4) A part of a program that remains idle until some date or event occurs and then is activated to cause havoc in the system is a

A) trap door.

B) data diddle.

C) logic bomb.

D) virus.

Answer:  C

Page Ref: 161

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

5) The unauthorized copying of company data is known as

A) data leakage.

B) eavesdropping.

C) masquerading.

D) phishing.

Answer:  A

Page Ref: 154

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

6) Computer fraud perpetrators who use telephone lines to commit fraud and other illegal acts are typically called

A) hackers.

B) crackers.

C) phreakers.

D) jerks.

Answer:  C

Page Ref: 154

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

7) What is a denial of service attack?

A) A denial of service attack occurs when the perpetrator sends hundreds of messages from randomly generated false addresses, overloading an Internet service provider’s e-mail server.

B) A denial of service attack occurs when an e-mail message is sent through a re-mailer, who removes the message headers making the message anonymous, then resends the message to selected addresses.

C) A denial of service attack occurs when a cracker enters a system through an idle modem, captures the PC attached to the modem, and then gains access to the network to which it is connected.

D) A denial of service attack occurs when the perpetrator e-mails the same message to everyone on one or more Usenet newsgroups LISTSERV lists.

Answer:  A

Page Ref: 150

Objective:  Learning Objective 1

Difficulty :  Moderate

AACSB:  Analytic

8) Gaining control of someone else’s computer to carry out illicit activities without the owner’s knowledge is known as

A) hacking.

B) hijacking.

C) phreaking.

D) sniffing.

Answer:  B

Page Ref: 150

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

9) Illegally obtaining and using confidential information about a person for economic gain is known as

A) eavesdropping.

B) identity theft.

C) packet sniffing.

D) piggybacking.

Answer:  B

Page Ref: 156

Objective:  Learning Objective 2

Difficulty :  Easy

AACSB:  Analytic

10) Tapping into a communications line and then entering the system by accompanying a legitimate user without their knowledge is called

A) superzapping.

B) data leakage.

C) hacking.

D) piggybacking.

Answer:  D

Page Ref: 153

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

11) Which of the following is not a method of identity theft?

A) Scavenging

B) Phishing

C) Shoulder surfing

D) Phreaking

Answer:  D

Page Ref: 154

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

12) Which method of fraud is physical in its nature rather than electronic?

A) cracking

B) hacking

C) eavesdropping

D) scavenging

Answer:  D

Page Ref: 159

Objective:  Learning Objective 2

Difficulty :  Easy

AACSB:  Analytic

13) Which of the following is the easiest method for a computer criminal to steal output without ever being on the premises?

A) dumpster diving

B) by use of a Trojan horse

C) using a telescope to peer at paper reports

D) electronic eavesdropping on computer monitors

Answer:  D

Page Ref: 159

Objective:  Learning Objective 2

Difficulty :  Easy

AACSB:  Analytic

14) The deceptive method by which a perpetrator gains access to the system by pretending to be an authorized user is called

A) cracking.

B) masquerading.

C) hacking.

D) superzapping.

Answer:  B

Page Ref: 153

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

15) The unauthorized access to, and use of, computer systems is known as

A) hacking.

B) hijacking.

C) phreaking.

D) sniffing.

Answer:  A

Page Ref: 149

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

16) A fraud technique that slices off tiny amounts from many projects is called the ________ technique.

A) Trojan horse

B) round down

C) salami

D) trap door

Answer:  C

Page Ref: 154

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

17) Data diddling is

A) gaining unauthorized access to and use of computer systems, usually by means of a personal computer and a telecommunications network.

B) unauthorized copying of company data such as computer files.

C) unauthorized access to a system by the perpetrator pretending to be an authorized user.

D) changing data before, during, or after it is entered into the system in order to delete, alter, or add key system data.

Answer:  D

Page Ref: 154

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

18) Spyware is

A) software that tells the user if anyone is spying on his computer.

B) software that monitors whether spies are looking at the computer.

C) software that monitors computing habits and sends the data it gathers to someone else.

D) none of the above

Answer:  C

Page Ref: 159

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

19) The unauthorized use of special system programs to bypass regular system controls and perform illegal acts is called

A) a Trojan horse.

B) a trap door.

C) the salami technique.

D) superzapping.

Answer:  D

Page Ref: 162

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

20) Computer fraud perpetrators who modify programs during systems development, allowing access into the system that bypasses normal system controls, are using

A) a Trojan horse.

B) a trap door.

C) the salami technique.

D) superzapping.

Answer:  B

Page Ref: 162

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

21) A fraud technique that allows a perpetrator to bypass normal system controls and enter a secured system is called

A) superzapping.

B) data diddling.

C) using a trap door.

D) piggybacking.

Answer:  C

Page Ref: 162

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

22) A set of unauthorized computer instructions in an otherwise properly functioning program is known as a

A) logic bomb.

B) spyware.

C) trap door.

D) Trojan horse.

Answer:  D

Page Ref: 161

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

23) A ________ is similar to a ________, except that it is a program rather than a code segment hidden in a host program.

A) worm; virus

B) Trojan horse; worm

C) worm; Trojan horse

D) virus; worm

Answer:  A

Page Ref: 163

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

24) Wally Hewitt is an accountant with a large accounting firm. The firm has a very strict policy of requiring all users to change their passwords every sixty days. In early March, Wally received an email from the firm that explained that there had been an error updating his password and that provided a link to a Web site with instructions for re-entering his password. Something about the email made Wally suspicious, so he called the firm’s information technology department and found that the email was fictitious. The email was an example of

A) social engineering.

B) phishing.

C) piggybacking.

D) spamming.

Answer:  B

Page Ref: 157

Objective:  Learning Objective 2

Difficulty :  Easy

AACSB:  Analytic

25) Developers of computer systems often include a user name and password that is hidden in the system, just in case they need to get into the system and correct problems in the future. This is referred to as a

A) Trojan horse.

B) key logger.

C) spoof.

D) back door.

Answer:  D

Page Ref: 162

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

26) In the 1960s, techniques were developed that allowed individuals to fool the phone system into providing free access to long distance phone calls. The people who use these methods are referred to as

A) phreakers.

B) hackers.

C) hijackers.

D) superzappers.

Answer:  A

Page Ref: 154

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

27) During a routine audit, a review of cash receipts and related accounting entries revealed discrepancies. Upon further analysis, it was found that figures had been entered correctly and then subsequently changed, with the difference diverted to a fictitious customer account. This is an example of

A) kiting.

B) data diddling.

C) data leakage.

D) phreaking.

Answer:  B

Page Ref: 154

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

28) It was late on a Friday afternoon when Troy Willicott got a call at the help desk for Taggitt Finances. A man with an edge of panic clearly discernible in his voice was on the phone. “I’m really in a bind and I sure hope that you can help me.” He identified himself as Chet Frazier from the Accounting Department. He told Troy that he had to work on a report that was due on Monday morning and that he had forgotten to bring a written copy of his new password home with him. Troy knew that Taggitt’s new password policy, which required that passwords be at least fifteen characters long, contain letters and numbers, and be changed every sixty days, had created problems. Consequently, Troy provided the password, listened as it was read back to him, and was profusely thanked before ending the call. The caller was not Chet Frazier, and Troy Willicott was a victim of

A) phreaking.

B) war dialing.

C) identity theft.

D) social engineering.

Answer:  D

Page Ref: 156

Objective:  Learning Objective 2

Difficulty :  Easy

AACSB:  Analytic

29) Chiller451 was chatting online with 3L3tCowboy. “I can’t believe how lame some people are! 🙂 I can get into any system by checking out the company web site to see how user names are defined and who is on the employee directory. Then, all it takes is brute force to find the password.” Chiller451 is a ________ and the fraud he is describing is ________.

A) phreaker; dumpster diving

B) hacker; social engineering

C) phreaker; the salami technique

D) hacker; password cracking

Answer:  D

Page Ref: 153

Objective:  Learning Objective 1

Difficulty :  Moderate

AACSB:  Analytic

30) After graduating from college with a communications degree, Sylvia Placer experienced some difficulty in finding full-time employment. She freelanced during the summer as a writer and then started a blog in the fall. Shortly thereafter she was contacted by Clickadoo Online Services, who offered to pay her to promote their clients by mentioning them in her blog and linking to their Web sites. She set up several more blogs for this purpose and is now generating a reasonable level of income. She is engaged in

A) Bluesnarfing.

B) splogging.

C) vishing.

D) typosquatting.

Answer:  B

Page Ref: 150

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

31) Telefarm Industries is a telemarketing firm that operates in the Midwest. The turnover rate among employees is quite high. Recently, the information technology manager discovered that an unknown employee had used a Bluetooth-enabled mobile phone to access the firm’s database and copy a list of customers from the past three years that included credit card information. Telefarm was a victim of

A) Bluesnarfing.

B) splogging.

C) vishing.

D) typosquatting.

Answer:  A

Page Ref: 165

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

32) Jim Chan decided to Christmas shop online. He linked to Amazon.com, found a perfect gift for his daughter, registered, and placed his order. It was only later that he noticed that the Web site’s URL was actually Amazom.com. Jim was a victim of

A) Bluesnarfing.

B) splogging.

C) vishing.

D) typosquatting.

Answer:  D

Page Ref: 158

Objective:  Learning Objective 2

Difficulty :  Easy

AACSB:  Analytic

33) Computers that are part of a botnet and are controlled by a bot herder are referred to as

A) posers.

B) zombies.

C) botsquats.

D) evil twins.

Answer:  B

Page Ref: 150

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

34) Jiao Jan had been the Web master for Folding Squid Technologies for only three months when the Web site was inundated with access attempts. The only solution was to shut down the site and then selectively open it to access from certain Web addresses. FST suffered significant losses during the period. The company had been the victim of a(an)

A) denial-of-service attack.

B) zero-day attack.

C) malware attack.

D) cyber-extortion attack.

Answer:  A

Page Ref: 150

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

35) Jiao Jan had been the Web master for Folding Squid Technologies for only three months when he received an anonymous email that threatened to inundate the company Web site with access attempts unless a payment was wired to an account in Eastern Europe. Jiao was concerned that FST would suffer significant losses if the threat was genuine. The author of the email was engaged in

A) a denial-of-service attack.

B) Internet terrorism.

C) hacking.

D) cyber-extortion.

Answer:  D

Page Ref: 154

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

36) Mo Chauncey was arrested in Emporia, Kansas, on February 29, 2008, for running an online business that specialized in buying and reselling stolen credit card information. Mo was charged with

A) typosquatting.

B) carding.

C) pharming.

D) phishing.

Answer:  B

Page Ref: 158

Objective:  Learning Objective 2

Difficulty :  Easy

AACSB:  Analytic

37) I work in the information technology department of a company I’ll call CMV. On Wednesday morning, I arrived at work, scanned in my identity card and punched in my code. This guy in a delivery uniform came up behind me carrying a bunch of boxes. I opened the door for him, he nodded and went on in. I didn’t think anything of it until later. Then I wondered if he might have been

A) pretexting.

B) piggybacking.

C) posing.

D) spoofing.

Answer:  B

Page Ref: 153

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

38) The call to tech support was fairly routine. A first-time computer user had purchased a brand new PC two months ago and it was now operating much more slowly and sluggishly than it had at first. Had he been accessing the Internet? Yes. Had he installed any “free” software? Yes. The problem is likely to be a(an)

A) virus.

B) zero-day attack.

C) denial of service attack.

D) dictionary attack.

Answer:  A

Page Ref: 163

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

39) In November of 2005 it was discovered that many of the new CDs distributed by Sony BMG installed software when they were played on a computer. The software was intended to protect the CDs from copying. Unfortunately, it also made the computer vulnerable to attack by malware run over the Internet. The scandal and resulting backlash were very costly. The software installed by the CDs is a

A) virus.

B) worm.

C) rootkit.

D) squirrel.

Answer:  C

Page Ref: 162

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

40) Which of the following would be least effective to reduce exposure to a computer virus?

A) Only transfer files between employees with USB flash drives.

B) Install and frequently update antivirus software.

C) Install all new software on a stand-alone computer until it is tested.

D) Do not open email attachments from unknown senders.

