

Project planning includes all of the following except

producing a project schedule

selecting hardware vendors

specifying system objectives

preparing a formal project proposal

Aspects of project feasibility include all of the following except

economic feasibility

technical feasibility

schedule feasibility

logistic feasibility

Which technique is least likely to be used to quantify intangible benefits?

professional judgment

simulation models

opinion surveys

review of accounting transaction data

Routine maintenance activities require all of the following controls except

testing

formal authorization

documentation updates

internal audit approval

Which is not a level of a data flow diagram?

elementary level

context level

intermediate level

conceptual level

An example of an intangible benefit is

more efficient operations

reduced equipment maintenance

reduction in supplies and overhead

expansion into other markets

A cost-benefit analysis is a part of the detailed

operational feasibility study

economic feasibility study

legal feasibility study

schedule feasibility study

Maintenance access to systems increases the risk that logic will be corrupted either by the
accident or intent to defraud.

True

False

Which of the following is not an advantage of commercial software? Commercial software

is less likely to have errors than an equivalent system developed in-house

can be easily modified to the user’s exact specifications

can be installed faster than a custom system

is significantly less expensive than a system developed in-house

Which type of documentation shows the detailed relationship of input files, programs, and output
files?

system flowchart

overview diagram

structure diagrams

program flowchart

Systems analysis involves all of the following except

gathering facts

reviewing key documents

surveying the current system

redesigning bottleneck activities

The accountant’s role in systems analysis includes all of the following except

specify audit trail requirements

prepare data gathering questionnaires

suggest inclusion of advanced audit features

ensure mandated procedures are part of the design

The objective of systems planning is to link systems projects to the strategic objectives of the
firm.

True

False

The formal product of the systems evaluation and selection phase of the Systems Development
Life Cycle is

the report of systems analysis

the systems plan

the detailed system design

the systems selection report

One time costs include all of the following except

site preparation

data conversion

programming and testing

insurance

The user test and acceptance procedure is the last point at which the user can determine the
system’s acceptability prior to it going into service.

True

False

Site preparation costs include all of the following except

supplies

crane used to install equipment

freight charges

reinforcement of the building floor

When preparing a cost-benefit analysis, design costs incurred in the systems planning, systems
analysis and conceptual design phases of the Systems Development Life Cycle are relevant
costs.

True

False

The systems analysis report does not

identify user needs

specify the system processing methods

specify requirements for the new system

formally state the goals and objectives of the system

A disadvantage of surveying the current system is

it pinpoints the causes of the current problems

it constrains the generation of ideas about the new system

all of the above are advantages of surveying the current system

it highlights elements of the current system that are worth preserving

Project feasibility includes all of the following except

conceptual feasibility

technical feasibility

schedule feasibility

operational feasibility

Which task is not essential during a data conversion procedure?

reconciliation of new and old databases

validating the database

backing up the original files

decomposing the system

Intangible benefits are not physical, but can be measured and expressed in financial terms.

True

False

The presence of a SPLMS effectively guarantees program integrity.

True

False

The payback method is often more useful than the net present value method for evaluating
systems projects because the effective lives of information systems tend to be short and shorter
payback projects are often desirable.

True

False

A tangible benefit

can be measured and expressed in financial terms

might decrease costs

might increase revenues

all of these

Typical contents of a run manual include all of the following except

explanation of error messages

file requirements

logic flowchart

run schedule

Source program library controls should prevent and detect unauthorized access to application
programs.

True

False

Program testing

is primarily concerned with usability

need not be repeated once the system is implemented

involves individual modules only, not the full system

requires creation of meaningful test data

Which statement is not correct? The structured design approach

starts with an abstract description of the system and redefines it to produce a more detailed
description of the system

is a top-down approach

assembles reusable modules rather than creating systems from scratch

is documented by data flow diagrams and structure diagrams

The benefits of the object-oriented approach to systems design include all of the following
except

this approach does not require input from accountants and auditors

development time is reduced

system maintenance activities are simplified

a standard module once tested does not have to be retested until changes are made

The testing of individual program modules is a part of

systems design costs

software acquisition costs

data conversion costs

programming costs

Which statement is not true?

An audit objective for systems maintenance is to verify that user requests for maintenance
reconcile to program version numbers.

An audit objective for systems maintenance is to detect unauthorized access to application
databases.

An audit objective for systems maintenance is to ensure that the production libraries are
protected from unauthorized access.

An audit objective for systems maintenance is to ensure that applications are free from errors.

System maintenance is often viewed as the first phase of a new development cycle.

True

False

Which control is not a part of the source program library management system?

combining access to the development and maintenance test libraries

using passwords to limit access to application programs

assigning version numbers to programs to record program modifications

assigning a test name to all programs undergoing maintenance

A commercial software system that is completely finished, tested, and ready for implementation
is called a

backbone system

benchmark system

turnkey system

vendor-supported system

Typically a systems analysis

results in a formal project schedule

identifies user needs and specifies system requirements

is performed by the internal auditor

does not include a review of the current system

The role of the steering committee includes

designing the system outputs

resolving conflicts that arise from a new system

selecting the programming techniques to be used

approving the accounting procedures to be implemented

Which level of a data flow diagram is used to produce program code and database tables?

intermediate level

elementary level

prototype level

context level

The first step in the SDLC is to develop a systems strategy

True

False

Which step is least likely to occur when choosing a commercial software package?

contact with user groups

preparation of a request for proposal

a detailed review of the source code

comparison of the results of a benchmark problem

During the detailed feasibility study of the project, the systems professional who proposed the
project should be involved in performing the study.

True

False

In the conceptual design phase of the Systems Development Life Cycle (SDLC), task force
members are focused on selecting the new system design.

True

False

An accountant’s responsibility in the SDLC is to ensure that the system applies proper
accounting conventions and rules and possesses adequate control.

True

False

Recurring costs include: hardware maintenance, software acquisition, software maintenance,
insurance, supplies, personnel costs.

True

False

Examples of recurring costs include

systems design

software acquisition

data conversion

personnel costs

When developing the conceptual design of a system,

structure diagrams are commonly used

inputs, processes, and outputs that distinguish one alternative from another are identified

the format for input screens and source documents is decided

all similarities and differences between competing systems are highlighted

Firms with an independent internal audit staff may conduct tests of the system development life
cycle on an ongoing basis.

True

False

Which statement is correct?

modifications are made to programs in machine code language

modifications are made to programs in machine code language

compiled programs are very susceptible to unauthorized modification

the source program library stores application programs in source code form

When converting to a new system, which cutover method is the most conservative?

phased cutover

parallel operation cutover

data coupling cutover

cold turkey cutover

Programs in their compiled state are very susceptible to the threat of unauthorized modification.

True

False

Intangible benefits

when measured, do not lend themselves to manipulation

are of relatively little importance in making information system decisions

are sometimes estimated using customer satisfaction surveys

are easily measured

All of the steps in the Systems Development Life Cycle apply to software that is developed
in-house and to commercial software.

True

False

A tangible benefit can be measured and expressed in financial terms.

True

False

After the systems analysis phase of the System Development Life Cycle (SDLC) is complete,
the company will have a formal systems analysis report on

a comparison of alternative implementation procedures for the new system

users’ needs and requirements for the new system

the conceptual design of the new system

an evaluation of the new system

The Systems Development Life Cycle (SDLC) concept applies to specific applications and not to
strategic systems planning.

True

False

An example of a tangible benefit is

faster response to competitor actions

more current information

reduced inventories

increased customer satisfaction

Examples of one-time costs include all of the following except

hardware acquisition

site preparation

programming

insurance

Legal feasibility identifies conflicts between the proposed system and the company’s ability to
discharge its legal responsibilities

True

False

The output of the detailed design phase of the Systems Development Life Cycle (SDLC) is a

detailed system design report

systems selection report

fully documented system report

systems analysis report

Mixing technologies from many vendors improves technical feasibility.

