BAC 517

Auditing in CIS Environment

1. An auditor would be least likely to use computer software to:

A. Access client data files
B. Prepare spreadsheets
C. Assess CIS control risk
D. Construct parallel simulations
2. S1 The audit of computerized data processing does not affect the amount of audit evidence
required by the auditor, but it may affect the methods of obtaining evidence
S2 When planning the audit, the auditor must determine the extent of data processing done by
computer and the complexity of that processing (e.g., use of sophisticated on-line systems)
A. True, false B. False, true C. True, true D. False, false
3. This environment exists when a computer of any type or size is involved in the processing by the entity
of financial information of significance to the audit, whether that computer is operated by the entity or
by a third party, such as a service bureau.
A. Information system B. CIS environment C. Process alignment D. Database areas
4. This component of an IT system refers to the electronic devices or equipment used to accomplish each
IT function (input, processing, storage, output)
A. Software B. Hardware C. Dataware D. Liveware
5. This refers to the computer programs that perform the functions of controlling and coordinating the use
of hardware components.
A. Software B. Systems software C. Application software D. Dataware
6. This refers to the computer programs designed to perform specific data processing tasks such as
payroll, billing, or inventory processing.
A. Software B. Systems software C. Application software D. Dataware
7. S1 Most entities make use of IT systems for financial reporting and operation purposes
S2 There will always be manual elements to the systems that a client uses
A. True, false B. False, true C. True, true D. False, false
8. S1 Manual controls may be more reliable than automated controls because they can be less easily
S2 Consistency of application of manual control element can be assumed.
A. True, false B. False, true C. True, true D. False, false
9. Which of the following characteristics distinguishes computer processing from manual processing?
A. Computer processing virtually eliminates the occurrence of computational error normally
associated with manual processing
B. Errors or irregularities in computer processing will be detected soon after their occurrence
C. The potential for systematic error is ordinarily greater in manual processing than in computerized
D. Most computer systems are designed so that transaction trails useful for audit purposes do not
10. Which of the following statements best describes a fundamental control weakness often associated with
computer systems?
A. Computer equipment is more subject to systems error than manual processing is subject to human
B. Computer equipment processes and records similar transactions in similar manner
C. Control procedures for detection of invalid and unusual transactions are less effective than manual
control procedures
D. Functions that would normally be separated in manual systems are combined in a computer
11. Which of the following statements most likely represents a disadvantage for an entity that keeps
microcomputer-prepared data files rather than manually prepared files?
A. Random error associated with processing similar transactions in different ways is usually greater
B. It is usually more difficult to compare recorded accountability with physical count of assets.
C. Attention is focused on the accuracy of the programming process rather than errors in individual
D. It is usually easier for unauthorized persons to access and alter the files
12. What is the computer process called when data processing is performed concurrently with a particular
activity and the results are available soon enough to influence the particular course of action being taken
or the decision being made?
A. Real-time processing
B. Batch processing
C. Random access processing
D. Integrated data processing