Answer:  A

Page Ref: 164

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

41) Which of the following is not an example of social engineering?

A) Obtaining and using another person’s Social Security Number, credit card, or other confidential information

B) Creating phony Web sites with names and URL addresses very similar to legitimate Web sites in order to obtain confidential information or to distribute malware or viruses

C) Using email to lure victims into revealing passwords or user IDs

D) Setting up a computer in a way that allows the user to use a neighbor’s unsecured wireless network

Answer:  D

Page Ref: 156-159

Objective:  Learning Objective 2

Difficulty :  Moderate

AACSB:  Analytic

42) How can a system be protected from viruses?

Answer:  Install reliable antivirus software that scans for, identifies, and isolates or destroys viruses. Use caution when copying files onto your diskettes from unknown machines. Ensure the latest version of the antivirus program available is used. Scan all incoming emails for viruses at the server level. All software should be certified as virus-free before loading it into the system. If you use jump drives, diskettes, or CDs, do not put them in unfamiliar machines as they may become infected. Obtain software and diskettes only from known and trusted sources. Use caution when using or purchasing software or diskettes from unknown sources. Deal with trusted software retailers. Ask whether the software you are purchasing comes with electronic techniques that make tampering evident. Check new software on an isolated machine with virus detection software before installing it on the system. Cold boot to clear and reset the system. When necessary, “cold boot” the machine from a write-protected diskette. Have two backups of all files. Restrict the use of public bulletin boards.

Page Ref: 164

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

43) Describe at least six computer attacks and abuse techniques.

Answer: 

Round-down technique  rounded off amounts from calculations and the fraction deposited in perpetrator’s account.

Salami technique  small amounts sliced off and stolen from many projects over a period of time.

Software piracy  unauthorized copying of software, probably the most committed computer crime.

Data diddling  changing data in an unauthorized way.

Data leakage  unauthorized copying of data files.

Piggybacking  latching onto a legitimate user in data communications.

Masquerading or Impersonation  the perpetrator gains access to the system by pretending to be an authorized user.

Hacking  unauthorized access and use of a computer system.

E-mail threats  threatening legal action and asking for money via e-mail.

E-mail forgery  removing message headers, using such anonymous e-mail for criminal activity. Denial of service attack  sending hundreds of e-mail messages from false addresses until the attacked server shuts down.

Internet terrorism  crackers using the Internet to disrupt electronic commerce and communication lines.

Internet misinformation  using the Internet to spread false or misleading information.

War dialing  searching for an idle modem by dialing thousands of telephones and intruding systems through idle modems.

Spamming  e-mailing the same message to everyone on one or more Usenet groups.

Page Ref: 165-167

Objective:  Learning Objective 1

Difficulty :  Moderate

AACSB:  Analytic

44) Describe at least four social engineering techniques.

Answer: 

Piggybacking  latching onto a legitimate user in data communications.

Masquerading or Impersonation  the perpetrator gains access to the system by pretending to be an authorized user.

Social engineering  a perpetrator tricks an employee into giving him the information he needs to get into the system.

Identity theft  illegally assuming someone else’s identity, usually with the social security number.

Pretexting  using an invented scenario to increase the likelihood the victim will give away information.

Posing  fraudsters try to collect personal information by pretending to be legitimate business colleagues.

Phishing  sending email, pretending to be a legitimate business colleague, requesting user ID or password or other confidential data.

Vishing  pretending to be a legitimate business colleague and attempting to get a victim to provide confidential information over the phone.

Carding  using stolen credit card information.

Pharming  redirecting Web site traffic to a spoofed Web site.

Typosquatting  setting up Web sites with names similar to real Web sites.

Scavenging  gaining access to confidential data by searching corporate records in dumpsters or computer storage.

Shoulder surfing  looking over a person’s shoulder in a public place to see PIN or passwords.

Skimming  manually swiping a credit card through a handheld card reader and storing the data for future use.

Eavesdropping  observation of private communications by wiretapping or other surveillance techniques.

E-mail forgery  removing message headers, using such anonymous e-mail for criminal activity.

Page Ref: 157-159

Objective:  Learning Objective 2

Difficulty :  Easy

AACSB:  Analytic

45) Describe the differences between a worm and a virus.

Answer:  A computer virus is a segment of executable code that attaches itself to computer software. A virus has two phases: it replicates itself and spreads to other systems or files, and in the attack phase, the virus carries out its mission to destroy files or the system itself. A worm is similar to a virus, except that it is a program rather than a code segment hidden in a host program. A worm can reside in e-mail attachments, which when opened or activated can damage a user’s system. Worms can also reproduce themselves by mailing themselves to the addresses found in the recipient’s mailing list. Worms do not have long lives, but their lives can be very destructive nonetheless.

Page Ref: 163

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

Chapter 7

1) What is one reason why AIS threats are increasing?

A) LANs and client/server systems are easier to control than centralized, mainframe systems.

B) Many companies do not realize that data security is crucial to their survival.

C) Computer control problems are often overestimated and overly emphasized by management.

D) Many companies believe that protecting information is a strategic requirement.

Answer:  B

Page Ref: 184

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

2) Which of the following is not one of the risk responses identified in the COSO Enterprise Risk Management Framework?

A) Monitoring

B) Avoidance

C) Acceptance

D) Sharing

Answer:  A

Page Ref: 193

Objective:  Learning Objective 6

Difficulty :  Easy

AACSB:  Analytic

3) A control procedure designed so that the employee who records cash received from customers does not also have access to the cash itself is an example of a(n)

A) preventive control.

B) detective control.

C) corrective control.

D) authorization control.

Answer:  A

Page Ref: 185

Objective:  Learning Objective 1

Difficulty :  Moderate

AACSB:  Reflective Thinking

4) At a movie theater box office, all tickets are sequentially prenumbered. At the end of each day, the beginning ticket number is subtracted from the ending number to calculate the number of tickets sold. Then, ticket stubs collected at the theater entrance are counted and compared with the number of tickets sold. Which of the following situations does this control detect?

A) Some customers presented tickets purchased on a previous day when there wasn’t a ticket taker at the theater entrance (so the tickets didn’t get torn).

B) A group of kids snuck into the theater through a back door when customers left after a show.

C) The box office cashier accidentally gives too much change to a customer.

D) The ticket taker admits his friends without tickets.

Answer:  A

Page Ref: 199-200

Objective:  Learning Objective 7

Difficulty :  Moderate

AACSB:  Reflective Thinking

5) At a movie theater box office, all tickets are sequentially prenumbered. At the end of each day, the beginning ticket number is subtracted from the ending number to calculate the number of tickets sold. Cash is counted and compared with the number of tickets sold. Which of the following situations does this control detect?

A) Some customers presented tickets purchased on a previous day when there wasn’t a ticket taker at the theater entrance (so the tickets didn’t get torn).

B) A group of kids snuck into the theater through a back door when customers left after a show.

C) The box office cashier accidentally gives too much change to a customer.

D) The ticket taker admits his friends without tickets.

Answer:  C

Page Ref: 199-200

Objective:  Learning Objective 7

Difficulty :  Moderate

AACSB:  Reflective Thinking

6) Which of the following is an example of a preventive control?

A) approving customer credit prior to approving a sales order

B) reconciling the bank statement to the cash control account

C) counting inventory on hand and comparing counts to the perpetual inventory records

D) maintaining frequent backup records to prevent loss of data

Answer:  A

Page Ref: 185

Objective:  Learning Objective 1

Difficulty :  Moderate

AACSB:  Analytic

7) Independent checks on performance include all the following except

A) data input validation checks.

B) reconciling hash totals.

C) preparing a trial balance report.

D) supervisor review of journal entries and supporting documentation.

Answer:  A

Page Ref: 200

Objective:  Learning Objective 7

Difficulty :  Easy

AACSB:  Analytic

8) A computer operator is allowed to work as a programmer on a new payroll software project. Does this create a potential internal control problem?

A) Yes, the computer operator could alter the payroll program to increase her salary.

B) Yes, this is a potential problem unless the computer operator is supervised by the payroll manager.

C) No, ideal segregation of duties is not usually possible, and operators are often the best at programming changes and updates.

D) No, as long as the computer operator separately accounts for hours worked in programming and in operations.

Answer:  A

Page Ref: 198

Objective:  Learning Objective 7

Difficulty :  Moderate

AACSB:  Analytic

9) One of the objectives of the segregation of duties is to

A) make sure that different people handle different parts of the same transaction.

B) ensure that no collusion will occur.

C) make sure that different people handle different transactions.

D) achieve an optimal division of labor for efficient operations.

Answer:  A

Page Ref: 196

Objective:  Learning Objective 7

Difficulty :  Moderate

AACSB:  Analytic

10) Pam is a receptionist for Dunderhead Paper Co., which has strict corporate policies on appropriate use of corporate resources. The first week of August, Pam saw Michael, the branch manager, putting pencils, pens, erasers, paper and other supplies into his briefcase on his way out the door. This situation best reflects a weakness in which aspect of internal environment, as discussed in the COSO Enterprise Risk Management Framework?

A) Integrity and ethical values

B) Risk management philosophy

C) Restrict access to assets

D) Methods of assigning authority and responsibility

Answer:  A

Page Ref: 189

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

11) Which of the following statements is true?

A) Internal auditors, rather than external auditors, can conduct evaluations of effectiveness of Enterprise Risk Management processes.

B) Re-adding the total of a batch of invoices and comparing the total with the first total you calculated is an example of an independent check.

C) Requiring two signatures on checks over $20,000 is an example of segregation of duties.

D) Although forensic specialists utilize computers, only people can accurately identify fraud.

Answer:  A

Page Ref: 201

Objective:  Learning Objective 7

Difficulty :  Difficult

AACSB:  Reflective Thinking

12) Of the following examples of fraud, which will be the most difficult to prevent and detect? Assume the company enforces adequate segregation of duties.

A) Jim issues credit cards to himself and Marie, and when the credit card balances are just under $1,000, Marie writes off the accounts as bad debt. Jim then issues new cards.

B) An employee puts inventory behind the dumpster while unloading a vendor’s delivery truck, then picks up the inventory later in the day and puts it in her car.

C) A mail room employee steals a check received from a customer and destroys the documentation.

D) The accounts receivable clerk does not record sales invoices for friends or family, so they can receive free goods.

Answer:  A

Page Ref: 197

Objective:  Learning Objective 7

Difficulty :  Difficult

AACSB:  Reflective Thinking

13) According to the Sarbanes-Oxley Act of 2002, the audit committee of the board of directors is directly responsible for

A) hiring and firing the external auditors.

B) performing tests of the company’s internal control structure.

C) certifying the accuracy of the company’s financial reporting process.

D) overseeing day-to-day operations of the internal audit department.

Answer:  A

Page Ref: 186

Objective:  Learning Objective 1

Difficulty :  Moderate

AACSB:  Analytic

14) Go-Go Corporation, a publicly traded company, has three brothers who serve as President, Vice President of Finance and CEO. This situation

A) increases the risk associated with an audit.

B) must be changed before your audit firm could accept the audit engagement.

C) is a violation of the Sarbanes-Oxley Act.

D) violates the Securities and Exchange Act.

Answer:  A

Page Ref: 193

Objective:  Learning Objective 6

Difficulty :  Easy

AACSB:  Analytic

15) Which of the following is a control related to design and use of documents and records?

A) Sequentially prenumbering sales invoices

B) Comparing physical inventory counts with perpetual inventory records

C) Reconciling the bank statement to the general ledger

D) Locking blank checks in a drawer or safe

Answer:  A

Page Ref: 199

Objective:  Learning Objective 7

Difficulty :  Easy

AACSB:  Analytic

16) Which of the following duties could be performed by the same individual without violating segregation of duties controls?

A) Approving accounting software change requests and testing production scheduling software changes

B) Programming new code for accounting software and testing accounting software upgrades

C) Approving software changes and implementing the upgraded software

D) Managing accounts payable function and revising code for accounting software to more efficiently process discount due dates on vendor invoices

Answer:  A

Page Ref: 198

Objective:  Learning Objective 7

Difficulty :  Moderate

AACSB:  Reflective Thinking

17) With a limited work force and a desire to maintain strong internal control, which combination of duties would result in the lowest risk exposure?

