CEBU CPAR CENTER without theknowledge of the user.a. Virusc. System management programb.

Utility
Mandaue City, Cebu program d. Encryption
AUDITING THEORY 16. Which statement is incorrect regarding internal control in personal computer
AUDITINGINACOMPUTERINFORMATIONSYSTEMS(CIS)ENVIRONMENT environment?a. Generally, the CIS environment in which personal computers are used is
Related PSAs/PAPSs:  less structuredthan a centrally-controlled CIS environment.b. Controls over the system
PSA 401; PAPS 1001, 1002, 1003, 1008 and 1009PSA 401 – Auditing in a Computer development process and operations may not be viewed by thedeveloper, the user or
Information Systems (CIS) Environment management as being as important or cost-effective.c. In almost all commercially
1. Which statement is incorrect when auditing in a CIS environment?a. A CIS available operating systems, the built-in security provided hasgradually increased over
environment exists when a computer of any type or size is involved in the processingby the years.d. In a typical personal computer environment, the distinction between
the entity of financial information of significance to the audit, whether that computer general CIS controlsand CIS application controls is easily ascertained.
isoperated by the entity or by a third party.b. The auditor should consider how a CIS 17. Personal computers are susceptible to theft, physical damage, unauthorized access
environment affects the audit.c. The use of a computer changes the processing, storage or misuseof equipment. Which of the following is least likely a physical security to
and communication of financialinformation and may affect the accounting and internal restrict access topersonal computers when not in use?a. Using door locks or other
control systems employed by theentity.d. A CIS environment changes the overall security protection during non-business hours.b. Fastening the personal computer to a
objective and scope of an audit. table using security cables.c. Locking the personal computer in a protective cabinet or
2. Which of the following standards or group of standards is mostly affected by a shell.d. Using anti-virus software programs. 
computerizedinformation system environment?a. General standards c. Reporting
standardsb. Second standard of field workd. Standards of fieldwork  Page 3 of 15 
3. Which of the following is least considered if the auditor has to determine whether AT-030507
specializedCIS skills are needed in an audit?a. The auditor needs to obtain a sufficient 18. Which of the following is not likely a control over removable storage media to
understanding of the accounting and internal controlsystem affected by the CIS preventmisplacement, alteration without authorization or destruction?a. Using
environment.b. The auditor needs to determine the effect of the CIS environment on cryptography, which is the process of transforming programs and information into
the assessment ofoverall risk and of risk at the account balance and class of transactions anunintelligible form.b. Placing responsibility for such media under personnel whose
level.c. Design and perform appropriate tests of controls and substantive procedures.d. responsibilities include dutiesof software custodians or librarians.c. Using a program and
The need of the auditor to make analytical procedures during the completion stage of data file check-in and check-out system and locking the designatedstorage locations.d.
audit Keeping current copies of diskettes, compact disks or back-up tapes and hard disks in
.4. It relates to materiality of the financial statement assertions affected by the afireproof container, either on-site, off-site or both.
computerprocessing.a. Threshold b. Relevance c. Complexityd. Significance  19. Which of the following least likely protects critical and sensitive information from
5. Which of the following least likely indicates a complexity of computer processing?a. unauthorizedaccess in a personal computer environment?a. Using secret file names and
Transactions are exchanged electronically with other organizations without manual hiding the files.b. Keeping of back up copies offsite.c. Employing passwords.d.
reviewof their propriety.b. The volume of the transactions is such that users would find Segregating data into files organized under separate file directories.
it difficult to identify and correcterrors in processing.c. The computer automatically 20. It refers to plans made by the entity to obtain access to comparable hardware,
generates material transactions or entries directly to anotherapplications.d. The system software anddata in the event of their failure, loss or destruction.a. Back-upb.
generates a daily exception report. Encryption c. Anti-virus d. Wide Area Network (WAN)
6. The nature of the risks and the internal characteristics in CIS environment that the 21. The effect of personal computers on the accounting system and the associated risks
auditors aremostly concerned include the following except:a. Lack of segregation of will leastlikely depend ona. The extent to which the personal computer is being used to
functions. c. Lack of transaction trails.b.Dependence of other control over computer process accountingapplications.b. The type and significance of financial transactions
processing.d. Cost-benefit ratio. 7. Which of the following is least likely a risk being processed.c. The nature of files and programs utilized in the applications.d. The
characteristic associated with CIS environment?a. Errors embedded in an application’s cost of personal computers.
program logic maybe difficult to manually detect on atimely basis.b. Many control 22. The auditor may often assume that control risk is high in personal computer systems
procedures that would ordinarily be performed by separate individuals inmanual system since , itmay not be practicable or cost-effective for management to implement
maybe concentrated in CIS.c. The potential unauthorized access to data or to alter them sufficient controls toreduce the risks of undetected errors to a minimum level. This least
without visible evidence maybegreater.d. Initiation of changes in the master file is likely entaila. More physical examination and confirmation of assets.b. More analytical
exclusively handled by respective users. procedures than tests of details.c. Larger sample sizes.d. Greater use of computer-
8. Which of the following significance and complexity of the CIS activities should an assisted audit techniques, where appropriate.PAPS 1002 – CIS Environments – On-Line
auditor leastunderstand?a. The organizational structure of the client’s CIS activities.b. Computer Systems
Lack of transaction trails.c. The significance and complexity of computer processing in 23. Computer systems that enable users to access data and programs directly
each significant accountingapplication.d. The use of software packages instead of throughworkstations are referred to as a. On-line computer systemsc. Personal
customized software. computer systemsb. Database management systems (DBMS) d. Database systems
24. On-line systems allow users to initiate various functions directly. Such functions
include:I. Entering transactions III. Requesting reportsII. Making inquiries IV. Updating
PAPS 1001 – CIS Environments – Stand-Alone Personal Computers master filesa.I, II, III and IVc. I and IIb. I, II and III d. I and IV
9. Which statement is correct regarding personal computer systems?a. Personal 25. Many different types of workstations may be used in on-line computer systems. The
computers or PCs are economical yet powerful self-contained general functionsperformed by these workstations least likely depend on theira. Logic b.
purposecomputers consisting typically of a central processing unit (CPU), memory, Transmission c. Storaged. Cost 
monitor, diskdrives, printer cables and modems.b. Programs and data are stored only on 26. Types of workstations include General Purpose Terminals and Special Purpose
non-removable storage media.c. Personal computers cannot be used to process Terminals.Special Purpose Terminals includea. Basic keyboard and monitorc. Point of
accounting transactions and producereports that are essential to the preparation of sale devices b. Intelligent terminal d. Personal computers
financial statements.d. Generally, CIS environments in which personal computers are 27. Special Purpose Terminal used to initiate, validate, record, transmit and complete
used are the same withother CIS environments. variousbanking transactionsa. Automated teller machinesc. Intelligent terminalb. Point
10. A personal computer can be used in various configurations, includinga. A stand- of sale devices d. Personal computers
alone workstation operated by a single user or a number of users at different times.b. A 28. Which statement is incorrect regarding workstations?a. Workstations may be
workstation which is part of a local area network of personal computers.c. A located either locally or at remote sites.b. Local workstations are connected directly to
workstation connected to a server.d. All of the above. the computer through cables.c. Remote workstations require the use of
11. Which statement is incorrect regarding personal computer configurations?a. The telecommunications to link them to the computer.
stand-alone workstation can be operated by a single user or a number of users  
atdifferent times accessing the same or different programs.b. A stand-alone workstation Page 4 of 15 
may be referred to as a distributed system.c. A local area network is an arrangement AT-030507
where two or more personal computers are linkedtogether through the use of special d. Workstations cannot be used by many users, for different purposes, in different
software and communication lines.d. Personal computers can be linked to servers and locations,all at the same time.
used as part of such systems, forexample, as an intelligent on-line workstation or as part 29. On-line computer systems may be classified according toa. How information is
of a distributed accounting system. entered into the system.b. How it is processed.c. When the results are available to the
12. Which of the following is the least likely characteristic of personal computers?a. user.d. All of the above.
They are small enough to be transportable.b. They are relatively expensive.c. They can 30. In an on-line/real time processing systema. Individual transactions are entered at
be placed in operation quickly.d. The operating system software is less comprehensive workstations, validated and used to update relatedcomputer files immediately.b.
than that found in larger computerenvironments. Individual transactions are entered at a workstation, subjected to certain validation
13. Which of the following is an inherent characteristic of software package?a. They are checksand added to a transaction file that contains other transactions entered during
typically used without modifications of the programs.b. The programs are tailored-made the period.c. Individual transactions immediately update a memo file containing
according to the specific needs of the user.c. They are developed by software information which hasbeen extracted from the most recent version of the master file.d.
manufacturer according to a particular user’sspecifications.d. It takes a longer time of The master files are updated by other systems.
implementation. 31. It combines on-line/real time processing and on-line/batch processing.a. On-
14. Which of the following is not normally a removable storage media?a. Compact disk Line/Memo Update (and Subsequent Processing)b. On-Line Downloading/Uploading
c. Tapesb. Diskettesd. Hard disk  Processingc. On-Line/Inquiryd. On-Line/Combined Processing
15. It is a computer program (a block of executable code) that attaches itself to a
legitimateprogram or data file and uses its as a transport mechanism to reproduce itself
32. It is a communication system that enables computer users to share computer AT-030507
equipment,application software, data and voice and video transmissions.a. Networkb. QUIZZERS
File server c. Host d. Client 1. An internal auditor noted the following points when conducting a preliminary survey
33. A type of network that multiple buildings are close enough to create a campus, but inconnection with the audit of an EDP department. Which of the following would be
the spacebetween the buildings is not under the control of the company isa. Local Area considered asafeguard in the control system on which the auditor might rely?a.
Network (LAN)c. Metropolitan Area Network (MAN) b. Wide Area Network (WAN) d. Programmers and computer operators correct daily processing problems as they arise.b.
World Wide Web (WWW) The control group works with user organizations to correct rejected input.c. New
34. Which of the following is least likely a characteristic of Wide Area Network (WAN)?a. systems are documented as soon as possible after they begin processing live data.d. The
Created to connect two or more geographically separated LANs.b. Typically involves one average tenure of employees working in the EDP department is ten months
or more long-distance providers, such as a telephone company toprovide the .2. An on-line access control that checks whether the user’s code number is authorized
connections.c. WAN connections tend to be faster than LAN.d. Usually more expensive to initiate aspecific type of transaction or inquiry is referred to asa. Passwordc.
than LAN Compatibility test b. Limit check d. Reasonableness test
.35. Gateway isa. A hardware and software solution that enables communications 3. A control procedure that could be used in an on-line system to provide an immediate
between two dissimilarnetworking systems or protocols.b. A device that forwards check onwhether an account number has been entered on a terminal accurately is aa.
frames based on destination addresses.c. A device that connects and passes packets Compatibility test c. Record countb. Hash totald. Self-checking digit
between two network segments that use thesame communication protocol.d. A device  4. A control designed to catch errors at the point of data entry isa. Batch totalc. Self-
that regenerates and retransmits the signal on a network. checking digit b. Record count d. Checkpoints
36. A device that works to control the flow of data between two or more network 5. Program documentation is a control designed primarily to ensure thata. Programmers
segmentsa. Bridgeb. Routerc. Repeater d. Switch have access to the tape library or information on disk files.b. Programs do not make
37. The undesirable characteristics of on-line computer systems least likely includea. mathematical errors.c. Programs are kept up to date and perform as intended.d. Data
Data are usually subjected to immediate validation checks.b. Unlimited access of users have been entered and processed.
to all of the functions in a particular application.c. Possible lack of visible transaction 6. Some of the more important controls that relate to automated accounting
trail.d. Potential programmer access to the system. information systemsare validity checks, limit checks, field checks, and sign tests. These
38. Certain general CIS controls that are particularly important to on-line processing are classified asa. Control total validation routines c. Output controlsb. Hash totalingd.
least likelyincludea. Access controls.b. System development and maintenance controls.c. Input validation routines 
Edit, reasonableness and other validation tests.d. Use of anti-virus software program. 7. Most of today’s computer systems have hardware controls that are built in by the
39. Certain CIS application controls that are particularly important to on-line processing computermanufacturer. Common hardware controls area. Duplicate circuitry, echo
least likelyincludea. Pre-processing authorization.c. Transaction logs. b. Cut-off check, and internal header labelsb. Tape file protection, cryptographic protection, and
procedures. d. Balancing limit checksc. Duplicate circuitry, echo check, and dual readingd. Duplicate circuitry,
echo check, tape file protection, and internal header labels
8. Computer manufacturers are now installing software programs permanently inside
thecomputer as part of its main memory to provide protection from erasure or loss if
Page 5 of 15  there isinterrupted electrical power. This concept is known asa. File integrity c. Random
AT-030507 access memory (RAM)b. Software controld. Firmware 
40. Risk of fraud or error in on-line systems may be reduced in the following 9. Which one of the following represents a lack of internal control in a computer-based
circumstances, excepta. If on-line data entry is performed at or near the point where informationsystem?a. The design and implementation is performed in accordance with
transactions originate, there isless risk that the transactions will not be recorded.b. If management’s specificauthorization.b. Any and all changes in application programs
invalid transactions are corrected and re-entered immediately, there is less risk that have the authorization and approval ofmanagement.c. Provisions exist to protect data
suchtransactions will not be corrected and re-submitted on a timely basis.c. If data entry files from unauthorized access, modification, or destruction.d. Both computer operators
is performed on-line by individuals who understand the nature of thetransactions and programmers have unlimited access to the programs anddata files.
involved, the data entry process may be less prone to errors than when it isperformed 10. In an automated payroll processing environment, a department manager substituted
by individuals unfamiliar with the nature of the transactions.d. On-line access to data the timecard for a terminated employee with a time card for a fictitious employee. The
and programs through telecommunications may provide greateropportunity for access fictitiousemployee had the same pay rate and hours worked as the terminated
to data and programs by unauthorized persons. employee. The bestcontrol technique to detect this action using employee identification
41. Risk of fraud or error in on-line computer systems may be increased for the numbers would be aa. Batch totalb. Hash totalc. Record count d. Subsequent check
following reasons,excepta. If workstations are located throughout the entity, the 11. An employee in the receiving department keyed in a shipment from a remote
opportunity for unauthorized use of aworkstation and the entry of unauthorized terminal andinadvertently omitted the purchase order number. The best systems
transactions may increase.b. Workstations may provide the opportunity for control to detect this errorwould bea. Batch total c. Sequence checkb. Completeness
unauthorized uses such as modification ofpreviously entered transactions or balances.c. testd. Reasonableness test
If on-line processing is interrupted for any reason, for example, due to  
faultytelecommunications, there may be a greater chance that transactions or files may Page 9 of 15 
be lostand that the recovery may not be accurate and complete.d. If transactions are AT-030507
processed immediately on-line, there is less risk that they will beprocessed in the wrong 12. The reporting of accounting information plays a central role in the regulation of
accounting period. businessoperations. Preventive controls are an integral part of virtually all accounting
42. The following matters are of particular importance to the auditor in an on-line processingsystems, and much of the information generated by the accounting system is
computer system,excepta. Authorization, completeness and accuracy of on-line used forpreventive control purposes. Which one of the following is not an essential
transactions.b. Integrity of records and processing, due to on-line access to the system element of a soundpreventive control system?a. Separation of responsibilities for the
by many users andprogrammers.c. Changes in the performance of audit procedures recording, custodial, and authorization functions.b. Sound personnel policies.c.
including the use of CAAT's.d. Cost-benefit ratio of installing on-line computer Documentation of policies and procedures.d. Implementation of state-of-the-art
system.PAPS 1003 – CIS Environments – Database Systems software and hardware.
43. A collection of data that is shared and used by a number of different users for 13. The most critical aspect regarding separation of duties within information systems is
differentpurposes.a. Databaseb. Information file c. Master file d. Transaction file betweena. Project leaders and programmers c. Programmers and systems analystsb.
44. Which of the following is least likely a characteristic of a database system?a. Programmers and computer operatorsd. Data control and file librarians
Individual applications share the data in the database for different purposes.b. Separate 14. Whether or not a real time program contains adequate controls is most effectively
data files are maintained for each application and similar data used by determinedby the use ofa. Audit software c. A tracing routineb. An integrated test
severalapplications may be repeated on several different files.c. A software facility is facilityd. A traditional test deck
required to keep track of the location of the data in the database.d. Coordination is 15. Compatibility tests are sometimes employed to determine whether an acceptable
usually performed by a group of individuals whose responsibility is typicallyreferred to user isallowed to proceed. In order to perform compatibility tests, the system must
as "database administration. maintain anaccess control matrix. The one item that is not part of an access control
"45. Database administration tasks typically includeI. Defining the database structure.II. matrix is aa. List of all authorized user code numbers and passwords.b. List of all files
Maintaining data integrity, security and completeness.III. Coordinating computer maintained on the system.c. Record of the type of access to which each user is
operations related to the database.IV. Monitoring system performance.V. Providing entitled.d. Limit on the number of transaction inquiries that can be made by each user in
administrative support.a. All of the aboveb. All except I c. II and V only d. II, III and V only a specifiedtime period.
46. Due to data sharing, data independence and other characteristics of database 16. Which one of the following input validation routines is not likely to be appropriate in
systemsa. General CIS controls normally have a greater influence than CIS application a real timeoperation?a. Field checkc. Sequence check b. Sign check d. Redundant data
controls ondatabase systems.b. CIS application controls normally have a greater check
influence than general CIS controls ondatabase systems.c. General CIS controls normally 17. Which of the following controls is a processing control designed to ensure the
have an equal influence with CIS application controls ondatabase systems.d. CIS reliability andaccuracy of data processing?Limit test Validity check testa. Yes Yesb.No
application controls normally have no influence on database systems. Noc. No Yesd. Yes No
47. Which statement is incorrect regarding the general CIS controls of particular 18. Which of the following characteristics distinguishes computer processing from
importance in adatabase environment?a. Since data are shared by many users, control manualprocessing?a. Computer processing virtually eliminates the occurrence of
may be enhanced when a standard approachis used for developing each new computational error normallyassociated with manual processing.b. Errors or
application program and for application programmodification. irregularities in computer processing will be detected soon after their occurrences.c. The
potential for systematic error is ordinarily greater in manual processing than
  incomputerized processing.d. Most computer systems are designed so that transaction
Page 8 of 15  trails useful for audit do not exist.
19. Which of the following most likely represents a significant deficiency in the internal substantive testing if the tests ofcontrols show the controls to be operative.d.The
controlstructure?a. The systems analyst review applications of data processing and controls appear adequate
maintains systemsdocumentation.b. The systems programmer designs systems for .34. Which of the following client electronic data processing (EDP) systems generally can
computerized applications and maintainsoutput controls.c. The control clerk establishes beaudited without examining or directly testing the EDP computer programs of the
control over data received by the EDP department andreconciles control totals after system?
processingd. The accounts payable clerk prepares data for computer processing and a.A system that performs relatively uncomplicated processes and produces detailed
enters the data intothe computer. output.
20. Which of the following activities would most likely be performed in the EDP b.A system that affects a number of essential master files and produces a limited
Department?a. Initiation of changes to master records.b. Conversion of information to output.
machine-readable form.c. Correction of transactional errors.d. Initiation of changes to c.A system that updates a few essential master files and produces no printed output
existing applications. otherthan final balances.d.A system that performs relatively complicated processing and
  produces very little detailedoutput.
Page 10 of 15  35. Computer systems are typically supported by a variety of utility software packages
AT-030507 that areimportant to an auditor because they
21. For control purposes, which of the following should be organizationally segregated a.May enable unauthorized changes to data files if not properly controlled.
from thecomputer operations function?a. Data conversionc. Systems development b. b.Are very versatile programs that can be used on hardware of many manufacturers.
Surveillance of CRT messages d. Minor maintenance according to a schedule c.May be significant components of a client’s application programs.
22. Which of the following is not a major reason for maintaining an audit trail for a d.Are written specifically to enable auditors to extract and sort data.
computersystem?a. Deterrent to irregularitiesc. Analytical procedures b. Monitoring 36. To obtain evidence that online access controls are properly functioning, an auditor
purposes d. Query answering most likelywould
23. In an automated payroll system, all employees in the finishing department were paid a.Create checkpoints at periodic intervals after live data processing to test for
the rate ofP75 per hour when the authorized rate was P70 per hour. Which of the unauthorizeduse of the system.
following controlswould have been most effective in preventing such an error?a. Access b.Examine the transaction log to discover whether any transactions were lost or entered
controls which would restrict the personnel department’s access to the payrollmaster twicedue to a system malfunction
file data.b. A review of all authorized pay rate changes by the personnel department.c. c.Enter invalid identification numbers or passwords to ascertain whether the system
The use of batch control totals by department.d. A limit test that compares the pay rejectsthem.
rates per department with the maximum rate for allemployees. d.Vouch a random sample of processed transactions to assure proper authorization
24. Which of the following errors would be detected by batch controls?a. A fictitious 37. Which of the following statements most likely represents a disadvantage for an
employee as added to the processing of the weekly time cards by the entity thatkeeps microcomputer-prepared data files rather than manually prepared
computeroperator.b. An employee who worked only 5 hours in the week was paid for files?
50 hours.c. The time card for one employee was not processed because it was lost in a.Attention is focused on the accuracy of the programming process rather than errors
transit betweenthe payroll department and the data entry function.d. All of the above inindividual transactions.b.It is usually easier for unauthorized persons to access and
.25. The use of a header label in conjunction with magnetic tape is most likely to prevent alter the files.
errors bythea. Computer operatorc. Computer programmerb. Keypunch operator d. c.Random error associated with processing similar transactions in different ways is
Maintenance technician usuallygreater.d.It is usually more difficult to compare recorded accountability with
26. For the accounting system of ACME Company, the amounts of cash disbursements physical count of assets.
enteredinto an EDP terminal are transmitted to the computer that immediately 38. An auditor would least likely use computer software to
transmits the amountsback to the terminal for display on the terminal screen. This a.Access client data filesc. Assess EDP controls b.Prepare spreadsheets d. Construct
display enables the operator to parallel simulations
a.Establish the validity of the account numberb.Verify the amount was entered Page 12 of 15 
accurately AT-030507
c.Verify the authorization of the disbursementsd.Prevent the overpayment of the 39. A primary advantage of using generalized audit software packages to audit the
account financialstatements of a client that uses an EDP system is that the auditor may
27. When EDP programs or files can be accessed from terminals, users should be a.Consider increasing the use of substantive tests of transactions in place of
required toenter a(an)a. Parity check c. Self-diagnostic testb. Personal identification analyticalprocedures.
coded. Echo check b.Substantiate the accuracy of data through self-checking digits and hash totals.
28. The possibility of erasing a large amount of information stored on magnetic tape c.Reduce the level of required tests of controls to a relatively small amount.
most likelywould be reduced by the use ofa. File protection ringc. Completeness tests b. d.Access information stored on computer files while having a limited understanding of
Check digits d. Conversion verification theclient’s hardware and software features.
29. Which of the following controls most likely would assure that an entity can 40. Auditors often make use of computer programs that perform routine processing
reconstruct itsfinancial records? functions suchas sorting and merging. These programs are made available by electronic
a.Hardware controls are built into the computer by the computer manufacturer. data processingcompanies and others and are specifically referred to as
b.Backup diskettes or tapes of files are stored away from originals. a.Compiler programsc. Utility programs b.Supervisory programs d. User programs
c.Personnel who are independent of data input perform parallel simulations. 41. Smith Corporation has numerous customers. A customer file is kept on disk storage.
d.System flowcharts provide accurate descriptions of input and output operations. Eachcustomer file contains name, address, credit limit, and account balance. The auditor
30. Mill Co. uses a batch processing method to process its sales transactions. Data on wishes totest this file to determine whether the credit limits are being exceeded. The
Mill’s salestransaction tape are electronically sorted by customer number and are best procedure forthe auditor to follow would be to
subject to programmededit checks in preparing its invoices, sales journals, and updated a.Develop test data that would cause some account balances to exceed the credit limit
customer account balances.One of the direct outputs of the creation of this tape most anddetermine if the system properly detects such situations.b.Develop a program to
likely would be a compare credit limits with account balances and print out the detailsof any account with
a.Report showing exceptions and control totals. a balance exceeding its credit limit.c.Request a printout of all account balances so they
b.Printout of the updated inventory records. can be manually checked against thecredit limits.d.Request a printout of a sample of
c.Report showing overdue accounts receivable. account balances so they can be individually checkedagainst the credit limits.
d.Printout of the sales price master file 42. The use of generalized audit software package
a.Relieves an auditor of the typical tasks of investigating exceptions, verifying sources
Page 11 of 15  ofinformation, and evaluating reports.b.Is a major aid in retrieving information from
AT-030507 computerized files.c.Overcomes the need for an auditor to learn much about
31. Using microcomputers in auditing may affect the methods used to review the work computers.
of staffassistants because d.Is a form of auditing around the computer.
a.The audit field work standards for supervision may differ.b.Documenting the 43. An auditor used test data to verify the existence of controls in a certain computer
supervisory review may require assistance of consulting servicespersonnel.c.Supervisory program.Even though the program performed well on the test, the auditor may still
personnel may not have an understanding of the capabilities and limitations have a concern that
ofmicrocomputers.d.Working paper documentation may not contain readily observable a.The program tested is the same one used in the regular production runs.b.Generalized
details of calculations. audit software may have been a better tool to use.c.Data entry procedures may change
32. An auditor anticipates assessing control risk at a low level in a computerized and render the test useless.d.The test data will not be relevant in subsequent audit
environment.Under these circumstances, on which of the following procedures would periods.
the auditor initiallyfocus?a. Programmed control procedures c. Output control 44. An auditor most likely would introduce test data into a computerized payroll system
proceduresb. Application control proceduresd. General control procedures to testinternal controls related to the
 33. After the preliminary phase of the review of a client’s EDP controls, an auditor may a.Existence of unclaimed payroll checks held by supervisors.b.Early cashing of payroll
decide notto perform tests of controls (compliance tests) related to the control checks by employees.c.Discovery of invalid employee I.D. numbers.
procedures within the EDPportion of the client’s internal control structure. Which of the d.Proper approval of overtime by supervisors.
following would not be a validreason for choosing to omit such tests? 45. When an auditor tests a computerized accounting system, which of the following is
a.The controls duplicate operative controls existing elsewhere in the structure.b.There true of thetest data approach?
appear to be major weaknesses that would preclude reliance on the a.Test data must consist of all possible valid and invalid conditions.
statedprocedure.c.The time and costs of testing exceed the time and costs in b.The program tested is different from the program used throughout the year by the
client.
c.Several transactions of each type must be tested. d.A limit check that an employee’s hours do not exceed 50 hours per work week.
d.Test data are processed by the client’s computer programs under the auditor’s 60. In a computerized system, procedure or problem-oriented language is converted to
control. machinelanguage through a(an)
46. Which of the following statements is not true to the test data approach when testing a.Interpreter b. Verifierc. Compilerd. Converter
acomputerized accounting system?a.The test need consist of only those valid and invalid 61. A customer erroneously ordered Item No. 86321 rather than item No. 83621. When
conditions which interest the auditorb.Only one transaction of each type need be this orderis processed, the vendor’s EDP department would identify the error with what
tested. type of control?a.Key verifying c. Batch totalb.Self-checking digitd. Item inspection
c.The test data must consist of all possible valid and invalid conditions.d.Test data are 62. The computer process whereby data processing is performed concurrently with a
processed by the client’s computer programs under the auditor’s control. particularactivity and the results are available soon enough to influence the course of
47. Which of the following is not among the errors that an auditor might include in the action being takenor the decision being made is called:
test datawhen auditing a client’s EDP system? a.Random access samplingc. On-line, real-time system  b.Integrated data processing d.
a.Numeric characters in alphanumeric fields.b.Authorized code Batch processing system
Page 13 of 15  63. Internal control is ineffective when computer department personnel
AT-030507 a.Participate in computer software acquisition decisions.b.Design documentation for
c.Differences in description of units of measure.d.Illogical entries in fields whose logic is computerized systems.c.Originate changes in master file.d.Provide physical security for
tested by programmed consistency checks. program files.
48. An auditor who is testing EDP controls in a payroll system would most likely use test 64. Test data, integrated test data and parallel simulation each require an auditor to
data thatcontain conditions such as prepare dataand computer programs. CPAs who lack either the technical expertise or
a.Deductions not authorized by employees.b.Overtime not approved by time to prepareprograms should request from the manufacturers or EDP consultants for
supervisors.c.Time tickets with invalid job numbers.d.Payroll checks with unauthorized a. The program Codec. Generalized audit software 
signatures. b.Flowchart checks d. Application controls
49. Auditing by testing the input and output of an EDP system instead of the computer 65. Which of the following best describes a fundamental control weakness often
programitself willa.Not detect program errors which do not show up in the output associated withelectronic data processing system?a.EDP equipment is more subject to
sampled. system error than manual processing is subject tohuman error.b.Monitoring is not an
b.Detect all program errors, regardless of the nature of the output.c.Provide the auditor adequate substitute for the use of test data.c.EDP equipment processes and records
with the same type of evidence.d.Not provide the auditor with confidence in the results similar transactions in a similar manner.
of the auditing procedures. d.Functions that would normally be separated in a manual system are combined in the
50. Which of the following computer-assisted auditing techniques allows fictitious and EDPsystem like the function of programmers and operators
realtransactions to be processed together without client operating personnel being .66. Which of the following tasks could not be performed when using a generalized audit
aware of thetesting process? softwarepackage?
a.Integrated test facilityc. Parallel simulationb.Input controls matrix d. Data entry a.Selecting inventory items for observations.b.Physical count of
monitor inventories.c.Comparison of inventory test counts with perpetual
51. Which of the following methods of testing application controls utilizes a generalized records.d.Summarizing inventory turnover statistics for obsolescence analysis
auditsoftware package prepared by the auditors? .67. All of the following are “auditing through the computer” techniques except
a.Parallel simulationc. Test data approachb.Integrated testing facility approach d. a. Reviewing source codec. Automated tracking and mapping b.Test-decking d.
Exception report tests Integrated test facility
52. Misstatements in a batch computer system caused by incorrect programs or data 68. The output of a parallel simulation should always be
may not bedetected immediately because a.Printed on a report.b.Compared with actual results manually.c.Compared with actual
a.Errors in some transactions may cause rejection of other transactions in the batch. results using a comparison program.d.Reconciled to actual processing output. 
b.The identification of errors in input data typically is not part of the program. Page 15 of 15 
c.There are time delays in processing transactions in a batch system. AT-030507
d.The processing of transactions in a batch system is not uniform. 69. Generalized audit software is a computer-assisted audit technique. It is one of the
53. Which of the following is not a characteristic of a batch processed computer system? widely usedtechnique for auditing computer application systems. Generalized audit
a.The collection of like transactions which are sorted and processed sequentially against software is most oftenused to
amaster file.b.Keypunching of transactions, followed by machine processing.c.The a.Verify computer processing.b.Process data fields under the control of the operation
production of manager.
numerous printouts.d.The posting of a transaction, as it occurs, to several files, without c.Independently analyze data files.d.Both a and b.
immediate printouts 70. From an audit viewpoint, which of the following represents a potential disadvantage
54. Where disk files are used, thegrandfather-father-son updating backup concept is associatedwith the widespread use of microcomputers?
relativelydifficult to implement because th a.Their portability.b.Their ease of access by novice users.
ea.Location of information points on disks is an extremely time consuming task. c.Their easily developed programs using spreadsheets which do not have to be
b.Magnetic fields and other environmental factors cause off-site storage to be documented.
impractical. d.All of the above.7
c.Information must be dumped in the form of hard copy if it is to be reviewed before 1. Which of the following functions would have the least effect on an audit if it was not
used inupdating.d.Process of updating old records is destructive. properlysegregated?
55. An auditor would most likely be concerned with which of the following controls in a a.The systems analyst and the programmer functions.b.The computer operator and
distributeddata processing system?a.Hardware controlsc. Access controls  programmer functions.c.The computer operator and the user functions.d.The
b.Systems documentation controls d. Disaster recovery controls applications programmer and the systems programmer.
56. If a control total were computed on each of the following data items, which would 72. To obtain evidence that user identification and password control procedures are
best beidentified as a hash total for a payroll EDP application?a. Total debits and total functioning asdesigned, an auditor would most likely
credits c.Department numbers b.Net pay d. Hours worked a.Attempt to sign on to the system using invalid user identifications and passwords.
57. Which of the following is a computer test made to ascertain whether a given b.Write a computer program that simulates the logic of the client’s access control
characteristicbelongs to the group? software.
a.Parity check c. Echo check c.Extract a random sample of processed transactions and ensure that the transactions
b.Validity checkd. Limit check wereappropriately authorized.d.Examine statements signed by employees stating that
  they have not divulged their useridentifications and passwords to any other person.
Page 14 of 15  SUGGESTEDANSWERS
AT-030507 1. D2. D3. D4. D5. D6. D7. D8. D9. A10. D11. B12. B13. A14. D15. A16. D17. D18. A19.
58. A control feature in an electronic data processing system requires the central B20. A21. D22. B23. A24. A25. D26. C27. A28. D29. D30. A31. A32. A33. C34. C35. A36.
processing unit(CPU) to send signals to the printer to activate the print mechanism for B37. A38. C39. C40. D41. D42. D43. A44. B45. A46. A47. B48. B49. D50. D51. A52. D53.
each character. Theprint mechanism, just prior to printing, sends a signal back to the D54. D55. D56. D57. D58. D59. D60. D61. D62. A63. CQUIZZERS 1. B2. C3. D4. C5. C6. D7.
CPU verifying that the properprint position has been activated. This type of hardware C8. D9. D10. B11. B12. D13. B14. B15. D16. C17. A18. A19. B20. B21. C22. C23. D24. D25.
control is referred to as A26. B27. B28. A29. B30. A31. D32. D33. D34. A35. A36. C37. B38. C39. D40. C41. B42.
a.Echo checkc. Signal controlb.Validity control d. Check digit control B43. A44. C45. D46. C47. A48. C49. A50. A51. A52. C53. D54. D55. C56. C57. B58. A59.
59. Which of the following is an example of a check digit? B60. C61. B62. C63. C64. C65. D66. B67. A68. B69. C70. B71. D72. A
a.An agreement of the total number of employees to the total number of checks printed -endofAT-5916
by thecomputer.b.An algebraically determined number produced by the other digits of
the employee number.c.A logic test that ensures all employee numbers are nine digits.