True

False

When implementing a new system, the costs associated with transferring data from one storage
medium to another is an example of
a programming cost
a data conversion cost
a systems design cost
a recurring cost

Recurring costs include all of the following except
data conversion
insurance
supplies
software maintenance

Which of the following is not a tool of systems analysts?
observation
task participation
audit reports
personal interviews

Routine maintenance activities require all of the following controls except
documentation updates
testing
formal authorization
internal audit approval

Intangible benefits are not physical, but can be measured and expressed in financial terms.
True
False

One-time costs include operating and maintenance costs.
True
False

Strategic systems planning is important because the plan
provides authorization control for the Systems Development Life Cycle
will eliminate any crisis component in systems development
provides a static goal to be attained within a five-year period
all of the above

Chapter 6

TRUE/FALSE:
1. Processing more transactions at a lower unit cost makes batch processing more efficient than
real-time systems.
ANS: T

2. The process of acquiring raw materials is part of the conversion cycle.
ANS: F

3. Directing work-in-process through its various stages of manufacturing is part of the
conversion cycle.
ANS: T

4. The portion of the monthly bill from a credit card company is an example of a turn-around
document.
ANS: T

5. The general journal is used to record recurring transactions that are similar in nature.
ANS: F

6. Document flowcharts are used to represent systems at different levels of detail.
ANS: F

7. Data flow diagrams represent the physical system.
ANS: F

8. System flowcharts are often used to depict processes that are handled in batches.
ANS: T

9. Program flowcharts depict the type of media being used (paper, magnetic tape, or disks) and
terminals.
ANS: F

10. System flowcharts represent the input sources, programs, and output products of a
computer system.
ANS: T

11. Program flowcharts are used to describe the logic represented in system flowcharts.
ANS: T

12. Batch processing systems can store data on direct access storage devices.
ANS: T

13. Backups are automatically produced in a direct access file environment.
ANS: F

14. The box symbol represents a temporary file.
ANS: F

15. Auditors may prepare program flowcharts to verify the correctness of program logic.
ANS: T

16. A control account is a general ledger account which is supported by a subsidiary ledger.
ANS: T

17. The most significant characteristic of direct access files is access speed.
ANS: T

18. Real time processing is used for routine transactions in large numbers.
ANS: F

19. Batch processing is best used when timely information is needed because this method
processes data efficiently.
ANS: F

20. An inverted triangle with the letter “N” represents a file in “name” order.
ANS: F

21. Real-time processing in systems that handle large volumes of transactions each day can
create operational inefficiencies.
ANS: T

22. Operational efficiencies occur because accounts unique to many concurrent transactions
need to be updated in real time.
ANS: F

23. Operational inefficiencies occur because accounts common to many concurrent transactions
need to be updated in real time.
ANS: T

24. Batch processing of non-critical accounts improves operational efficiency.
ANS: T

25. Batch processing of accounts common to many concurrent transactions reduces operational
efficiency.
ANS: F

26. The block code is the coding scheme most appropriate for a chart of accounts.
ANS: T

27. Sequential codes may be used to represent complex items or events involving two or more
pieces of related data.
ANS: F

28. Block codes restrict each class to a pre-specified range.
ANS: T

29. For a given field size, a system that uses alphabetic codes can represent far more situations
than a system that uses numeric codes.
ANS: T

30. Mnemonic codes are appropriate for items in either an ascending or descending sequence,
such as the numbering of checks or source documents.
ANS: F

31. The most common means of making entries in the general ledger is via the journal voucher.
ANS: T

32. Individuals with access authority to general ledger accounts should not prepare journal
vouchers.
ANS: T

33. The journal voucher is the document that authorizes entries to be made to the general
ledger.
ANS: T

34. Each account in the chart of accounts has a separate record in the general ledger master
file.
ANS: T

MULTIPLE CHOICE:

1. Which system is not part of the expenditure cycle?
a. cash disbursements
b. payroll
c. production planning/control
d. purchases/accounts payable

2. Which system produces information used for inventory valuation, budgeting, cost control,
performance reporting, and make-buy decisions?
a. sales order processing
b. purchases/accounts payable
c. cash disbursements
d. cost accounting

3. Which of the following is a turn-around document?
a. remittance advice
b. sales order
c. purchase order
d. payroll check

4. The order of the entries made in the ledger is by
a. transaction number
b. account number
c. date
d. user

5. The order of the entries made in the general journal is by
a. date
b. account number
c. user
d. customer number

6. In general, a special journal would not be used to record
a. sales
b. cash disbursements
c. depreciation
d. purchases

7. Which account is least likely to have a subsidiary ledger?
a. sales
b. accounts receivable
c. fixed assets
d. inventory

8. Subsidiary ledgers are used in manual accounting environments. What file is
comparable to a subsidiary ledger in a computerized environment?
a. archive file
b. reference file
c. transaction file
d. master file

9. A journal is used in manual accounting environments. What file is comparable to a journal in
a computerized environment?
a. archive file
b. reference file
c. transaction file
d. master file

10. In a computerized environment, a list of authorized suppliers would be found in the
a. master file
b. transaction file
c. reference file
d. archive file

11. Which of the following is an archive file?
a. an accounts payable subsidiary ledger
b. a cash receipts file
c. a sales journal
d. a file of accounts receivable that have been written off

12. Which document is not a type of source document?
a. a sales order
b. an employee time card
c. a paycheck
d. a sales return receipt

13. The most important purpose of a turnaround document is to
a. serve as a source document
b. inform a customer of the outstanding amount payable
c. provide an audit trail for the external auditor
d. inform the bank of electronic funds deposits

14. Which type of graphical documentation represents systems at different levels of
detail?
a. data flow diagram
b. document flowchart
c. system flowchart
d. program flowchart

15. Data flow diagrams


a. depict logical tasks that are being performed, but not who is performing them
b. illustrate the relationship between processes, and the documents that flow between them
and trigger activities
c. represent relationships between key elements of the computer system
d. describe in detail the logic of the process

16. System flowcharts


a. depict logical tasks that are being performed, but not who is performing them
b. illustrate the relationship between database entities in systems.
c. represent relationships between key elements of both manual and computer systems.
d. describe the internal logic of computer applications in systems.

17. When determining the batch size, which consideration is the least important?
a. achieving economies by grouping together large numbers of transactions
b. complying with legal mandates
c. providing control over the transaction process
d. balancing the trade-off between batch size and error detection

18. In contrast to a real-time system, in a batch processing system


a. there is a lag between the time when the economic event occurs and the financial
records are updated
b. relatively more resources are required
c. a greater resource commitment per unit of output is required
d. processing takes place when the economic event occurs

19. In contrast to a batch processing system, in a real-time system


a. a lag occurs between the time of the economic event and when the transaction is recorded
b. relatively fewer hardware, programming, and training resources are required
c. a lesser resource commitment per unit of output is required
d. processing takes place when the economic event occurs

20. The type of transaction most suitable for batch processing is


a. airline reservations
b. credit authorization
c. payroll processing
d. adjustments to perpetual inventory

21. The type of transaction most suitable for real-time processing is
a. recording fixed asset purchases
b. recording interest earned on long-term bonds
c. adjusting prepaid insurance
d. recording a sale on account

22. Which step is not found in batch processing using sequential files?
a. control totals
b. sort runs
c. edit runs
d. immediate feedback of data entry errors

23. Both the revenue and the expenditure cycle can be viewed as having two key parts. These
are
a. manual and computerized
b. physical and financial
c. input and output
d. batch and real-time

24. All of the following can provide evidence of an economic event except
a. source document
b. turn-around document
c. master document
d. product document

25. Which method of processing does not use the destructive update approach?
a. batch processing using direct access files
b. real-time processing
c. batch processing using sequential files
d. all of the above use the destructive update approach

26. Which symbol represents a data store?


ANS: B

27. Which symbol represents a manual operation?

ANS: D

28. Which symbol represents accounting records?


ANS: A

29. Which symbol represents a document?

30. Which symbol represents a magnetic tape (sequential storage device)?


ANS: D

31. Which symbol represents a decision?

ANS: A

32. The characteristics that distinguish between batch and real-time systems include all of
the following except
a. time frame
b. resources used
c. file format
d. efficiency of processing

33. A file that stores data used as a standard when processing transactions is
a. a reference file
b. a master file
c. a transaction file
d. an archive file

34. Sequential storage means


a. data is stored on tape
b. access is achieved through an index
c. access is direct
d. reading record 100 requires first reading records 1 to 99

35. Real-time processing would be most beneficial in handling a firm’s


a. fixed asset records
b. retained earnings information
c. merchandise inventory
d. depreciation records

36. Which accounting application is least suited to batch processing?


a. general ledger
b. vendor payments
c. sales order processing
d. payroll

37. Which accounting application is best suited to batch processing?


a. general ledger
b. updating inventory reductions to the subsidiary ledger
c. sales order processing
d. credit checking

38. Operational inefficiencies occur because


a. accounts both common and unique to many concurrent transactions need to be updated in
real time.
b. accounts common to many concurrent transactions need to be updated in real time.
c. accounts unique to many concurrent transactions need to be updated in real time.
d. None of the above are true statements

39. Operational efficiencies can be improved by


a. updating accounts both common and unique to many concurrent transactions in real time.
b. updating accounts both common and unique to many concurrent transactions in batch
mode.
c. updating accounts unique to many concurrent transactions in real time and updating
common accounts in batch mode.
d. None of the above are true statements

40. The coding scheme most appropriate for a chart of accounts is


a. sequential code
b. block code
c. group code
d. mnemonic code

41. A common use for sequential coding is


a. creating the chart of accounts
b. identifying inventory items
c. identifying documents
d. identifying fixed assets

42. The most important advantage of sequential coding is that


a. missing or unrecorded documents can be identified
b. the code itself lacks informational content
c. items cannot be inserted
d. deletions affect the sequence

43. When a firm wants its coding system to convey meaning without reference to any
other document, it would choose
a. an alphabetic code
b. a mnemonic code
c. a group code
d. a block code

44. The most important advantage of an alphabetic code is that


a. meaning is readily conveyed to users
b. sorting is simplified
c. the capacity to represent items is increased
d. missing documents can be identified

45. Which statement is not true?


a. The journal voucher is the only source of input into the general ledger.
b. A journal voucher can be used to represent summaries of similar transactions or a single
unique transaction.
c. Journal vouchers are not used to make adjusting entries and closing entries in the
general ledger.
d. Journal vouchers offer a degree of control against unauthorized general ledger entries.