13. When computer software or files can be accessed from OL terminals, users should be required to
enter a(an):
A. Parity check
B. A personal identification code
C. A self-diagnosis test
D. An echo check
14. Which of the following is not a characteristic of a batch processed computer system?
A. The collection of like transactions that are sorted and processed sequentially against a master file
B. Keypunching of transactions, followed by machine processing
C. The production of numerous print outs
D. The posting of transaction, as it occurs, to several files, without intermediate printouts
15. Errors in data processed in a batch computer system may not be detected immediately because
A. Transaction trails in batch system are available only for a limited period of time
B. There are time delays in processing transactions in a batch system
C. Errors in some transactions cause rejection of other transactions in the batch
D. Random errors are more likely in a batch system than in an on-line system
16. These control procedures relate to all computer activities
A. General IT controls
B. IT application controls
C. Overall controls
D. Pervasive IT system
17. The purpose of this category of controls is to establish specific control procedures over the application
systems in order to provide reasonable assurance that all transactions are authorized and recorded,
and are processed completely, accurately and on a timely basis
A. General IT controls
B. IT application controls
C. IT input controls
D. IT processing controls
18. Auditors usually evaluate the effectiveness of:
A. Hardware controls first
B. General controls before application controls
C. Sales cycle controls first
D. Applications control first
19. Which of the following activities would most likely be performed in the IT department?
A. Initiation of changes to master records
B. Conversion of information to machine-readable form
C. Correction of transactional errors
D. Initiation of changes to existing application
20. Preventing someone with sufficient technical skill from circumventing security procedures and making
changes to production programs is best accomplished by
A. Reviewing reports of jobs completed
B. Comparing production programs with independently controlled copies
C. Running test data periodically
D. Providing suitable segregation of duties
21. Internal control is ineffective when computer department personnel
A. Participate in computer software acquisition decisions
B. Design documentation for computerized software
C. Originate changes in master files
D. Provide physical security for program files
22. Which of the following employees in a company’s computer department should be responsible for
designing new or improved data processing procedures?
A. Flowchart editor B. Programmer C. System Analyst D. Control group head
23. Which of the following is a general IT control that would most likely assist an entity whose system
analyst left the entity in the middle of a major project?
A. Grandfather-father-son record retention
B. Input and output
C. Systems and documentation
D. Check digit verification
24. Controls which are built in by the manufacturer to detect equipment failure are called:
A. Input controls B. Manufacturer’s control C. Hardware controls D. Fail-safe controls
25. An echo check is best described as
A. A component that signals the control unit that an operation has been performed
B. Two units that provide read-after-write and dual-read capabilities
C. Double writing of the CPU and peripheral unit form communicating with the CPU at the same
D. None of these statements describe an echo check
26. Adequate control over access to data processing is required to:
A. Deter improper use or manipulation of data files and programs
B. Ensure that only console operators have access to program documentation
C. Minimize the need for backup data files
D. Ensure that hardware controls are operating effectively and as designed by the computer

27. Which of the following is the auditor’s concern regarding a distributed data processing set-up?
A. Hardware controls
B. Access controls
C. System documentation control
D. Organization control
28. Controls which are designed to assure that the information processed by the computer is valid,
complete and accurate are called
A. Input control B. Processing controls C. Output controls D. General controls
29. Totals of amounts in computer-recorded data fields, which are not usually added but are used only for
data processing control purposes are called:
A. Record totals B. Hash totals C. Haas-larzen totals D. Field totals
30. If a control total were to be computed on each of the following data items, which total would best be
identified as a hash total for a payroll application processed by computer?
A. Net pay B. Department numbers C. Total Debits D. Hours worked
31. The detection and correction of errors in the data should be the responsibility of
A. The data processing manager
B. The operator
C. The IT department control group
D. The independent public accountant
32. The information technology (IT) system may affect:
A. The procedures followed by the auditor in obtaining sufficient understanding of the accounting and
internal control system
B. The consideration of inherent risk and control risk
C. The auditor’s design and performance of tests of control and substantive audit procedures
D. All of these
33. S1 Significance of IT processing relates to the materiality of the FS assertions affected by the
computer processing
S2 An application may be considered complex if the volume of transactions is such that users
would find it difficult to identify and correct errors in processing.
A. True, false B. False, true C. True, true D. False, false
34. Auditing by testing the input and output of an IT system instead of computer program itself:
A. Will not detect program errors which do not show up in the output sampled
B. Will detect all program errors, regardless of the nature of the output
C. Will provide the auditor with the same type of evidence
D. Will not provide the auditor with confidence in the results of auditing procedures
35. Auditing through the computer must be used when
A. Input transactions are batched and system logic is straightforward
B. Processing primarily consists of sorting the input data and updating the master file sequentially
C. Processing is primarily online and updating in real-time
D. Generalized audit software is not available
36. Which of the following computer documentation would an auditor most likely utilize in obtaining an
understanding of an entity’s internal control structure?
A. System flowcharts B. Record counts C. Program listing D. Record layouts
37. Test of controls in an advanced computer system
A. Can be performed using only actual transactions since testing of simulated transactions is of no
B. Can be performed using actual transactions or simulated transactions
C. Is impractical since many procedures within the computer activity leave no visible evidence of
having been performed
D. Is inadvisable because it may distort the evidence in master files
38. An auditor’s investigation of a company’s computer control procedures has disclosed the following four
circumstances. Indicate which circumstances constitute a significant deficiency in internal control
A. Computer operators do not have access to the complete software support documentation
B. Machine operators are closely supervised by programmers
C. Programmers do not have the authorization to operate computer equipment
D. Only one generation of back up files is stored in an off-premises location
39. Which of the following is a computer test made to ascertain whether a given characteristic belongs to a
A. Parity check B. Validity check C. Echo check D. Limit check
40. The application of audit procedures using the computer as an audit tool refers to:
A. Integrated test facility
B. Auditing around the computer
C. Computer-assisted audit techniques
D. Information technology auditing