CIS Auditing IS Auditing Objectives

Understanding the CIS environment Understanding the CIS Environment
The effect of computerization in general and on internal controls CIS Processing  – operational source of data, e.g transaction records, customer records, inventory
Types of general & application controls used in CIS processes records,
The audit process in a CIS environment  Recording of transactions and records
To know the techniques of auditing using CAATs  Processing of such records
UNDERSTANDING THE CIS ENVIRONMENT 1  Producing documents such as invoices, receipts
This first part outlines the following:  Recording financial data
 The CIS Environment  Reporting status of transactions and records
 Risk Assessment of the CIS Environment CIS Processing – results of operations or administrative accounting in accordance with accounting
 The CIS and Accounting System – characteristics of application systems vs manual policies and procedures
processes  Lack of physical documentation, source records for transactions (audit trail)
CIS Environment  Lack of evidence on supervisory check / verification processes
 Issues in storage and retrieval of transactional records
 Changes in processing, storage and communication of financial data
2 v 2  Lecture Objectives
Understanding the CIS environment
The effect of computerization in general and on internal controls
Types of general & application controls used in CIS processes
The audit process in a CIS environment
To know the techniques of auditing using CAATs
THE EFFECT OF CIS IN GENERAL AND ITS IMPACT ON INTERNAL CONTROL 2
Understanding the CIS Environment
This first part outlines the following:
 Internal Control
 The Internal Control Environment
 Impact of CIS on Internal Control
Internal Control
DEFINITION
Internal control is a company’s system, defined and implemented under its responsibility.
It comprises a set of resources, patterns of conduct, procedures and actions adapted to the
individual characteristics of each company which:
CIS audit digram  contributes to the control over its activities, to the efficiency of its operations and to
 Identify the computerized environment. the efficient utilization of its resources, and
 Extent of computerization in the organization.  enables it to take into consideration, in an appropriate manner, all major risks, be
 The pervasiveness of computerization. they operational, financial or compliance.
 CIS as part of the organizational infrastructure. COSO1 defines internal control as: “A process, effected by an organization’s board of directors,
 Importance of the CIS in the organization. management, and other personnel, designed to provide reasonable assurance regarding the
 Management’s view of the CIS environment. achievement of objectives in the following categories:
Analyzing the CIS Environment • Effectiveness and efficiency of operations.
Risk Assessment of the CIS Environment • Reliability of financial reporting.
 Identify the business processes, criticality. • Compliance with applicable laws and regulations.”
 The automation of business processes. Internal control is a company’s system, defined and implemented under its responsibility, which
 To identify where should there be control points. aims to ensure that:
 To analyze processes against internal control.  Laws and regulations are complied with;
 Effectiveness of internal control.  The instructions and directional guidelines fixed by Executive Management or the
 Benefits of internal control. Management Board are applied;
 Efficiency of operations.  The company’s internal processes are functioning correctly, particularly those
Risk Management Overview implicating the security of its assets;
Risk management is the process of ensuring that the impact of threats exploiting vulnerabilities is  Financial information is reliable;
within acceptable limits at an acceptable cost. At a high level, this is accomplished by balancing risk and generally, contributes to the control over its activities, to the efficiency of its operations and to
exposure against mitigation costs and implementing appropriate countermeasures and controls. the efficient utilisation of its resources.                            Internal Control Framework: IIA Website
Extracted from CISM Review Course, 2005 COSO Internal Control Integrated Network
Risk is a feature of business life and since it is impractical and uneconomical to eliminate all risks, every Internal Control Components
organization has a level of risk it will accept.  An organisation comprising a clear definition of responsibilities, with suitable resources
Faced with risk, organizations have four strategic choices: and competencies and supported by appropriate procedures, information systems, tools
 Terminate the activity giving rise to risk and practices;
 Transfer risk to another party  The in-house dissemination of relevant and reliable information, the awareness of
 Reduce risk by using of appropriate control measures or mechanisms which enables everyone to exercise their responsibilities;
 Accept the risk  A system for identifying and analysing the main identifiable risks in relation to the
Risk Analysis Framework company s objectives and for ensuring that procedures exist for managing those risks;
Risk Management Process – main elements Risk identification
–        Establish context  The company identifies the main identifiable risks, both internal and external, which
–        Identify risks could have an impact on the likelihood of it meeting the objectives it has fixed for itself.
–        Analyze risks This identification process, which is on-going, should cover those risks which could have
–        Evaluate risks a significant impact on its situation.
–        Treat risks Risk analysis
–        Monitor and Review  This involves taking into consideration the likelihood of the risks occurring and their
–        Communicate and consult potential seriousness, as well as considering the environment and existing control
Understanding the CIS Environment measures. These different
CIS, Financial Management Systems or Integrated Accounting Systems  elements are not static, on the contrary, they form part of the risk management
 What are the CIS application systems available. process.
 How does management utilizes CIS. Risk management procedures
 On a daily or monthly basis, for decision-making.  Executive Management or the Management Board, supported by a risk management
 For financial reporting, performance measurement. function, if there is one, should define risk management procedures.
 Effectiveness of the various application systems’ integration. Control activities proportionate to the implications of each individual process and designed to reduce
Characteristics of computerized accounting system the risks that could affect the company s ability to achieve its objectives;
Financial Management Systems Nature of Control vs Impact
Monitoring, Controlling, Reporting  On-going monitoring of the internal control system together with a regular review of
& Decision Making the way it is operating.
Sales, Purchasing, Inventory COSO Monitoring Process
Marketing  Another useful complement to the monitoring tools can be to keep an active watch on
Acc Payable internal control best practices.
Acc Receivable  Monitoring, together with the best practices watch, culminate, where required, in the
Bad Debts implementation of corrective actions and adjustments to the internal control system.
Depreciation  Executive Management or the Management Board should assess the parameters for
P&L informing the Board of the main results of the monitoring and reviews thus performed.
Interrelationships of CobiT These include physical protection of computer equipment, software and data and also loss of assets
Controls in CIS Environment and information through theft and unauthorised use. For example, special room for computer and
Impact on Internal Control environment equipments or separate building and accessible to the room or building must be limited to the
An example of impact of Internal Control in CIS would be the application of IT Controls. authorised personnel only. Also includes recovery procedures for lost data. Example:  Financial
IT Control Components Institutions.
The audit process provides a formal structure for addressing IT controls within the overall system of Application Software Development, Acquisition and Maintenance Controls
internal controls. Figure 1, The Structure of IT Auditing, below, divides the assessment into a logical These are controls that ensure any software acquired to be of specific standards for integration and
series of steps. installation purposes into the current systems.  Any non-compliance may result in incompatible
The internal auditor’s role in IT controls begins with a sound conceptual understanding and culminates software acquired or failure of integration.
in providing the results of risk and control assessments. Application system acquisition, development and maintenance controls
Internal auditors interact with the people responsible for controls and must pursue continuous Application system; for example an accounting system for reporting and decision-making.
learning and reassessment as new technologies emerge and the organization’s opportunities, uses, Controls on these is critical for ensuring the reliability of information processing. It might be better to
dependencies, strategies, risks, and requirements change. have involvement of internal and external auditors in early stage to design the system to ensure proper
Assessing IT Controls GTAG1 control incorporate to the system.
IT Control Components These are usually defined as:
IT controls encompass those processes that provide assurance for information and information  Controls over input – source or primary data
services and help mitigate the risks associated with an organization’s use of technology.  Controls over processing – processing data and updating masterfiles.
These controls range from written corporate policies to their implementation within coded  Control over output – results of processing or updating, e.g. change in total, balances,
instructions; from physical access protection to the ability to trace actions and transactions to the transactions.
individuals who are responsible for them; and from automatic edits to reasonability analysis for large The objective is to ensure or preserve data integrity.
bodies of data. These are usually defined as:
IT Controls Input Controls
BUSINESS AND IT CONTROLS These are usually controls over source documents and can be in both physical and virtual forms. 
The enterprise’s system of internal controls impacts IT at three levels: Physical would be in form of restricted access or custody, serially pre-numbered, controlled items. 
 At the executive management level, business objectives are set, policies are established Virtual can be that upon keying in the systems assigns unique identification codes, transaction codes,
and decisions are made on how to deploy and manage the resources of the enterprise etc.
to execute the enterprise strategy. The overall approach to governance and control is Input Controls
established by the board and communicated throughout the enterprise. The IT control To ensure the following:
environment is directed by this top-level set of objectives and policies.  To ensure the transactions properly authorised before being processes by the computer.
 At the business process level, controls are applied to specific business activities. Most  To ensure transactions are accurately converted into machine readable form and
business processes are automated and integrated with IT application systems, resulting recorded in the computer data files.
in many of the controls at this level being automated as well. These controls are known  To ensure the transactions are not lost, added, duplicated and modified.
as application controls.  To ensure incorrect transactions are rejected, corrected and re-submit.
 However, some controls within the business process remain as manual procedures, such These are usually defined as:
as authorisation for transactions, separation of duties and manual reconciliations. Processing Controls
Therefore, controls at the business process level are a combination of manual controls These controls are in form of e.g. batch numbers, control totals, hash totals, hash count, system
operated by the business and automated business and application controls. assigned prefixes or suffixes to transaction numbers.  These controls will ensure that there are no
 To support the business processes, IT provides IT services, usually in a shared service to unauthorized or fraudulent transactions ‘inserted’ in the output or transaction listings.
many business processes, as many of the development and operational IT processes are These are usually defined as:
provided to the whole enterprise, and much of the IT infrastructure is provided as a Processing Controls
common service (e.g., networks, databases, operating systems and storage). The Control over processing and computer data files
controls applied to all IT service activities are known as IT general controls. The reliable  To ensure that all transactions keyed in are being processed by the computer and data
operation of these general controls is necessary for reliance to be placed on application files are properly stored and secured.
controls. For example, poor change management could jeopardise (accidentally or  Processing errors are identified and corrected in a timely basis.
deliberately) the reliability of automated integrity checks. These are usually defined as:
3 v 2    Lecture Objectives Output Controls
Understanding the CIS environment These are similar to processing controls but they are for output purposes to ensure accuracy and
The effect of computerization in general and on internal controls reliability of data generated.  With the output reports or listings generated or output files, there will be
Types of general & application controls used in CIS processes similar processing checks in form of control totals, hash counts, suffixes, integrity identifier codes
The audit process in a CIS environment generated.
To know the techniques of auditing using CAATs These are usually defined as:
TYPES OF CONTROL IN A CIS ENVIRONMENT 3 Output Controls
Understanding the CIS Environment Designed to provide reasonable assurance that:-
This third part outlines the following:  Result of processing are accurate
 Types of Control in CIS Environment  Access to output is restricted to authorised personnel
 General Controls  Output is provided to appropriate authorised personnel on a timely basis
 Application Controls Issuing of Purchase Requisition to Acccepting the Purchase Invoice
Controls in CIS Environment –        Segregation of duties between the user department ordering the goods, the goods received
In a CIS Environment, there are generally 2 categories of controls, General CIS Environmental Controls department, the procurement department and the accounts department
and Application System Controls –        Before issuing the purchase order, the buying department should check that the user department
Firstly, these controls are to address the computerized environment and secondly, there are specific is authorised to purchase the goods that have requested.
controls to address the different business applications in such an environment. –        Goods are only purchased from authorised supplier. If it is a new supplier, validation of that
General Controls in CIS Environment supplier should be done before the order.
These are usually defined as: Issuing of Purchase Requisition to Acccepting the Purchase Invoice cont’d
 Data Centre or Computer Operations controls –        Must be independent check from buying department on the quality, price and service of the
 System Development controls supplier.
 System Security controls (access security) –        The purchase order should be keyed into computer by procurement department, sent to
 General Application System / Software controls; acquisition, development and supplier, user department and accounts department.
maintenance –        Accounts department upon receipt of purchase invoice, match with purchase order.
 The objective is to ensure Confidentiality, Integrity and Availability of information. –        User department check the goods against requisitions and specifications.
General Controls in CIS Environment Business, General & Application Controls
Data Centre or Computer Operation Controls Application Controls Versus IT General Controls
These are primarily controls that relate to data processing security and controls.  These controls relate  It is important to understand the relationship and difference between application
to the security of the data centre, batch processing of data, backups and custody of storage media.  It controls and Information Technology General Controls (ITGCs).
is also important that such an environment is not accessed by unauthorized persons such as  Otherwise, an application control review may not be scoped appropriately, thereby
programmers and hackers as this could compromised the data integrity. impacting the quality of the audit and its coverage.
Software Development Controls  ITGCs apply to all systems components, processes, and data present in an organization
These are controls that ensure all program changes are duly authorized.  Unauthorized changes can be or systems environment.
due to attempts to defraud by exempting accounts from being processed or processed in an improper  The objectives of these controls are to ensure the appropriate development and
manner, inconsistent with authorized policies and procedures. implementation of applications, as well as the integrity of program and data files and of
System Security Controls (Access Security) computer operations.
These are controls that provides privileges or rights of access to specific individual or group of persons Information Technology General Controls
in accordance with their tasks and job functions.  Improper assignment of such access rights can result The most common ITGCs are:
in unauthorized access to data and other information and resources.  Logical access controls over infrastructure, applications, and data.
System Security Controls (Access Security)  System development life cycle controls.
Access Security Control  Program change management controls.
  Physical security controls over the data center.  Another valuable service internal auditors can provide during a new system
 System and data backup and recovery controls. implementation or significant upgrade is an extension of the independent risk
 Computer operation controls assessment.
Difference  More specifically, auditors can assist management with the design of controls to
 Because application controls relate to the transactions and data pertaining to each mitigate the risks identified during the risk assessment. The internal auditors assigned to
computer-based application system, they are specific to each individual application. this activity should be a part of the implementation team, not an adjunct.
 The objectives of application controls are to ensure the completeness and accuracy of  Therefore, the tasks, time, and number of internal audit resources required for the
records, as well as the validity of the entries made to each record, as the result of design of application controls need to be built into the overall project plan.
program processing. Controls Testing
 In other words, application controls are specific to a given application, whereas ITGCs  If the implementation team has designed and deployed controls based on the risk
are not. assessment, or without the benefit of one, internal auditors can provide value by
Nature of Application Controls independently testing the application controls.
 Cost effective and efficient means to manage risk  This test should determine if the controls are designed adequately and will operate
 Reliant on the effectiveness on the IT general control environment effectively once the application is deployed. If any of the controls are designed
 Approach varies for complex versus non-complex environments inadequately or do not operate effectively, auditors should present this information
Benefits of Application Controls along with any recommendations to management to prevent the presence of
 Reliability unmanaged risks when the application is fully deployed.
–        Reduces likelihood of errors due to manual intervention Application Reviews
 Benchmarking  Transactional and support applications require control reviews from time to time based
–        Reliance on IT general controls can lead to concluding the application controls are effective year on their significance to the overall control environment. The frequency, scope, and
to year without re-testing depth of these reviews should vary based on the application’s type and impact on
 Time and cost savings financial reporting, regulatory compliance, or operational requirements, and the
–        Typically application controls take less time to test and only require testing once as long as the IT organization’s reliance on the controls within the application for risk management
general controls are effective purposes.
Sample Detailed Review Program AUDIT RISK ASSESSMENT
 Suggested tests Assess Risk
–        Test input controls to ensure transactions are added into and accepted by the application,  The auditor should use risk assessment techniques to identify critical vulnerabilities
processed only once and have no duplications pertaining to the organization’s reporting, and operational and compliance
–        Test processing controls to ensure transactions are accepted by the application, processed with requirements when developing the risk assessment review plan.
valid logic, carried through all phases of processing and updated to the correct data files These techniques include:
Conclusion • The review’s nature, timing, and extent.
 Application controls are a cost effective and efficient means to manage risk. • The critical business functions supported by application controls.
 Internal auditors should determine that their organization’s application controls are • The extent of time and resources to be expended on the review.
designed appropriately and operating effectively. In addition, auditors should ask four key questions when determining
 Consider benchmarking as a way to further reduce the testing effort the review’s appropriate scope:
4 v 2 Lecture Objectives 1. What are the biggest organization wide risks and main audit committee concerns that
Understanding the CIS environment need to be assessed and managed while taking management views into account?
The effect of computerization in general and on internal controls 2.   Which business processes are impacted by these risks?
Types of general & application controls used in CIS processes 3.   Which systems are used to perform these processes?
The audit process in a CIS environment 4.   Where are processes performed
To know the techniques of auditing using CAATs  When identifying risks, auditors may find it useful to employ a top-down risk assessment
AUDITING IN A CIS ENVIRONMENT 4 to determine which applications to include as part of the control review and what tests
This fourth part outlines the following: need to be performed.
 How does the CIS Environment affects auditing  For instance, Figure 1 outlines an effective methodology for identifying financial
 Auditor’s skill and competency reporting risks and the scope of the review. Please note this illustration does not
 Risk assessment represent the only way to conduct all types of risk assessment.
 Audit planning Risk Assessment
 Audit procedures The nature of the risk in CIS environment includes:-
AUDIT APPROACH n      Lack of transaction trail. Audit trail may available for the short period or not in the form of
