Some of the more important controls that relate to automated accounting information
systems are validity checks, limit checks, field checks, and sign tests. These are classified
Answer (D) is correct.
Validity checks, limit checks, field checks, and sign tests are all
examples of input controls (input validation routines).
Proper segregation of functional responsibilities to achieve effective internal control calls for separation of the functions of
Answer (B) is correct. One person should not be responsible for all phases of a transaction, i.e., for authorization of transactions, recording of transactions, and custodianship of the related assets. These duties should be performed by separate individuals to reduce the opportunities to allow any person to be in a position both to perpetrate and conceal errors or fraud in the normal course of his or her duties (AU 314).
A computer virus is different from a “Trojan horse” because the virus can
Answer (C) is correct. Viruses are computer programs that propagate themselves from one computer to another without the user’s knowledge. Trojan horses are voluntarily installed on a computer by the user because they masquerade as programs the user wants. The Trojan horse contains code that allows a hacker to later take over the computer or retrieve sensitive data from it.
In securing the client/server environment of an information system, a principal disadvantage of using a single level sign-on password is the danger of creating a(n)
Answer (B) is correct. Single sign-on can be the solution in well-managed systems environments. A single ID and password combination is required to allow a user access to all IT resources (s)he needs. A high level of maintenance and security consciousness is required to make single sign-on successful.
An internal information systems control questionnaire that includes computer input controls, the distribution of output media, and record-retention procedures is designed to review and assess which one of the following?
Answer (C) is correct. Computer operations is that section of the information systems function concerned with the day-to-day processing of data and distribution of results to the appropriate parties.
A company’s accounts payable supervisor assigned a vendor code to a storage facility owned by the supervisor, then instructed the company’s accounting system to pay monthly rent for a storage unit allegedly leased from the storage facility. This situation is an example of a failure of controls due to the lack of
Answer (C) is correct. When a supervisor can both approve a vendor and initiate a transaction, segregation of duties is not properly enforced. The two functions must either be separated or monitored.
Which one of the following procedures functions primarily as an output control over a
company’s payroll processing?
Answer (D) is correct.
The payroll distribution log, which contains a schedule of when checks and
reports are prepared and the names of the individuals who are to receive
them, is an output control. Checks and reports are outputs, so
the schedule of their receipt is an output control.
The director in charge of a company’s data center is reviewing the controls surrounding the
access to the hardware in the data center, which is located offsite. The control below
that best identifies what the director should consider in order to protect access to the
Answer (A) is correct.
Physical controls limit physical access and environmental damage to
computer equipment and important documents. In order to protect access
to hardware, the director should consider limitation of physical access,
since hardware is a tangible object.
A payroll accountant for a company checked the most recent payroll records and
discovered that the company had accidentally paid an employee for 400 hours instead of 40 hours.
Which one of the controls below would be the best control to prevent an error such as this one?
Answer (C) is correct.
Input controls provide reasonable assurance that data submitted for processing are (1)
authorized, (2) complete, and (3) accurate. If the company had an input control that looked
for unreasonable amounts, it would have flagged the 400 as an unreasonable number
before the data were processed into the system. The input control would not have allowed this amount.
To prevent or detect potential fraudulent actions that could result from unexecuted computer program code designed to be activated if an unscrupulous programmer becomes dissatisfied or is terminated, auditors seek to identify and review unexecuted program code. Auditors can accomplish this through the use of which one of the following methods?
Answer (B) is correct. Mapping programs are used to search application source programs for code that is not used in the version of the program that is in use by the production system.