Page 3 of 11
BAC 517

41. Which of the following statements is not true of the test data approach when testing a computerized
accounting system?
A. The test data needs to consist of only those valid and invalid conditions that interest the auditor
B. Only one transaction of each type needs to be tested
C. The test data must consist of all possible valid and invalid conditions
D. Test data are processed by the client’s computer software under the auditor’s control
42. Which of the following computer-assisted audit techniques allows fictitious and real transactions to be
processed together without client-operating personnel being aware of the testing process
A. Parallel simulation
B. Integrated test facility
C. Mapping
D. Test data
43. Using parallel simulation, ___________ transactions are processed using _____________
A. Live transactions, live programs
B. Live transactions, test master file
C. Test transactions, test programs
D. Live transactions, test programs
44. Which of the following would an auditor ordinarily consider the greater risk regarding an entity’s use of
electronic data interchange (EDI)?
A. Authorization of EDI transactions
B. Duplication of EDI transmissions
C. Improper distribution of EDI transactions
D. Elimination of paper documents
45. A company using electronic data interchange (EDI) made it a practice to track the functional
acknowledgements from trading partners and to issue warning messages if acknowledgements did not
occur within a reasonable length of time. What risk was the company attempting to address by this
A. Transactions that have not originated from a legitimate trading partner may be inserted into the
EDI network
B. Transmission of EDI transactions to trading partners may sometimes fail
C. There may be disagreement between parties as to whether the EDI transactions from a legal
D. EDI data may not be accurately and completely processed by the EDI software
46. A client is concerned that a power outage or disaster could impair the computer hardware’s ability to
function as designed. The client desires off-site backup hardware facilities that are fully configured and
ready to operate within several hours. The client most likely should consider a
A. Cold site B. Cool site C. Warm site D. Hot site
47. Which of the following would an entity most likely include in its computer disaster recovery plan?
A. Develop an auxiliary power supply to provide uninterrupted electricity
B. Store duplicate copies of critical files in a location away from the computer center
C. Maintain a listing of entity passwords with the network manager
D. Translate data for storage purposes with cryptographic secret code
48. Which of the following controls most likely would assure that an entity can reconstruct its financial
A. Hardware controls are built into the computer by the computer manufacturer
B. Backup CDs of critical files which are stored away from originals
C. Personnel who are independent of data input perform parallel simulations
D. System flowcharts provide accurate descriptions of input and output operations.
49. The policies and procedures that the entity implements and the IT infrastructure (hardware, operating
systems, etc) and application software that it uses to support business operations and achieve business
A. IT environment B. Internal Control C. General IT controls D. Application controls
50. The use of computers in data processing systems frequently eliminates the basic control of:
A. Using vouchers for authorization of disbursements
B. Appropriate segregation of duties
C. Information processing
D. Cost should not exceed benefit
51. One of the conditions peculiar to an IT system is that:
A. Transactions will be processed in a uniform manner
B. The audit trail is frequently retained like in a manual system
C. Decreased management supervision
D. Potential for human element errors is increased significantly
52. When the IT system is significant, the auditor should also obtain an understanding of the IT
environment and whether it may influence assessment of
A. Inherent and control risks
B. Control and detection risks
C. Inherent and detection risks
D. General and application controls
53. Which of the following is a hardware device not associated with input?
A. Printer B. Optical Scanner C. CRT terminal D. Card reader
54. These are economical yet powerful self-contained general purpose computers.
A. Cray II supercomputer
B. Pentium computers and multimedia station
C. Personal Computers or PCs
D. RISOgraph and application controls