A) Updating the inventory subsidiary ledgers and recording purchases in the purchases journal

B) Approving a sales return on a customer’s account and depositing customers’ checks in the bank

C) Updating the general ledger and working in the inventory warehouse

D) Entering payments to vendors in the cash disbursements journal and entering cash received from customers in the cash receipts journal

Answer:  D

Page Ref: 196-197

Objective:  Learning Objective 7

Difficulty :  Moderate

AACSB:  Reflective Thinking

18) Which of the following is not a factor of internal environment according to the COSO Enterprise Risk Management Framework?

A) Analyzing past financial performance and reporting

B) Providing sufficient resources to knowledgeable employees to carry out duties

C) Disciplining employees for violations of expected behavior

D) Setting realistic targets for long-term performance

Answer:  A

Page Ref: 188

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

19) Which of the following suggests a weakness in a company’s internal environment?

A) The audit committee regularly meets with the external auditors.

B) The Board of Directors is primarily independent directors.

C) The company has an up-to-date organizational chart.

D) Formal employee performance evaluations are prepared every three years.

Answer:  D

Page Ref: 191

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

20) Which of the following statements about internal environment is false?

A) Management’s attitudes toward internal control and ethical behavior have only minimal impact on employee beliefs or actions.

B) Supervision is especially important in organizations that cannot afford elaborate responsibility reporting or are too small to have adequate segregation of duties.

C) An overly complex or unclear organizational structure may be indicative of more serious problems.

D) A written policy and procedures manual is an important tool for assigning authority and responsibility.

Answer:  A

Page Ref: 189

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Reflective Thinking

21) Which of the following is not a reason for the increase in security problems for AIS?

A) Confidentiality issues caused by interlinked inter-company networks

B) Difficult to control distributed computing networks

C) Increasing efficiency resulting from more automation

D) Increasing numbers of information systems and users

Answer:  C

Page Ref: 184

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

22) One reason why many organizations do not adequately protect their systems is that

A) control problems may be overestimated by many companies.

B) productivity and cost cutting cause management to forgo implementing and maintaining internal controls.

C) control technology has not yet been developed.

D) all of the above

Answer:  B

Page Ref: 184

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

23) Accountants must try to protect the AIS from threats. Which of the following would be a measure that should be taken?

A) Take a proactive approach to eliminate threats.

B) Detect threats that do occur.

C) Correct and recover from threats that do occur.

D) All of the above are proper measures for the accountant to take.

Answer:  D

Page Ref: 185

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

24) The process that a business uses to safeguard assets, provide accurate and reliable information, and promote and improve operational efficiency is known as

A) a phenomenon.

B) internal control.

C) an AIS threat.

D) a preventive control.

Answer:  B

Page Ref: 184

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

25) Safeguarding assets is one of the control objectives of internal control. Which of the following is not one of the other control objectives?

A) providing accurate and reliable information

B) promoting operational efficiency

C) ensuring that no fraud has occurred

D) encouraging adherence to management policies

Answer:  C

Page Ref: 184

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

26) Internal control is often referred to as a(n) ________, because it permeates an organization’s operating activities and is an integral part of management activities.

A) event

B) activity

C) process

D) system

Answer:  C

Page Ref: 184

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

27) Which of the following is accomplished by corrective controls?

A) Identify the cause of the problem.

B) Correct the resulting errors.

C) Modify the system to prevent future occurrences of the problem.

D) All of the above are accomplished by corrective controls.

Answer:  D

Page Ref: 185

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

28) Duplicate checking of calculations is an example of a ________ control, and procedures to resubmit rejected transactions are an example of a ________ control.

A) corrective; detective

B) detective; corrective

C) preventive; corrective

D) detective; preventive

Answer:  B

Page Ref: 185

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

29) What is not a corrective control procedure?

A) Identify the cause of a problem.

B) Deter problems before they arise.

C) Correct resulting errors or difficulties.

D) Modify the system so that future problems are minimized or eliminated.

Answer:  B

Page Ref: 185

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

30) ________ controls are designed to make sure an organization’s control environment is stable and well managed.

A) Application

B) Detective

C) General

D) Preventive

Answer:  C

Page Ref: 185

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

31) ________ controls prevent, detect and correct transaction errors and fraud.

A) Application

B) Detective

C) General

D) Preventive

Answer:  A

Page Ref: 185

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

32) The primary purpose of the Foreign Corrupt Practices Act of 1977 was

A) to require corporations to maintain a good system of internal control.

B) to prevent the bribery of foreign officials by American companies.

C) to require the reporting of any material fraud by a business.

D) All of the above are required by the act.

Answer:  B

Page Ref: 185

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

33) Congress passed this federal law for the purpose of preventing financial statement fraud, to make financial reports more transparent and to strengthen the internal control of public companies.

A) Foreign Corrupt Practices Act of 1977

B) The Securities Exchange Act of 1934

C) The Sarbanes-Oxley Act of 2002

D) The Control Provision of 1998

Answer:  C

Page Ref: 185

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

34) Which of the following is not one of the important aspects of the Sarbanes-Oxley Act?

A) The creation of the Public Company Accounting Oversight Board

B) New rules for auditors and management

C) New roles for audit committees

D) New rules for information systems development

Answer:  D

Page Ref: 186

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

35) A(n) ________ helps employees act ethically by setting limits beyond which an employee must not pass.

A) boundary system

B) diagnostic control system

C) interactive control system

D) internal control system

Answer:  A

Page Ref: 185

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

36) A(n) ________ measures company progress by comparing actual performance to planned performance.

A) boundary system

B) diagnostic control system

C) interactive control system

D) internal control system

Answer:  B

Page Ref: 185

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

37) A(n) ________ helps top-level managers with high-level activities that demand frequent and regular attention.

A) boundary system

B) diagnostic control system

C) interactive control system

D) internal control system

Answer:  C

Page Ref: 185

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

38) This control framework addresses the issue of control from three vantage points: business objectives, information technology resources, and information technology processes.

A) ISACA’s control objectives for information and related technology

B) COSO’s internal control framework

C) COSO’s enterprise risk management framework

D) none of the above

Answer:  A

Page Ref: 186

Objective:  Learning Objective 2

Difficulty :  Easy

AACSB:  Analytic

39) This control framework’s intent includes helping the organization to provide reasonable assurance that objectives are achieved and problems are minimized, and to avoid adverse publicity and damage to the organization’s reputation.

A) ISACA’s control objectives for information and related technology

B) COSO’s internal control framework

C) COSO’s enterprise risk management framework

D) none of the above

Answer:  C

Page Ref: 187

Objective:  Learning Objective 2

Difficulty :  Easy

AACSB:  Analytic

40) The COSO Enterprise Risk Management Framework includes eight components. Which of the following is not one of them?

A) control environment

B) risk assessment

C) compliance with federal, state, or local laws

D) monitoring

Answer:  C

Page Ref: 188

Objective:  Learning Objective 2

Difficulty :  Easy

AACSB:  Analytic

41) Which of the following is not one of the eight interrelated risk and control components of COSO Enterprise Risk Management Framework?

A) Internal environment

B) Monitoring

C) Risk response

D) Event assessment

Answer:  D

Page Ref: 188

Objective:  Learning Objective 2

Difficulty :  Moderate

AACSB:  Analytic

42) The COSO Enterprise Risk Management Integrated Framework stresses that

A) risk management activities are an inherent part of all business operations and should be considered during strategy setting.

B) effective risk management is comprised of just three interrelated components: internal environment, risk assessment, and control activities.

C) risk management is the sole responsibility of top management.

D) risk management policies, if enforced, guarantee achievement of corporate objectives.

Answer:  A

Page Ref: 187

Objective:  Learning Objective 2

Difficulty :  Moderate

AACSB:  Analytic

43) Which of the following would be considered a “red flag” for problems with management operating style if the question were answered “yes”?

A) Does management take undue business risks to achieve its objectives?

B) Does management attempt to manipulate performance measures such as net income?

C) Does management pressure employees to achieve results regardless of the methods?

D) All of the above statements would raise “red flags” if answered “yes.”

Answer:  D

Page Ref: 189

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

44) Which component of the COSO Enterprise Risk Management Integrated Framework is concerned with understanding how transactions are initiated, data are captured and processed, and information is reported?

A) Information and communication

B) Internal environment

C) Event identification

D) Objective setting

Answer:  A

Page Ref: 201

Objective:  Learning Objective 8

Difficulty :  Easy

AACSB:  Analytic

45) The COSO Enterprise Risk Management Integrated Framework identifies four objectives necessary to achieve corporate goals. Objectives specifically identified include all of the following except

A) implementation of newest technologies.

B) compliance with laws and regulations.

C) effective and efficient operations.

D) reliable reporting.

Answer:  A

Page Ref: 192

Objective:  Learning Objective 4

Difficulty :  Easy

AACSB:  Analytic

46) The audit committee of the board of directors

A) is usually chaired by the CFO.

B) conducts testing of controls on behalf of the external auditors.

C) provides a check and balance on management.

D) does all of the above.

Answer:  C

Page Ref: 189

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

47) The audit committee is responsible for

A) overseeing the internal control structure.

B) overseeing the financial reporting process.

C) working with the internal and external auditors.

D) All of the above are responsibilities.

Answer:  D

Page Ref: 189

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

48) The definition of the lines of authority and responsibility and the overall framework for planning, directing, and controlling is laid out by the

A) control activities

B) organizational structure

C) budget framework

D) internal environment

Answer:  B

Page Ref: 190

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

49) Reducing management layers, creating self-directed work teams, and emphasizing continuous improvement are all related to which aspect of internal environment?

A) Organizational structure

B) Methods of assigning authority and responsibility

C) Management philosophy and operating style

D) Commitment to competence

Answer:  A

Page Ref: 190

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

50) Personnel policies such as background checks, mandatory vacations, and rotation of duties tend to deter

A) unintentional errors.

B) employee fraud or embezzlement.

C) fraud by outsiders.

D) disgruntled employees.

Answer:  B

Page Ref: 190-191

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

51) The SEC and FASB are best described as external influences that directly affect an organization’s

A) hiring practices.

B) philosophy and operating style.

C) internal environment.

D) methods of assigning authority.

Answer:  C

Page Ref: 192

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

52) Which attribute below is not an aspect of the COSO ERM Framework internal environment?

A) Enforcing a written code of conduct

B) Holding employees accountable for achieving objectives

C) Restricting access to assets

D) Avoiding unrealistic expectations

Answer:  C

Page Ref: 188

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

53) The amount of risk a company is willing to accept in order to achieve its goals and objectives is

A) Inherent risk

B) Residual risk

C) Risk appetite

D) Risk assessment

Answer:  C

Page Ref: 189

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

54) The risk that remains after management implements internal controls is

A) Inherent risk

B) Residual risk

C) Risk appetite

D) Risk assessment

Answer:  B

Page Ref: 193

Objective:  Learning Objective 6

Difficulty :  Easy

AACSB:  Analytic

55) The risk that exists before management takes any steps to control the likelihood or impact of a risk is

A) Inherent risk

B) Residual risk

C) Risk appetite

D) Risk assessment

Answer:  A

Page Ref: 193

Objective:  Learning Objective 6

Difficulty :  Easy

AACSB:  Analytic

56) When undertaking risk assessment, the expected loss is calculated as

A) Impact times expected loss

B) Impact times likelihood

C) Inherent risk times likelihood

D) Residual risk times likelihood

Answer:  B

Page Ref: 194

Objective:  Learning Objective 6

Difficulty :  Easy

AACSB:  Analytic

57) Generally in a risk assessment process, the first step is to

A) identify the threats that the company currently faces.

B) estimate the risk probability of negative events occurring.

C) estimate the exposure from negative events.

D) identify controls to reduce all risk to zero.

Answer:  A

Page Ref: 194

Objective:  Learning Objective 6

Difficulty :  Easy

AACSB:  Analytic

58) Store policy that allows retail clerks to process sales returns for $300 or less, with a receipt dated within the past 60 days, is an example of

A) general authorization.

B) specific authorization.

C) special authorization.

D) generic authorization.