46. Entries into the General Ledger System (GLS) can be made using information from
a. the general journal
b. a journal voucher which represents a summary of similar transactions
c. a journal voucher which represents a single, unusual transaction
d. all of the above

47. Which statement is not correct? The general ledger master file
a. is based on the firm’s chart of accounts
b. contains a record for control accounts
c. is an output of the Financial Reporting System (FRS)
d. supplies information for management decision making

48. What type of data is found in the general ledger master file?
a. a chronological record of all transactions
b. the balance of each account in the chart of accounts
c. budget records for each account in the chart of accounts
d. subsidiary details supporting a control account

49. Which report is not an output of the Financial Reporting System (FRS)?
a. variance analysis report
b. statement of cash flows
c. tax return
d. comparative balance sheet

50. Which steps in the Financial Accounting Process are in the correct sequence?
a. record the transaction, post to the ledger, prepare the adjusted trial balance, enter adjusting
entries, prepare financial statements
b. record the transaction, prepare the unadjusted trial balance, record adjusting journal entries,
record closing entries, prepare financial statements
c. record the transaction, post to the ledger, record adjusting entries, prepare the unadjusted
trial balance, prepare financial statements
d. record the transaction, post to the ledger, prepare the adjusted trial balance, prepare
financial statements, record closing entries

51. Which statement is not correct?


a. the post-closing trial balance reports the ending balance of each account in the general
ledger
b. one purpose of preparing the unadjusted trial balance is to ensure that debits equal credits
c. financial statements are prepared based on the unadjusted trial balance
d. the unadjusted trial balance reports control account balances but omits subsidiary ledger
detail

52. What account appears on the post-closing trial balance?


a. income summary
b. machinery
c. rent expense
d. interest income

53. Financial statements are prepared from the


a. trial balance
b. adjusted trial balance
c. general ledger
d. general journal

54. Risk exposures in the General Ledger and Financial Reporting Systems include all of the
following except
a. loss of the audit trail
b. unauthorized access to the general ledger
c. loss of physical assets
d. general ledger account out of balance with the subsidiary account

55. Which situation indicates an internal control risk in the General Ledger/Financial Reporting
Systems (GL/FRS)?
a. the employee who maintains the cash journal computes depreciation expense
b. the cash receipts journal voucher is approved by the Treasurer
c. the cash receipts journal vouchers are prenumbered and stored in a locked safe
d. the employee who maintains the cash receipts journal records transactions in the
accounts receivable subsidiary ledger

56. With a limited work force and a desire to maintain strong internal control, which
combination of duties performed by a single individual presents the least risk exposure?
a. maintaining the inventory ledger and recording the inventory journal voucher in the general
ledger
b. recording the inventory journal voucher in the general ledger and maintaining custody of
inventory
c. maintaining the cash disbursements journal and recording direct labor costs applied
to specific jobs
d. preparing the accounts payable journal voucher and recording it in the general ledger

57. XBRL
a. is the basic protocol that permits communication between Internet sites.
b. controls Web browsers that access the Web.
c. is the document format used to produce Web pages.
d. was designed to provide the financial community with a standardized method for
preparing
e. is a low-level encryption scheme used to secure transmissions in higher-level (HTTP)
format.

58. An XBRL taxonomy:


a. is the document format used to produce web pages.
b. is the final product (report).
c. is a classification scheme.
d. is a tag stored in each database record.
e. none of the above is true.

Chapter 7

TRUE/FALSE:
1. The three groups of application controls are batch controls, run-to-run controls, and audit trail
controls.
ANS: F

2. A reasonableness check determines if a value in one field is reasonable when considered
along with data in other fields of the record.
ANS: T

3. A truncation error is a form of transcription error.


ANS: T

4. A check digit is a method of detecting data coding errors.


ANS: T

5. Input controls are intended to detect errors in transaction data after processing.
ANS: F

6. The black box approach to testing computer applications allows the auditor to explicitly review
program logic.
ANS: F

7. The black box approach to testing computer applications requires a detailed knowledge of the
program logic being tested.
ANS: F

8. A run-to-run control is an example of an output control.


ANS: F

9. Shredding computer printouts is an example of an output control.


ANS: T

10. In a computerized environment, all input controls are implemented after data is input.
ANS: F

11. Achieving batch control objectives requires grouping similar types of input transactions (such
as sales orders) together in batches and then controlling the batches throughout data
processing.
ANS: T

12. The white box tests of program controls are also known as auditing through the computer.
ANS: T

13. Incorrectly recording sales order number 123456 as 124356 is an example of a transcription
error.
ANS: F

14. When using the test data method, the presence of multiple error messages indicates a flaw
in the preparation of test transactions.
ANS: F

15. The base case system evaluation is a variation of the test data method.
ANS: T

16. Tracing is a method used to verify the logical operations executed by a computer
application.
ANS: T

18. The results of a parallel simulation are compared to the results of a production run in order
to judge the quality of the application processes and controls.
ANS: T

19. Input controls are programmed procedures that perform tests on master file data to ensure
they are free from errors.
ANS: F

20. The integrated test facility (ITF) is an automated approach that permits auditors to test an
application's logic and controls during its normal operation.
ANS: T

21. Use of the integrated test facility poses no threat to organizational data files.
ANS: F

22. Spooling is a form of processing control.


ANS: F

23. A salami fraud affects a large number of victims, but the harm to each appears to be very
small.
ANS: T

24. An input control that tests time card records to verify that no employee has worked more than 50
hours in a pay period is an example of a range test.
ANS: F

25. The black box approach to testing computer program controls is also known as auditing
around the computer.
ANS: T

MULTIPLE CHOICE:

1. Which statement is not correct? The audit trail in a computerized environment


a. consists of records that are stored sequentially in an audit file
b. traces transactions from their source to their final disposition
c. is a function of the quality and integrity of the application programs
d. may take the form of pointers, indexes, and embedded keys

2. All of the following concepts are associated with the black box approach to auditing computer
applications except
a. the application need not be removed from service and tested directly
b. auditors do not rely on a detailed knowledge of the application's internal logic
c. the auditor reconciles previously produced output results with production input
transactions
d. this approach is used for complex transactions that receive input from many sources

3. Which test is not an example of a white box test?


a. determining the fair value of inventory
b. ensuring that passwords are valid
c. verifying that all pay rates are within a specified range
d. reconciling control totals

4. When analyzing the results of the test data method, the auditor would spend the least amount
of time reviewing
a. the test transactions
b. error reports
c. updated master files
d. output reports

5. All of the following are advantages of the test data technique except
a. auditors need minimal computer expertise to use this method
b. this method causes minimal disruption to the firm's operations
c. the test data is easily compiled
d. the auditor obtains explicit evidence concerning application functions

6. All of the following are disadvantages of the test data technique except
a. the test data technique requires extensive computer expertise on the part of the
auditor
b. the auditor cannot be sure that the application being tested is a copy of the current
application used by computer services personnel
c. the auditor cannot be sure that the application being tested is the same application used
throughout the entire year
d. preparation of the test data is time-consuming

7. Program testing
a. involves individual modules only, not the full system
b. requires creation of meaningful test data
c. need not be repeated once the system is implemented
d. is primarily concerned with usability

8. The correct purchase order number is 123456. All of the following are transcription errors
except
a. 1234567
b. 12345
c. 124356
d. 123454

