GENERAL AND APPLICATION CONTROLS

1. Which of the following procedures would an entity most likely include in its disaster
recovery plan?
a. Convert all data from external formats to an internal company format.
b. Maintain a program to prevent illegal activity.
c. Develop an auxiliary power supply to provide uninterrupted electricity.
d. Store duplicate copies of files in a location away from the computer center.

2. Which of the following is least likely to be a general control over computer activities?
a. Procedures for developing new programs and systems
b. Requirements for system documentation
c. A change request log
d. A control total

3. Which of the following is an example of general computer control?

a. Input validation checks
b. Control total
c. Operations manual
d. Generalized audit software

4. When designing the physical layout of a data processing center, which of the following
would be least likely to be a necessary control that is considered?
a. Design of controls to restrict access
b. Adequate physical layout space for the operating system
c. Inclusions of an adequate power supply system with surge protection
d. Consideration of risks related to other uses of electricity in the area

5. Auditing through the computer is most likely to be used when:

a. Input transactions are batched and system logic is straightforward.
b. Processing primarily consists of sorting the input data and updating the master file
sequentially.
c. Processing is primarily on line and updating is real-time.
d. Outputs are in hard copy form

6. Which of the following computer system risks would be increased by the installation of a
database system?
a. Programming errors
b. Data entry errors
c. Improper data access
d. Loss of power

7. Parallel simulation programs used by the auditors for testing programs:

a. Must simulate all functions of the production computer-application system.
 b. Cannot be developed with the aid of generalized audit software.
c. Can use live data or test data.
d. Is generally restricted to data base environments.

8. Auditing by testing the input and output of a computer system instead of the computer
program itself will:
a. Not detect program errors which do not show up in the output sampled.
b. Detect all program errors, regardless of the nature of the output.
c. Provide the auditors with the same type of evidence.
d. Not provide the auditors with the confidence in the results of the auditing procedures.

9. If a control total were to be computed on each of the following data items, which would best
be identified as a hash total for a payroll computer application?
a. Net pay
b. Department numbers
c. Hours worked
d. Total debits and total credits

10. In their consideration of a client's IT controls, the auditors will encounter general controls
and application controls. Which of the following is an application control?
a. The operations manual
b. Hash total
c. Systems documentation
d. Control over program changes

11. When erroneous data are detected by computer program controls, such data may be excluded
from processing and printed on an exception report. The exception report should most
probably be reviewed and followed up on by the:
a. Supervisor of computer operations
b. Systems analyst
c. Data control group
d. Computer programmer

12. The purpose of using generalized computer programs is to test and analyze a client's
computer:
a. Systems.
b. Equipment.
c. Records.
d. Processing logic.

13. The completeness of computer-generated sales figures can be tested by comparing the
number of items listed on the daily sales report with the number of items billed on the actual
invoices. This process uses:
 a. Self-checking numbers
b. Control totals
c. Validity tests
d. Process tracing data

14. Internal control is ineffective when computer department personnel:

a. Participate in computer software acquisition decisions.
b. Design documentation for computerized systems.
c. Originate changes in master files.
d. Provide physical security for program files.

15. Which of the following is likely to be of least importance to an auditor in considering the
internal control in a company with computer processing?
a. The segregation of duties within the computer center.
b. The control over source documents.
c. The documentation maintained for accounting applications.
d. The cost/benefit of data processing operations.

16. Passwords for microcomputer software programs are designed to prevent:

a. Inaccurate processing of data.
b. Unauthorized access to the computer.
c. Incomplete updating of data files.
d. Unauthorized use of the software.

17. When conducting field work for a physical inventory, an auditor cannot perform which of the
following steps using a generalized audit software package?
a. Observing inventory
b. Selecting sample items of inventory
c. Analyzing data resulting from inventory
d. Recalculating balances in inventory reports

18. Which of the following is a password security problem?

a. Users are assigned passwords when accounts are created, but do not change them.
b. Users have accounts on several systems with different passwords.
c. Users copy their passwords on note paper, which is kept in their wallets.
d. Users select passwords that are not listed in any online dictionary.

19. The capability for computers to communicate with physically remote terminals is an
important feature in the design of modern business information systems. Which of the
following risks associated with the use of telecommunications systems is minimized through
the use of a password control system?
a. Unauthorized access to system program and data files
b. Unauthorized physical availability of remote terminals
 c. Physical destruction of system program and data files
d. Physical destruction of remote terminals

20. Consider the following computer applications:

i. At a catalog sales firm, as phone orders are entered into their computer, both
inventory and credit are immediately checked.
ii. A manufacturer's computer sends the coming week's production schedule and parts
orders to a supplier's computer.
Which statement below is true for these applications?
a. Both applications are examples of EDI.
b. Both applications are examples of on-line real-time processing.
c. The first application is an example of EDI and the second is an example of on-line real-
time.
d. The first application is an example of on-line real-time and the second is an example of
EDI.