Answer:  A

Page Ref: 196

Objective:  Learning Objective 7

Difficulty :  Easy

AACSB:  Reflective Thinking

59) Corporate policy that requires a purchasing agent and purchasing department manager to sign off on asset purchases over $1,500 is an example of

A) general authorization.

B) specific authorization.

C) special authorization.

D) generic authorization.

Answer:  B

Page Ref: 196

Objective:  Learning Objective 7

Difficulty :  Easy

AACSB:  Reflective Thinking

60) A document that shows all projects that must be completed and the related IT needs in order to achieve long-range company goals is known as a

A) performance evaluation.

B) project development plan.

C) data processing schedule.

D) strategic master plan.

Answer:  D

Page Ref: 198

Objective:  Learning Objective 7

Difficulty :  Moderate

AACSB:  Analytic

61) A ________ is created to guide and oversee systems development and acquisition.

A) performance evaluation

B) project development plan

C) steering committee

D) strategic master plan

Answer:  C

Page Ref: 198

Objective:  Learning Objective 7

Difficulty :  Easy

AACSB:  Analytic

62) A ________ shows how a project will be completed, including tasks and who will perform them as well as a timeline and cost estimates.

A) performance evaluation

B) project development plan

C) steering committee

D) strategic master plan

Answer:  B

Page Ref: 198

Objective:  Learning Objective 7

Difficulty :  Easy

AACSB:  Analytic

63) Which of the following is not a violation of the Sarbanes-Oxley Act (SOX)? The management at Folding Squid Technologies

A) asked their auditors to make recommendations for the redesign of their information technology system and to aid in the implementation process.

B) hired the manager from the external audit team as company CFO twelve months after the manager had worked on the audit.

C) selected the company’s Chief Financial Officer to chair the audit committee.

D) did not mention to auditors that the company had experienced significant losses due to fraud during the past year.

Answer:  B

Page Ref: 186

Objective:  Learning Objective 1

Difficulty :  Moderate

AACSB:  Analytic

64) The Sarbanes-Oxley Act (SOX) applies to

A) all companies with gross annual revenues exceeding $500 million.

B) publicly held companies with gross annual revenues exceeding $500 million.

C) all private and publicly held companies incorporated in the United States.

D) all publicly held companies.

Answer:  D

Page Ref: 185

Objective:  Learning Objective 1

Difficulty :  Moderate

AACSB:  Analytic

65) Chuck Hewitt was relaxing after work with a colleague at a local watering hole. Well into his second martini, he began expressing his opinions about his company’s budgeting practices. It seems that, as a result of “budget handcuffs” that require managers to explain material deviations from budgeted expenditures, his ability to creatively manage his department’s activities has been curtailed. The level of control that the company is using in this case is a

A) boundary system.

B) belief system.

C) interactive control system.

D) diagnostic control system.

Answer:  D

Page Ref: 185

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

66) Chuck Hewitt was relaxing after work with a colleague at a local watering hole. Well into his second martini, he began expressing his opinions about his work environment. It seems that, as a result of “feminazi” interference, the suggestive banter that had been prevalent in the workplace during his youth was no longer acceptable. He even had to sit through a sexual harassment workshop! The level of control that the company is using in this case is a

A) boundary system.

B) belief system.

C) interactive control system.

D) diagnostic control system.

Answer:  A

Page Ref: 185

Objective:  Learning Objective 1

Difficulty :  Moderate

AACSB:  Analytic

67) River Rafting Adventures of Iowa provides rafts and tour guides to tourists eager to ride the wild rivers of Iowa. Management has determined that there is one chance in a thousand of a client being injured or killed. Settlement of resulting lawsuits has an average cost of $650,000. Insurance with a $50,000 deductible is available. It covers the costs of lawsuits, unless there is evidence of criminal negligence. What is the impact of this risk without insurance?

A) $50,000

B) $650,000

C) $650

D) $50

Answer:  B

Page Ref: 194

Objective:  Learning Objective 6

Difficulty :  Easy

AACSB:  Analytic

68) River Rafting Adventures of Iowa provides rafts and tour guides to tourists eager to ride the wild rivers of Iowa. Management has determined that there is one chance in a thousand of a client being injured or killed. Settlement of resulting lawsuits has an average cost of $650,000. Insurance with a $50,000 deductible is available. It covers the costs of lawsuits, unless there is evidence of criminal negligence. What is the expected loss without insurance?

A) $50,000

B) $650,000

C) $650

D) $50

Answer:  C

Page Ref: 194

Objective:  Learning Objective 6

Difficulty :  Easy

AACSB:  Analytic

69) River Rafting Adventures of Iowa provides rafts and tour guides to tourists eager to ride the wild rivers of Iowa. Management has determined that there is one chance in a thousand of a client being injured or killed. Settlement of resulting lawsuits has an average cost of $650,000. Insurance with a $50,000 deductible is available. It covers the costs of lawsuits, unless there is evidence of criminal negligence. What is the expected loss with insurance?

A) $50,000

B) $650,000

C) $650

D) $50

Answer:  D

Page Ref: 194

Objective:  Learning Objective 6

Difficulty :  Easy

AACSB:  Analytic

70) River Rafting Adventures of Iowa provides rafts and tour guides to tourists eager to ride the wild rivers of Iowa. Management has determined that there is one chance in a thousand of a client being injured or killed. Settlement of resulting lawsuits has an average cost of $650,000. Insurance with a $50,000 deductible is available. It covers the costs of lawsuits, unless there is evidence of criminal negligence. Based on cost-benefit analysis, what is the most that the business should pay for the insurance?

A) $500

B) $650

C) $600

D) $50

Answer:  C

Page Ref: 194

Objective:  Learning Objective 6

Difficulty :  Easy

AACSB:  Analytic

71) Due to data errors occurring from time to time in processing the Albert Company’s payroll, the company’s management is considering the addition of a data validation control procedure that is projected to reduce the risk of these data errors from 13% to 2%. The cost of the payroll reprocessing is estimated to be $11,000. The cost of implementing the data validation control procedure is expected to be $700. Which of the following statements is true?

A) The data validation control procedure should be implemented because its net estimated benefit is $510.

B) The data validation control procedure should be implemented because its cost of $700 is less than the payroll reprocessing cost of $1,430.

C) The data validation control procedure should not be implemented because its cost of $700 exceeds the expected benefit by $480.

D) The data validation control procedure should not be implemented because its net estimated benefit is a negative $1,210.

Answer:  A

Page Ref: 194

Objective:  Learning Objective 6

Difficulty :  Moderate

AACSB:  Analytic

72) The organization chart for Geerts Corporation includes a controller and an information processing manager, both of whom report to the vice president of finance. Which of the following would be a control weakness?

A) Assigning the programming and operating of the computer system to an independent control group which reports to the controller

B) Providing for maintenance of input data controls by an independent control group which reports to the controller

C) Periodically rotating assignment of application processing among machine operators, who all report to the information processing manager

D) Providing for review and distribution of system-generated reports by an independent control group which reports to the controller

Answer:  A

Page Ref: 198

Objective:  Learning Objective 7

Difficulty :  Moderate

AACSB:  Reflective Thinking

73) Global Economic Strategies, L.L.D., has been diligent in ensuring that their operations meet modern control standards. Recently, they have extended their control compliance system by incorporating policies and procedures that require the specification of company objectives, uncertainties associated with objectives, and contingency plans. They are transitioning from a ________ to a ________ control framework.

A) COSO-Integrated Framework; COBIT

B) COBIT; COSO-Integrated Framework

C) COBIT; COSO-ERM

D) COSO-Integrated Framework; COSO-ERM

E) COSO-ERM; COBIT

Answer:  D

Page Ref: 187-188

Objective:  Learning Objective 2

Difficulty :  Moderate

AACSB:  Reflective Thinking

74) FranticHouse Partners, L.L.C., does home remodeling and repair. All employees are bonded, so the firm’s risk exposure to employee fraud is

A) reduced.

B) shared.

C) avoided.

D) accepted.

Answer:  B

Page Ref: 193

Objective:  Learning Objective 6

Difficulty :  Easy

AACSB:  Analytic

75) FranticHouse Partners, L.L.C., does home remodeling and repair. The firm does not accept jobs that require the installation of slate or copper roofing because these materials often require costly post-installation services. The firm’s risk exposure to costly post-installation services is

A) reduced.

B) shared.

C) avoided.

D) accepted.

Answer:  C

Page Ref: 193

Objective:  Learning Objective 6

Difficulty :  Easy

AACSB:  Analytic

76) According to the COSO Enterprise Risk Management Framework, the risk assessment process incorporates all of the following components except

A) reporting potential risks to auditors.

B) identifying events that could impact the enterprise.

C) evaluating the impact of potential events on achievement of objectives.

D) establishing objectives for the enterprise.

Answer:  A

Page Ref: 193

Objective:  Learning Objective 6

Difficulty :  Moderate

AACSB:  Analytic

77) Ferdinand Waldo Demara was known as the great imposter. He had an astounding ability to convince people that he was who he truly was not. He worked as a naval officer, physician, college teacher, prison warden, and other jobs without any of the prerequisite qualifications. By not diligently checking references, the organizations fooled by Demara (including the Canadian Navy) apparently chose to ________ the risk of fraud.

A) reduce

B) share

C) avoid

D) accept

Answer:  D

Page Ref: 193

Objective:  Learning Objective 6

Difficulty :  Easy

AACSB:  Analytic

78) Which of the following is an independent check on performance?

A) The Purchasing Agent physically reviews the contents of shipments and compares them with the purchase orders he has placed.

B) Production teams perform quality evaluations of the products that they produce.

C) The General Manager compares budgeted amounts with expenditure records from all departments.

D) Petty cash is disbursed by Fred Haynes. He also maintains records of disbursements, places requests to finance to replace expended funds, and periodically reconciles the petty cash balance.

Answer:  C

Page Ref: 200

Objective:  Learning Objective 7

Difficulty :  Easy

AACSB:  Analytic

79) Petty cash is disbursed by Fred Haynes in the Cashier’s Office. He also maintains records of disbursements, places requests to the Finance Department to replace expended funds, and periodically reconciles the petty cash balance. This represents a(an) ________ segregation of duties.

A) effective

B) ideal

C) ineffective

D) limited

Answer:  C

Page Ref: 196

Objective:  Learning Objective 7

Difficulty :  Easy

AACSB:  Analytic

80) Hiring decisions at Frazier’s Razors are made by Sheila Frazier, the Director of Human Resources. Pay rates are approved by the Vice President for Operations. At the end of each pay period, supervisors submit time cards to Sheila, who prepares paycheck requisitions. Paychecks are then distributed through the company’s mail room. This represents a(an) ________ segregation of duties.

A) effective

B) partial

C) ineffective

D) limited

Answer:  A

Page Ref: 196

Objective:  Learning Objective 7

Difficulty :  Moderate

AACSB:  Reflective Thinking

81) Change management refers to

A) disbursement controls on petty cash.

B) operational controls applied to companies after mergers or acquisitions.

C) replacement of upper management and their introduction to the organization.

D) controls designed to ensure that updates in information technology do not have negative consequences.

Answer:  D

Page Ref: 199

Objective:  Learning Objective 7

Difficulty :  Easy

AACSB:  Analytic

82) The Director of Information Technology for the city of Bumpkiss, Minnesota, formed a company to sell computer supplies and software. All purchases made on behalf of the City were made from his company. He was later charged with fraud for overcharging the City, but was not convicted. The control issue in this case arose because the Director had both ________ and ________ duties.

A) custody; authorization

B) custody; recording

C) recording; authorization

D) management; custody

Answer:  C

Page Ref: 196

Objective:  Learning Objective 7

Difficulty :  Moderate

AACSB:  Reflective Thinking

83) According to the ERM, these help the company address all applicable laws and regulations.

A) Compliance objectives

B) Operations objectives

C) Reporting objectives

D) Strategic objectives

Answer:  A

Page Ref: 192

Objective:  Learning Objective 4

Difficulty :  Easy

AACSB:  Analytic

84) According to the ERM, high-level goals that are aligned with and support the company’s mission are

A) compliance objectives.

B) operations objectives.

C) reporting objectives.

D) strategic objectives.

Answer:  D

Page Ref: 192

Objective:  Learning Objective 4

Difficulty :  Easy

AACSB:  Analytic

85) According to the ERM, these deal with the effectiveness and efficiency of company operations, such as performance and profitability goals.