9. Which of the following is correct?


a. check digits should be used for all data codes
b. check digits are always placed at the end of a data code
c. check digits do not affect processing efficiency
d. check digits are designed to detect transcription and transposition errors

10. Which statement is not correct? The goal of batch controls is to ensure that during
processing
a. transactions are not omitted
b. transactions are not added
c. transactions are free from clerical errors
d. an audit trail is created

11. An example of a hash total is


a. total payroll checks—$12,315
b. total number of employees—10
c. sum of the social security numbers—12,555,437,251
d. none of the above

12. Which statement is not true? A batch control record


a. contains a transaction code
b. records the record count
c. contains a hash total
d. control figures in the record may be adjusted during processing
e. All the above are true

13. Which of the following is not an example of a processing control?


a. hash total
b. record count
c. batch total
d. check digit

14. Which of the following is an example of an input control test?
a. sequence check
b. zero value check
c. spooling check
d. range check

15. Which input control check would detect a payment made to a nonexistent vendor?
a. missing data check
b. numeric/alphabetic check
c. range check
d. validity check

16. Which input control check would detect a posting to the wrong customer account?
a. missing data check
b. check digit
c. reasonableness check
d. validity check

17. The employee entered "40" in the "hours worked per day" field. Which check would detect
this unintentional error?
a. numeric/alphabetic data check
b. sign check
c. limit check
d. missing data check

18. An inventory record indicates that 12 items of a specific product are on hand. A customer
purchased two of the items, but when recording the order, the data entry clerk mistakenly
entered 20 items sold. Which check could detect this error?
a. numeric/alphabetic data checks
b. limit check
c. range check
d. reasonableness check

19. Which check is not an input control?


a. reasonableness check
b. validity check
c. spooling check
d. missing data check

20. A computer operator was in a hurry and accidentally used the wrong master file to process a
transaction file. As a result, the accounts receivable master file was erased. Which control would
prevent this from happening?
a. header label check
b. expiration date check
c. version check
d. validity check

21. Run-to-run control totals can be used for all of the following except
a. to ensure that all data input is validated
b. to ensure that only transactions of a similar type are being processed
c. to ensure the records are in sequence and are not missing
d. to ensure that no transaction is omitted

22. Methods used to maintain an audit trail in a computerized environment include all of the
following except
a. transaction logs
b. transaction listings
c. data encryption
d. log of automatic transactions

23. Risk exposures associated with creating an output file as an intermediate step in the printing
process (spooling) include all of the following actions by a computer criminal except
a. gaining access to the output file and changing critical data values
b. using a remote printer and incurring operating inefficiencies
c. making a copy of the output file and using the copy to produce illegal output reports
d. printing an extra hardcopy of the output file

24. Which statement is not correct?


a. only successful transactions are recorded on a transaction log
b. unsuccessful transactions are recorded in an error file
c. a transaction log is a temporary file
d. a hardcopy transaction listing is provided to users

25. Input controls include all of the following except


a. check digits
b. limit check
c. spooling check
d. missing data check

26. Which of the following is an example of an input error correction technique?


a. immediate correction
b. rejection of batch
c. creation of error file
d. all are examples of input error correction techniques

27. All of the following statements are true about the integrated test facility (ITF) except
a. production reports are affected by ITF transactions
b. ITF databases contain "dummy" records integrated with legitimate records
c. ITF permits ongoing application auditing
d. ITF does not disrupt operations or require the intervention of computer services personnel

28. Which of the following is an input control?


a. Reasonableness check
b. Run-to-run check
c. Spooling check
d. Batch check
e. None are input controls

29. Which of the following is not an input control?


a. Range check
b. Limit check
c. Spooling check
d. Validity check
e. They are all input controls

30. When auditors do not rely on a detailed knowledge of the application's internal logic, they
are performing
a. black box tests of program controls
b. white box tests of program controls
c. substantive testing
d. intuitive testing

Chapter 8
TRUE/FALSE:

1. The database approach to data management is sometimes called the flat file approach.
ANS: F

2. The two fundamental components of data structures are organization and access method.
ANS: T

3. When a large portion of the file is to be processed in one operation such as payroll,
sequential data structures are an inefficient method of organizing a file.
ANS: F

4. An advantage of using an indexed random file structure is that records are easily added and
deleted.
ANS: T

5. The hierarchical database model forces users to navigate between data elements using
predefined structured paths.
ANS: T

6. A network model does not allow children files to have multiple parent files.
ANS: F

8. The physical database is an abstract representation of the database.


ANS: F

9. A customer name and an unpaid balance is an example of a one-to-many relationship.


ANS: F

10. In the relational model, a data element is called a relation.


ANS: F

11. Data normalization groups data attributes into tables in accordance with specific
design objectives.
ANS: T

12. Under the database approach, data is viewed as proprietary or owned by users.
ANS: F

13. VSAM file structures are most effective where rapid access to individual records is a priority
need.
ANS: F

14. A join builds a new table by creating links.


ANS: F

15. The deletion anomaly is the least important of the problems affecting unnormalized
databases.
ANS: F

16. EAMs allow auditors to identify significant transactions for substantive testing.
ANS: T

17. Generalized audit software packages are used to assist the auditor in performing
substantive tests.
ANS: T

18. GAS can be used with simple data structures but not complex structures.
ANS: F

19. Logical database design is the foundation of the conceptual design.


ANS: F

20. An entity is any physical thing about which the organization wishes to capture data.
ANS: F

21. An ER diagram is a graphical representation of a data model.


ANS: T

22. The term occurrence is used to describe the number of attributes or fields pertaining to a
specific entity.
ANS: F

23. Cardinality describes the number of possible occurrences in one table that are associated
with a single occurrence in a related table.
ANS: T

24. A table in third normal form is free of partial dependencies, multiple dependencies, and
transitive dependencies.
ANS: F

25. Improperly normalized databases are associated with three types of anomalies: the update
anomaly, the insertion anomaly, and the deletion anomaly.
ANS: T

MULTIPLE CHOICE:
1. An inventory record contains part number, part name, part color, and part weight. These
individual items are called
a. fields
b. stored files
c. bytes
d. occurrences

2. It is appropriate to use a sequential file structure when


a. records are routinely inserted
b. single records need to be retrieved
c. records need to be scanned using secondary keys
d. a large portion of the file will be processed in one operation

3. Which of the following statements is not true?


a. Indexed random files are dispersed throughout the storage device without regard for physical
proximity with related records
b. Indexed random files use disk storage space efficiently
c. Indexed random files are efficient when processing a large portion of a file at one time
d. Indexed random files are easy to maintain in terms of adding records

4. Which characteristic is associated with the database approach to data management?


a. data sharing
b. multiple storage procedures
c. data redundancy
d. excessive storage costs

5. Which statement is not correct? The VSAM structure


a. is used for very large files that need both direct access and batch processing
b. may use an overflow area for records
c. provides an exact physical address for each record
d. is appropriate for files that require few insertions or deletions

6. Which statement is true about a hashing structure?


a. The same address could be calculated for two records.
b. Storage space is used efficiently.
c. Records cannot be accessed rapidly.
d. A separate index is required.

7. In a hashing structure,
a. two records can be stored at the same address.
b. pointers are used to indicate the location of all records.
c. pointers are used to indicate the location of a record with the same address as another
record.
d. all locations on the disk are used for record storage.

8. Pointers can be used for all of the following except
a. to locate the subschema address of the record.
b. to locate the physical address of the record.
c. to locate the relative address of the record.
d. to locate the logical key of the record.

9. Pointers are used


a. to link records within a file.
b. to link records between files.
c. to identify records stored in overflow.
d. all of the above.