Auditing takes place usually after the risk analysis or evaluation and the implementation of internal computer readable form. Or if the transaction is too complex and high volume, errors may embedded
controls. in application’s program logic and  difficult to detect on a timely basis.
The purpose is to ensure that all risks are adequately addressed, shortcomings and weaknesses are n      Lack of segregation of duties. Many of control procedures are performed by separate individual in
duly reported on continuous basis. manual systems but may not in CIS.
Identified and understood the environment. n      Potential for errors and irregularities. Potential for human error and unable to detect the error
What are the risks and controls in such an environment? may be greater in CIS. Also the potential of unauthorised access to data without visible evidence may
What are the specific application controls in such an environment? be greater in CIS than manual system. Furthermore, decreased human involvement in handling
To review such risks and controls and plan an audit. transaction in CIS can reduce “check and balance” activities that may cause error unable to detect.
Auditing in CIS environment Risk Assessment
 The auditor need to consider how CIS environment affects the audit. The overall audit The nature of the risk in CIS environment includes:-
objective and scope does not change but the use of CIS have changed the processing, Initiation or execution of transaction. CIS may have capabilities to execution transaction automatically.
storage and communication of financial information and also may affect internal control For example calculation of depreciation. The authorization for transaction is not available.
of an entity. Lack of visible output. Certain transaction or result may not be printed. Thus, the lack of visible
 CIS may affect the audit process on the following: output may result in the need to access data retained on files readable only by computer.
–        Skill and Competence Ease of access to data and computer programs. Data and computer programs can be accessed and
–        Planning altered at the computer or from the remote location. Therefore, auditor should review the appropriate
–        Risk assessment, i.e. assessment of inherent risk and control risk control measure to prevented unauthorised access and alteration of the data.
–        Audit procedures What can go wrong?
 Procedures in obtaining understanding accounting and internal control, i.e. audit around Availability, security, integrity, confidentiality, effectiveness and efficiency
computer.  Type of risks
 Performing test of control and substantive test, i.e. audit through computer. –        Pervasive: impact the enterprise as a whole
AUDIT SKILL & COMPETENCY –        Specific risks
Skill and Competence  Consider three dimensions
 Auditor should have sufficient knowledge of CIS to plan, direct, supervise and review –        Each company will have a unique risk profile
work performed. The auditor needs:- –        IT-related risk is not static , but changing dynamically
1. Obtain sufficient understanding of the accounting and internal control affected by the –        Proliferation: when evaluating IT-related risk, keep in mind its additive nature
CIS environment  Consider impact and likelihood
2. Determine the effect of CIS on the procedures to assess the audit risk  Traditional risk assessment process may not be suitable for IT risk assessment
3. Able to design and perform appropriate test of control and substantive test  IT Risk assessment process should
4. If required, auditor may seek for assistance of the expert. –        Be performed in depth every year, not just an update of the prior year.
 In addition, according to The IIA’s International Standards for the Professional Practice –        Considers all the layers of the IT environment.
of Internal Auditing (Standards) —specifically Standards 1220 and 1210.A3 — internal –        Considers both static and dynamic risks.
auditors need to apply the care and skill of a reasonably prudent and competent –        Not strictly be based on interviews, but use other discovery techniques.
auditor, as well as have the necessary knowledge of key IT risks, controls, and audit –        Be supplemented with the appropriate level of analysis after discovery.
techniques to perform their assigned work, although not all internal auditors are –        Be performed by the appropriate personnel.
expected to have the expertise of an auditor whose primary responsibility is IT. AUDIT PLANNING
Design of Controls
  After completing the risk evaluation and determining the scope of the review, auditors Understanding the CIS environment
need to focus on the development and communication of the detailed review plan. The The effect of computerization in general and on internal controls
first step in developing the detailed review plan is to create a planning memorandum Types of general & application controls used in CIS processes
that lists the following application control review components: The audit process in a CIS environment
• All review procedures to be performed. To know the techniques of auditing using CAATs
• Any computer-assisted tools, techniques used & how they are used. COMPUTER AS AN AUDIT TOOL AND COMPUTER-ASSISTED AUDIT TECHNIQUES 5
• Sample sizes, if applicable. Understanding the CIS Environment
• Review items to be selected. This part outlines the following:
• Timing of the review.  The use of the computer as an audit tool
 When preparing the memorandum, all of the required internal audit resources need to  Audit software purpose
be included on the planning team. This is also the time when IT specialists need to be  Factors to consider upon choosing one
identified and included as part of the planning process.  Audit software: off-the-shelf or development of such software?
 After completing the planning memorandum, the auditor needs to prepare a detailed  Using Audit software
review program. When preparing the review program, a meeting should be held with The use of computer as an Audit Tool
management to discuss: Auditor take laptops to the client’s premises for use as an audit tool to perform various audit task, such
• Management’s concerns regarding risks. as:-
• Previously reported issues. 1.
• Internal auditing’s risk and control assessment. 1. Spreadsheets
• A summary of the review’s methodology.  Trial balance and lead schedule
• The review’s scope.  Time and cost budgeting
• How concerns will be communicated.  Analytical procedures
Planning  Audit documentation, e.g. audit confirmation
In Planning, auditor should obtain an understanding the significance and complexity of CIS activities  Audit programme preparation
and the availability of data for use in the audit. The understanding include:-  Documentation of internal control – Preparation of flowchart
1.  Communication and Reports
1. The volume of transaction that would make users difficult to identify and  Select sample for testing
correct errors.  Analyse result, by means of explanation to population as a whole
2. The computer automatically generates transactions direct from/to 1.
another application. Example: From production department 1. Word processor
automatically inventory information. 1.
3.   The Computer performs complicated computations of financial information. 1. Statistical Packages
4.   Transactions are exchanged electronically with other organization. 1.
5.   Organization structure of entity also may changed. For example: IT department as part of the 1. CAATs
structure and responsible for control application of CIS as a whole. Computer-assisted Audit Techniques
6.   The availability of data such as source document, computer data files and other evidential matter  Computer-assisted audit techniques (CAATs) make use of computer applications, such as
that may required by the auditor. ACL, IDEA, VIRSA, SAS, SQL, Excel, Crystal Reports, Business Objects, Access, and Word,
1. to automate and facilitate the audit process. The use of CAATs helps to ensure that
1. The assessment of risk. The auditor should obtain an understanding of appropriate coverage is in place for an application control review, particularly when
CIS environment may influence the assessment of inherent and control there are thousands, or perhaps millions, of transactions occurring during a test period.
risk.  In these situations, it would be impossible to obtain adequate information in a format
2. The potential for use of CAATs. The case of processing large quantities of that can be reviewed without the use of an automated tool.
data using computers may provide the auditor with opportunity to apply  Because CAATs provide the ability to analyze large volumes of data, a well-designed
general or specialized CAAT in execution of audit test. audit supported by CAAT testing can perform a complete review of all transactions and
AUDIT PROCEDURES uncover abnormalities (e.g., duplicate vendors or transactions) or a set of
Business Process Method predetermined control issues (e.g., segregation of duty conflicts).
 In the previous chapter, the business process method was identified as being the most Using CAATs – IS Auditing Guideline G3
widely used for application control review scoping. In today’s world, many transactional  CAATs include many types of tools and techniques, such as generalised audit software,
applications are integrated into an ERP system. Because business transactions that flow customised queries or scripts, utility software, software tracing and mapping, and audit
through these ERP systems can touch several modules along their life cycle, the best expert systems.
way to perform the review is to use a business process or cycle approach (i.e.,  CAATs may be used in performing various audit procedures including:
identifying the transactions that either create, change, or delete data within a business • Tests of details of transactions and balances
process and, at a minimum, testing the associated input, processing, and output • Analytical review procedures
application controls). • Compliance tests of IS general controls
Documentation Techniques • Compliance tests of IS application controls
 In addition to the documentation standards used by internal auditors, the following are • Penetration testing
suggested approaches for documenting each application control.  Decision Factors for Using CAATs
Flowcharts  When planning the audit, the IS auditor should consider an appropriate combination of
 Flowcharts are one of the most effective techniques used to capture the flow of manual techniques and CAATs. In determining whether to use CAATs, the factors to be
transactions, associated application and manual controls used within an end-to-end considered include:
business process, because they illustrate transaction flows.  Computer knowledge, expertise, and experience of the IS auditor
Process Narratives  Availability of suitable CAATs and IS facilities
 Process narratives are another technique available to document business process  Efficiency and effectiveness of using CAATs over manual techniques
transaction flows with their associated applications & best used as a documentation tool  Time constraints
for relatively non-complex business processes and IT environments.  Integrity of the information system and IT environment
Audit procedures  Level of audit risk
The auditor’s specific objective do not change whether the accounting Pre-requisites of Using CAATs
data is processed manually or by the computer. However, method of Connectivity and Access to Data
applying audit procedures to gather evidence may different.  Auditor The first prerequisite for using audit software is access to data. The auditor needs to obtain access to
may perform audit procedures manually or use CAAT or combination of both. the “live” production data.
Auditing around the computer The auditor then needs to obtain “read only” access to the files/tables that hold the data and can
Auditor does not examine the computer processing but perform transfer the data files to the notebook computer. Once this is done, the audit software can use the
procedures to obtain understanding accounting and internal control:- data files and perform the audit. It is necessary to ensure that the data that are downloaded are the
 Emphasis on ensuring the completeness, accuracy and validity of actual copy from the real production data.
information by comparing the output reports with the input documents Knowledge of the Application and Data
 To ensure the effectiveness of input controls and output controls The IS auditor needs to know technical details of the platform on which the application is built.
 To ensure the adequacy of segregation of duties Knowledge of the files or tables in which the data reside also is necessary.
 Auditing through the computer The auditor needs to get the file description and the data field types. If certain codes are used in the
–        Auditor performing test of control and substantive test. For example: “test data” enable the tables, the corresponding description of the codes also needs to be known.
auditor to examine the computer processing, internal control of the client CIS. Audit Skills and Identifying the Concerns
–        Auditor may used use CAAT in this procedures. CAAT – helps auditor in organizing, analyzing and After the data are downloaded and ready for analysis by the audit software, the auditor needs to know
extracting computerized data and re-performing computation and other processing. what control concerns are to be tested and validated.
Executing IT Auditing This is probably even more basic than the skill needed to download the data. Audit software has many
 Normal Audit process features but the features cannot perform an audit on their own.
 Consider IT audit by using frameworks and standards, such as The auditor has to design the procedures and tests. The tests that the auditor carries out are designed
–        COSO, CoBIT, ISO27001/17799… using the knowledge of the application, the business rules behind the function and the findings of the
5 v 2 Lecture Objectives application review.
 The kind of tests that are run will vary with the applications.  1st step: Set audit objectives, i.e. to test accuracy of AR, select sample for confirmation
For example, in a procurement audit, the auditor may download the purchase order and related files and print out confirmation and monthly statement of selected sample.
and perform analysis of prices.  2nd Step: Design the application, i.e. identify data and design format of confirmation.
In a financial accounting application, the auditor may analyze expenses on dollar value, revenue  3rd Step: Ensure package program able to read data
expenditure, account head, and department or cost code.  4th Step: Process the application, i.e. access the entity’s AR database with package
In a banking application, the auditor may verify interest payments using the audit software. program. The program will process automatically according to the instruction
In a sales application, the correctness of product prices or incentives may be analyzed.  5th Step: Evaluate the result. i.e. verify output, review confirmation letter and monthly
It is the audit skill of determining what is to be verified and tested, coupled with the knowledge of the statement and sent confirmation.
business and the application, that makes the software actually do the audit work.  Audit Software (Continue……):
Issues –        Written program is audit software written by the auditors for specific audit tasks and it is
 The first-time deployment of audit software in any organization is not without pain. necessary when the entity’s CIS system is not compatible with Generalized Audit Software. It is good to
Problems will occur in almost all areas, beginning with the reluctance of the IS staff. develop if the auditor can use it in doing auditing for the future. However, it is expensive, take longer
 Following this are obtaining access to the production data, fearing that the audit time to develop  and need modification for every time an entity’s change their system. Auditor also
software may interfere with the processing, the improper processing of downloads, the need an IT expert to help in developing the program.
incorrect input of file definitions and so on.  Common type of CAAT are Audit Software and Test Data……
 Investing in training on the audit software is essential and this cost should be considered  Test Data: data used by the auditor to test the operation of the enterprise’s computer
while purchasing the software. The training should not be confined to the commands program.
and menus in the software but must include real-life exercises using one of the –        The auditor uses test data primarily for testing the application controls in the entity’s computer
applications running in the organization. programmes.
 It also would help if the trainer is not strictly an IT person, but has some audit –        For example: Auditor creates a set of simulated data which include both valid data and invalid
background, too. Although the first attempt at using audit software is painstaking, there data. Then, the auditor manually calculates the result from the simulated data.
need be no doubts on the benefits and gains of continued deployment, so the need is to –        With the simulation data entered into the entity’s computer program, the valid data should be
persevere and win through the initial difficulties with help from the IS department and properly processed and invalid data should be identified as error. The results are compared to the
the trainer. auditor’s predetermined result.
Computer-Assisted Audit Techniques (CAATs) –        Another example: Unauthorized password may be used in an attempt to gain entry, transaction
 ISA 401 “Auditing in a CIS Environment” discusses some of the uses of CAATs in the with incorrect coding and transaction with non-existing customer or suppliers. These to ensure that the
following condition:- system is properly rejects invalid transactions
–        The absence of input document or lack of visible audit trail Potential benefit of using CAATs ……
–        The effectiveness of efficiency of auditing procedures may be improved through the use of  Audit Time may be saved
CAATs.  Ability to scrutinize large volume of data
 Normally being used by big auditing firm for the their big clients.  Eliminate manual casting, cross casting
 Common type of CAATs are “Audit Software” and “Test Data”.  Less manual procedures
 Audit Software: computer programs used for audit purposes to examine the contents of  The auditor does not necessarily have to be present at client’s office
the client’s file.  Review and finalizing time may be reduced
Audit software are used during substantive testing to determine the reliability of accounting controls  With data volumes growing and management expectations on assurances becoming
and integrity of computerised accounting records. Typical testing includes:- more specific, random verifications and testing do not yield the desired value. The use
–        Calculation checks, check addition, select high value, negative value of audit software ensures 100 percent scrutiny of transactions in which there is audit
–        Detecting violation of system rules – e.g. the program checks all accounts on sales ledger to interest, and pointed identification and zeroing in on erroneous/exceptional
ensure that no customer has a balance above credit limit transactions, even when data volumes are huge. And all this can be done in a fraction of
–        Detecting unreasonable items – e.g. check that no customers are allowed trade discount of more the time required with manual methods.
than 50%  Another advantage of the audit software is the uniform user friendly interface that the
–        Conducting new calculations and analyses – e.g. obtain analysis of static and slow moving stocks audit software presents to the auditor for performing all the tasks, irrespective of the
–        Selecting items for audit testing – e.g. obtain the sample to sent confirmation. data formats or the underlying technology used by the application. The audit software
–        Completeness checks – e.g. checking continuity of sales invoices to ensure they are all accounted also maintains logs of the tests done for review by peers and seniors, and advanced
for. features allow the programming of certain macros and routines that can further
 Factors that the auditor to consider in deciding whether to use CAATs:- enhance audit speeds and efficiency.
–        If no visible evidence available and the only way is CAATs OTHER ASPECTS OF IT ASSURANCE, SECURITY & GOVERNANCE
–        Cost that associated with CAATs IT Assurance – Performing audit over IT resources
–        The extent of the ability of CAATs to perform test on various financial statements items. IT Security – Securing IT resources
–        Time. Report need to be produced by the auditors within comparatively short time period. In IT Governance – Understanding and Commitment of the Board and Management
such cases it may be more efficient to use CAATs. SOURCES
–        The condition of hardware (computer) and the ability to support CAATs. MIA Handbook on International Audit Guidelines
 Audit Software Information Security and Control Association website (http://www.isaca.org)
–        Package Programs or Generalised Audit Software (GAS) Institute of Internal Auditors’ website (http://www.theiia.org)
–        Written Programs or Custom Audit Software. Certified Fraud Examiners Handbook
 Audit Software (Continue……): Federal Reserve website
–        Package programs are generalized computer programs designed to perform data processing Information Security sites; SANS, CCCure, etc.
functions such as read and extract data from entity’s computer files or database for further audit Information Security manuals, standards; NIST, ITIL, CoBIT, IEC/ISO 27001
testing, perform calculation, selecting sample and provide report. INTRODUCTION
–        For example, application of package program on  Account Receivables.
  Now-a-days, the corporate world is getting more and more inclined towards the use of Information 4.       Inexperienced personnel: Now-a-days, the technological advancement is occurring at a very fast pace.
technology (IT) and computer information system (CIS) in their daily operations. It has created a deficit of expertized staff to understand the current technology, both at client end as
  This has changed the manner in which the organisations’ carry out their operations and various business well as auditor end.
processes. 5.       Concentration of duties: Under CIS environment, more than one kind of task/function can be
  This has further led to change in the nature of audit evidences generated by each financial transaction. performed by an individual. This leads to difficulty in segregation of duties among individual.
  The method of collection and evaluation of audit evidences has also changed. Consequently, it gives rise to a number of security issues also.
  This requires auditors to possess reasonable knowledge about EDI, SDLC, CASE tools and various hardware 6.       Lack of audit trail: In computerised system, the processing of a transaction takes place instantly. This
& software used in the organisation. leads to loss of audit trail. Thus, auditor needs to apply some alternate procedure to compensate the
SCOPE OF AUDIT IN CIS ENVIRONMENT / IMPACT OF CIS ON AUDITING loss of audit trial.
The use of CIS in various organisations has caused drastic impact on audit approaches, techniques,
risk involved and internal control methods. Following factors (risks) must be given due consideration Audit Trail: It can be defined as a step-by-step record by which a transaction can be traced.