A) Compliance objectives

B) Operations objectives

C) Reporting objectives

D) Strategic objectives

Answer:  B

Page Ref: 192

Objective:  Learning Objective 4

Difficulty :  Easy

AACSB:  Analytic

86) According to the ERM, these objectives help ensure the accuracy, completeness and reliability of internal and external company reports.

A) Compliance objectives

B) Operations objectives

C) Reporting objectives

D) Strategic objectives

Answer:  C

Page Ref: 192

Objective:  Learning Objective 4

Difficulty :  Easy

AACSB:  Analytic

87) Which of the following is not a risk reduction element of a disaster recovery plan?

A) Identification of alternate work site

B) Off-site storage of backup files and programs

C) Documentation of procedures and responsibilities

D) Adequate casualty insurance

Answer:  D

Page Ref: 193

Objective:  Learning Objective 6

Difficulty :  Difficult

AACSB:  Reflective Thinking

88) Describe the differences between general and specific authorization.

Answer:  Authorizations are often documented by signing, initialing, or entering an authorization code on a transaction document or record. Management may deem that certain transactions are of a routine nature and as such may authorize employees to handle such transactions without special approval. This is known as general authorization. Other transactions may be of such consequence that management grants specific authorization for them to occur. Usually management must approve such transactions and oversee them to completion, for example by requiring an additional signature on checks exceeding a given dollar amount. Management should have written policies on both specific and general authorization for all types of transactions.

Page Ref: 196

Objective:  Learning Objective 7

Difficulty :  Moderate

AACSB:  Analytic

89) Explain how a company could be the victim of fraud, even if ideal segregation of duties is enforced.

Answer:  When a system effectively incorporates a separation of duties, it should be difficult for any one employee to defeat the system and commit fraud. Fraud is still possible when two or more employees agree to defeat the system for their own dishonest ends. This problem is known as collusion. When two or more employees act together to defeat the internal controls of the system, they are likely to succeed. It is more difficult to detect such activity because the employees may have planned to “cover their tracks.” This is why independent review of transaction activity by third parties is important to monitor that internal controls are in place and working as designed.

Page Ref: 197

Objective:  Learning Objective 7

Difficulty :  Moderate

AACSB:  Reflective Thinking

90) Classify each of the following controls as preventive, detective, or corrective.

Periodic bank reconciliation

Separation of cash and accounting records

Maintaining backup copies of master and transaction files

Pre-numbering of sales invoices

Chart of accounts

Retina scan before entering a sensitive R & D facility

Resubmission of error transactions for subsequent processing

Internal auditor rechecking the debits and credits on the payment voucher

Depositing all cash receipts intact

Hiring qualified accounting personnel

Answer:

Periodic bank reconciliation: Detective

Separation of cash and accounting records: Preventive

Maintaining backup copies of master and transaction files: Corrective

Pre-numbering of sales invoices: Preventive

Chart of accounts: Preventive

Retina scan before entering a sensitive R & D facility: Preventive

Resubmission of error transactions for subsequent processing: Corrective

Internal auditor rechecking the debits and credits on the payment voucher: Detective

Depositing all cash receipts intact: Preventive

Hiring qualified accounting personnel: Preventive

Page Ref: 185

Objective:  Learning Objective 1

Difficulty :  Moderate

AACSB:  Analytic

91) Discuss four reasons why AIS threats are increasing.

Answer: 

1. Client/server systems have proliferated and have enabled large numbers of employees to have access to the information.

2. LANs and client/server systems distribute data to various users and are more difficult to control than centralized systems.

3. EDI and e-commerce have enabled customers and suppliers to access each other’s systems and data, making confidentiality a major concern.

4. Organizations are not aggressively protecting their data for various reasons.

5. Computer control problems are often underestimated and downplayed.

6. Control implications of networked systems are not properly reasoned out.

7. Top management does not grasp the effect of data and information security on the survival and profitability of the company.

8. Internal controls become a casualty in cost cutting and productivity measures undertaken by the management.

Page Ref: 184

Objective:  Learning Objective 1

Difficulty :  Moderate

AACSB:  Analytic

92) Explain why the Foreign Corrupt Practices Act was important to accountants.

Answer:  The act is important to accountants because it incorporates the language of the AICPA pronouncement on internal controls. The Act mandates that corporations should keep records that accurately and fairly reflect their transactions and assets in reasonable detail. The internal control system of these organizations should be able to provide reasonable assurance that: a) transactions are properly authorized and recorded; b) assets are safeguarded and protected from unauthorized access; and c) recorded asset values are periodically compared with actual assets and any differences are corrected. The act requires corporations to maintain good systems of internal accounting control.

Page Ref: 185

Objective:  Learning Objective 1

Difficulty :  Moderate

AACSB:  Analytic

93) Discuss the internal environment and identify the elements that comprise the internal environment.

Answer:  The internal environment embraces individuals and the environment in which they operate in an organization. Individual employees are “the engine” that drive the organization and form the foundation upon which everything in the organization rests. Elements of the internal environment are: 1) a commitment to integrity and ethical values; 2) the philosophy and operating style of management; 3) organizational structure; 4) the audit committee of the board of directors; 5) methods of assigning authority and responsibility; 6) human resources policies and practices; and 7) various external influences. Each of these elements influences the internal control structure of the organization. Likewise, these elements should be examined and analyzed in detail when implementing or evaluating a system of internal controls.

Page Ref: 188

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

94) Explain why management’s philosophy and operating style are considered to be the most important element of the internal environment.

Answer:  Management truly sets the tone for the control environment of a business. If top management takes good control seriously and makes this known to everyone in the organization, then employees down the line will tend to do likewise. Management’s attitude toward risk taking and the assessment of risk before acting are indications. Willingness to manipulate performance measures or to encourage employees to do likewise is another indication of attitude. Finally, pressure on subordinates to achieve certain results regardless of the methods used can be a very persuasive indicator of problems. Management concerned about control will assess risk and act prudently, manipulation of performance measures will not be tolerated, and ethical behavior will be instilled in and required of employees.

Page Ref: 189

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Reflective Thinking

95) What are some of the ways to assign authority and responsibility within an organization?

Answer:  It is incumbent on management to identify specific business objectives and assign such objectives to certain departments and individuals. Management must also hold such departments and individuals responsible and accountable for achieving the assigned business objectives. Ways in which management may assign authority and responsibility are through formal job descriptions, employee training, budgets, operating plans, and scheduling. A formal code of conduct also sets the stage for responsible behavior on the part of employees by defining ethical behavior, acceptable business practices, regulatory requirements, and conflicts of interest. Another useful and important tool is a written policy and procedures manual.

Page Ref: 190

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

96) Discuss the weaknesses in COSO’s internal control framework that led to the development of the COSO Enterprise Risk Management framework.

Answer:  COSO’s internal control framework

1. had too narrow a focus.

2. examined controls without first addressing the purposes and risks of business processes.

3. led to existing internal control systems that often have controls protecting against items that are no longer risks or are no longer important.

4. focused on controls first, which has an inherent bias toward past problems and concerns.

Page Ref: 187-188

Objective:  Learning Objective 2

Difficulty :  Moderate

AACSB:  Analytic

Chapter 8  

1) The Trust Services Framework reliability principle that states that users must be able to enter, update, and retrieve data during agreed-upon times is known as

A) availability.

B) security.

C) maintainability.

D) integrity.

Answer:  A

Page Ref: 221

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

2) Which of the following is not a useful control procedure to control access to system outputs?

A) Allowing visitors to move through the building without supervision

B) Coding reports to reflect their importance

C) Requiring employees to log out of applications when leaving their desk

D) Restricting access to rooms with printers

Answer:  A

Page Ref: 229

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

3) According to the Trust Services Framework, the reliability principle of integrity is achieved when the system produces data that

A) is available for operation and use at times set forth by agreement.

B) is protected against unauthorized physical and logical access.

C) can be maintained as required without affecting system availability, security, and integrity.

D) is complete, accurate, and valid.

Answer:  D

Page Ref: 221

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

4) Which of the following is not one of the three fundamental information security concepts?

A) Information security is a technology issue based on prevention.

B) Security is a management issue, not a technology issue.

C) The idea of defense-in-depth employs multiple layers of controls.

D) The time-based model of security focuses on the relationship between preventive, detective and corrective controls.

Answer:  A

Page Ref: 222-224

Objective:  Learning Objective 2

Difficulty :  Easy

AACSB:  Analytic

5) Which of the following is not one of the essential criteria for successfully implementing each of the principles that contribute to systems reliability, as discussed in the Trust Services Framework?

A) Developing and documenting policies

B) Effectively communicating policies to all outsiders

C) Designing and employing appropriate control procedures to implement policies

D) Monitoring the system and taking corrective action to maintain compliance with policies

Answer:  B

Page Ref: 223

Objective:  Learning Objective 2

Difficulty :  Easy

AACSB:  Analytic

6) If the time an attacker takes to break through the organization’s preventive controls is greater than the sum of the time required to detect the attack and the time required to respond to the attack, then security is

A) effective.

B) ineffective.

C) overdone.

D) undermanaged.

Answer:  A

Page Ref: 224

Objective:  Learning Objective 2

Difficulty :  Moderate

AACSB:  Analytic

7) Verifying the identity of the person or device attempting to access the system is

A) authentication.

B) authorization.

C) identification.

D) threat monitoring.

Answer:  A

Page Ref: 226

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

8) Restricting users’ access to specific portions of the system, as well as to specific tasks, is

A) authentication.

B) authorization.

C) identification.

D) threat monitoring.

Answer:  B

Page Ref: 228

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

9) Which of the following is an example of a preventive control?

A) Encryption

B) Log analysis

C) Intrusion detection

D) Emergency response teams

Answer:  A

Page Ref: 228

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

10) Which of the following is an example of a detective control?

A) Physical access controls

B) Encryption

C) Log analysis

D) Emergency response teams

Answer:  C

Page Ref: 237

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

11) Which of the following is an example of a corrective control?

A) Physical access controls

B) Encryption

C) Intrusion detection

D) Incident response teams

Answer:  D

Page Ref: 239

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

12) Which of the following is not a requirement of effective passwords?

A) Passwords should be changed at regular intervals.

B) Passwords should be no more than 8 characters in length.

C) Passwords should contain a mixture of upper and lowercase letters, numbers and characters.

D) Passwords should not be words found in dictionaries.

Answer:  B

Page Ref: 227

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

13) Multi-factor authentication

A) involves the use of two or more basic authentication methods.

B) is a table specifying which portions of the systems users are permitted to access.

C) provides weaker authentication than the use of effective passwords.

D) requires the use of more than one effective password.

Answer:  A

Page Ref: 228

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

14) An access control matrix

A) does not have to be updated.

B) is a table specifying which portions of the system users are permitted to access.

C) is used to implement authentication controls.

D) matches the user’s authentication credentials to his authorization.

Answer:  B

Page Ref: 228

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

15) Perimeter defense is an example of which of the following preventive controls that are necessary to provide adequate security?

A) Training

B) Controlling physical access

C) Controlling remote access

D) Host and application hardening

Answer:  C

Page Ref: 230

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

16) Which of the following preventive controls are necessary to provide adequate security for social engineering threats?

A) Controlling remote access

B) Encryption

C) Host and application hardening

D) Awareness training

Answer:  D

Page Ref: 226

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

17) A special purpose hardware device or software running on a general purpose computer, which filters information that is allowed to enter and leave the organization’s information system, is known as a(n)

A) demilitarized zone.

B) intrusion detection system.

C) intrusion prevention system.

D) firewall.

Answer:  D

Page Ref: 230

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

18) This protocol specifies the procedures for dividing files and documents into packets to be sent over the Internet.

A) Access control list

B) Internet protocol

C) Packet switching protocol

D) Transmission control protocol

Answer:  D

Page Ref: 231

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

19) This protocol specifies the structure of packets sent over the internet and the route to get them to the proper destination.

A) Access control list

B) Internet protocol

C) Packet switching protocol

D) Transmission control protocol

Answer:  B

Page Ref: 231

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

20) This network access control determines which IP packets are allowed entry to a network and which are dropped.