10. In a hierarchical model


a. links between related records are implicit
b. the way to access data is by following a predefined data path
c. an owner (parent) record may own just one member (child) record
d. a member (child) record may have more than one owner (parent)

11. Which term is not associated with the relational database model?
a. tuple
b. attribute
c. collision
d. relation

12. In the relational database model


a. relationships are explicit
b. the user perceives that files are linked using pointers
c. data is represented on two-dimensional tables
d. data is represented as a tree structure

13. In the relational database model all of the following are true except
a. data is presented to users as tables
b. data can be extracted from specified rows from specified tables
c. a new table can be built by joining two tables
d. only one-to-many relationships can be supported

14. In a relational database


a. the user’s view of the physical database is the same as the physical database
b. users perceive that they are manipulating a single table
c. a virtual table exists in the form of rows and columns of a table stored on the disk
d. a programming language (COBOL) is used to create a user’s view of the database

15. The update anomaly in unnormalized databases


a. occurs because of data redundancy
b. complicates adding records to the database
c. may result in the loss of important data
d. often results in excessive record insertions

16. The most serious problem with unnormalized databases is the


a. update anomaly
b. insertion anomaly
c. deletion anomaly
d. none of the above

17. The deletion anomaly in unnormalized databases


a. is easily detected by users
b. may result in the loss of important data
c. complicates adding records to the database
d. requires the user to perform excessive updates

18. Which statement is correct?


a. in a normalized database, data about vendors occur in several locations
b. the accountant is responsible for database normalization
c. in a normalized database, deletion of a key record could result in the destruction of the
audit trail
d. connections between M:M tables are provided by a link table

19. Which of the following is not a common form of conceptual database model?
a. hierarchical
b. network
c. sequential
d. relational

20. Which of the following is a relational algebra function?


a. restrict
b. project
c. join
d. all are relational algebra functions

21. Entities are


a. nouns that are depicted by rectangles on an entity relationship diagram
b. data that describe the characteristics of properties of resources
c. associations among elements
d. sets of data needed to make a decision

22. A user view


a. presents the physical arrangement of records in a database for a particular user
b. is the logical abstract structure of the database
c. specifies the relationship of data elements in the database
d. defines how a particular user sees the database

23. All of the following are advantages of a partitioned database except


a. increased user control by having the data stored locally
b. deadlocks are eliminated
c. transaction processing response time is improved
d. partitioning can reduce losses in case of disaster

24. Each of the following is a relational algebra function except


a. join
b. project
c. link
d. restrict

25. A table is in first normal form when it is


a. free of repeating group data
b. free of transitive dependencies
c. free of partial dependencies
d. free of update anomalies
e. none of the above

26. A table is in second normal form when it is


a. free of repeating group data
b. free of transitive dependencies
c. free of partial dependencies
d. free of insert anomalies
e. none of the above

27. A table is in third normal form when it is


a. free of repeating group data
b. free of transitive dependencies
c. free of partial dependencies
d. free of deletion anomalies
e. none of the above

28. Which statement is not true? Embedded audit modules


a. can be turned on and off by the auditor.
b. reduce operating efficiency.
c. may lose their viability in an environment where programs are modified frequently.
d. identify transactions to be analyzed using white box tests.

29. Generalized audit software packages perform all of the following tasks except
a. recalculate data fields
b. compare files and identify differences
c. stratify statistical samples
d. analyze results and form opinions

30. A transitive dependency


a. is a database condition that is resolved through special monitoring software.
b. is a name given to one of the three anomalies that result from unnormalized database tables.
c. can exist only in a table with a composite primary key.
d. cannot exist in tables that are normalized at the 2NF level.

Chapter 9
TRUE/FALSE:

1. The packing slip is also known as the shipping notice.


ANS: F

2. The bill of lading is a legal contract between the buyer and the seller.
ANS: F

3. Another name for the stock release form is the picking ticket.
ANS: T

4. Warehouse stock records are the formal accounting records for inventory.
ANS: F

5. The purpose of the invoice is to bill the customer.


ANS: T

6. In most large organizations, the journal voucher file has replaced the formal general journal.
ANS: T

7. The cash receipts journal is a special journal.


ANS: T

8. In the revenue cycle, the internal control “limit access” applies to physical assets only.
ANS: F

9. In real-time processing systems, routine credit authorizations are automated.


ANS: T

10. In a computerized accounting system, segregation of functions refers to inventory control,
accounts receivable, billing, and general ledger tasks.
ANS: F

11. A written customer purchase order is required to trigger the sales order system.
ANS: F

12. Inventory control has physical custody of inventory.


ANS: F

13. The principal source document in the sales order system is the sales order.
ANS: T

14. Sales orders should be prenumbered documents.


ANS: T

15. Integrated accounting systems automatically transfer data between modules.


ANS: T

16. If a customer submits a written purchase order, there is no need to prepare a sales order.
ANS: F

17. Sales return involves receiving, sales, credit, and billing departments, but not accounts
receivable.
ANS: F

18. A remittance advice is a form of turn-around document.
ANS: T

19. A bill of lading is a request for payment for shipping charges.


ANS: F

20. In point of sale systems, authorization takes the form of validation of credit card charges.
ANS: T

21. The warehouse is responsible for updating the inventory subsidiary ledger.
ANS: F

22. In a manual system, the billing department is responsible for recording the sale in the sales
journal.
ANS: T

23. The stock release document is prepared by the shipping department to provide evidence
that the goods have been released to the customer.
ANS: F

24. The accounts receivable clerk is responsible for updating the AR Control accounts to reflect
each customer sale.
ANS: F

25. When customer payments are received, the mailroom clerk sends the checks to the cash
receipts clerk and the remittance advices to the AR clerk.
ANS: T

MULTIPLE CHOICE:

1. The revenue cycle consists of
a. one subsystem–order entry
b. two subsystems–sales order processing and cash receipts
c. two subsystems–order entry and inventory control
d. three subsystems–sales order processing, credit authorization, and cash receipts

2. The reconciliation that occurs in the shipping department is intended to ensure that
a. credit has been approved
b. the customer is billed for the exact quantity shipped
c. the goods shipped match the goods ordered
d. inventory records are reduced for the goods shipped

3. The adjustment to accounting records to reflect the decrease in inventory due to a sale
occurs in the
a. warehouse
b. shipping department
c. billing department
d. inventory control department

4. Which document triggers the revenue cycle?
a. the sales order
b. the customer purchase order
c. the sales invoice
d. the journal voucher

5. Copies of the sales order can be used for all of the following except
a. purchase order
b. credit authorization
c. shipping notice
d. packing slip

6. The purpose of the sales invoice is to
a. record reduction of inventory
b. transfer goods from seller to shipper
c. bill the customer
d. select items from inventory for shipment

7. The customer open order file is used to
a. respond to customer queries
b. fill the customer order
c. ship the customer order
d. authorize customer credit

8. The stock release copy of the sales order is not used to
a. locate and pick the items from the warehouse shelves
b. record any out-of-stock items
c. authorize the warehouse clerk to release custody of the inventory to shipping
d. record the reduction of inventory

9. The shipping notice
a. is mailed to the customer
b. is a formal contract between the seller and the shipping company
c. is always prepared by the shipping clerk
d. informs the billing department of the quantities shipped

10. The billing department is not responsible for
a. updating the inventory subsidiary records
b. recording the sale in the sales journal
c. notifying accounts receivable of the sale
d. sending the invoice to the customer

11. Customers should be billed for back-orders when
a. the customer purchase order is received
b. the backordered goods are shipped
c. the original goods are shipped
d. customers are not billed for backorders because a backorder is a lost sale

12. Usually specific authorization is required for all of the following except
a. sales on account which exceed the credit limit
b. sales of goods at the list price
c. a cash refund for goods returned without a receipt
d. write off of an uncollectible account receivable

13. Which of the following functions should be segregated?
a. opening the mail and making the journal entry to record cash receipts
b. authorizing credit and determining reorder quantities
c. maintaining the subsidiary ledgers and handling customer queries
d. providing information on inventory levels and reconciling the bank statement

14. Which situation indicates a weak internal control structure?
a. the mailroom clerk authorizes credit memos
b. the record keeping clerk maintains both accounts receivable and accounts payable
subsidiary ledgers
c. the warehouse clerk obtains a signature before releasing goods for shipment
d. the accounts receivable clerk prepares customer statements every month

15. The most effective internal control procedure to prevent or detect the creation of fictitious
credit memoranda for sales returns is to
a. supervise the accounts receivable department
b. limit access to credit memoranda
c. prenumber and sequence check all credit memoranda
d. require management approval for all credit memoranda

16. The accounts receivable clerk destroys all invoices for sales made to members of her family
and does not record the sale in the accounts receivable subsidiary ledger. Which procedure will
not detect this fraud?
a. prenumber and sequence check all invoices
b. reconcile the accounts receivable control to the accounts receivable subsidiary ledger
c. prepare monthly customer statements
d. reconcile total sales on account to the debits in the accounts receivable subsidiary ledger

17. Which department is least likely to be involved in the revenue cycle?
a. credit
b. accounts payable
c. billing
d. shipping

18. Which document is included with a shipment sent to a customer?
a. sales invoice
b. stock release form
c. packing slip
d. shipping notice

19. Good internal controls in the revenue cycle should ensure all of the following except
a. all sales are profitable
b. all sales are recorded
c. credit is authorized
d. inventory to be shipped is not stolen