while framing an audit plan for an organisation:

1.       High speed and Automatic initiation/execution of transactions: In CIS environment, transactions are The auditor may apply one of the following methods to compensate the loss of audit trail:

processed instantly. Once the transaction is fed into the system, it might get executed automatically
without requiring for authorisation of the same. Similarly, reports (even complex one’s also) can be          i.       Special/Exceptional Reports: The auditor may ask the client to arrange special reports and print-

generated at a very high speed and can be viewed by multiple users at a time. Thus giving rise to outs. E.g.: sales orders for the month of December & March; purchase orders that have been short-

many security issues. closed by the purchase department.

2.       Uniform processing of transaction, hence low clerical error: While feeding input, processing
transactions and generating outputs, computer system performs multiple checks on data at each at        ii.       Tagging and Tracing:

each point of time. Moreover, the processing of transaction is in a uniform manner. Hence the clerical
errors generated are minimised. However, there is a shift of errors from human generated errors o   It is a method of compensating the audit trail.

towards system generated errors.

3.       Unintentional or system generated errors: As discussed earlier, there is a shift in nature of errors from o   It involves tagging the clients input data such that only relevant data is highlighted on the screen, which

human generated to system generated. Errors occur due to lack of experienced personnel. And errors needs to be verified by the auditor.

are mainly related to development, maintenance and execution of CIS.

o   E.g.: cash payments of more than ₨.20,000/-; debtors outstanding for more than 3 months; purchase order
pending for more than 30 days from expected delivery date; etc. Flat File System (Old Concept) Integrated Database System (New Concept)

      iii.       Alternative Review Procedures (ARP): It means to include a number of methods to compensate
audit trial, such as: In few words, in a flat file system, In this the transaction is entered only once and
users own their own data and the data corresponding to such transaction is
they are responsible of their shared by multiple users.
o   Auditors’ judgement: budgeting the figures and comparing them with actual figures.
respective data files.

o   Ratio analysis / checking critical ratios. This implies calculating certain ratios on the basis of budgeted data It works on client-server technology / topology.
It leads to data redundancy and
or previous period’s data or data from similar industries and comparing them with the actual data of repetition of tasks.
the client organisation. It contains a set of interrelated files. When input
is fed from one end, the master file (server)
E.g.: Try and visualise admission itself gets updated. This master file can be
o   Testing on total basis: if individual items can’t be checked in detail then auditor may take totals of system of a government retrieved by more than one user (clients).
reasonable chunks of data and check accordingly. college, where you are asked Hence reduces data redundancy.
to fill-up a hand-written form.

o   Clerical recreation: Auditor may manually generate certain figures that have been generated by the system E.g.: A person sitting at sales office issue Sales
(automatically).  On the basis of this form, the Invoice to its customer. Under this system
Admission Officer makes entry master files related to Sales and Debtors are
in his register (Book-1) and automatically updated. The person sitting in
     iv.            Use of CAAT: The auditor may take the help of white-box audit approach or CAATs. asks you to deposit the fees back-office can anytime check the Sales data
with the Cashier. or outstanding debtors.

7.       Auditor’s participation in SDLC and dependence on other (manual) controls: We know that there is a
constraint of audit trail in CIS environment. Thus, a computerised information system lacks manual  Now Cashier takes the fees and This kind of system is mainly used with On-Line /
passes receipt entry in his cash Real-Time Systems.
reasonableness. An information system of an organisation can only be effective if it has reasonable register (Book-2) and issues a
level of audit facilities integrated into it. Hence participation of auditor is highly important in SDLC. Cash Receipt.
Moreover, auditor may use certain manual methods also while performing the audit.
8.       Internal Control Environment & management supervision: The success of CIS highly depends upon the  Finally, you present the Cash
involvement of management in development and maintenance of CIS. Under CIS environment, the Receipt to the Admission
Officer and he issues you the
risk of fraud & error is relatively high. Thus higher management supervision and better internal
Admit Card and registers your
control environment is required. name in Student’s Register
9.       Use of CAAT: The audit under CIS environment cannot be carried by traditional (manual) approaches, (Book-3).

effectively. Since the processing of transaction in CIS environment is fast and complicated, the audit
must be carried out using computer assisted audit techniques (CAAT). This requires a reasonably  Later on the Accounts Officer will
update his own accounting
good amount of IT skills on part of the auditors.
records (Book-4) on the basis
IMPACT OF CHANGES ON BUSINESS PROCESS Cash Book & Students Register
1.       EDI: Electronic Data Inter-change, as the name suggests means exchange of maintained by above
mentioned two officers.
data/information/documents from one user to another, electronically (with the help of computers).
In other words, EDI is the computer-to-computer exchange of documents/information in public
standard format. Under EDI framework, once transaction (data) is fed into a computer many records It is evident from above example
that how one simple
are automatically updated. There is no need to re-enter the data into accounting system. This saves a transaction need to be
lot of time & effort and enables an error free transaction processing system (TPS). recorded in 4 separate set of
books kept with separate
2.       Process of recording transactions: Unlike, manual system where a transaction goes through a sequence
users.
of steps in order to get recorded in the principal books [Entry Ledger
Final Accounts (Balance Sheet and Profit & Loss Account)]. Under CIS environment, the
above mentioned three processes are carried out simultaneously.
3.       Accounting / Transaction Processing System: As mentioned above the CIS mechanism leads to
abandonment of maintenance primary records. 5.       Organisational structure: Since there is very high dependence of the organisation of CIS, no-a-days.
Thus, there is a need for separate department (group of people) to take care of IT needs of the
organisation. Some of the personnel are listed below:
Batch OLRT / RTOL Time Sharing & Service Bureau                      i.            EDP Manager: is responsible for overall management and administration of the IT
Processing System (Distinct & New Concept) department.
(Old Concept) (New                    ii.            Data Administrator: ascertains the data requirements of various users of information
Concept) system in the organisation.
                  iii.            Database Administrator: is responsible for operational efficiency and security of the
It is a simple OLRT – On-Line / Time sharing is a situation where a single organisational database.
system and Real-Time. computer serves more than one user.                  iv.            System Analyst: takes care of the information requirement of the users for new as well as
somewhat like existing applications; designs information system architecture to meet these requirements; facilitates
traditional Under this system A service bureau is an organisation which implementation of information systems and maintains documentation.
manual transaction processes transaction on behalf of its client                    v.            System Programmers: is responsible for the maintenance of operating system (OS)
system. are processed organisation. software, network and hardware requirements.
as soon as                  vi.            Application Programmer: designs new programs and modifies existing to meet the data
In this process they occur. E.g.: a service bureau handling payroll processing needs; remove errors and improves efficiency of the existing application software.
transactions (including ESI/PF) for a small company.                 vii.            Operation Specialist: plans and controls the day-to-day issues, which emerge during
are All the records are normal course of work, of the users of information.
accumulated updated If an organisation uses services of a service               viii.            Librarian: maintains library of magnetic media and documentation.
and processed simultaneousl bureau then the auditor must obtain 6.       Modified internal control base: In CIS environment since most of the processes are automated, the
in groups. y on reasonable evidences in support of the probability of occurrence of error substantially increases. Moreover, the risk of fraud is higher in CIS
occurrence of controls exercised by the client organisation environment, as it is less-easily identifiable. Thus, there is a shift in internal control base in CIS
In this files are not a transaction. over the activities performed by service environment as compared to traditional manual system. Following are two main categories of
updated bureau. internal control required in CIS environment:
quickly. E.g.: On issue of a
Sales invoice, Nowadays, many of accounting firms are doing
E.g.: Accountant Sales ledger this kind of activities. A.      General EDP Controls: B.      EDP Application Controls :
Overall controls over EDP Specific controls over specific
accumulates and debtor’s environment. applications.
all the cash ledger are
receipts updated,
vouchers for automatically. i.      Organisational & Management    i.     Control Over Inputs: These
the day and Controls: These controls are controls are drawn to assure that:
designed to establish an
updates his Software
organisation wide frame-work
accounting packages like for CIS activities. It includes: Transactions are properly authorised
record by the Tally, SAP, etc. before being processed by the
computer.
end of a works like this.   Designing appropriate control
working day. policies & procedure;
There are adequate checks installed in the
4.       Data Storage / file system: The data storage facilities and filing system of the organisation has gone
input form to assure the correctness
through drastic changes as result of changes in the style of carrying out business processes. Properly segregating duties among of data entered by the users.
various individuals.