55. A personal computer can be used in any of the following configurations, except:
A. A stand-alone workstation operated by a single user or a number of users at different times
B. A workstation which is part of a local area network of personal computers
C. A workstation connected to a server
D. A server connected to another server
56. The following are common characteristics of PCs, except:
A. Provide users with substantial computing capabilities
B. Portability (small enough to be transportable)
C. Relatively inexpensive
D. Must be configured for a long time before use.
57. This is an arrangement where two or more personal computers are linked together through the use of
special software and communication lines. This may also be referred to as a distributed system.
A. Local area network
B. Wide area network
C. World Wide Web
D. Unit to unit workstation
58. The two requirements crucial to achieving audit efficiency and effectiveness with a personal computer
are selecting:
A. The appropriate audit tasks for personal computer applications and the appropriate software to
perform the selected audit task.
B. The appropriate software to perform the selected audit tasks and data that can be accessed by the
auditor’s personal computer.
C. Company data that can be accessed by the auditor’s personal computer and the appropriate audit
tasks for personal computer applications.
D. The appropriate sample of company data to test with the auditor’s personal computer and the
appropriate software to perform the selected tasks.
59. S1: In a personal computer, it may not be practicable or cost effective for management to implement
sufficient controls to reduce the risks of undetected errors to a minimum level.
S2: The auditor may often assume that control risk is high in personal computer environments with
insufficient internal controls.
A. True, false B. False, true C. True, true D. False, false
60. Which of the following is not an example of operating system software?
A. MS Disk Operating System v.6.22
B. Linux OS
C. Microsoft Office 2003
D. Microsoft Windows XP Professional
61. Removable storage media include:
A. Diskettes
B. Compact disks (CDs)
C. Removable hard disks
D. All of the answers
62. A group of related records in a data-processing system is a:
A. Character B. Field C. Cluster D. File
63. In a computerized system, procedure or problem oriented language is converted to machine language
through a(n):
A. Interpreter B. Verifier C. Compiler D. Converter
64. Which of the following statements is incorrect?
A. The purpose of CIS application is to establish specific control procedures over the application
systems in order to provide reasonable assurance that all transactions are authorized and
recorded, and are processed accurately and on a timely basis.
B. It may be more efficient to review the design of the general CIS control before reviewing the CIS
application controls.
C. If general CIS controls are not effective, there may be a risk that misstatements might occur and
go undetected in the application systems.
D. The purpose of general CIS controls is to establish a framework of overall control over the CIS
activities and to provide absolute level of assurance that the overall objectives of internal control
are achieved.
65. Which of the following terms best describes the type of control evidenced by a segregation of duties
between computer programmers and computer operators?
A. System development control
B. Hardware control
C. Applications control
D. Organizational control
66. While general controls relate to all client IT activities, application controls relate:
A. To all client non-IT activities
B. To specific tasks or programs performed by IT
C. To assignment and supervision of personnel
D. Only to systems with database environments
67. When personal computers are accessible to many users, the concern is on the risk relating to
A. Custody B. Authorization C. Recording D. Alteration