A) Access control list

B) Deep packet inspection

C) Stateful packet filtering

D) Static packet filtering

Answer:  A

Page Ref: 233

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

21) Compatibility tests utilize a(n) ________, which is a list of authorized users, programs, and data files the users are authorized to access or manipulate.

A) validity test

B) biometric matrix

C) logical control matrix

D) access control matrix

Answer:  D

Page Ref: 228

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

22) The process that screens individual IP packets based solely on the contents of the source and/or destination fields in the packet header is known as

A) access control list.

B) deep packet inspection.

C) stateful packet filtering.

D) static packet filtering.

Answer:  D

Page Ref: 233

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

23) The process that maintains a table that lists all established connections between the organization’s computers and the Internet, to determine whether an incoming packet is part of an ongoing communication initiated by an internal computer is known as

A) access control list.

B) deep packet inspection.

C) stateful packet filtering.

D) static packet filtering.

Answer:  C

Page Ref: 233

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

24) The process that allows a firewall to be more effective by examining the data in the body of an IP packet, instead of just the header, is known as

A) deep packet inspection.

B) stateful packet filtering.

C) static packet filtering.

D) an intrusion prevention system.

Answer:  A

Page Ref: 233

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

25) The security technology that evaluates IP packet traffic patterns in order to identify attacks against a system is known as

A) an intrusion prevention system.

B) stateful packet filtering.

C) static packet filtering.

D) deep packet inspection.

Answer:  A

Page Ref: 234

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

26) This is used to identify rogue modems (or by hackers to identify targets).

A) War chalking

B) War dialing

C) War driving

D) none of the above

Answer:  B

Page Ref: 235

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

27) The process of turning off unnecessary features in the system is known as

A) deep packet inspection.

B) hardening.

C) intrusion detection.

D) war dialing.

Answer:  B

Page Ref: 236

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

28) The most common input-related vulnerability is

A) buffer overflow attack.

B) hardening.

C) war dialing.

D) encryption.

Answer:  A

Page Ref: 237

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

29) This creates logs of network traffic that was permitted to pass the firewall.

A) Intrusion detection system

B) Log analysis

C) Penetration test

D) Vulnerability scan

Answer:  A

Page Ref: 238

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

30) The process that uses automated tools to identify whether a system possesses any well-known security problems is known as a(n)

A) intrusion detection system.

B) log analysis.

C) penetration test.

D) vulnerability scan.

Answer:  D

Page Ref: 236

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

31) This is an authorized attempt by an internal audit team or an external security consultant to attempt to break into the organization’s information system.

A) Intrusion detection system

B) Log analysis

C) Penetration test

D) Vulnerability scan

Answer:  C

Page Ref: 238

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

32) A well-known hacker started his own computer security consulting business shortly after being released from prison. Many companies pay him to attempt to gain unauthorized access to their network. If he is successful, he offers advice as to how to design and implement better controls. What is the name of the testing for which the hacker is being paid?

A) Penetration test

B) Vulnerability scan

C) Deep packet inspection

D) Buffer overflow test

Answer:  A

Page Ref: 238

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

33) The ________ disseminates information about fraud, errors, breaches and other improper system uses and their consequences.

A) chief information officer

B) chief operations officer

C) chief security officer

D) computer emergency response team

Answer:  C

Page Ref: 240

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

34) In 2007, a major U.S. financial institution hired a security firm to attempt to compromise its computer network. A week later, the firm reported that it had successfully entered the system without apparent detection and presented an analysis of the vulnerabilities that had been found. This is an example of a

A) preventive control.

B) detective control.

C) corrective control.

D) standard control.

Answer:  B

Page Ref: 238

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

35) It was 9:08 A.M. when Jiao Jan, the Network Administrator for Folding Squid Technologies, was informed that the intrusion detection system had identified an ongoing attempt to breach network security. By the time that Jiao had identified and blocked the attack, the hacker had accessed and downloaded several files from the company’s server. Using the notation for the time-based model of security, in this case

A) P > D

B) D > P

C) C > P

D) P > C

Answer:  B

Page Ref: 224

Objective:  Learning Objective 2

Difficulty :  Difficult

AACSB:  Analytic

36) Which of the following is commonly true of the default settings for most commercially available wireless access points?

A) The security level is set at the factory and cannot be changed.

B) Wireless access points present little danger of vulnerability so security is not a concern.

C) Security is set to the lowest level that the device is capable of.

D) Security is set to the highest level that the device is capable of.

Answer:  C

Page Ref: 235

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

37) In recent years, many of the attacks carried out by hackers have relied on this type of vulnerability in computer software.

A) Code mastication

B) Boot sector corruption

C) Weak authentication

D) Buffer overflow

Answer:  D

Page Ref: 236

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

38) Meaningful Discussions is a social networking site that boasts over a million registered users and a quarterly membership growth rate in the double digits. As a consequence, the size of the information technology department has been growing very rapidly, with many new hires. Each employee is provided with a name badge with a photo and embedded computer chip that is used to gain entry to the facility. This is an example of a(an)

A) authentication control.

B) biometric device.

C) remote access control.

D) authorization control.

Answer:  A

Page Ref: 226

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

39) When new employees are hired by Folding Squid Technologies, they are assigned user names and appropriate permissions are entered into the information system’s access control matrix. This is an example of a(an)

A) authentication control.

B) biometric device.

C) remote access control.

D) authorization control.

Answer:  D

Page Ref: 228

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

40) When new employees are hired by Folding Squid Technologies, they are assigned user names and passwords and provided with laptop computers that have an integrated fingerprint reader. In order to log in, the user’s fingerprint must be recognized by the reader. This is an example of a(an)

A) authorization control.

B) biometric device.

C) remote access control.

D) defense in depth.

Answer:  B

Page Ref: 227

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

41) Information technology managers are often in a bind when a new exploit is discovered in the wild. They can respond by updating the affected software or hardware with new code provided by the manufacturer, which runs the risk that a flaw in the update will break the system. Or they can wait until the new code has been extensively tested, but that runs the risk that they will be compromised by the exploit during the testing period. Dealing with these issues is referred to as

A) change management.

B) hardening.

C) patch management.

D) defense in depth.

Answer:  C

Page Ref: 240

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

42) Murray Snitzel called a meeting of the top management at Snitzel Capital Management. Number one on the agenda was computer system security. “The risk of security breach incidents has become unacceptable,” he said, and turned to the Chief Information Officer. “This is your responsibility! What do you intend to do?” Which of the following is the best answer?

A) Evaluate and modify the system using the Trust Services framework

B) Evaluate and modify the system using the COSO Internal Control Framework.

C) Evaluate and modify the system using the CTC checklist.

D) Evaluate and modify the system using COBOL.

Answer:  A

Page Ref: 221

Objective:  Learning Objective 1

Difficulty :  Moderate

AACSB:  Analytic

43) Which of the following is the most effective method of protecting against social engineering attacks on a computer system?

A) stateful packet filtering

B) employee awareness training

C) a firewall

D) a demilitarized zone

Answer:  B

Page Ref: 226

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

44) The most effective way to protect network resources, like email servers, that are outside of the network and are exposed to the Internet is

A) stateful packet filtering.

B) employee training.

C) a firewall.

D) a demilitarized zone.

Answer:  D

Page Ref: 230

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

45) All employees of E.C. Hoxy are required to pass through a gate and present their photo identification cards to the guard before they are admitted. Entry to secure areas, such as the Information Technology Department offices, requires further procedures. This is an example of a(an)

A) authentication control.

B) authorization control.

C) physical access control.

D) hardening procedure.

Answer:  C

Page Ref: 229

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

46) On February 14, 2008, students enrolled in an economics course at Swingline College received an email stating that class would be cancelled. The email claimed to be from the professor, but it wasn’t. Computer forensic experts determined that the email was sent from a computer in one of the campus labs at 9:14 A.M. They were then able to uniquely identify the computer that was used by means of its network interface card’s ________ address. Security cameras revealed the identity of the student responsible for spoofing the class.

A) TCP/IP

B) MAC

C) DMZ

D) IDS

Answer:  B

Page Ref: 228

Objective:  Learning Objective 3

Difficulty :  Difficult

AACSB:  Analytic

47) There are “white hat” hackers and “black hat” hackers. Cowboy451 was one of the “black hat” hackers. He had researched an exploit and determined that he could penetrate the target system, download a file containing valuable data, and cover his tracks in eight minutes. Six minutes into the attack he was locked out of the system. Using the notation of the time-based model of security, which of the following must be true?

A) P < 6

B) D = 6

C) P = 6

D) P > 6

Answer:  D

Page Ref: 224

Objective:  Learning Objective 2

Difficulty :  Difficult

AACSB:  Analytic

48) Identify three ways users can be authenticated and give an example of each.

Answer:  Users can be authenticated by verifying: 1. something they know (password); 2. something they have (smart card or ID badge); 3. something they are (biometric identification of fingerprint).

Page Ref: 226

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

49) Describe four requirements of effective passwords.

Answer:  1. Strong passwords should be at least 8 characters. 2. Passwords should use a mixture of upper and lowercase letters, numbers and characters. 3. Passwords should be random and not words found in dictionaries. 4. Passwords should be changed frequently.

Page Ref: 227

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

50) Explain social engineering.

Answer:  Social engineering attacks use deception to obtain unauthorized access to information resources, such as attackers who pose as a janitor or as a legitimate system user. Employees must be trained not to divulge passwords or other information about their accounts to anyone who contacts them and claims to be part of the organization’s security team.

Page Ref: 226

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

51) Explain the value of penetration testing.

Answer:  Penetration testing involves an authorized attempt by an internal audit team or an external security consultant to break into the organization’s information system. This type of service is provided by risk management specialists in all the Big Four accounting firms. These specialists spend more than half of their time on security matters. The team attempts to compromise the system using every means possible. With a combination of systems technology skills and social engineering, these teams often find weaknesses in systems that were believed to be secure.

Page Ref: 238

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Reflective Thinking

52) Describe the function of a computer incident response team (CIRT) and the steps that a CIRT should perform following a security incident.

Answer:  A CIRT is responsible for dealing with major security incidents and breaches. The team should include technical specialists and senior operations management. In response to a security incident, first the CIRT must recognize that a problem exists. Log analysis and intrusion detection systems can be used to detect problems and alert the CIRT. Second, the problem must be contained, perhaps by shutting down a server or curtailing traffic on the network. Third, the CIRT must focus on recovery. Corrupt programs may need to be reinstalled and data restored from backups. Finally, the CIRT must follow up to discover how the incident occurred and to design corrective controls to prevent similar incidents in the future.

Page Ref: 239

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

53) Identify six physical access controls.

Answer:  Require visitors to sign in and receive a visitor badge before being escorted by an employee; require employees to wear photo ID badges that are checked by security guards; physical locks and keys; storing documents and electronic media in a fire-proof safe or cabinet; restrict or prohibit cell phones, iPods and other portable devices; set screen savers to start after a few minutes of inactivity; set computers to lock keyboards after a few minutes of inactivity; utilize screen protection devices; use biometric devices to authorize access to spaces and equipment; attach and lock laptops to immobile objects; utilize magnetic or chip cards to authorize access to spaces and equipment; limit or prohibit windows and glass walls in sensitive areas.

Page Ref: 229-230

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

Chapter 9  

1) Concerning virtual private networks (VPN), which of the following is not true?

A) VPNs provide the functionality of a privately owned network using the Internet.

B) Using VPN software to encrypt information while it is in transit over the Internet in effect creates private communication channels, often referred to as tunnels, which are accessible only to those parties possessing the appropriate encryption and decryption keys.

C) The cost of the VPN software is much less than the cost of leasing or buying the infrastructure (telephone lines, satellite links, communications equipment, etc.) needed to create a privately owned secure communications network.

D) It is more expensive to reconfigure VPNs to include new sites than it is to add or remove the corresponding physical connections in a privately owned network.

Answer:  D

Page Ref: 264

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

2) Which of the following is not associated with asymmetric encryption?

A) No need for key exchange

B) Public keys

C) Private keys

D) Speed

Answer:  D

Page Ref: 260

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

3) The system and processes used to issue and manage asymmetric keys and digital certificates are known as

A) asymmetric encryption.