Incorrect transactions are rejected,

 AUDIT SOFTWARE

ii.      System Software Controls: corrected and if necessary, The use of CAAT allows the auditor to test the reliability and credibility of the clients’ information
These controls are meant to resubmitted on a timely basis. system, without being much dependent upon the clients’ software. Now-a-days, there are a plenty of
provide assurance that system audit software options available with the auditor, with the help of which he can perform his audit
software is acquired or
developed in an authorised ii.     Control Over Processing & data independently and effectively. This audit software may include package programs, purpose-written
manner. It includes: files: These controls ensure that: programs, utility programs or system management program. These programs are explained as follows:
Transactions are properly processed by
   I.            Package Programs:
the computer.
Authorisation, approval, testing, Transactions are not lost, added o   These are generalised computer software packages.
implementation and duplicated or improperly changed. o   These packages come with a lot of generalised features and utilities, which can be used at many clients’
documentation of new system
software and system software site.
modification; o   Since these software packages are highly generalised and are available across the globe, so one does not
face any compatibility issues. Almost all the organisation maintains certain level of compatibility with
Restriction of access to system Processing errors are identified and these programs.
software and documentation to corrected on a timely basis. o   E.g. MS-Excel can be the most common example for such programs.
authorised personnel.
II.            Purpose-written Programs:
o   These programs are created to perform specific natured audit task.
iii.      Application System o   These packages are not available for sale in the open market. The auditor is required to get these programs
Development & Maintenance
Controls: These control are iii.     Control Over Output: They assure developed.
designed to provide assurance that: o   The auditor may appoint some outside agency to develop the program on his behalf (outsourcing) or he
that systems are developed and
may himself hire the programmers and get it built in-house.
maintained in an authorised and
efficient manner and also to o   While choosing the purpose-written program option, the auditor must take into consideration, the cost
establish control over: related issues.
Results of processing are complete, III.            Utility Programs:
testing, conversion, implementation accurate and through ride media. o   These programs are used to perform common data processing functions such as sorting; sampling;
and documentation of new documenting; creating, emailing & printing files/reports, etc.
revised system;
o   Although, these are not specifically designed for the audit purposes but can be extremely useful while
performing the audit.
changes made to application system;
Outputs so generated, satisfy the o   E.g. Acrobat’s Adobe Reader; Microsoft’s Office also consist of certain utility programs such as MS-Access,
requirement of the user. MS-Word, MS-PowerPoint, etc.
access to system documentation; IV.            System Management Software:
o   These software/programs are also not specifically meant for audit purpose.
Acquisition of application system o   These are productive tools, meant to enhance the performance of the Operating System.
from third parties.
Access to output is restricted to o   E.g.: Disk Defragment, Task Manager, Task Scheduler, Disk Clean-up, etc. are some of the examples of
authorised personnel. system management software.
iv.      Computer Operation Controls: USES OF CAAT
These help in controlling the
operations of the computer CAAT may be used to perform following audit procedures:
system. They assure that: 1.       Detailed and in-depth test of transactions and balances: The auditor can check the transaction in-depth
and in detail, since he can select a larger sample size. There is a lot of time saving, while applying CAAT,
The systems are used for authorised thus he may apply more time to analyse a transaction.
purposes only. 2.       Application of complex analytical review procedures: The can perform complex procedure and
calculations with the help of CIS. He may extract detailed and complex reports also to support his
Access to computer operation is procedure.
restricted to authorised 3.       Application of statistical sampling techniques to extract the relevant data: While extract data from the
personnel.
client’s information system, the auditor can take help of complex statistical and scientific techniques in
order to improve the quality and prudence of sample selected. Application of statistical and scientific
Only authorised programs are to be
methods is almost impossible, without the help of computer systems. E.g.: MS Excel is an application
used.
program that contains a number of statistical and mathematical formulae and techniques.
4.       Test of general EDP controls: The auditor may check various input controls; processing controls; output
Processing errors are detected and
corrected on timely basis. controls; data storage, transmission and security controls. The auditor can check the access rules and
procedure.
5.       Test of Application controls: The auditor can check the functioning of various applications installed and
v.      Data Entry & Program
Controls: These assures that: running in the system. The auditor may check the authenticity of various application programs.
6.       Re-Performing calculations and processing: The auditor can also re-perform calculations performed by
Access to data and program is the client’s accounting system.
restricted to authorised 7.       Better reporting Methods: Under CIS environment there are a number of reporting techniques are
personnel.
available with the auditor. The auditor can use of various graphical designs and multimedia techniques
in order to make his report effective, concrete and more catchy. E.g.: MS PowerPoint is one of the
An authorisation structure is software used to prepare presentations.
established over transaction
being entered into the system. CONSIDERATIONS IN USE OF CAAT

AUDIT APPROACH IN CIS ENVIRONMENT While planning an audit with the help of CAAT, the auditor must take care of the following factors:

There have been drastic changes in audit approaches and methodologies as a result of emergence of 1.       IT knowledge and experience of the Audit Team: Both the auditor and the audit team should have

CIS environment. The selection of one of the approaches depends upon the knowledge base sufficient skills and experience to handle the audit under CAAT.

expertise of Auditors. There are mainly two approaches for auditing in CIS environment that are 2.       Availability of relevant Audit Software and suitable computer facilities: The auditor can use the CAAT

explained as follows: and maintain the independence only if he has sufficient infrastructure, in the form of computer

A.      Black-box Approach (Auditing around the computer): In this approach, the auditor is mainly concerned hardware and audit software, available with him. Otherwise the cooperation and assistance of the

about the Inputs fed-in by the client and the output generated by the system. The auditor completely client entity’s personnel will be required.

ignores the internal processing of the Information System. 3.       Impracticability of manual test: Now-a-days, many organisations are adopting eco-friendly approaches

For example, while testing payroll of a company, under black-box approach, the auditor may first find while performing the business operations. Moreover, many computer information system perform

out the total monthly hours worked by selected employees from their respective time cards and then tasks where there is no hard copy evidence is generated. Hence making it impractical for the auditor to

he may check the salary/wage rate from the rate card to find out the salary/wage payable to each perform the tests manually.

employee. On the basis of above, the auditor ascertains his own output by comparing hours, rates, 4.       Effective and Efficiency: With the help of CAAT, it is possible to test large number of transactions

extensions, over-time & leaves. Finally, the auditor compares his own results with the system together with a better level of precision. This brings efficiency and effectiveness in performing the

generated results. audit assignment.

The biggest advantage of auditing around the computer is the ease and simplicity, since the auditor 5.       Time Constraint: The auditor is required to perform the assignment in the limited time span. Whereas, a

does not require in-depth knowledge of system application program in order to perform his duties. large amount of data is required to be stored (such as transaction details and reports) for such short

On the contrary, a major disadvantage is that, under this approach, the auditor is completely audit period. Thus the auditor is required to make arrangement for retention and retrieval of data.

ignorant about the internal processes of the system. Moreover, in order to generate certain complex 6.       Detection of fraud and error: The CAAT allows the auditor to plan and execute the audit work more

reports, print-outs cannot be arranged to apply the audit procedures. effectively with the help of sophisticated audit software. But, under CIS environment, frauds are

White-Box Approach (Auditing through the computer): Under this approach, the auditor is not only intentional and generally deep-laid. Moreover, there are chances that some frauds are highlighted, but

concerned with the subject matter of the audit (i.e. inputs and outputs), but also with the internal there is no concrete evidence to prove the same. Thus it cannot be said that the auditing through the

processing of the computer system. This means to include various auditing with the help of Audit computer will increase the probability of detection of fraud.

software and computer aided audit techniques (CAAT) 7.       Use of CAAT in small organisations: In small business organisation, use of CAAT might not be a cost-

CAAT: COMPUTER AIDED/ASSISTED AUDIT TECHNIQUE effective and viable alternative. This is because of two reasons, first the revenue per assignment is not

Under CIS environment, the auditing cannot be carried effectively using traditional / conventional and very huge, and second the client entity might not have the appropriate technical infrastructure to run

manual techniques of auditing. The auditing through the computer requires the use of various audit CAAT.

