Evaluate Input, Processing, And Output Controls
Help Questions
Which of the following is an example of a processing control?
A field validation that rejects entries exceeding a maximum dollar amount.
A system prompt that requires users to confirm their identity before entering data.
A report that lists all transactions processed during the period for management review.
A batch control total that compares the sum of transaction amounts before and after processing to verify completeness.
Explanation
A batch control total that reconciles pre- and post-processing totals is a processing control - it verifies that all transactions were processed correctly and completely. Answer B is correct. Field validation (A) is an input control. Management reports (C) are output controls. Identity confirmation (D) is an access control.
A company's payroll system requires that any salary entry exceeding $500,000 annually be flagged for secondary review before processing. This is an example of which input control?
Format check - verifying the salary is entered in the correct numeric format.
Reasonableness or limit check - flagging entries that exceed a defined threshold as potentially implausible.
Completeness check - ensuring all required payroll fields are populated.
Duplicate check - preventing the same employee from being entered twice.
Explanation
A limit check flags values above or below defined thresholds as potentially unreasonable - salaries over $500,000 may be valid but warrant additional scrutiny. Answer A is correct. Format checks (B) validate structure. Completeness (C) ensures fields are filled. Duplicate checks (D) prevent repeated entries.
During a batch processing run, the system processes 980 of 1,000 transactions and terminates due to an error. The remaining 20 transactions are not processed. Which processing control would most directly detect this incomplete processing?
Encryption of the batch file before processing begins.
A run-to-run control total that compares the number of records and total amounts processed against expected totals established before the run.
A format check validating the structure of each transaction record.
Access controls limiting who can initiate batch processing runs.
Explanation
Run-to-run control totals compare expected counts and amounts to actual processed results, directly detecting incomplete processing - the 20 missing transactions would cause a discrepancy. Answer C is correct. Encryption (A) addresses confidentiality. Access controls (B) address authorization. Format checks (D) validate data structure, not completeness of processing.
Which of the following best describes a 'completeness check' as an input control?
A check that verifies the data is in the correct format (e.g., date format MM/DD/YYYY).
A check that verifies a numeric field falls within an acceptable range.
A check that verifies all required fields in a record are populated before the record can be saved.
A check that verifies the data matches an authorized reference table value.
Explanation
A completeness check ensures no mandatory fields are left blank - preventing records with missing critical data from entering the system. Answer D is correct. Range checks (A), validity checks (B), and format checks (C) address different data quality dimensions.
A financial reporting system automatically locks the accounting period at month-end, preventing any further journal entries from being posted to the closed period. This is an example of which type of application control?
Processing control - enforcing period-end cutoff by preventing transactions from being processed to a closed accounting period.
Output control - ensuring reports reflect only transactions in the current period.
Input validation - preventing entries in incorrect date formats.
Access control - restricting which users can post journal entries.
Explanation
Period locking is a processing control that enforces accounting cutoff - ensuring no transactions are processed to periods that have already been closed. Answer B is correct. Date format validation (A) is an input control. Report filtering (C) is an output function. User restrictions (D) are access controls.
Which of the following is the primary purpose of a 'hash total' in batch processing?
To assign a unique transaction identifier to each record in the batch.
To create a unique numeric fingerprint of batch data (e.g., sum of account numbers) that can be compared before and after processing to detect any changes or losses.
To compress batch data to reduce processing time and storage requirements.
To encrypt batch data before transmission to prevent unauthorized access.
Explanation
A hash total (e.g., sum of transaction numbers or account numbers) has no business meaning but serves as a control - if the total changes between input and output, records were added, removed, or altered. Answer A is correct. Encryption (B), unique IDs (C), and compression (D) serve different purposes.
A company generates a daily transaction report listing all journal entries posted to the general ledger during the day. Management reviews this report for unusual items. This is an example of which type of control?
Processing control - ensuring journal entries are calculated correctly.
Access control - restricting who can view journal entries.
Input control - validating journal entries before posting.
Output control - using system-generated reports as a detective control to identify unusual or unauthorized transactions after posting.
Explanation
Reviewing system-generated output reports to detect unusual items after processing is a detective output control. Answer D is correct. The review occurs after posting (not input A or processing B), and is a detective control, not an access restriction (C).
A payroll system generates pay stubs for 500 employees. The system also generates a control report showing total gross pay, total deductions, and total net pay for the batch. Management reconciles this control report to the general ledger payroll entries. This reconciliation is an example of:
An access control limiting who can approve payroll disbursements.
An output control reconciling system-generated totals to the general ledger to verify completeness and accuracy of the payroll processing.
An input control verifying payroll data at entry.
A processing control ensuring the payroll calculations are correct.
Explanation
Reconciling the system's output control report to the GL after processing is an output control - using the system's own totals as evidence of complete, accurate processing. Answer C is correct. Payroll entry validation (A) is input. Calculation verification (B) is processing. Access restrictions (D) are separate.
Which of the following represents an effective set of controls covering all three categories - input, processing, and output - for a billing system?
Restricting billing system access to accounts receivable staff only.
Encrypting all billing data and storing it in a secure database.
Input: validating customer IDs and amounts at entry; Processing: run-to-run control totals verifying all invoices are processed; Output: reconciling billed amounts to the accounts receivable ledger.
Generating daily billing reports and distributing them to the finance team.
Explanation
A complete application control suite covers all three layers: input validation catches data errors at entry; processing controls verify completeness during the run; output reconciliation confirms the results are accurately reflected downstream. Answer B is correct. Encryption (A) and access controls (C) are IT general controls. Report distribution (D) is only one output control.
An auditor is testing application controls over a revenue recognition system. Which of the following procedures would provide evidence about the effectiveness of input controls?
Reviewing the disaster recovery plan for the revenue recognition system.
Attempting to enter transactions with invalid customer IDs, missing required fields, or out-of-range amounts, and verifying that the system rejects or flags them.
Reviewing the system's access control log to identify who has made entries.
Reconciling the total revenue recognized to the general ledger balance.
Explanation
Testing input controls requires attempting to enter invalid data and confirming the system properly rejects or flags the exceptions - directly evaluating whether validation rules operate as designed. Answer A is correct. Access logs (B) test access controls. Reconciliation (C) tests output controls. DR plans (D) are not application control tests.