B) certificate authority.

C) digital signature.

D) public key infrastructure.

Answer:  D

Page Ref: 262

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

4) Which of the following describes one weakness of encryption?

A) Encrypted packets cannot be examined by a firewall.

B) Encryption protects the confidentiality of information while in storage.

C) Encryption protects the privacy of information during transmission.

D) Encryption provides for both authentication and non-repudiation.

Answer:  A

Page Ref: 264

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

5) Using a combination of symmetric and asymmetric key encryption, Chris Kai sent a report to her home office in Syracuse, New York. She received an email acknowledgement that the document had been received and then, a few minutes later, she received a second email that indicated that the hash calculated from the report differed from that sent with the report. The most likely explanation for this result is that

A) the public key had been compromised.

B) the private key had been compromised.

C) the symmetric encryption key had been compromised.

D) the asymmetric encryption key had been compromised.

Answer:  C

Page Ref: 261

Objective:  Learning Objective 3

Difficulty :  Difficult

AACSB:  Analytic

6) Encryption has a remarkably long and varied history. The invention of writing was apparently soon followed by a desire to conceal messages. One of the earliest methods, attributed to an ancient Roman emperor, was the simple substitution of numbers for letters, for example A = 1, B = 2, etc. This is an example of

A) a hashing algorithm.

B) symmetric key encryption.

C) asymmetric key encryption.

D) a public key.

Answer:  B

Page Ref: 260

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

7) An electronic document that certifies the identity of the owner of a particular public key.

A) Asymmetric encryption

B) Digital certificate

C) Digital signature

D) Public key

Answer:  B

Page Ref: 262

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

8) These systems use the same key to encrypt and to decrypt.

A) Asymmetric encryption

B) Hashing encryption

C) Public key encryption

D) Symmetric encryption

Answer:  D

Page Ref: 260

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

9) These are used to create digital signatures.

A) Asymmetric encryption and hashing

B) Hashing and packet filtering

C) Packet filtering and encryption

D) Symmetric encryption and hashing

Answer:  A

Page Ref: 261

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

10) Information encrypted with the creator’s private key that is used to authenticate the sender is

A) asymmetric encryption.

B) digital certificate.

C) digital signature.

D) public key.

Answer:  C

Page Ref: 261

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

11) Which of the following is not one of the three important factors determining the strength of any encryption system?

A) Key length

B) Key management policies

C) Encryption algorithm

D) Privacy

Answer:  D

Page Ref: 259

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

12) A process that takes plaintext of any length and transforms it into a short code.

A) Asymmetric encryption

B) Encryption

C) Hashing

D) Symmetric encryption

Answer:  C

Page Ref: 260

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

13) Which of the following descriptions is not associated with symmetric encryption?

A) A shared secret key

B) Faster encryption

C) Lack of authentication

D) Separate keys for each communication party

Answer:  C

Page Ref: 260

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

14) Encryption has a remarkably long and varied history. Spies have been using it to convey secret messages ever since there were secret messages to convey. One powerful method of encryption uses random digits. Two documents are prepared with the same random sequence of numbers. The spy is sent out with one and the spy master retains the other. The digits are used as follows. Suppose that the word to be encrypted is SPY and the random digits are 352. Then S becomes V (three letters after S), P becomes U (five letters after P), and Y becomes A (two letters after Y, restarting at A after Z). The spy would encrypt a message and then destroy the document used to encrypt it. This is an early example of

A) a hashing algorithm.

B) asymmetric key encryption.

C) symmetric key encryption.

D) public key encryption.

Answer:  C

Page Ref: 260

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

15) One way to circumvent the counterfeiting of public keys is by using

A) a digital certificate.

B) digital authority.

C) encryption.

D) cryptography.

Answer:  A

Page Ref: 262

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

16) In a private key system the sender and the receiver have ________, and in the public key system they have ________.

A) different keys; the same key

B) a decrypting algorithm; an encrypting algorithm

C) the same key; two separate keys

D) an encrypting algorithm; a decrypting algorithm

Answer:  C

Page Ref: 260

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

17) Asymmetric key encryption combined with the information provided by a certificate authority allows unique identification of

A) the user of encrypted data.

B) the provider of encrypted data.

C) both the user and the provider of encrypted data.

D) either the user or the provider of encrypted data.

Answer:  D

Page Ref: 262

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

18) Which of the following is not one of the 10 internationally recognized best practices for protecting the privacy of customers’ personal information?

A) Providing free credit report monitoring for customers

B) Inform customers of the option to opt-out of data collection and use of their personal information

C) Allow customers’ browsers to decline to accept cookies

D) Utilize controls to prevent unauthorized access to, and disclosure of, customers’ information

Answer:  A

Page Ref: 256-257

Objective:  Learning Objective 2

Difficulty :  Moderate

AACSB:  Analytic

19) On March 3, 2008, a laptop computer belonging to Folding Squid Technology was stolen from the trunk of Jiao Jan’s car while he was attending a conference in Cleveland, Ohio. After reporting the theft, Jiao considered the implications of the theft for the company’s network security and concluded there was nothing to worry about because

A) the computer was protected by a password.

B) the computer was insured against theft.

C) it was unlikely that the thief would know how to access the company data stored on the computer.

D) the data stored on the computer was encrypted.

Answer:  D

Page Ref: 258

Objective:  Learning Objective 3

Difficulty :  Easy

AACSB:  Analytic

20) Jeff Davis took a call from a client. “Jeff, I need to interact online and real time with our affiliate in India, and I want to make sure that our communications aren’t intercepted. What do you suggest?” Jeff responded “The best solution will be to implement

A) a virtual private network.”

B) a private cloud environment.”

C) an asymmetric encryption system with digital signatures.”

D) multifactor authentication.”

Answer:  A

Page Ref: 264

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

21) In developing policies related to personal information about customers, Folding Squid Technologies adhered to the Trust Services framework. The standard applicable to these policies is

A) security.

B) confidentiality.

C) privacy.

D) availability.

Answer:  C

Page Ref: 254

Objective:  Learning Objective 2

Difficulty :  Easy

AACSB:  Analytic

22) Jeff Davis took a call from a client. “Jeff, I need for my customers to make payments online using credit cards, but I want to make sure that the credit card data isn’t intercepted. What do you suggest?” Jeff responded “The best solution will be to implement

A) a virtual private network.”

B) a private cloud environment.”

C) an encryption system with digital signatures.”

D) a data masking program.”

Answer:  C

Page Ref: 261

Objective:  Learning Objective 2

Difficulty :  Moderate

AACSB:  Analytic

23) Describe some steps you can take to minimize your risk of identity theft.

Answer:  Shred documents containing personal information. Never send personally identifying information in unencrypted email. Beware of email/phone/print requests to verify personal information that the requesting party should already possess. Do not carry your social security card with you. Print only your initials and last name on checks. Limit the amount of other information preprinted on checks. Do not use your mailbox for outgoing mail. Do not carry more than a few blank checks with you. Use special software to digitally clean any digital media prior to disposal. Monitor your credit cards regularly. File a police report as soon as you discover a purse or wallet missing. Make photocopies of your driver's license, passport and credit cards and keep them in a safe location. Immediately cancel any stolen or lost credit cards.

Page Ref: 256

Objective:  Learning Objective 2

Difficulty :  Moderate

AACSB:  Analytic

24) Describe symmetric encryption and identify three limitations.

Answer:  Symmetric encryption systems use the same key to encrypt and decrypt data. Symmetric encryption is much faster than asymmetric encryption, but the sender and receiver need to know the shared secret key, which requires a different secure method of exchanging the key. Also, different secret keys must be used with each different communication party. Finally, there is no way to prove who created a specific document.

Page Ref: 260

Objective:  Learning Objective 3

Difficulty :  Moderate

AACSB:  Analytic

Chapter 10  

1) The best example of a hash total for a payroll transaction file could be

A) total of employees’ social security numbers.

B) sum of net pay.

C) total number of employees.

D) sum of hours worked.

Answer:  A

Page Ref: 277

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

2) Error logs and review are an example of

A) data entry controls.

B) data transmission controls.

C) output controls.

D) processing controls.

Answer:  A

Page Ref: 277

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

3) Following is the result of batch control totals on employee Social Security Numbers in a payroll processing transaction:

Correct Values From Masterfile    Values Entered During Processing
487358796                         487358796
534916487                         534916487
498374526                         498374526
514873420                         514873420
534196487                         534916487
678487853                         678487853
471230589                         471230589
Control total: 3719438158         Control total: 3720158158

The difference in the control totals is 720,000. Which data entry control would best prevent similar data entry errors in the future?

A) Modulus 11

B) Validity check

C) Check digit

D) Sequence check

Answer:  C

Page Ref: 277

Objective:  Learning Objective 1

Difficulty :  Moderate

AACSB:  Analytic

4) Which of the following data entry controls would not be useful if you are recording the checkout of library books by members?

A) Sequence check

B) Prompting

C) Validity check

D) Concurrent update control

Answer:  A

Page Ref: 276

Objective:  Learning Objective 1

Difficulty :  Moderate

AACSB:  Analytic

5) A customer failed to include her account number on her check, and the accounts receivable clerk credited her payment to a different customer with the same last name. Which control could have been used most effectively to prevent this error?

A) Closed-loop verification

B) Duplicate values check

C) Validity check

D) Reconciliation of a batch control total

Answer:  A

Page Ref: 277

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

6) If invoices are processed in groups of fifty, which fields from the document shown below would not be used to create a hash control total?

A) Amount

B) Item Number

C) Quantity Ordered

D) Sales Order number

Answer:  A

Page Ref: 277

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Reflective Thinking

7) A data entry input control in which the application software sums the first four digits of a customer number to calculate the value of the fifth digit and then compares the calculated number to the number typed in during data entry is an example of a

A) check digit verification.

B) validity check.

C) closed-loop verification.

D) duplicate data check.

Answer:  A

Page Ref: 277

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

8) All of the following controls for online entry of a sales order would be useful except

A) check digit verification on the dollar amount of the order.

B) validity check on the inventory item numbers.

C) field check on the customer ID and dollar amount of the order.

D) concurrent update control.

Answer:  A

Page Ref: 277

Objective:  Learning Objective 1

Difficulty :  Difficult

AACSB:  Analytic

9) A specific inventory record indicates that there were 12 items on hand before a customer brings two of the items to the check stand to be purchased. The cashier accidentally entered quantity 20 instead of 2. Which data entry control would best have prevented this error?

A) sign check

B) limit check

C) validity check

D) field check

Answer:  A

Page Ref: 276

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

10) When processing weekly payroll, an employee accidentally entered 400 for hours worked. The best data entry control for this error would be

A) a limit check.

B) a check digit.

C) batch total reconciliation.

D) a field check.

Answer:  A

Page Ref: 276

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

11) The data entry control that would best prevent entering an invoice received from a vendor who is not on an authorized supplier list is

A) a validity check.

B) an authorization check.

C) a check digit.

D) closed-loop verification.

Answer:  A

Page Ref: 276

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

12) Forms design is an example of this type of control.

A) Data entry control

B) Processing control

C) Output control

D) Input control

Answer:  D

Page Ref: 276

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

13) Sequentially prenumbered forms is an example of a(n)

A) data entry control.

B) data transmission control.

C) processing control.

D) input control.

Answer:  D

Page Ref: 276

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

14) Turnaround documents are an example of a(n)

A) data entry control.

B) output control.

C) processing control.

D) input control.

Answer:  D

Page Ref: 276

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

15) A validity check is an example of a(n)

A) data entry control.

B) data transmission control.

C) output control.

D) input control.

Answer:  A

Page Ref: 276

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

16) Parity checks are an example of a(n)

A) data entry control.

B) data transmission control.

C) output control.

D) processing control.

Answer:  B

Page Ref: 279

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

17) User reviews are an example of a(n)

A) data entry control.

B) data transmission control.

C) output control.

D) processing control.

Answer:  C

Page Ref: 278

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

18) Data matching is an example of a(n)

A) data entry control.

B) data transmission control.

C) processing control.

D) input control.

Answer:  C

Page Ref: 277

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

19) Batch totals are an example of a(n)

A) data entry control.