20. Which control does not help to ensure that accurate records are kept of customer accounts
and inventory?
a. reconcile accounts receivable control to accounts receivable subsidiary
b. authorize credit
c. segregate custody of inventory from record keeping
d. segregate record keeping duties of general ledger from accounts receivable

21. Internal controls for handling sales returns and allowances do not include
a. computing bad debt expense using the percentage of credit sales
b. verifying that the goods have been returned
c. authorizing the credit memo by management
d. using the original sales invoice to prepare the sales returns slip

22. The printer ran out of preprinted sales invoice forms and several sales invoices were not
printed. The best internal control to detect this error is
a. a batch total of sales invoices to be prepared compared to the actual number of sales
invoices prepared
b. sequentially numbered sales invoices
c. visual verification that all sales invoices were prepared
d. none of the above will detect this error

23. Which department prepares the bill of lading?
a. sales
b. warehouse
c. shipping
d. credit

24. A remittance advice is
a. used to increase (debit) an account receivable by the cash received
b. is a turn-around document
c. is retained by the customer to show proof of payment
d. none of the above

25. A weekly reconciliation of cash receipts would include comparing
a. the cash prelist with bank deposit slips
b. the cash prelist with remittance advices
c. bank deposit slips with remittance advices
d. journal vouchers from accounts receivable and general ledger

26. At which point is supervision most critical in the cash receipts system?
a. accounts receivable
b. general ledger
c. mail room
d. cash receipts

27. EDI trading partner agreements specify all of the following except
a. selling price
b. quantities to be sold
c. payment terms
d. person to authorize transactions

28. A cash prelist is
a. a document that records sales returns and allowances
b. a document returned by customers with their payments
c. the source of information used to prepare monthly statements
d. none of the above

29. An advantage of real-time processing of sales is
a. the cash cycle is lengthened
b. current inventory information is available
c. hard copy documents provide a permanent record of the transaction
d. data entry errors are corrected at the end of each batch

30. Commercial accounting systems have fully integrated modules. The word “integrated”
means that
a. segregation of duties is not possible
b. transfer of information among modules occurs automatically
c. batch processing is not an option
d. separate entries are made in the general ledger accounts and the subsidiary ledgers

31. The data processing method that can shorten the cash cycle is
a. batch, sequential file processing
b. batch, direct access file processing
c. real-time file processing
d. none of the above

32. Which of the following is not a risk exposure in a PC accounting system?
a. reliance on paper documentation is increased
b. functions that are segregated in a manual environment may be combined in a
microcomputer accounting system
c. backup procedures require human intervention
d. data are easily accessible

33. Which journal is not used in the revenue cycle?
a. cash receipts journal
b. sales journal
c. purchases journal
d. general journal

34. Periodically, the general ledger department receives all of the following except
a. total increases to accounts receivable
b. total of all sales backorders
c. total of all sales
d. total decreases in inventory

35. The credit department
a. prepares credit memos when goods are returned
b. approves credits to accounts receivable when payments are received
c. authorizes the granting of credit to customers
d. none of the above

36. Adjustments to accounts receivable for payments received from customers are based upon
a. the customer’s check
b. the cash prelist
c. the remittance advice that accompanies payment
d. a memo prepared in the mailroom

37. The revenue cycle utilizes all of the following files except
a. credit memo file
b. sales history file
c. shipping report file
d. cost data reference file

38. All of the following are advantages of real-time processing of sales except
a. The cash cycle is shortened
b. Paper work is reduced
c. Incorrect data entry is difficult to detect
d. Up-to-date information can provide a competitive advantage in the marketplace

39. Which document is NOT prepared by the sales department?
a. packing slip
b. shipping notice
c. bill of lading
d. stock release

40. Which type of control is considered a compensating control?
a. segregation of duties
b. access control
c. supervision
d. accounting records

Chapter 10

TRUE/FALSE:
1. In non-manufacturing firms, purchasing decisions are authorized by inventory control.
ANS: T

2. The blind copy of the purchase order that goes to the receiving department contains no
item descriptions.
ANS: F

3. Firms that wish to improve control over cash disbursements use a voucher system.
ANS: T

4. In a voucher system, the sum of all unpaid vouchers in the voucher register equals the
firm’s total voucher payable balance.
ANS: T

5. The accounts payable department reconciles the accounts payable subsidiary ledger to
the control account.
ANS: F

6. The use of inventory reorder points suggests the need to obtain specific authorization.
ANS: F

7. Proper segregation of duties requires that the responsibility for approving a payment be
separated from posting to the cash disbursements journal.
ANS: T

8. A major risk exposure in the expenditure cycle is that accounts payable may be
overstated at the end of the accounting year.
ANS: F

9. When a trading partner agreement is in place, the traditional three way match may be
eliminated.
ANS: T

10. Authorization of purchases in a merchandising firm occurs in the inventory control
department.
ANS: T

11. A three way match involves a purchase order, a purchase requisition, and an invoice.
ANS: F

12. Authorization for a cash disbursement occurs in the cash disbursement department
upon receipt of the supplier’s invoice.
ANS: F

13. An automated cash disbursements system can yield better cash management since
payments are made on time.
ANS: T

14. Permitting warehouse staff to maintain the only inventory records violates separation
of duties.
ANS: T

15. A purchasing system that employs electronic data interchange does not use a purchase
order.
ANS: F

16. Inventory control should be located in the warehouse.
ANS: F

17. Inspection of shipments in the receiving department would be improved if the
documentation showed the value of the inventory.
ANS: F

18. One reason for authorizing purchases is to enable efficient inventory management.
ANS: T

19. If accounts payable receives an invoice directly from the supplier it needs to be
reconciled with the purchase order and receiving report.
ANS: T

20. Supervision in receiving is intended to reduce the theft of assets.
ANS: T

21. The inventory procurement process begins with the purchasing clerk preparing a purchase
order.
ANS: F

22. The warehouse is responsible for updating the inventory subsidiary ledger.
ANS: F

23. The receiving report is prepared by the vendor to provide evidence that the purchase order
was received.
ANS: F

24. The accounts payable clerk is responsible for updating the AP Control accounts to reflect
each vendor liability.
ANS: F

25. When goods are received, the receiving clerk sends copies of the receiving report to the
inventory control clerk and the AP clerk.
ANS: T

26. Time cards are used by cost accounting to allocate direct labor charges to work in
process.
ANS: F

27. The personnel department authorizes changes in employee pay rates.
ANS: T

28. Most payroll systems for mid-size firms use real-time data processing.
ANS: F

29. To improve internal control, paychecks should be distributed by the employee's
supervisor.
ANS: F

30. Employee paychecks should be drawn against a special checking account.
ANS: T

31. Because a time clock is used, no supervision is required when employees enter and
leave the work place.
ANS: F

32. Work-in-process records are updated by payroll personnel.
ANS: F

33. Ideally, payroll checks are written on a special bank account used only for payroll.
ANS: T

34. The supervisor is the best person to determine the existence of a “phantom employee”
and should distribute paychecks.
ANS: F

35. Payroll processing can be automated easily because accounting for payroll is very
simple.
ANS: F

36. Timekeeping is part of the personnel function.
ANS: F

37. The payroll department is responsible for both updating the employee records and writing
paychecks.
ANS: T

38. The paymaster distributes paychecks to work center supervisors.
ANS: F

MULTIPLE CHOICE:

1. The purpose of the purchase requisition is to
a. order goods from vendors
b. record receipt of goods from vendors
c. authorize the purchasing department to order goods
d. bill for goods delivered

2. The purpose of the receiving report is to
a. order goods from vendors
b. record receipt of goods from vendors
c. authorize the purchasing department to order goods
d. bill for goods delivered

3. All of the following departments have a copy of the purchase order except
a. the purchasing department
b. the receiving department
c. accounts payable
d. general ledger

4. The purpose of the purchase order is to
a. order goods from vendors
b. record receipt of goods from vendors
c. authorize the purchasing department to order goods
d. approve payment for goods received

5. The open purchase order file in the purchasing department is used to determine
a. the quality of items a vendor ships
b. the best vendor for a specific item
c. the orders that have not been received
d. the quantity of items received

6. The purchase order
a. is the source document to make an entry into the accounting records
b. indicates item description, quantity, and price
c. is prepared by the inventory control department
d. is approved by the end-user department

7. The reason that a blind copy of the purchase order is sent to receiving is to
a. inform receiving when a shipment is due
b. force a count of the items delivered
c. inform receiving of the type, quantity, and price of items to be delivered
d. require that the goods delivered are inspected

8. The receiving report is used to
a. accompany physical inventories to the storeroom or warehouse
b. advise the purchasing department of the dollar value of the goods delivered
c. advise general ledger of the accounting entry to be made
d. advise the vendor that the goods arrived safely