68. S1: When a system has multiple users or shared information across networks, advanced operating
system security controls and logical access controls are necessary.
S2: Controlled use requires a generalized definition of who has access rights to specific systems, specific
resources, and specific capabilities.
A. True, false B. False, true C. True, true D. False, false
69. The following, except one, are internal control techniques which can be used for data and program
A. Employing passwords
B. Using anti-virus software programs
C. Segregating data into files organized under separate file directories
D. Disconnecting from the office network
70. Management can contribute to the effective operation of stand-alone computers by prescribing and
enforcing policies for their control and use, such as policies for:
A. Management responsibilities
B. Standards of report format and report distribution controls
C. Training requirements and personal usage policies
D. All of the answers
71. These are computer systems that enable users to access data and programs through workstations:
A. In-line computer systems
B. On-line computer systems
C. Transaction processing systems
D. Personal computer environment
72. On-line systems allow users to initiate various functions directly. Such functions include the following,
A. Entering transactions
B. Blocking inquiries
C. Requesting reports
D. Updating master files
73. There are two common types of workstations: general purpose terminals and special purpose terminals.
Which of the following is not a general purpose terminal?
A. Personal Computers
B. Intelligent terminal
C. Point of sale devices
D. Basic keyboard and monitor

For numbers 74-76, use the following choices:

A. On-line/ Real-time processing
B. On-line/ inquiry
C. On-line/ Memo update and subsequent processing
D. On-line downloading/ Uploading processing

74. In this system, users at workstations are restricted to making inquiries of master files
75. This term refers to the transfer of data from master file to a workstation for further processing by the
76. It combines on-line/ real time processing and on-line/ batch processing

77. These are procedures designed to restrict access to on-line terminal devices, programs and data
A. Access controls
B. General IT controls
C. User authentication
D. User authorization
78. This access control typically attempts to identify a user through unique logon identifications,
passwords, access card or biometric data
A. Access controls
B. General IT controls
C. User authentication
D. User authorization
79. User authorization procedures are designed to prevent or detect the following, except:
A. Unauthorized access to on-line terminal devices, programs and data
B. Entry of authorized transactions
C. Unauthorized changes of data files
D. The use of computer programs by unauthorized personnel and the use of computer programs that
have not been authorized
80. These are manual or automated procedures that typically operate at a business process level. These
controls can be preventive or detective in nature and are designed to ensure the integrity of the
accounting records.
A. General IT controls
B. Application controls
C. Access controls
D. Internal controls
81. It is a communications system that enables computer users to share computer equipment, application
software, data and voice and video transmissions.
A. Network
B. Shared document system
C. Client server system
D. Electronic data interchange

82. Which type of network is created to connect two or more geographically separated local area networks?
A. LAN B. WAN C. MAN D. Any of these.
83. A type of network where multiple buildings are close enough to create a campus, but the space between
the buildings is not under the control of the company is
A. LAN B. WAN C. MAN D. Any of these
84. Which device works to control the flow of data between two or more network segments?
A. Gateway B. Bridge C. Router D. Repeater
For numbers 85-88, use the following choices:
A. Gateway
B. Bridge
C. Router
D. Repeater
E. Switch
85. A hardware and software solution that enables communications between two dissimilar networking
systems or protocols is called a __________
86. A device that connects and passes packets of data between two network segments that use the same
communication protocol is called a ___________
87. A device that regenerates and retransmits the signal on a network is known as a ___________
88. Communication media provides the vehicle to physically transmit the data signal from device to device.
A _________ forwards frames based on destination addresses.