21. Which of the following is not a category of an application control?

a. Processing controls
b. Output controls
c. Hardware controls
d. Input controls

22. Which of the following statements related to application controls is correct?

a. Application controls relate to various aspects of the IT function including software
acquisition and the processing of transactions.
b. Application controls relate to various aspects of the IT function including physical
security and the processing of transactions in various cycles.
c. Application controls relate to all aspects of the IT function.
d. Application controls relate to the processing of individual transactions.

23. General controls include all of the following except:

a. Systems development
b. Online security
c. Processing controls
d. Hardware controls

24. Typical controls developed for manual systems which are still important in IT systems
include:
a. Proper authorization of transactions
b. Competent and honest personnel
c. Careful and complete preparation of source documents
d. All of the above

25. Which of the following statements about general controls is not correct?
a. Disaster recovery plans should identify alternative hardware to process company data.
 b. Successful IT development efforts require the involvement of IT and non-IT personnel.
c. The chief information officer should report to senior management and the board.
d. Programmers should have access to computer operations to aid users in resolving
problems.

26. Which one of the following control functions is not the responsibility of the input-output
control group of the data processing department?
a. Review of the efficiency and effectiveness of systems design
b. Scanning the console log
c. Review and distribution of computer output and resolution of control totals
d. Maintenance of an error log

27. In obtaining an understanding of an entity=s internal control structure, an auditor is required

to obtain knowledge about the

Operating effectiveness of Design of policies and procedures

policies and procedures
a. Yes Yes
b. No Yes
c. Yes No
d. No No

28. Auditors usually obtain information about general and application controls through:
a. Interviews with IT personnel
b. Examination of systems documentation
c. Reading program change requests
d. All of the above methods

29. The most cost-effective type of internal control is:

a. Preventive control
b. Accounting control
c. Detective control
d. Corrective control

30. Which of the following is a preventive control?

a. Credit check before approving a sale on account
b. Bank reconciliation
c. Physical inventory count
d. Comparing the accounts receivable subsidiary ledger to the control account

31. A well-designed purchase order is an example of a

a. Preventive control
b. Detective control
c. Corrective control
d. None of the above
32. A physical inventory count is an example of a
a. Preventive control
b. Detective control
c. Corrective control
d. Feedforward control

33. The bank reconciliation uncovered a transposition error in the books. This is an example of a
a. Preventive control
b. Detective control
c. Corrective control
d. None of the above

34. Which subsystem is not part of the expenditure cycle?

a. Cash disbursements
b. Payroll
c. Production planning/control
d. Purchases/Accounts payable

35. In contrast to a real-time system, in a batch processing system:

a. There is a lag between the time when the economic event occurs and the financial records
are updated.
b. Relatively more resources are required.
c. A greater resource commitment per unit of output is required.
d. Processing takes place when the economic event occurs.

36. The type of transaction most suitable for batch processing is

a. Airline reservations
b. Credit authorization
c. Payroll processing
d. Adjustments to perpetual inventory

37. Which of the following is a subsystem of conversion cycle?

a. Preparing the weekly payroll for manufacturing personnel.
b. Releasing raw materials for use in the manufacturing cycle.
c. Recording the receipt of payment for goods sold.
d. Recording the order placed by a customer.

38. The purpose of the purchase requisition is to

a. Order goods from vendors.
b. Record receipt of goods from vendors.
c. Authorize the purchasing department to order goods.
 d. Bill for goods delivered.

39. The purpose of the receiving report is to

a. Order goods from vendors.
b. Record receipt of goods from vendors.
c. Authorize the purchasing department to order goods.
d. Bill for goods delivered.

40. The reason that a blind copy of the purchase order is sent to receiving is to
a. Inform receiving when a shipment is due.
b. Force a count of the items delivered.
c. Inform receiving of the type, quantity, and price of items to be delivered.
d. Require that the goods delivered are inspected.
ANSWERS:

1. D 21. C
2. D 22. D
3. C 23. C
4. B 24. D
5. C 25. D
6. C 26. A
7. C 27. B
8. A 28. D
9. B 29. A
10. B 30. A
11. C 31. A
12. C 32. B
13. B 33. B
14. C 34. C
15. D 35. A
16. D 36. C
17. A 37. B
18. A 38. C
19. A 39. B
20. D 40. B