software packages and some computer assisted audit techniques. STEPS INVOLVED IN APPLICATION OF CAAT
 Following steps are required to be undertaken by the auditor in effective application of CAAT:
1.       set the objective of CAAT application; RFJPIACUPLEVEL2–AuditingTheory(EASYQUESTION#3)
2.       determine the content and accessibility of the entity’s files;  The measure of variability of a statistical sample that serves as an estimateof the population variability
3.       determine the scope: identify the specific files or databases to be examined; is the:a.Basic precision.b.Range.c . M e a s u r e s o f c e n t r a l t e n d e n c y .
4.       understand the relationship between the data tables where a database is to be examined; d.Standard deviation.e . I n t e r v a l .
5.       define the specific tests or procedures and related transactions and balances affected; RFJPIACUPLEVEL2–AuditingTheory(EASYQUESTION#4)
6.       define the output requirements; If a control total were to be computed on each of the following data
7.       arrange files & databases: arrange with the user and IT departments, if appropriate, for copies of the i t e m s , which would best be identified as a hash total for a payroll CBIS application?a . N e t
relevant files or database tables to be made at the appropriate cut-off date and time; p a y b.Department numbers. c . H o u r s w o r k e d d . T o t a l
8.       audit team: identify the personnel who may participate in the design and application of CAAT; d e b i t s . e.Total credits.
9.       cost effectiveness: refine the estimates of costs and benefits;
10.   follow-up: ensure that the use of CAAT is properly controlled; RFJPIACUPLEVEL2–AuditingTheory(EASYQUESTION#5)
11.   arrange the administrative activities, including the necessary skills and computer facilities; W h e n t h e a u d i t o r d e t e r m i n e s t h a t d e t e c ti o n r i s k
12.   reconcile data to be used for CAAT with the accounting and other records; r e g a r d i n g a fi n a n c i a l statement assertion for a material account balance or class of
13.   execute CAAT application; transactions cannotbe reduced to an acceptable level, the auditor should express:
14.   evaluate the results; a . Q u a l i fi e d o r a d v e r s e o p i n i o n .
15.   document CAATs to be used including objectives, high level flowcharts and run instructions; and b.Unqualified opinion with explanatory paragraph.c.Qualified or disclaimer of opinion.
16.   Assess the effect of changes to the programs/system on the use of CAAT. d . U n q u a l i fi e d o p i n i o n . e . A d v e r s e o r d i s c l a i m e r o f o p i n i o n . AVERAGEROUND
TESTING CAAT RFJPIACUPLEVEL2–AuditingTheory(AVERAGEQUESTION#1)
Before applying or completely relying CAAT, the auditor must first obtain reasonable assurance of the Which of the following is not explicitly referred to in the Code of Ethics
integrity, reliability, usefulness, and security of CAAT through appropriate planning, design, testing, a s source of technical standards?
processing and review of documentation. There are many testing methods; some of them are listed a . C o m m i s s i o n o n A u d i t . b . A u d i ti n g a n d A s s u r a n c e S t a n d a r d s
below: C o u n c i l . c . S e c u r i ti e s a n d E x c h a n g e C o m m i s s i o n . d . R e l e v a n t
1.       Test Data: The auditor enters the test data into the entity’s computer system and compares the result l e g i s l a ti o n . e . N o n e o f t h e a b o v e .
with predetermined results. RFJPIACUPLEVEL2–AuditingTheory(AVERAGEQUESTION#2)
2.       Test Packs: It involves testing a set of data, chosen by the auditor from the entity’s system and testing it   T h i s o c c u r s w h e n a fi r m o r a m e m b e r o f t h e a s s u r a n c e t e a m , p r o m o t e s o r may be
separately from the normal processing procedure. perceived to promote an assurance client’s position or opinion to the pointt h a t o b j e c ti v i t y m a y
3.       Integrated Test Facility: In this approach, auditor establishes a dummy unit, into which test transactions o r m a y b e p e r c e i v e d t o b e c o m p r o m i s e d . S u c h m a y b e t h e c a s e i f a fi r m
are posted during the normal processing cycle of the entity. However, these dummy entries are or a member of the assurance team were to
eliminated later on. s u b o r d i n a t e t h e i r  judgment to that of the client.
MEASURES TO EXERCISE CONTROL OVER CAAT APPLICATIONS Answer: Advocacy threat.RFJPIACUPLEVEL2–AuditingTheory(AVERAGEQUESTION#3)
Since, most of the audit procedures performed using CAAT are highly automated and machine driven. A n a u d i t o r w h o d i s c o v e r s t h a t c l i e n t e m p l o y e e s h a v e c o m m i tt e d a n i l l e g a l act
Moreover, many-a-times, a situation may occur, where the auditor also requires the cooperation of that has a material effect on the client's financial statements most likely wouldw i t h d r a w
client entity’s IT staff for extensive knowledge of computer installation. In such circumstances, the f r o m t h e e n g a g e m e n t i f : a . T h e i l l e g a l a c t i s v i o l a ti o n o f
chances of inappropriately influencing the CAAT results by the client’s staff. Thus, while applying CAAT g e n e r a l l y a c c e p t e d a c c o u n ti n g p r i n c i p l e s . b . T h e c l i e n t d o e s n o t t a k e t h e
in audit procedure, due care and control must be exercised. Following points are important to r e m e d i a l a c ti o n t h a t t h e a u d i t o r considers necessary.c . T h e i l l e g a l a c t w a s
consider: c o m m i tt e d d u r i n g a p r i o r y e a r t h a t w a s n o t a u d i t e d . d . T h e a u d i t o r h a s a l r e a d y
o   The kind of audit procedure that needs to be performed by CAAT; assessed control risk at th e min imum level. e . T h e a u d i t o r c a n n o t r e d u c e
o   Review the entity’s general controls that may affect the integrity of CAAT, for example, controls over t h e m a t e r i a l e ff e c t o f t h e i l l e g a l a c t t o a n immaterial one.
program changes and access to computer files. When such controls cannot be relied on to ensure the RFJPIACUPLEVEL2–AuditingTheory(AVERAGEQUESTION#4)
integrity of CAAT, the auditor may consider processing CAAT application at another suitable computer A w r i tt e n r e p r e s e n t a ti o n f r o m a c l i e n t ' s m a n a g e m e n t w h i c h , a m o n g
facility; and o t h e r m a tt e r s , a c k n o w l e d g e s r e s p o n s i b i l i t y f o r t h e f a i r
o   Ensure appropriate integration of the output by the auditor into the audit process, and later on in drawing p r e s e n t a ti o n o f fi n a n c i a l statements should normally be signed by the:
audit conclusions and reporting. a.Chief executive officer and the chief financial officer.b.Chief financial officer and the chairman of the
The success or failure of auditing with CAAT highly depends upon the degree of control exercised on BOD.c.Chairman of the audit committee of the BOD.
the overall application of CAAT. The control over the CAAT applications can be: d.Chief executive officer, the chairman of the BOD and the client's lawyer.
        I.            Control Over Software Application: e.C h i e f e x e c u ti v e o ffi c e r , c h i e f fi n a n c i a l o ffi c e r a n d t h e c h a i r m a n o f t h e BOD.
a.       Participation in design and testing of CAAT: The success of CAAT significantly depends upon the RFJPIACUPLEVEL2–AuditingTheory(AVERAGEQUESTION#5) 
participation of the principal auditor in the designing and testing of CAAT. CBIS controls are frequently classified as to general controls and applicationcontrols. Which of the
b.      Checking the coding: Wherever applicable, detailed checking the coding of the program to ensure that it following is an example of an application control?a . P r o g r a m m e r s m a y
is in-line with the program specification. a c c e s s t h e c o m p u t e r o n l y f o r t e s ti n g
c.       Compatibility with client’s system: Asking the client entity’s IT staff to check the compatibility of the a n d "debugging" programs.b . A l l p r o g r a m c h a n g e s m u s t b e f u l l y
audit software with the operating system used in the client’s information system. d o c u m e n t e d a n d a p p r o v e d b y t h e information systems manager and the user
d.      Testing the software: Before running the audit software on the main system’s data files, the software department authorizing thechange.c . A s e p a r a t e d a t a c o n t r o l g r o u p i s r e s p o n s i b l e f o r
must be run on small test files in a different system. d i s t r i b u ti n g o u t p u t , a n d also compares input and output on a test basis.d . U s e o f p a s s w o r d s
e.      Testing the test results: The results of the above test. a n d i d e n ti fi c a ti o n c o d e s .
f.        Addressing the security issues: The must establish appropriate security measures to safeguard the e.In processing sales orders, the computer compares
integrity and confidentiality of client’s data. c u s t o m e r and product numbers with internally stored lists.
g.       Regular follow-up: Sufficient evidence must be obtained so as to ensure that the audit software is DIFFICULTROUND
functioning, as planned. And also ensure that there is proper vendor support. RFJPIA CUP LEVEL 2 – Auditing Theory (DIFFICULT QUESTION #1)
      II.            Control Over Test Data: I n s t u d y i n g a c l i e n t ' s i n t e r n a l c o n t r o l s , a n
a.       Controlling the sequence in which the test data needs to be sent. a u d i t o r m u s t b e a b l e t o d i s ti n g u i s h b e t w e e n p r e v e n ti o n
b.      Initially, performing the test runs with small chunks of test data, before submitting the main audit test c o n t r o l s a n d d e t e c ti o n c o n t r o l s . O f t h e f o l l o w i n g data processing controls, which is the
data. best detection control?
c.       Predicting the results of the test data and comparing it with the actual test data output. a.Policy requiring password security.b . B a c k u p a n d r e c o v e r y p r o c e d u r e .
d.      Confirming that the current version of the programs was used to process the test data. c.Access controls.d.Use of data encryption techniques.e . R e v i e w o f m a c h i n e u ti l i z a ti o n l o g s .
e.      Ensure that the client entity used the same version of software throughout the audit period, on which RFJPIA CUP LEVEL 2 – Auditing Theory (DIFFICULT QUESTION #2)
the audit is being conducted. W h e n t h e a u d i t o r e n c o u n t e r s s o p h i s ti c a t e d c o m p u t e r - b a s e d s y s t e m s , h e o r s h e
f.        Make sure that dummy entries are deleted, which were fed in the system, while performing the audit. m a y n e e d t o m o d i f y t h e a u d i t a p p r o a c h . O f t h e f o l l o w i n g c o n d i ti o n s , w h i c h one
The auditor should one thing in mind while performing the audit that, “CAAT is one of the ‘solutions’ is not a valid reason for modifying the audit approach?a . M o r e a d v a n c e d c o m p u t e r
for Audit and no the ‘substitute’ to Audit."uditingTheoryELIMINATION ROUND s y s t e m s p r o d u c e l e s s d o c u m e n t a ti o n , t h u s reducing the visibility of the audit
EASYROUND trail.b . I n c o m p l e x c o m p u t e r - b a s e d s y s t e m s , c o m p u t e r v e r i fi c a ti o n
RFJPIACUPLEVEL2–AuditingTheory(EASYQUESTION#1) of data att h e p o i n t o f i n p u t r e p l a c e s t h e m a n u a l
 The need for assurance services arises because:a . T h e r e i s a c o n s o n a n c e o f v e r i fi c a ti o n f o u n d i n l e s s sophisticated data processing
i n t e r e s t s o f t h e p r e p a r e r a n d t h e u s e r o f t h e financial statements. systems.c.Integrated data processing has replaced the more traditional separationof duties that
b.There is a potential bias in providing information. existed in manual and batch processing systems.
c . E c o n o m i c t r a n s a c ti o n s a r e l e s s c o m p l e x t h a n t h e y w e r e a d e c a d e d.Real-time processing of transactions has enabled the auditor toconcentrate less on the completeness
ago.d . M o s t u s e r s t o d a y h a v e a c c e s s t o t h e assertion.e . N o n e o f t h e a b o v e .  
s y s t e m t h a t g e n e r a t e s t h e financial statements they use.e . N o n e RFJPIA CUP LEVEL 2 – Auditing Theory (DIFFICULT QUESTION #3)
of the above. I n a n a p p l i c a ti o n o f m e a n p e r u n i t s a m p l i n g , t h e f o l l o w i n g i n f o r m a ti o n h a s been
RFJPIACUPLEVEL2–AuditingTheory(EASYQUESTION#2) obtained:Reported book value P600,000Point estimate (estimated total value) 591,000Allowance for
Which of the following is explicitly included in the Auditor’s sampling risk (precision) +-
r e s p o n s i b i l i t y section of the auditor's report? 22,000  T o l e r a b l e
a.Reason for modification of opinion.b.“Philippine Financial Reporting Standards”. e r r o r + -
c.“Philippines Standards on Auditing”.d.Division of responsibility with another 4 5 , 0 0 0
auditor.e . M a n a g e m e n t r e p r e s e n t a ti o n s . The appropriate conclusion would be that the reported book value is:
a.Acceptable only if the risk of incorrect rejection is at least twice the riskof incorrect Answer: 2 and 3 only.RFJPIA CUP LEVEL 2 – Auditing Theory (COC)
acceptance.b.A c c e p t a b l e o n l y i f t h e r i s k o f i n c o r r e c t a c c e p t a n c e i s a t l e a s t t w i c e  The auditor's report should be dated as of the date on which the:
t h e risk of incorrect rejection.c.A c c e p t a b l e o n l y i f t h e r i s k o f o v e r r e l i a n c e i s a t l e a s t a . F i e l d w o r k i s c o m p l e t e d . b.Report is delivered to the client.c . R e p o r t i s s u b m i tt e d t o
t w i c e t h e r i s k o f   underreliance.d . A c c e p t a b l e . e.Not acceptable. t h e a u d i t c o m m i tt e e . d.Fiscal period under audit ends.e.Review of the working papers is
RFJPIA CUP LEVEL 2 – Auditing Theory (DIFFICULT QUESTION #4) complete
Based on RA 9298, how many years can a partner who survived the death orw i t h d r a w a l o f o t h e r RFJPIA CUP LEVEL 2 – Auditing Theory (JPI)ACE QUESTION
p a r t n e r / s c o n ti n u e t o p r a c ti c e u n d e r t h e p a r t n e r s h i p n a m e after becoming a sole W h i c h o f t h e f o l l o w i n g a u d i ti n g p r o c e d u r e s w o u l d t h e a u d i t o r n o t a p p l y t o
practitioner? a cutoff bank statement?a . T r a c e y e a r e n d o u t s t a n d i n g c h e c k s a n d d e p o s i t s i n t r a n s i t
Answer: 2 years.RFJPIA CUP LEVEL 2 – Auditing Theory (DIFFICULT QUESTION #5) t o t h e c u t o ff   bank statement.b.Reconcile the bank account as of the end of the cutoff period.
 The following procedures may be performed by CPAs in an engagement:1 . C o n s i d e r a ti o n o f c . C o m p a r e d a t e s , p a y e e s a n d e n d o r s e m e n t s o n r e t u r n e d c h e c k s w i t h t h e cash
i n t e r n a l c o n t r o l 2 . O b s e r v a ti o n 3 . I n q u i r y a n d disbursements record.d . D e t e r m i n e t h a t t h e y e a r e n d d e p o s i t i n t r a n s i t w a s c r e d i t e d
a n a l y s i s 4 . I n s p e c ti o n 5 . C o n fi r m a ti o n 6 . O b t a i n i n g m a n a g e m e n t b y t h e b a n k on the first working day of the following accounting period.e . N o n e o f t h e
r e p r e s e n t a ti o n l e tt e r W h i c h o f t h e f o r e g o i n g a r e above.
n o r m a l l y p e r f o r m e d i n a n a g r e e d - RFJPIA CUP LEVEL 2 – Auditing Theory (BSU) JOKERQUESTION
u p o n procedures engagement?   T h e m o s t e ff e c ti v e m e a n s f o r t h e a u d i t o r t o d e t e r m i n e w h e t h e r a
Answer: 2, 3, 4 and 5 only. r e c o r d e d intangible asset possesses the characteristics of an asset is to:
CLINCHERQUESTIONS a.Vouch the purchase by reference to underlying documentation.b . I n q u i r e a s t o t h e s t a t u s o f
RFJPIACUPLEVEL2–AuditingTheory(CLINCHERQUESTION#1) p a t e n t a p p l i c a ti o n s . c . R e g i s t e r t h e p a t e n t a t t h e
Which of the following is not a distinguishing feature of risk-based auditing?a . I d e n ti f y i n g a r e a s P a t e n t O ffi c e t o t e s t i t s v a l i d i t y
p o s i n g t h e h i g h e s t r i s k o f fi n a n c i a l s t a t e m e n t e r r o r s . b . A n a l y s i s o f i n t e r n a l a n d acceptability.d . E v a l u a t e t h e f u t u r e
control. r e v e n u e - p r o d u c i n g c a p a c i t y o f t h e intangible
c . C o l l e c ti n g a n d e v a l u a ti n g e v i d e n c e . asset.
d . C o n c e n t r a ti n g a u d i t r e s o u r c e s i n t h o s e a r e a s p r e s e n ti n g t h e h i g h e s t r i s k of e.Analyze research and development expenditures to determine that onlyt h o s e
financial statement errors.e . N o n e o f t h e a b o v e . e x p e n d i t u r e s p o s s e s s i n g f u t u r e e c o n o m i c b e n e fi t h a v e
RFJPIACUPLEVEL2–AuditingTheory(CLINCHERQUESTION#2) b e e n capitalized.
I n c o n d u c ti n g a s u b s t a n ti v e t e s t o f a n a c c o u n t RFJPIA CUP LEVEL 2 – Auditing Theory (SMC)