9. When a copy of the receiving report arrives in the purchasing department, it is used to
a. adjust perpetual inventory records
b. record the physical transfer of inventory from receiving to the warehouse
c. analyze the receiving department’s process
d. recognize the purchase order as closed

10. The financial value of a purchase is determined by reviewing the
a. packing slip
b. purchase requisition
c. receiving report
d. supplier’s invoice

11. Which document is least important in determining the financial value of a purchase?
a. purchase requisition
b. purchase order
c. receiving report
d. supplier’s invoice

12. In a merchandising firm, authorization for the payment of inventory is the responsibility of
a. inventory control
b. purchasing
c. accounts payable
d. cash disbursements

13. In a merchandising firm, authorization for the purchase of inventory is the responsibility of
a. inventory control
b. purchasing
c. accounts payable
d. cash disbursements

14. When purchasing inventory, which document usually triggers the recording of a
liability?
a. purchase requisition
b. purchase order
c. receiving report
d. supplier’s invoice

15. Because of time delays between receiving inventory and making the journal entry
a. liabilities are usually understated
b. liabilities are usually overstated
c. liabilities are usually correctly stated
d. none of the above

16. Usually the open voucher payable file is organized by
a. vendor
b. payment due date
c. purchase order number
d. transaction date

17. Which of the following statements is not correct?
a. the voucher system is used to improve control over cash disbursements
b. the sum of the paid vouchers represents the voucher payable liability of the firm
c. the voucher system permits the firm to consolidate payments of several invoices on one
voucher
d. many firms replace accounts payable with a voucher payable system

18. In the expenditure cycle, general ledger does not
a. post the journal voucher from the accounts payable department
b. post the account summary from inventory control
c. post the journal voucher from the purchasing department
d. reconcile the inventory control account with the inventory subsidiary summary

19. The documents in a voucher packet include all of the following except
a. a check
b. a purchase order
c. a receiving report
d. a supplier’s invoice

20. To maintain a good credit rating and to optimize cash management, cash disbursements
should arrive at the vendor’s place of business
a. as soon as possible
b. on the due date
c. on the discount date
d. by the end of the month

21. The cash disbursement clerk performs all of the following tasks except
a. reviews the supporting documents for completeness and accuracy
b. prepares checks
c. signs checks
d. marks the supporting documents paid

22. When a cash disbursement in payment of an accounts payable is recorded
a. the liability account is increased
b. the income statement is changed
c. the cash account is unchanged
d. the liability account is decreased

23. Authorization for payment of an accounts payable liability is the responsibility of
a. inventory control
b. purchasing
c. accounts payable
d. cash disbursements

24. Of the following duties, it is most important to separate
a. warehouse from stores
b. warehouse from inventory control
c. accounts payable and accounts receivable
d. purchasing and accounts receivable

25. In a firm with proper segregation of duties, adequate supervision is most critical in
a. purchasing
b. receiving
c. accounts payable
d. general ledger

26. The receiving department is not responsible to
a. inspect shipments received
b. count items received from vendors
c. order goods from vendors
d. safeguard goods until they are transferred to the warehouse

27. The major risk exposures associated with the receiving department include all of the
following except
a. goods are accepted without a physical count
b. there is no inspection for goods damaged in shipment
c. inventories are not secured on the receiving dock
d. the audit trail is destroyed

28. When searching for unrecorded liabilities at the end of an accounting period, the
accountant would search all of the files except
a. the purchase requisition file
b. the cash receipts file
c. the purchase order file
d. the receiving report file

29. In regards to the accounts payable department, which statement is not true?
a. the purchase requisition shows that the transaction was authorized
b. the purchase order proves that the purchase was required
c. the receiving report provides evidence of the physical receipt of the goods
d. the supplier’s invoice indicates the financial value of the transaction

30. In a computerized system that uses an economic order quantity (EOQ) model and the
perpetual inventory method, who determines when to reorder inventory?
a. the inventory control clerk
b. the purchasing department
c. the vendor
d. the computer system

31. Firms can expect that proper use of a valid vendor file will result in all of the
following benefits except
a. purchasing agents will be discouraged from improperly ordering inventory from related
parties
b. purchases from fictitious vendors will be detected
c. the most competitive price will be obtained
d. the risk of purchasing agents receiving kickbacks and bribes will be reduced

32. In a real-time processing system with a high number of transactions, the best and most
practical control over cash disbursements is to have
a. all checks manually signed by the treasurer
b. all checks signed by check-signing equipment
c. checks over a certain dollar amount manually signed by the treasurer
d. checks over a certain dollar amount manually signed by the cash disbursements clerk

33. The document which will close the open purchase requisition file is the
a. purchase order
b. vendor invoice
c. receiving report
d. none of the above

34. Goods received are inspected and counted to
a. determine that the goods are in good condition
b. determine the quantity of goods received
c. preclude payment for goods not received or received in poor condition
d. all of the above

35. If a company uses a standard cost system, inventory records can be updated from the
a. vendor invoice
b. purchase order
c. receiving report
d. purchase requisition

36. If a company uses an actual cost system, inventory records can first be updated from
the
a. vendor invoice
b. purchase order
c. receiving report
d. purchase requisition

37. Copies of a purchase order are sent to all of the following except
a. inventory control
b. receiving
c. general ledger
d. accounts payable

38. The receiving report
a. is used to update the actual cost inventory ledger
b. accompanies the goods to the storeroom
c. is sent to general ledger
d. is returned to the vendor to acknowledge receipt of the goods

39. A supplier invoice
a. is included with the goods
b. shows what was ordered even if all was not shipped
c. is sent by vendor to accounts payable
d. none of the above

40. The cash disbursement function is
a. part of accounts payable
b. an independent accounting function
c. a treasury function
d. part of the general ledger department

41. The document that captures the total amount of time that individual workers spend on
each production job is called a
a. time card
b. job ticket
c. personnel action form
d. labor distribution form

42. An important reconciliation in the payroll system is
a. general ledger compares the labor distribution summary from cost accounting to the
disbursement voucher from accounts payable
b. personnel compares the number of employees authorized to receive a paycheck to the
number of paychecks prepared
c. production compares the number of hours reported on job tickets to the number of hours
reported on time cards
d. payroll compares the labor distribution summary to the hours reported on time cards

43. Which internal control is not an important part of the payroll system?
a. Supervisors verify the accuracy of employee time cards.
b. Paychecks are distributed by an independent paymaster.
c. Accounts payable verifies the accuracy of the payroll register before transferring
payroll funds to the general checking account.
d. General ledger reconciles the labor distribution summary and the payroll disbursement
voucher.

44. In the payroll subsystem, which function should distribute paychecks?
a. personnel
b. timekeeping
c. paymaster
d. payroll

45. Where does the responsibility lie for reconciling the labor distribution summary and
the payroll disbursement voucher?
a. cash disbursements
b. cost accounting
c. personnel
d. general ledger

46. Which of the following statements is not true?
a. Routine payroll processing begins with the submission of time cards.
b. Payroll clerks must verify the hours reported on the time cards.
c. Payroll reconciles personnel action forms with time cards and prepares paychecks.
d. Cash disbursements signs paychecks and forwards them to the paymaster for distribution.

47. In a manufacturing firm, employees use time cards and job tickets. Which of the following
statements is not correct?
a. Job tickets are prepared by employees for each job worked on, so an employee may have
more than one job ticket on a given day.
b. An individual employee will have only one time card.
c. The time reported on job tickets should reconcile with the time reported on time cards.
d. Paychecks should be prepared from the job tickets.

48. Which department is responsible for approving changes in pay rates for employees?
a. payroll
b. treasurer
c. personnel
d. cash disbursements

49. Which of the following situations represents a serious control weakness?
a. Timekeeping is independent of the payroll department.
b. Paychecks are distributed by the employee’s immediate supervisor.
c. Time cards are reconciled with job tickets.
d. Personnel is responsible for updating employee records, including creation of records for
new hires.

