Module 7 Solutions
MC2 a. Incorrect. If business processes are not
changed to make use of the new technology and
address new control issues, it may increase
b. Incorrect. E-commerce activities expose a company to
different kinds of events like security and inability
to collect or deliver goods, that increases
c. Incorrect. Systems complexity and integration can increase
the kinds of errors that occur in the system and
how widely they spread to different parts of the
a. Incorrect. The programmer creates the code.
b. Incorrect. The DP manager is the executive.
c. Correct. The systems analyst designs systems.
d. Incorrect. The internal auditor monitors systems.
a. Correct. The control group monitors error reports.
b. Incorrect. Systems analyst designs systems.
c. Incorrect. Supervisor of operations is a computer room
d. Incorrect. Programmer writes code.
a. Incorrect. Record totals suggest dollar amounts.
b. Correct. Hash totals involve nondollar totals.
c. Incorrect. Data totals suggest dollar amounts.
d. Incorrect. Field totals suggest dollar amounts.
a. Incorrect. Wrong arithmetic, see d.
b. Incorrect. Wrong arithmetic, see d.
c. Incorrect. Wrong arithmetic, see d.
d. Correct. Cash deposits + discounts = payments credit to
a. Incorrect. This is a software function.
b. Incorrect. This is a programmer function.
c. Incorrect. This is an input control function.
d. Correct. This is an automated hardware function.
a. Correct. A payroll processing program is "user" software.
b. Incorrect. The operating system program is a "system"
c. Incorrect. Data management system software is a "system"
d. Incorrect. Utility programs are "system" programs.
a. Incorrect. Compilers convert the programmers' source code
to machine readable code.
b. Incorrect. Supervisory programs police the use of
c. Correct. Utility programs are general-purpose programs.
d. Incorrect. User programs are the application programs.
EP4 Online sales, audit procedures
a) The question requires one to consider how data entry
controls can be designed in a setting where customers
input their own order data. Some examples of controls
Ranges of entry amount limits
Playback of data entry for check by data entry
customer and confirmation before updating the order
Valid data checks, e.g. credit cards start with certain
numbers and have a certain number of digits, phone
numbers and email addresses have certain features,
b) As the controls probably leave no documentary evidence,
observation and enquiry would be used to establish that
effective controls exist. CAATs would be used to test other
control procedures that are performed by the IT system itself.
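The data entry controls listed in part a), as an added example that is not part of the original solution: a range limit, valid data checks on card, phone and email, and a playback the customer must confirm before the order is updated. The quantity limit, the simplified card prefix table, the field names and the sample orders are assumptions, and the Luhn check digit test goes beyond the prefix and length checks the solution mentions.

```python
import re

# Constructed limits and formats for illustration; a real site sets its own.
MAX_QTY = 100
CARD_LENGTHS = {"4": {13, 16, 19}, "34": {15}, "37": {15},  # simplified table
                "51": {16}, "52": {16}, "53": {16}, "54": {16}, "55": {16}}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
PHONE_RE = re.compile(r"\+?[0-9]{10,15}")

def luhn_ok(digits):
    """Check digit test: double every second digit from the right, sum mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def card_ok(number):
    digits = re.sub(r"[ -]", "", number)
    return bool(re.fullmatch(r"[0-9]+", digits)) and luhn_ok(digits) and any(
        digits.startswith(p) and len(digits) in n for p, n in CARD_LENGTHS.items())

def validate_order(order):
    """Return the names of rejected fields; empty means every check passed."""
    qty = order.get("quantity")
    phone = re.sub(r"[ ().-]", "", str(order.get("phone", "")))
    checks = {
        "quantity": type(qty) is int and 1 <= qty <= MAX_QTY,  # range limit
        "card": card_ok(str(order.get("card", ""))),
        "phone": bool(PHONE_RE.fullmatch(phone)),
        "email": bool(EMAIL_RE.fullmatch(str(order.get("email", "")))),
    }
    return [field for field, ok in checks.items() if not ok]

def playback(order):
    """Echo the entry back for the customer to check, masking the card number."""
    last4 = re.sub(r"[ -]", "", order["card"])[-4:]
    return f"qty={order['quantity']} card=****{last4} email={order['email']}"

def accept_order(order, confirmed):
    """Update the order only if every check passed and the customer confirmed."""
    return not validate_order(order) and confirmed

# Constructed sample entries (the card number is a widely used test value).
GOOD = {"quantity": 2, "card": "4111 1111 1111 1111",
        "phone": "+1 (555) 010-0199", "email": "pat@example.com"}
BAD = {"quantity": 5000, "card": "4111 1111 1111 1112",
       "phone": "555", "email": "pat@example"}
```

Because these checks run without leaving documents behind, the rejected-field list and the confirmation flag are the kind of output an auditor could reperform with test data.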
EP9 Testing computer processing
a) The statement is reasonable as long as the auditor can
obtain reasonable assurance that all invoices in the audit
period are produced under exactly the same conditions. The
possibility for errors always exists even if a process is
computerized, for example the data entered for processing
could be such that the program does not process it properly
(e.g. a 5-digit entry is made but the computer is only
programmed to read four digits and ignores the fifth one, or
the ‘Y2K’ type of problem). So, while not a lot is gained by
randomly sampling the population with statistical methods,
this does not mean that no errors can occur. If in fact the
program is producing the wrong calculations, the extent of
the resulting error will likely be huge.
b) The case scenario suggests there is a risk that the program
may have changed during the period. Statistical testing of
transactions from different periods could identify a program
change that had an impact on the output amounts, which
could result in a misstatement in the financial statements.
EP11 Control risk assessment, online input
The question requires one to apply principles of control to a
non-business situation. The response requires one to consider
the objectives of tax return filing more generally, what can go
wrong in terms of efficiency, accuracy and appropriateness of
tax information submitted, and then identify how the e-file
system may provide greater control and efficiency, and what
new risks it might introduce.
DC1 Back-up procedures, impact on internal control risk
The case involves auditee company procedures for backing up
computer files, and the implications of this on internal control
risk. Management’s cost-benefit decision has resulted in a
system that appears to operate well enough considering t