b a l a n c e , a n a u d i t o r hypothesizes that no material error  The probability of a significant idle capacity loss increases under which of thefollowing conditions?
e x i s t s . T h e r i s k t h a t s a m p l e r e s u l t s w i l l support the hypothesis when a material a.S a l e s a n d p r o d u c ti o n h a v e i n c r e a s e d s i g n i fi c a n t l y d u r i n g t h e
error actually does exist is the risk of:a . I n c o r r e c t r e j e c ti o n . b.Alpha error.c.Incorrect p e r i o d under audit.b . S a l e s a n d p r o d u c ti o n h a v e d e c l i n e d
acceptance. m a t e r i a l l y d u r i n g t h e period under audit.c.S a l e s h a v e d e c l i n e d
d . T y p e I e r r o r . e.Risk of overreliance. s o m e w h a t , b u t p r o d u c ti o n h a s r e m a i n e d c o n s t a n t in anticipation of a sales recovery in
  the following accounting period.d . T h e c l i e n t h a s i n c r e a s e d i t s o v e r h e a d
RFJPIACUPLEVEL2–AuditingTheory(CLINCHERQUESTION#3) a b s o r p ti o n r a t e e ff e c ti v e a t t h e beginning of the following accounting
In a distributed data base (DDB) environment, control tests for access controladministration can be period.e . S a l e s a n d p r o d u c ti o n r e m a i n e d c o n s t a n t d u r i n g t h e p e r i o d u n d e r a u d i t .
designed which focus on: RFJPIA CUP LEVEL 2 – Auditing Theory (FSUU)
a.Reconciliation of batch control totals.b . H a s h t o t a l s . c . E x a m i n a ti o n o f l o g g e d A n a u d i t r e p o r t c o n t a i n s t h e f o l l o w i n g
a c ti v i t y . d.Prohibition of random access.e.Analysis of system generated core dumps. p a r a g r a p h : " B e c a u s e o f t h e inadequacies in the company's
RFJPIACUPLEVEL2–AuditingTheory(CLINCHERQUESTION#4) accounting records during the year ended June 30,2 0 0 3 , i t w a s n o t p r a c ti c a b l e t o
Which of the following might be detected by an e x t e n d o u r a u d i ti n g p r o c e d u r e s t o t h e e x t e n t n e c e s s a r y t o
a u d i t o r ' s r e v i e w o f t h e client's sales cut-off?a . E x c e s s i v e g o o d s r e t u r n e d e n a b l e u s t o o b t a i n c e r t a i n e v i d e n ti a l m a tt e r
for credit.b . U n r e c o r d e d s a l e s d i s c o u n t s c.Lapping of year end accounts a s i t r e l a t e s t o classification of certain items in the consolidated statements of
receivable operations." Thisparagraph most likely describesa . A m a t e r i a l d e p a r t u r e f r o m G A A P
d . I n fl a t e d s a l e s f o r t h e y e a r . e . N o n e o f t h e a b o v e . r e q u i r i n g a q u a l i fi e d a u d i t o p i n i o n . b . A n u n c e r t a i n t y t h a t s h o u l d n o t l e a d t o a
RFJPIACUPLEVEL2–AuditingTheory(CLINCHERQUESTION#5) q u a l i fi e d o p i n i o n . c . A m a tt e r t h a t r e q u i r e s a n a d v e r s e o p i n i o n .
An auditor confirms a representative number of open accounts receivable aso f D e c e m b e r 3 1 , d . A m a tt e r t h a t t h e a u d i t o r w i s h e s t o e m p h a s i z e a n d t h a t d o e s n o t l e a d t o a
2 0 1 0 , a n d i n v e s ti g a t e s r e s p o n d e n t s ' e x c e p ti o n s a n d c o m m e n t s . B y t h i s qualified audit opinion.e . A m a t e r i a l s c o p e r e s t r i c ti o n r e q u i r i n g a
procedure, the auditor would be most likely to learn q u a l i fi c a ti o n o f t h e auditopinion.
o f w h i c h o f t h e following? RFJPIACUPLEVEL2–AuditingTheory(XU)
a . O n e o f t h e c a s h i e r s h a s Under which of the following circumstances would a disclaimer of opinion notbe appropriate?
b e e n c o v e r i n g a a . T h e fi n a n c i a l s t a t e m e n t s f a i l t o c o n t a i n a d e q u a t e
p e r s o n a l embezzlementbylapping. d i s c l o s u r e concerning related party transactions.b.  T h e c l i e n t r e f u s e s t o
b.O n e o f t h e s a l e s c l e r k s h a s n o t b e e n p r e p a r i n g c h a r g e s l i p s f o r c r e d i t sales to p e r m i t i t s a tt o r n e y t o f u r n i s h i n f o r m a ti o n requested
family and friendsc.O n e o f t h e C B I S c o n t r o l c l e r k s h a s b e e n r e m o v i n g a l l in a letter of audit inquiry.
s a l e s i n v o i c e s applicable to his account from the data file. c.  T h e a u d i t o r i s e n g a g e d a ft e r fi s c a l y e a r - e n d a n d i s u n a b l e t o
d.  T h e c r e d i t m a n a g e r h a s m i s a p p r o p r i a t e d r e m i tt a n c e s f r o m c u s t o m e r s whose o b s e r v e p h y s i c a l i n v e n t o r i e s o r a p p l y a l t e r n a ti v e p r o c e d u r e s t o
accounts have been written off.e . T h e i n t e r n a l c o n t r o l i s e ff e c ti v e . v e r i f y t h e i r balances.
FINAL ROUNDEASYQUESTIONS d. The auditor is unable to determine the amounts associated with illegalacts committed by the client's
RFJPIA CUP LEVEL 2 – Auditing Theory (AKIC)ACE QUESTION management.e.Under no circumstances.
  T h i s e x i s t s w h e n o t h e r i n f o r m a ti o n c o n t r a d i c t s i n f o r m a ti o n c o n t a i n e d i n RFJPIA CUP LEVEL 2 – Auditing Theory (IIT)
t h e financial statements. Morgan, CPA, is the principal auditor for a multi-national corporation. AnotherC P A h a s
a . M a t e r i a l i n c o n s i s t e n c y . b . M a t e r i a l d i ff e r e n c e . c . M a t e r i a l e x a m i n e d a n d r e p o r t e d o n t h e fi n a n c i a l s t a t e m e n t s o f
d e v i a ti o n . d . M a t e r i a l e r r o r . e . N o n e o f t h e c h o i c e s . a s i g n i fi c a n t s u b s i d i a r y o f t h e c o r p o r a ti o n . M o r g a n i s s a ti s fi e d
RFJPIACUPLEVEL2–AuditingTheory(MTIM) JOKERQUESTION w i t h t h e i n d e p e n d e n c e a n d p r o f e s s i o n a l r e p u t a ti o n o f t h e o t h e r
 The term "present fairly, in all material respect", means  auditor, as well as the quality of the otherauditor's
a . T h e fi n a n c i a l s t a t e m e n t s c o n f o r m t o G A A P . b . T h e fi n a n c i a l s t a t e m e n t s m a y e x a m i n a ti o n . W i t h r e s p e c t t o M o r g a n ' s r e p o r t o n t h e
s ti l l b e m a t e r i a l l y m i s s t a t e d b e c a u s e t h e auditors may not have discovered the c o n s o l i d a t e d financial statements, taken as a whole, Morgan
errors.c . T h e fi n a n c i a l s t a t e m e n t s a r e a c c u r a t e l y p r e p a r e d . a.Must not refer to the examination of the other auditor.b.Must refer to the examination of the other
d . T h e a u d i t o r c o n s i d e r s o n l y t h o s e m a tt e r s t h a t a r e s i g n i fi c a n t t o the users of the auditor.c . M a y r e f e r t o t h e e x a m i n a ti o n o f t h e o t h e r a u d i t o r .
financial statements. d.May refer to the examination of the other auditor, in which case Morganm u s t i n c l u d e i n
e . I m m a t e r i a l a m o u n t s a r e o m i tt e d f r o m t h e fi n a n c i a l s t a t e m e n t s . the auditor's report on the consolidated
RFJPIA CUP LEVEL 2 – Auditing Theory (SIC) fi n a n c i a l s t a t e m e n t s a q u a l i fi e d o p i n i o n w i t h r e s p e c t t o t h e e x a m i n a ti o n o f
  T h i s o c c u r s w h e n b y v i r t u e o f a c l o s e r e l a ti o n s h i p w i t h a n a s s u r a n c e c l i e n t , i t s t h e other auditor.e.May refer only if the other auditor consents.
d i r e c t o r s , o ffi c e r s o r e m p l o y e e s , a fi r m o r a m e m b e r o f t h e a s s u r a n c e RFJPIA CUP LEVEL 2 – Auditing Theory (SFXC)
t e a m becomes too sympathetic to the client’s interests. In which of the following reports should a CPA not express negative or limitedassurance?
Answer:Familiaritythreat. a . A s t a n d a r d c o m p i l a ti o n r e p o r t o n fi n a n c i a l s t a t e m e n t s o f a n o n - publicentity.
RFJPIA CUP LEVEL 2 – Auditing Theory (PCC) b . A s t a n d a r d r e v i e w r e p o r t o n fi n a n c i a l s t a t e m e n t s o f a n o n - p u b l i c e n ti t y . c . A
Which of the following acts is/are considered fraud?1 . A l t e r a ti o n o f r e c o r d s o r s t a n d a r d r e v i e w r e p o r t o n i n t e r i m fi n a n c i a l s t a t e m e n t s o f a
d o c u m e n t s . 2 . M i s i n t e r p r e t a ti o n o f f a c t s . 3 . M i s a p p r o p r i a ti o n o f p u b l i c entity.d . A s t a n d a r d c o m f o r t l e tt e r o n
a s s e t s . 4 . R e c o r d i n g o f t r a n s a c ti o n s w i t h o u t s u b s t a n c e . 5 . C l e r i c a l m i s t a k e s . fi n a n c i a l i n f o r m a ti o n i n c l u d e d i n a registration statement of
Answer: 1, 3 and 4 only.RFJPIA CUP LEVEL 2 – Auditing Theory (MVC) a public entity.e . A l l o f t h e a b o v e .
  T h i s r e f e r s t o t h e c o m m u n i c a ti o n t o t h e p u b l i c o f RJPIA CUP LEVEL 2 – Auditing Theory (LDCU)
i n f o r m a ti o n a s t o t h e service or skills provided by professional accountants in public   Comfort letters are ordinarily signed by the
practice with a viewof procuring professional business.Answer: Advertising. a.Client.b . I n d e p e n d e n t a u d i t o r . c . I n t e r n a l a u d i t o r . d . I n d e p e n d e n t
RFJPIA CUP LEVEL 2 – Auditing Theory (CMU) a u d i t o r a n d c l i e n t . e.Independent auditor and internal auditor.
Which of the following factors is/are essential to an effective internal auditingorganization? RFJPIA CUP LEVEL 2 – Auditing Theory (LC)ACE QUESTION
1.Operating responsibility.2 . O r g a n i z a ti o n a l s t a t u s 3 . O b j e c ti v i t y
  T h e e n g a g e m e n t t e a m f o r t h e 2 0 1 0 a u d i t o f t h e fi n a n c i a l Which of the following is least likely a procedure that would be performed bythe auditor near the
s t a t e m e n t s o f   Sarimanok Company is composed of the auditor’s report date?
following:P a r t n e r : J o s e a . R e a d i n g t h e m i n u t e s o f t h e m e e ti n g s o f
M a r q u e z S e n i o r s h a r e h o l d e r s , t h e b o a r d o f d i r e c t o r s a n d a u d i t
a s s o c i a t e : A s s e r i n a e x e c u ti v e c o m m i tt e e s h e l d throughout the audit year.
T a m a y o M a n a g e r : S h i r l e y b . R e a d i n g t h e e n ti t y ’ s l a t e s t a v a i l a b l e i n t e r i m fi n a n c i a l s t a t e m e n t s . c . I n q u i r i n g
C o r d o v a A u d i t a s s o c i a t e s : o f t h e c l i e n t ’ s l e g a l c o u n s e l c o n c e r n i n g l i ti g a ti o n s a n d c l a i m s . d . R e v i e w i n g t h e
C r i s t y E s p e n i l l a ,  Jona LeeFollowing Philippine Standards on p r o c e d u r e s t h a t m a n a g e m e n t h a s e s t a b l i s h e d t o e n s u r e that subsequent events are
Auditing, who among the above would beconsidered as the auditor? identified.e . A l l a r e p e r f o r m e d n e a r t h e a u d i t o r ’ s r e p o r t .
a.Jose Marquez only. RFJPIA CUP LEVEL 2 – Auditing Theory (STC)
b.Jose Marqu ez and Asserin a Tamayo only.c.Jose Marqu ez, Asserina Tamayo Which of the followin g statements is not tru e regardin g the competence
and all the audit associates only.d.Jose Marquez, Asserin a Tamayo and Shirley o f   audit evidence?
Cordova only.e . A l l o f t h e m . a.Relevance is enhanced by an effective information system.
RFJPIA CUP LEVEL 2 – Auditing Theory (NFJPIA) JOKERQUESTION b.To be competent, evidence must be both valid and relevant.c.Validity is
  T h e f o l l o w i n g s t a t e m e n t s r e l a t e t o C P A e x a m i n a ti o n r a ti n g s . W h i c h o f r e l a t e d t o t h e q u a l i t y o f t h e c l i e n t ’ s i n f o r m a ti o n s y s t e m . d . R e l e v a n c e m u s t
t h e following is incorrect?a . T o p a s s t h e e x a m i n a ti o n , c a n d i d a t e s s h o u l d o b t a i n a a l w a y s r e l a t e t o a u d i t o b j e c ti v e s . e . N o n e o f t h e a b o v e .
g e n e r a l w e i g h t e d average of 75% and above, with no rating in any subject less than RFJPIA CUP LEVEL 2 – Auditing Theory (FCC)
65%.b . C a n d i d a t e s w h o o b t a i n a r a ti n g o f 7 5 % a n d Which one of the following, if present, would support a finding of constructivefraud on the part of a
a b o v e i n a t l e a s t f o u r subjects shall receive a conditional credit for the CPA?
subjects passed. a.Privity of contract.b . I n t e n t t o d e c e i v e . c . R e c k l e s s
c . C a n d i d a t e s w h o f a i l e d i n f o u r c o m p l e t e e x a m i n a ti o n s s h a l l disregard.d.Ordinary negligence.e . N o n e o f t h e a b o v e .
n o longer be allowed to take the examinations the fifth time. RFJPIA CUP LEVEL 2 – Auditing Theory (SEC)
d . C o n d i ti o n e d c a n d i d a t e s s h a l l t a k e a n e x a m i n a ti o n i n A n a u d i t o r c o m p a r e s 2 0 1 0 r e v e n u e s a n d e x p e n s e s w i t h t h o s e o f t h e p r i o r year
t h e r e m a i n i n g subjects within two years from the preceding examination.e . N o n e o f investigating all changes exceeding 10%. By this procedure the auditor wouldbe most likely to learn
the above. that:a . A n i n c r e a s e i n p r o p e r t y t a x r a t e s h a s n o t b e e n r e c o g n i z e d i n t h e
RFJPIA CUP LEVEL 2 – Auditing Theory (CTKC) c l i e n t ' s accrual.b. The 2010 provision for uncollectible accounts is inadequate, because of worsening
Which statement is incorrect regarding the nature of tests of controls?a . A s t h e p l a n n e d economic conditions.c.Fourth quarter payroll taxes were not paid.
l e v e l o f a s s u r a n c e i n c r e a s e s , t h e a u d i t o r s e e k s m o r e reliable audit d . T h e c l i e n t c h a n g e d i t s c a p i t a l i z a ti o n p o l i c y f o r s m a l l t o o l s
evidence.b . T h o s e c o n t r o l s s u b j e c t t o t e s ti n g b y p e r f o r m i n g i n q u i r y c o m b i n e d i n 2010.
w i t h i n s p e c ti o n o r r e p e r f o r m a n c e o r d i n a r i l y p r o v i d e m o r e a s s u r a n c e t h a n t h o s e e.All of the above.
c o n t r o l s f o r w h i c h t h e a u d i t e v i d e n c e c o n s i s t s s o l e l y o f i n q u i r y and observation. RFJPIACUPLEVEL2–AuditingTheory(MSUM)
c . T h e a b s e n c e o f m i s s t a t e m e n t s d e t e c t e d b y a E x p e r i e n c e h a s s h o w n t h a t c e r t a i n c o n d i ti o n s
s u b s t a n ti v e procedure provides audit evidence that controls related to theassertion being i n a n o r g a n i z a ti o n a r e symptoms of possible management fraud. Which of
tested are effective  d . A m a t e r i a l m i s s t a t e m e n t d e t e c t e d b y t h e a u d i t o r ’ s the following conditions wouldnot be considered an indicator of possible fraud?
p r o c e d u r e s t h a t w a s not identified by the entity ordinarily is indicative of the existence of a.Managers regularly assuming subordinates' duties.b.Managers dealing in matters outside their profit
amaterial weakness in internal control.e . N o n e o f t h e a b o v e . center's scope.c.Managers not complying with corporate directives and procedures.
RFJPIA CUP LEVEL 2 – Auditing Theory (SPUS) d . M a n a g e r s s u b j e c t t o f o r m a l p e r f o r m a n c e r e v i e w s o n a r e g u l a r basis.e . N o n e
 The assessment of the risks of material misstatement of the above.
a t t h e fi n a n c i a l s t a t e m e n t l e v e l i s a ff e c t e d b y RFJPIACUPLEVEL2–AuditingTheory(MU)
t h e a u d i t o r ’ s u n d e r s t a n d i n g o f t h e G i v e n t h e i n c r e a s i n g u s e o f m i c r o c o m p u t e r s a s a m e a n s f o r a c c e s s i n g d a t a bases,
c o n t r o l environment. Weaknesses in the control environment along with on-line real-time processing, companies face a serious challenger e l a ti n g t o d a t a
o r d i n a r i l y w i l l l e a d t h e auditor to:a . H a v e m o r e c o n fi d e n c e i n s e c u r i t y . W h i c h o f t h e f o l l o w i n g i s n o t a n a p p r o p r i a t e m e a n s f o r meeting this
i n t e r n a l c o n t r o l a n d t h e r e l i a b i l i t y o f a u d i t evidence generated challenge?a . I n s ti t u t e a p o l i c y o f s t r i c t i d e n ti fi c a ti o n a n d p a s s w o r d c o n t r o l s
internally within the entity.b . C o n d u c t s o m e a u d i t p r o c e d u r e s a t a n i n t e r i m d a t e h o u s e d i n t h e c o m p u t e r s o ft w a r e t h a t p e r m i t o n l y s p e c i fi e d i n d i v i d u a l s t o
r a t h e r t h a n a t p e r i o d end.c . D e c r e a s e t h e n u m b e r o f l o c a ti o n s t o b e i n c l u d e d i n a c c e s s the computer files and perform a given function.b . L i m i t t e r m i n a l s t o p e r f o r m o n l y
the audit scope.d . W i t h d r a w f r o m t h e e n g a g e m e n t . c e r t a i n t r a n s a c ti o n s . c . P r o g r a m s o ft w a r e t o p r o d u c e a l o g o f t r a n s a c ti o n s
e . M o d i f y t h e n a t u r e o f a u d i t s h o w i n g d a t e , ti m e , type of transaction, and operator.
p r o c e d u r e s t o o b t a i n m o r e persuasive audit d . P r o h i b i t t h e n e t w o r k i n g o f m i c r o c o m p u t e r s a n d d o n o t p e r m i t users to access
evidence.RFJPIA CUP LEVEL 2 – Auditing Theory (LSU) centralized data bases.
e.All are appropriate measu res for maintainin g data secu rity.