50. Why would an organization require the paymaster to deliver all unclaimed paychecks
to the internal audit department?
a. to detect a “phantom employee” for whom a check was produced
b. to prevent an absent employee’s check from being lost
c. to avoid paying absent employees for payday
d. to prevent the paymaster from cashing unclaimed checks

51. Payroll uses time card data to do all of the following except
a. prepare the payroll register
b. update employee payroll records
c. prepare the labor distribution summary
d. prepare paychecks

52. Payroll checks are typically drawn on
a. the regular checking account
b. a payroll imprest account
c. a wages payable account
d. petty cash

53. The personnel action form provides authorization control by
a. preventing paychecks for terminated employees
b. verifying pay rates for employees
c. informing payroll of new hires
d. all of the above

54. Accounting records that provide the audit trail for payroll include all of the following
except
a. time cards
b. job tickets
c. payroll register
d. accounts payable register

55. Personnel action forms are used to do all of the following except
a. activate new employees
b. terminate employees
c. record hours worked
d. change pay rates

56. The payroll department performs all of the following except
a. prepares the payroll register
b. distributes paychecks
c. updates employee payroll records
d. prepares paychecks

57. The document that records the total amount of time spent on a production job is the
a. time card
b. job ticket
c. labor distribution summary
d. personnel action form

Chapter 11

Chapter 12

TRUE/FALSE:

1. The ethical principle of justice asserts that the benefits of the decision should be distributed
fairly to those who share the risks.
ANS: T

2. The ethical principle of informed consent suggests that the decision should be implemented
so as to minimize all of the risks and to avoid any unnecessary risks.
ANS: F

3. Employees should be made aware of the firm’s commitment to ethics.
ANS: T

4. Business ethics is the analysis of the nature and social impact of computer technology, and
the corresponding formulation and justification of policies for the ethical use of such technology.
ANS: F

5. Para computer ethics is the exposure to stories and reports found in the popular media
regarding the good or bad ramifications of computer technology.
ANS: F

6. Computer programs are intellectual property.
ANS: T

7. Copyright laws and computer industry standards have been developed jointly and rarely
conflict.
ANS: F

8. Business bankruptcy cases always involve fraudulent behavior.
ANS: F

9. Defalcation is another word for financial fraud.
ANS: T

10. The trend toward distributed data processing increases the exposure to fraud from remote
locations.
ANS: T

11. Of the three fraud factors (situational pressure, ethics, and opportunity), situational pressure
is the factor that actually facilitates the act.
ANS: F

12. Ethical issues and legal issues are essentially the same.
ANS: F

13. Internal control systems are recommended but not required to prevent fraud.
ANS: F

14. Collusion among employees in the commission of a fraud is difficult to prevent but easy to
detect.
ANS: F

15. Database management fraud includes altering, updating, and deleting an organization’s data.
ANS: F

16. The fraud triangle represents a geographic area in Southeast Asia where international fraud
is prevalent.
ANS: F

17. Situational pressure includes personal or job related stresses that could coerce an individual
to act dishonestly.
ANS: T

18. Opportunity involves direct access to assets and/or access to information that controls
assets.
ANS: T

19. Cash larceny involves stealing cash from an organization before it is recorded on the
organization’s books and records.
ANS: F

20. Skimming involves stealing cash from an organization after it is recorded on the
organization’s books and records.
ANS: F

21. The most common access point for perpetrating computer fraud is at the data collection
stage.
ANS: T

22. Changing the Hours Worked field in an otherwise legitimate payroll transaction to increase
the amount of the paycheck is an example of data collection fraud.
ANS: T

23. Scavenging is a form of fraud in which the perpetrator uses a computer program to search
for key terms in a database and then steal the data.
ANS: F

24. The objective of SAS 99 is to seamlessly blend the auditor’s consideration of fraud into all
phases of the audit process.
ANS: T

MULTIPLE CHOICE:

1. Which ethical principle states that the benefit from a decision must outweigh the risks, and
that there is no alternative decision that provides the same or greater benefit with less risk?
a. minimize risk
b. justice
c. informed consent
d. proportionality

2. Individuals who acquire some level of skill and knowledge in the field of computer ethics are
involved in which level of computer ethics?
a. para computer ethics
b. pop computer ethics
c. theoretical computer ethics
d. practical computer ethics

3. All of the following are factors in the fraud triangle except
a. Ethical behavior of an individual
b. Pressure exerted on an individual at home and job related
c. Materiality of the assets
d. Opportunity to gain access to assets

4. Which characteristic is not associated with software as intellectual property?
a. uniqueness of the product
b. possibility of exact replication
c. automated monitoring to detect intruders
d. ease of dissemination

5. For an action to be called fraudulent, all of the following conditions are required
except
a. poor judgment
b. false representation
c. intent to deceive
d. injury or loss

6.One characteristic of employee fraud is that the fraud


a.is perpetrated at a level to which internal controls do not apply
b.involves misstating financial statements
c.involves the direct conversion of cash or other assets to the employee’s personal
benefit
d.involves misappropriating assets in a series of complex transactions involving third parties

7.Forces which may permit fraud to occur do not include


a.a gambling addiction
b.lack of segregation of duties
c.centralized decision making environment
d.questionable integrity of employees

8. Which of the following best describes lapping?
a. applying cash receipts to a different customer’s account in an attempt to conceal
previous thefts of funds
b. inflating bank balances by transferring money among different bank accounts
c. expensing an asset that has been stolen
d. creating a false transaction

9. Skimming involves
a. Stealing cash from an organization before it is recorded
b. Stealing cash from an organization after it has been recorded
c. manufacturing false purchase orders, receiving reports, and invoices
d. A clerk pays a vendor twice for the same products and cashes the reimbursement check
issued by the vendor.

10. Which of the following controls would best prevent the lapping of accounts receivable?
a. Segregate duties so that the clerk responsible for recording in the accounts receivable
subsidiary ledger has no access to the general ledger.
b. Request that customers review their monthly statements and report any unrecorded
cash payments.
c. Require customers to send payments directly to the company’s bank.
d. Request that customers make the check payable to the company.

11. In balancing the risks and benefits that are part of every ethical decision, managers receive
guidance from each of the following except
a. justice
b. self interest
c. risk minimization
d. proportionality

12. Cash larceny involves
a. Stealing cash from an organization before it is recorded
b. Stealing cash from an organization after it has been recorded
c. manufacturing false purchase orders, receiving reports, and invoices
d. A clerk pays a vendor twice for the same products and cashes the reimbursement check
issued by the vendor.

13. Employee fraud involves three steps. Of the following, which is not involved?
a. concealing the crime to avoid detection
b. stealing something of value
c. misstating financial statements
d. converting the asset to a usable form

14. What fraud scheme is similar to the “borrowing from Peter to pay Paul” scheme?
a. expense account fraud
b. kiting
c. lapping
d. transaction fraud

15. A shell company fraud involves
a. Stealing cash from an organization before it is recorded
b. Stealing cash from an organization after it has been recorded
c. manufacturing false purchase orders, receiving reports, and invoices
d. A clerk pays a vendor twice for the same products and cashes the reimbursement check
issued by the vendor.

16. When certain customers made cash payments to reduce their accounts receivable, the
bookkeeper embezzled the cash and wrote off the accounts as uncollectible. Which control
procedure would most likely prevent this irregularity?
a. segregation of duties
b. accounting records
c. accounting system
d. access controls

17. Business ethics involves
a. how managers decide on what is right in conducting business
b. how managers achieve what they decide is right for the business
c. both a and b
d. none of the above

18. All of the following are conditions for fraud except
a. false representation
b. injury or loss
c. intent
d. material reliance

19. The four principal types of fraud include all of the following except
a. bribery
b. gratuities
c. conflict of interest
d. economic extortion

20. Which of the following is not an issue to be addressed in a business code of ethics
required by the SEC?
a. Conflicts of interest
b. Full and Fair Disclosures
c. Legal Compliance
d. Internal Reporting of Code Violations
e. All of the above are issues to be addressed

21. Operations fraud includes
a. altering program logic to cause the application to process data incorrectly
b. misusing the firm’s computer resources
c. destroying or corrupting a program’s logic using a computer virus
d. creating illegal programs that can access data files to alter, delete, or insert values

22. Computer fraud can take on many forms, including each of the following except
a. theft or illegal use of computer-readable information
b. theft, misuse, or misappropriation of computer equipment
c. theft, misuse, or misappropriation of assets by altering computer-readable records and files
d. theft, misuse, or misappropriation of printer supplies

23. What does the underlying assumption of reasonable assurance regarding implementation of
internal control mean?
a. Auditors are reasonably assured that fraud has not occurred in the period.
b. Auditors are reasonably assured that employee carelessness can weaken an internal control
structure.
c. Implementation of the control procedure should not have a significant adverse effect
on efficiency or profitability.
d. Management assertions about control effectiveness should provide auditors with reasonable
assurance.

24. The importance to the accounting profession of the Sarbanes-Oxley Act of 2002 is that
a. bribery will be eliminated.
b. management will not be able to override the company’s internal controls.
c. firms are required to have an effective internal control system.
d. firms will not be exposed to lawsuits.