89. Which of the following situations is most likely to illustrate a risk of fraud or error in on-line systems?
I. On-line data entry is performed at or near the point where transactions originate
II. Invalid transactions are corrected and re-entered immediately.
III. On-line access to data and programs is possible through telecommunications systems
IV. Workstations are located throughout the entity
V. Data entry is performed on-line by individuals who understand the nature of the transactions
VI. Transactions are not processed immediately by the computer system.
A. I, III, IV, VI B. I, IV, VI C. III, IV, VI D. IV, V, VI
90. Internal controls in an on-line computer system include the following:
A. Access controls
B. Controls over User IDs and passwords
C. Transaction logs
D. All of these
91. These are programmed routines that check the input data and processing results for completeness,
accuracy and reasonableness
A. Pre-processing authorization
B. Cut-off procedures
C. Master file controls
D. Edit, reasonableness and validation
92. This is the process of establishing control totals over data being submitted for processing through
workstations and comparing the control totals during and after processing to ensure that complete and
accurate data are transferred to each processing phase.
A. Footing B. Cross casting C. Balancing D. Posting
93. The electronic transmission of documents between organizations in machine-readable form.
A. Cryptography
B. Short messaging service
C. Computer processing
D. Electronic data interchange
94. A combination of hardware and software that protects a WAN, LAN or PC from unauthorized access
through the Internet and from the introduction of unauthorized or harmful software, data or other
material in electronic form.
A. Anti-virus program B. Security update C. Firewall D. Access monitor
95. The purpose of input control is to ensure the:
A. Authorization of access to data files
B. Authorization of access to program files
C. Completeness, accuracy and validity update
D. Completeness, accuracy and validity of input
96. Procedures designed to prevent or detect changes to computer programs that are accessed through
on-line terminal devices
A. Limit checks
B. Edit checks
C. IT application controls
D. Programming controls
97. A company uses the account code 614 for maintenance expense. However, one of the company clerks
often codes maintenance expense as 641. The highest account code in the system is 620. What would be
the best internal control check to build into the company’s computer system to detect this error?
A. A manual re-check of the code
B. Valid-character test
C. Sequence check
D. Valid-code test

98. Parity check, read after write check, and duplicate circuitry are IT controls that are designed to detect:
A. Erroneous internal handling of data
B. Lack of sufficient documentation for computer processes
C. Illogical programming commands
D. Illogical uses of hardware
99. Reports that are designed to create an audit trail for each on-line transaction. Such reports often
document the source of a transaction (terminal, time and user) as well as the transaction’s details
A. Batch processing logs
B. Transaction logs
C. Transmittal sheets
D. Embedded audit modules
100. This is the individual responsible for preparing specifications for the systems to guide programmers, and
writes procedures and user instructions.
A. Network administrator
B. System analyst
C. IT control group supervisor
D. None of these
101. This is the individual responsible for the development and management of data communications
system, and reviews documentation to ensure compliance with the standards and provides approval of
documentation when standards are met.
A. Network administrator
B. System analyst
C. IT control group supervisor
D. None of these
102. A computer programmer has written a program for updating perpetual inventory records. Responsibility
for initial testing (debugging) of the program should be assigned to the:
A. IT department control group
B. Internal audit control group
C. Programmer
D. Machine operator
103. More than one file may be stored on a single magnetic memory disk. Several programs may be in the
core storage unit simultaneously. In both cases it is important to prevent the mixing of data. One way
to do this is:
A. To use file integrity control
B. To use boundary protection
C. To use interleaving
D. To use paging
104. Which of the following is not an advantage of converting from manual to an IT-based system?
A. It usually centralizes data
B. It permits higher quality controls over operations
C. It may eliminate the control provided by division of duties of independent persons who perform
related functions and compare results
D. It may take the record-keeping function and the document preparation function away from those
who have custody of assets and put those functions into the IT center
105. In microcomputer systems, the most important aspect for auditors to consider is the:
A. Audit techniques
B. Computer technology
C. Control environment
D. Computer software
106. In comparing the control environment in complex versus non-complex IT systems, the control
environment in complex IT systems is:
A. More critical because there is greater potential for errors and irregularities.
B. Less critical because the complexity ensures the control will be built into the system
C. More critical because of the high degree of technical competence needed by the programmers and
D. Less critical because non-experts do not have the opportunity to interact with the system and mess
it up.
107. The most important output control is:
A. Distribution control, which assures that only authorized personnel receive the reports generated by
the system.
B. Review of the data for reasonableness by someone who knows what the output should look like
C. Control totals, which are used to verify that the computer’s results are correct
D. Logical tests, which verify that no mistakes were made in processing
108. During one processing run, several transactions have been rejected by the IT system. Accordingly, the
IT department:
A. Should not contact the user department and inform them of the rejection
B. Should re-encode the inputs previously made by computer operators and reprocess the
C. Is responsible for ensuring that these transactions are in fact resubmitted and re-entered for
D. Is not responsible for the resolution of rejected transactions.
109. This refers to a collection of data that is shared and used by a number of different users for different
A. Database B. Information file C. Master file D. Transaction file