Bcdbcabaeeddcccdaadabdbeacabacc In your presence at your throne The whole earth shakes, the whole Your glory
eaacdd I called you answered earth shakes Chorus:
And you came to my rescue and I I see his love and mercy You are the God who lives, You are
I wanna be where you are Washing over all our sin the God who heals
" Magnificent " In my life be lifted high The people sing, the people sing Who are my hope my everything
Who compares to You? In our world be lifted high Chorus You brought salvation to us offered
Who set the stars in their place? In our love be lifted high Hosanna, hosanna your peace to the earth
You who calmed the raging seas " Lead Me To The Cross " Hosanna in the highest You are my Lord my everything
That came crashing over me. Savior I come Verse 2 Verse 2:
VERSE 2: Quiet my soul remember I see a generation In Your promise and Your faithfulness
Who compares to You? Redemptions hill Rising up to take the place I will trust all my days
You who bring the morning light, Where Your blood was spilled With selfless faith, with selfless faith King forever great in majesty
The hope of all the earth For my ransom I see a new revival Be glorified
Is rest assured in Your great love. Everything I once held dear Staring as we pray and seek Bridge:
CHORUS:You are magnificent, I count it all as lost We're on our knees, we're on our I'll trust in You, i'll trust in You
Eternally wonderful, glorious. Lead me to the cross knees I'll trust in You with all my heart
Jesus, no one ever will compare (last Where Your love poured out Bridge One Thing
time to tags) Bring me to my knees Heal my heart and make it clean One thing
To You, Jesus.VERSE 3: Lord I lay me down Open up my eyes to the things One thing I desire
Where the evening fades, Rid me of myself unseen One thing I seek
You call forth songs of joy. I belong to You Show me how to love like you have To gaze upon Your beauty
As the morning wakes, Lead me, lead me to the cross loved me Your majesty
We Your children give You praise. You were as I Break my heart for what is yours In the day of trouble
TAGS: Tempted and trialed Everything I am for your kingdom's You cover me
Jesus, no one ever will compare You are cause In the secret place of refuge
To You, Jesus.No one ever will Te word became flesh As I walk from earth into eternity Lord I will singSo I pray to You
compareTo You, Jesus. Bore my sin and death " God Of Ages " So I pray to YouLord Your Name is
" Came To My Rescue " Now you're risen God of ages bringing glory here higher than the heavensLord Your
Falling on my knees in worship To your heart You are good, You are good Name is higher than all created things
Giving all I am to seek your face To your heart Son of righteousness You are all I see Higher than hopeHigher than dreams
Lord all I am is yours Lead me to your heart With all my heart The Name of the Lord
My whole life Lead me to your heart All I want is You
I place in your hands " Hosanna " PreChorus: All I want is You
God of Mercy I see the king of glory Giver of life hope for the lost is in You Jesus
Humbled I bow down Coming down the clouds with fire All of the earth shines with Your light