Kulang


Universidad De Manila

College of Business, Accountancy & Economics

CIS Audit
Midterm Examination

Instruction: Choose whether:

a. If both statements are true
b. If both statements are false
c. If only Statement 1 is true
d. If only Statement 2 is true

1. Statement 1 - Corporate management (including the CEO) must certify monthly and annually their
organization’s internal controls over financial reporting.
Statement 2 - A qualified opinion on management’s assessment of internal controls over the financial
reporting system necessitates a qualified opinion on the financial statements.

2. Statement 1 - The same internal control objectives apply to manual and computer-based information
systems.
Statement 2 - The external auditor is responsible for establishing and maintaining the internal control
system.

3. Statement 1 - Segregation of duties is an example of an internal control procedure.
Statement 2 - Preventive controls are passive techniques designed to reduce fraud.

4. Statement 1 - A key modifying assumption in internal control is that the internal control system is the
responsibility of management.
Statement 2 - While the Sarbanes-Oxley Act prohibits auditors from providing non-accounting services
to their audit clients, they are not prohibited from performing such services for non-audit clients or
privately held companies.

5. Statement 1 - The Sarbanes-Oxley Act requires the audit committee to hire and oversee the external
auditors.
Statement 2 - Section 404 requires that corporate management (including the CEO) certify their
organization’s internal controls on a quarterly and annual basis.

6. Statement 1 - Section 302 requires the management of public companies to assess and formally report
on the effectiveness of their organization’s internal controls.
Statement 2 - Application controls apply to a wide range of exposures that threaten the integrity of all
programs processed within the computer environment.

7. Statement 1 - Advisory services is an emerging field that goes beyond the auditor’s traditional
attestation function.
Statement 2 - An IT auditor expresses an opinion on the fairness of the financial statements.

8. Statement 1 - External auditing is an independent appraisal function established within an organization
to examine and evaluate its activities as a service to the organization.
Statement 2 - External auditors can cooperate with and use evidence gathered by internal audit
departments that are organizationally independent and that report to the Audit Committee of the Board of
Directors.

9. Statement 1 - Tests of controls determine whether the database contents fairly reflect the organization's
transactions.
Statement 2 - Audit risk is the probability that the auditor will render an unqualified opinion on financial
statements that are materially misstated.

10. Statement 1 - A strong internal control system will reduce the amount of substantive testing that must be
performed.
Statement 2 - Substantive testing techniques provide information about the accuracy and completeness
of an application's processes.

11. Statement 1 - To fulfill the segregation of duties control objective, computer processing functions (like
authorization of credit and billing) are separated.
Statement 2 - To ensure sound internal control, program coding and program processing should be
separated.

12. Statement 1 - Some systems professionals have unrestricted access to the organization's programs and
data.
Statement 2 - IT governance focuses on the management and assessment of strategic IT resources.

13. Statement 1 - Distributed data processing places the control of IT resources under end users.
Statement 2 - An advantage of distributed data processing is that redundant tasks are greatly eliminated.

14. Statement 1 - Certain duties that are deemed incompatible in a manual system may be combined in a
computer-based information system environment.
Statement 2 - To improve control and efficiency, new systems development and program maintenance
should be performed by the same individual or group.

15. Statement 1 - Distributed data processing reduces the risk of operational inefficiencies.
Statement 2 - The database administrator should be separated from systems development.

16. Statement 1 - A disaster recovery plan is a comprehensive statement of all actions to be taken after a
disaster.
Statement 2 - RAID is the use of parallel disks that contain redundant elements of data and applications.

17. Statement 1 - Transaction cost economics (TCE) theory suggests that firms should outsource specific
noncore IT assets.
Statement 2 - Commodity IT assets are easily acquired in the marketplace and should be outsourced under
the core competency theory.

18. Statement 1 - A database administrator is responsible for the receipt, storage, retrieval, and custody of
data files.
Statement 2 - Virtualization is the technology that unleashed cloud computing.

19. Statement 1 - Fault tolerance is the ability of the system to continue operation when part of the system
fails due to hardware failure, application program error, or operator error.
Statement 2 - An often-cited benefit of IT outsourcing is improved core business performance.

20. Statement 1 - Commodity IT assets include such things as network management.
Statement 2 - Specific IT assets support an organization’s strategic objectives.

21. Statement 1 - A generally accepted advantage of IT outsourcing is improved security.
Statement 2 - An advantage of distributed data processing is that individual end user groups set specific
IT standards without concern for the broader corporate needs.

22. Statement 1 - A mutual aid is the lowest cost disaster recovery option, but has shown to be effective and
low risk.
Statement 2 - Critical applications should be identified and prioritized by the user departments,
accountants, and auditors.

23. Statement 1 - A ROC is generally shared with multiple companies.
Statement 2 - In a computerized environment, the audit trail log must be printed onto paper documents.

24. Statement 1 - Disguising message packets to look as if they came from another user and to gain access
to the host’s network is called spooling.
Statement 2 - A formal log-on procedure is the operating system’s last line of defense against
unauthorized access.