110. A database management system

A. Physically stores each element of data only once
B. Stores data on different files for different purposes, but always knows where they are and how to
retrieve them.
C. Allows quick retrieval of data but at a cost of inefficient use of file space
D. Allows quick retrieval of data but it needs to update files continually.
111. Which two important characteristics distinguish database systems?
A. Data integrity and data independence C. Data sharing and data interconnection
B. Data independence and data sharing D. Data integrity and user integrity
112. A software within the database management system which is required to keep track of the location of
data in the database.
A. Data discussion C. Data dictionary
B. Data tracker D. Documentation dictionary
113. According to PAPS 1003, an important privilege that has to be considered regarding ownership is
A. Administrator’s ability to grant privileges to another administrator
B. User’s ability to grant privileges to another user
C. User’s ability to grant privileges to the network administrator
D. Network administrator’s ability to grant privileges to users
114. User access to the various elements of a database may be controlled through the use of passwords.
These restrictions apply to
A. Defining the database structure
B. Maintaining data integrity, security and completeness
C. Programs but not to individuals and not to terminal devices
D. Individuals, terminal devices and programs
115. The database administration tasks include:
a. Defining the database structure
b. Maintaining data integrity, security and completeness
c. Coordinating computer operations related to the database
d. Monitoring system performance
e. Providing administrative support
A. a, b and c B. b, c and e C. b, c, d, e D. a, b, c, d, e
116. These controls require a database administrator to assign security attributes to data that cannot be
changed by database users.
A. Discretionary access controls C. Passwords controls
B. Mandatory access controls D. Distributed access controls
117. These controls allow users to specify who can access data they own and what action privileges they
have with respect to that data.
A. Discretionary access controls C. Context-dependent restrictions
B. Mandatory access controls D. History-dependent restrictions

For Nos. 118-120, identify the discretionary access control being described. Use the following choices:
A. Name-dependent restrictions C. Context-dependent restrictions
B. Content-dependent restrictions D. History-dependent restrictions
118. Users either have access to a named data resource or they do not have access to the resource
119. Users are permitted or denied access to a data resource depending on the context in which they are
seeking access.
120. Users are permitted or denied access to data resource depending on the time series of accesses to and
actions they have undertaken on data resources.

121. The audit procedures in a database environment will be affected principally by:
A. The extent to which databases are being used by accounting applications
B. The type and significance of financial transactions being processed.
C. The nature of the database, the DBMS, the database administration task and the applications.
D. The general IT controls which are particularly important in a database environment.
122. This refers to standards for handling of files, such as standards for file names, retention dates,
reconstruction procedures and storage location:
A. Physical controls C. Utility programs
B. Performance reviews D. File control standards