B) data transmission control.

C) output control.

D) processing control.

Answer:  A

Page Ref: 277

Objective:  Learning Objective 1

Difficulty :  Moderate

AACSB:  Analytic

20) Cancellation and storage of documents means that

A) data are copied from a document and stored, after which the document is shredded.

B) documents are defaced before being shredded.

C) documents are defaced and stored.

D) cancellation data are copied from documents before they are stored.

Answer:  C

Page Ref: 276

Objective:  Learning Objective 1

Difficulty :  Moderate

AACSB:  Analytic

21) Check digit verification is an example of a(n)

A) data transmission control.

B) output control.

C) processing control.

D) input control.

Answer:  D

Page Ref: 277

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

22) This ensures that the input data will fit into the assigned field.

A) Limit check

B) Range check

C) Size check

D) Validity check

Answer:  C

Page Ref: 276

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

23) This tests a numerical amount to ensure that it does not exceed a predetermined value nor fall below another predetermined value.

A) Completeness check

B) Field check

C) Limit check

D) Range check

Answer:  D

Page Ref: 276

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

24) This determines if all required data items have been entered.

A) Completeness check

B) Field check

C) Limit check

D) Range check

Answer:  A

Page Ref: 276

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

25) This determines the correctness of the logical relationship between two data items.

A) Range check

B) Reasonableness test

C) Sign check

D) Size check

Answer:  B

Page Ref: 276

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

26) This determines if characters are of the proper type.

A) Field check

B) Alpha-numeric check

C) Range check

D) Reasonableness test

Answer:  A

Page Ref: 276

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

27) This tests a numerical amount to ensure that it does not exceed a predetermined value.

A) Completeness check

B) Limit check

C) Range check

D) Sign check

Answer:  B

Page Ref: 276

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

28) This batch processing data entry control sums a field that contains dollar values.

A) Record count

B) Financial total

C) Hash total

D) Sequence check

Answer:  B

Page Ref: 277

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

29) This batch processing data entry control sums a non-financial numeric field.

A) Record count

B) Financial total

C) Hash total

D) Sequence check

Answer:  C

Page Ref: 277

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

30) When I enter a correct customer number, the data entry screen displays the customer name and address. This is an example of

A) prompting.

B) preformatting.

C) closed-loop verification.

D) error checking.

Answer:  C

Page Ref: 277

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

31) This control ensures that the correct and most current files are being updated.

A) Cross-footing balance test

B) Data matching

C) File labels

D) Write-protect mechanism

Answer:  C

Page Ref: 277

Objective:  Learning Objective 1

Difficulty :  Moderate

AACSB:  Analytic

32) This batch processing data entry control sums the number of items in a batch.

A) Financial total

B) Hash total

C) Record count

D) Sequence check

Answer:  C

Page Ref: 277

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

33) This data entry control compares the ID number in transaction data to a master file to verify that the ID number exists.

A) Reasonableness test

B) User review

C) Data matching

D) Validity check

Answer:  D

Page Ref: 276

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

34) File labels are an example of

A) data entry controls.

B) output controls.

C) processing controls.

D) source data controls.

Answer:  C

Page Ref: 277

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

35) A computer operator accidentally used the wrong master file when updating a transaction file. As a result, the master file data is now unreadable. Which control could best have prevented this from happening?

A) Internal header label

B) Validity check

C) Check digit

D) Parity check

Answer:  A

Page Ref: 277

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

36) Chaz Finnerty called the IT Help Desk in a huff. “I’m trying to open an Excel file and I get a message that says that the file is locked for editing. What’s going on?” The answer is likely that

A) the file is corrupted due to a computer virus.

B) there is no problem. Chaz is editing the file, so it is locked.

C) concurrent update controls have locked the file.

D) Chaz probably opened the file as read-only.

Answer:  C

Page Ref: 278

Objective:  Learning Objective 1

Difficulty :  Moderate

AACSB:  Analytic

37) This control protects records from errors that occur when two or more users attempt to update the same record simultaneously.

A) Concurrent update controls

B) Cross-footing balance test

C) Data conversion controls

D) Recalculation of batch totals

Answer:  A

Page Ref: 278

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

38) Modest Expectations Investment Services (MEIS) allows customers to manage their investments over the Internet. If customers attempt to sell more shares of a stock than they have in their account, an error message is displayed. This is an example of a

A) reasonableness test.

B) field check.

C) validity check.

D) limit check.

Answer:  A

Page Ref: 276

Objective:  Learning Objective 1

Difficulty :  Moderate

AACSB:  Analytic

39) Modest Expectations Investment Services (MEIS) allows customers to manage their investments over the Internet. If customers attempt to spend more money than they have in their account, an error message is displayed. This is an example of a

A) reasonableness test.

B) field check.

C) validity check.

D) limit check.

Answer:  A

Page Ref: 276

Objective:  Learning Objective 1

Difficulty :  Moderate

AACSB:  Analytic

40) The Spontaneous Combustion Rocket Shoppe in downtown Fargo, North Dakota, generates three quarters of its revenue from orders taken over the Internet. The revenue clearing account is debited by the total of cash and credit receipts and credited by the total of storefront and Internet sales. This is an example of a

A) data integrity test.

B) zero-balance test.

C) trial balance audit.

D) cross-footing balance test.

Answer:  B

Page Ref: 278

Objective:  Learning Objective 1

Difficulty :  Moderate

AACSB:  Analytic

41) What is the most effective way to ensure information system availability?

A) High bandwidth

B) Maintain a hot site

C) Maintain a cold site

D) Frequent backups

Answer:  B

Page Ref: 287

Objective:  Learning Objective 2

Difficulty :  Easy

AACSB:  Analytic

42) Concerning system availability, which of the following statements is true?

A) Human error does not threaten system availability.

B) Proper controls can maximize the risk of threats causing significant system downtime.

C) Threats to system availability can be completely eliminated.

D) Threats to system availability include hardware and software failures as well as natural and man-made disasters.

Answer:  D

Page Ref: 284

Objective:  Learning Objective 2

Difficulty :  Easy

AACSB:  Analytic

43) Which of the following is not an objective of a disaster recovery plan?

A) Minimize the extent of the disruption, damage or loss.

B) Permanently establish an alternative means of processing information.

C) Resume normal operations as soon as possible.

D) Train employees for emergency operations.

Answer:  B

Page Ref: 287

Objective:  Learning Objective 2

Difficulty :  Easy

AACSB:  Analytic

44) Which item below would not typically be part of an adequate disaster recovery plan?

A) a system upgrade due to operating system software changes

B) uninterruptible power systems installed for key system components

C) scheduled electronic vaulting of files

D) backup computer and telecommunication facilities

Answer:  A

Page Ref: 287

Objective:  Learning Objective 2

Difficulty :  Easy

AACSB:  Analytic

45) A facility that contains all the computing equipment the organization needs to perform its essential business activities is known as a

A) cold site.

B) hot site.

C) remote site.

D) subsidiary location.

Answer:  B

Page Ref: 287

Objective:  Learning Objective 2

Difficulty :  Easy

AACSB:  Analytic

46) A facility that is pre-wired for necessary telecommunications and computer equipment, but doesn’t have equipment installed, is known as a

A) cold site.

B) hot site.

C) remote site.

D) subsidiary location.

Answer:  A

Page Ref: 287

Objective:  Learning Objective 2

Difficulty :  Easy

AACSB:  Analytic

47) When a computer system’s files are automatically duplicated on a second data storage system as they are changed, the process is referred to as

A) real-time mirroring.

B) batch updating.

C) consistency control.

D) double-secure storage.

Answer:  A

Page Ref: 287

Objective:  Learning Objective 2

Difficulty :  Easy

AACSB:  Analytic

48) ________ enables a system to continue functioning in the event that a particular component fails.

A) An incremental backup procedure

B) Fault tolerance

C) Preventive maintenance

D) A concurrent update control

Answer:  B

Page Ref: 284

Objective:  Learning Objective 2

Difficulty :  Moderate

AACSB:  Analytic

49) A copy of a database, master file, or software that will be retained indefinitely as a historical record is known as a(n)

A) archive.

B) cloud computing.

C) differential backup.

D) incremental backup.

Answer:  A

Page Ref: 286

Objective:  Learning Objective 2

Difficulty :  Easy

AACSB:  Analytic

50) While this type of backup process takes longer than the alternative, restoration is easier and faster.

A) Archive

B) Cloud computing

C) Differential backup

D) Incremental backup

Answer:  C

Page Ref: 286

Objective:  Learning Objective 2

Difficulty :  Moderate

AACSB:  Analytic

51) ________ involves copying only the data items that have changed since the last partial backup.

A) Archive

B) Cloud computing

C) Differential backup

D) Incremental backup

Answer:  D

Page Ref: 285

Objective:  Learning Objective 2

Difficulty :  Easy

AACSB:  Analytic

52) ________ copies all changes made since the last full backup.

A) Archive

B) Cloud computing

C) Differential backup

D) Incremental backup

Answer:  C

Page Ref: 286

Objective:  Learning Objective 2

Difficulty :  Easy

AACSB:  Analytic

53) The maximum amount of time between backups is determined by a company’s

A) recovery time objective.

B) recovery point objective.

C) recovery objective.

D) maximum time recovery objective.

Answer:  B

Page Ref: 285

Objective:  Learning Objective 2

Difficulty :  Moderate

AACSB:  Analytic

54) The maximum acceptable down time after a computer system failure is determined by a company’s

A) recovery time objective.

B) recovery point objective.

C) recovery objective.

D) maximum time recovery objective.

Answer:  A

Page Ref: 285

Objective:  Learning Objective 2

Difficulty :  Moderate

AACSB:  Analytic

55) The accounting department at Synergy Hydroelectric records an average of 12,500 transactions per hour. By cost-benefit analysis, managers have concluded that the maximum acceptable loss of data in the event of a system failure is 25,000 transactions. If the firm’s recovery time objective is 120 minutes, then the worst case recovery time objective is

A) 1 hour

B) 2 hours

C) 3 hours

D) 4 hours

Answer:  D

Page Ref: 285

Objective:  Learning Objective 2

Difficulty :  Easy

AACSB:  Analytic

56) The accounting department at Synergy Hydroelectric records an average of 10,000 transactions per hour. By cost-benefit analysis, managers have concluded that the maximum acceptable loss of data in the event of a system failure is 20,000 transactions. If the firm’s recovery time objective is 60 minutes, then the worst case recovery time objective is

A) 1 hour

B) 2 hours

C) 3 hours

D) 4 hours

Answer:  C

Page Ref: 285

Objective:  Learning Objective 2

Difficulty :  Easy

AACSB:  Analytic

57) The accounting department at Synergy Hydroelectric records an average of 10,000 transactions per hour. By cost-benefit analysis, managers have concluded that the maximum acceptable loss of data in the event of a system failure is 40,000 transactions. The firm’s recovery point objective is therefore

A) 40,000 transactions

B) 10,000 transactions

C) 10 hours

D) 4 hours

Answer:  D

Page Ref: 285

Objective:  Learning Objective 2

Difficulty :  Easy

AACSB:  Analytic

58) The accounting department at Synergy Hydroelectric records an average of 12,500 transactions per hour. By cost-benefit analysis, managers have concluded that the maximum acceptable loss of data in the event of a system failure is 25,000 transactions. The firm’s recovery point objective is therefore

A) 25,000 transactions

B) 12,500 transactions

C) 1 hour

D) 2 hours

Answer:  D

Page Ref: 285

Objective:  Learning Objective 2

Difficulty :  Easy

AACSB:  Analytic

59) This control entails verifying that the proper number of bits are set to the value 1 in each character received.

A) Echo check

B) Field check

C) Parity check

D) Trailer record

Answer:  C

Page Ref: 279

Objective:  Learning Objective 1

Difficulty :  Easy

AACSB:  Analytic

60) Probably the most important change management control is

A) monitoring user rights and privileges during the change process.

B) testing all changes thoroughly prior to implementation on a stand-alone computer.

C) updating all documentation to reflect changes made to the system.

D) management’s careful monitoring and review.

Answer:  D

Page Ref: 289

Objective:  Learning Objective 2

Difficulty :  Easy

AACSB:  Analytic