25. Statement 1 - Computer viruses usually spread throughout the system before being detected.
Statement 2 - A worm is a software program that replicates itself in areas of idle memory until the system
fails.

26. Statement 1 - Viruses rarely attach themselves to executable files.
Statement 2 - Operating system controls are of interest to system professionals but should not concern
accountants and auditors.

27. Statement 1 - The most frequent victims of program viruses are microcomputers.
Statement 2 - Audit trails in computerized systems are comprised of two types of audit logs: detailed
logs of individual keystrokes and event-oriented logs.

28. Statement 1 - In a telecommunications environment, line errors can be detected by using an echo check.
Statement 2 - The message authentication code is calculated by the sender and the receiver of a data
transmission.

29. Statement 1 - The request-response technique should detect if a data communication transmission has
been diverted.
Statement 2 - Electronic data interchange translation software interfaces with the sending firm and the
value added network.

30. Statement 1 - A value added network can detect and reject transactions by unauthorized trading partners.
Statement 2 - Electronic data interchange customers may be given access to the vendor's data files.

31. Statement 1 - The audit trail for electronic data interchange transactions is stored on magnetic media.
Statement 2 - A firewall is a hardware partition designed to protect networks from power surges.

32. Statement 1 - To preserve audit trails in a computerized environment, transaction logs are permanent
records of transactions.
Statement 2 - The network paradox is that networks exist to provide user access to shared resources
while one of its most important objectives is to control access.

33. Statement 1 - IP spoofing is a form of masquerading to gain unauthorized access to a Web server.
Statement 2 - The rules that make it possible for users of networks to communicate are called protocols.

34. Statement 1 - A factor that contributes to computer crime is the reluctance of many organizations to
prosecute criminals for fear of negative publicity.
Statement 2 - Because of network protocols, users of networks built by different manufacturers are able
to communicate and share data.

35. Statement 1 - The client-server model can only be applied to ring and star topologies.
Statement 2 - Only two types of motivation drive DoS attacks: 1) to punish an organization with which
the perpetrator had a grievance; and 2) to gain bragging rights for being able to do it.

36. Statement 1 - The bus topology connects the nodes in parallel.
Statement 2 - A network topology is the physical arrangement of the components of the network.

37. Statement 1 - A digital signature is a digital copy of the sender’s actual signature that cannot be forged.
Statement 2 - A smurf attack involves three participants: a zombie, an intermediary, and the victim.

38. Statement 1 - In a hierarchical topology, network nodes communicate with each other via a central host
computer.
Statement 2 - Polling is one technique used to control data collisions.

39. Statement 1 - The more individuals that need to exchange encrypted data, the greater the chance that the
key will become known to an intruder. To overcome this problem, private key encryption was devised.
Statement 2 - A ping is used to test the state of network congestion and determine whether a particular
host computer is connected and available on the network.

40. Statement 1 - HTML tags are customized to delimit attributes, the content of which can be read and
processed by computer applications.
Statement 2 - The database approach to data management is sometimes called the flat file approach.

41. Statement 1 - The database management system provides a controlled environment for accessing the
database.
Statement 2 - To the user, data processing procedures for routine transactions, such as entering sales
orders, appear to be identical in the database environment and in the traditional environment.

42. Statement 1 - An important feature associated with the traditional approach to data management is the
ability to produce ad hoc reports.
Statement 2 - The data definition language is used to insert special database commands into application
programs.

43. Statement 1 - There is more than one conceptual view of the database.
Statement 2 - In the database method of data management, access authority is maintained by systems
programming.

44. Statement 1 - The physical database is an abstract representation of the database.
Statement 2 - A customer name and an unpaid balance is an example of a one-to-many relationship.

45. Statement 1 - In the relational model, a data element is called a relation.
Statement 2 - Subschemas are used to authorize user access privileges to specific data elements.

46. Statement 1 - A recovery module suspends all data processing while the system reconciles its journal
files against the database.
Statement 2 - A major difference between the database and flat-file models is the pooling of data into a
common shared database.

47. Statement 1 - Examining programmer authority tables for information about who has access to Data
Definition Language commands will provide evidence about who is responsible for creating subschemas.
Statement 2 - Data normalization groups data attributes into tables in accordance with specific design
objectives.

48. Statement 1 - Under the database approach, data is viewed as proprietary or owned by users.
Statement 2 - The data dictionary describes all of the data elements in the database.

49. Statement 1 - When information system needs arise, users send formal requests for computer
applications to the database administrator of the organization.
Statement 2 - A deadlock is a phenomenon that prevents the processing of transactions.

50. Statement 1 - Time stamping is a control that is used to ensure database partitioning.
Statement 2 - A lockout is a software control that prevents multiple users from simultaneous access to
data.

51. Statement 1 - An entity is any physical thing about which the organization wishes to capture data.
Statement 2 - Data access methods allow records to be located, stored and retrieved.

52. Statement 1 - The term occurrence is used to describe the number of attributes or fields pertaining to a
specific entity.
Statement 2 - The earliest DBAs were based on the hierarchical data model.

The End!