123. The purpose of segregation of responsibilities is to maintain, as far as possible, a separation of the
incompatible functions of which of the following?
I. Authorizing transactions
II. Executing transactions
III. Encoding transactions
IV. Custodial responsibility over assets involved in transactions.
A. I, III, IV B. I, II, V C. II, III, V D. I, II, III, IV
124. The lack of segregation of functions in a personal computer environment may:
A. Allow errors to be detected on a timely basis
B. Permit the detection and correction of fraud
C. Allow errors to go undetected
D. Improve the efficiency of company operation due to combined functions
125. This is the process of transforming programs and information into an unintelligible form.
A. Decryption process B. Cartography C. Criminology D. Cryptography
126. These programs now represent the most common threat to any computer security.
A. Electricity failure B. Natural disasters C. Computer hackers D. Computer viruses
127. If the same account application is used at various locations, application software integrity and
consistency may be improved when application programs are developed and maintained:
A. By each user dispersed throughout the entity C. By top management
B. At one place in the entity D. Under lock and key
128. This refers to plans made by the entity to obtain access to comparable hardware, software and data in
the event of their failure, loss or destruction:
A. IT recovery plan B. Back-up C. Xcopy command D. Replication
129. S1 Both removable and non-removable media may be potentially erased or damaged by viruses that
could attack the CIS
S2 A virus is a computer program (a block of non-executable code) that attaches itself to a legitimate
program or data file and uses it as a transport mechanism to reproduce itself without the knowledge of
the user.
A. True, false B. False, true C. True, true D. False, false
130. S1 Depending on the nature of the program and data files, it is appropriate to keep current copies of
diskettes, CDs or back-up tapes and hard disks in a fireproof container, either on site or off-site, or
S2 Maintaining current copies applies to both operating system and utility software and backup copies
of hard disks
A. True, false B. False, true C. True, true D. False, false
131. When auditing “around” the computer, the independent auditor focuses solely upon the source
documents and
A. Test data B. IT techniques C. IT processing D. IT output
132. When computers were first used in information processing, many auditors felt that they would have
little impact on the audit process. They felt that the auditor would continue to ignore or bypass the
computer processing function of the entity’s IT system. This is known as the concept of
A. Auditing around the clock C. Auditing around the computer
B. Auditing through the computer D. Bypass operation
133. Audit and control specifications for an audit trail need to be established at the:
A. Planning stage of the audit
B. Time a system is designed, leased or purchased
C. Control risk assessment phase
D. Negotiation phase of accepting the client
134. The following statements relate to CAATs. Which one is incorrect?
A. CAATs may improve the effectiveness and efficiency of auditing procedures
B. CAATs may provide effective test of control, but not substantive procedures
C. CAATs are advisable where there are no input documents or a visible audit trail, or where
population and sample sizes are very large.
D. CAATs are used considering the principle of cost-benefit
135. Processing data through the use of simulated files provides an auditor with information about the
operating effectiveness of control policies and procedures. One of the techniques involved in this
approach makes use of
A. Input validation C. Controlled processing
B. Program code checking D. Integrated test facility
136. The re-processing of live data to test program controls is called:
A. Parallel simulation C. Test data
B. Generalized audit software D. Integrated test deck


137. In parallel simulation, who (1) prepares the data and who (2) prepares the computer program?
A. (1) auditor; (2) client C. (1) auditor; (2) auditor
B. (1) client; (2) client D. (1) client; (2) auditor
138. The audit approach in which the auditor runs his/her own program on a controlled basis in order to
verify the client’s data recorded in a machine language is:
A. The test data approach C. The microcomputer aided auditing approach
B. The generalized audit software approach D. Called auditing around the computer
139. Over the past week long-distance calling for OsioOsio, Inc. has nearly tripled in comparison with its
usual weekly long-distance telephone traffic. Which of the following auditing techniques will detect this
exception on a real-time basis?
A. Auditing around the computer C. Parallel simulation
B. Embedded audit modules D. Test deck approach
140. The ease of processing and analyzing quantities of data using computers provides the auditor with
opportunities to apply:
A. General or specialized computer audit techniques and tools
B. Major and minor computer audit techniques
C. Generally accepted auditing standards
D. Risk assessment procedures
141. Generalized audit software is useful for
                         A.    B.    C.    D.
• Test of controls       Yes   No    No    Yes
• Substantive tests      No    Yes   No    Yes
142. Generalized audit software (GAS) is designed to allow auditors to
A. Monitor the execution of application programs
B. Process test data against master files that contain actual and fictitious entities
C. Select sample data from files and check computations
D. Insert special audit routines into regular application programs
143. Which of the following audit procedures would an auditor be least likely to perform using computer-
assisted audit techniques (CAATs) software?
A. Searching records of accounts receivable balances for credit balances
B. Investigating inventory balances for possible obsolescence
C. Selecting accounts receivable for positive and negative confirmation
D. Listing unusually large inventory balances

