ACC3304_Exam 3 review
What is a Denial-of-service attack?
An attack that prohibits users from using resources such as computers, websites, servers, or an entire network
What is a Botnet attack?
An attack that uses computers infected with malware that function like robots
What is a Malware attack?
An attack that uses destructive programs to take down a system
An emergency change request bypasses which stage of the change management process?
Model
Match the cybersecurity threat to the following control activity: Ensure that the information system enforces minimum password complexity of specified case sensitivity, character numbers, and mix of uppercase and lowercase letters, including minimum requirements for each type.
Brute-force attack
Match the cybersecurity threat to the following control activity: Prohibit password reuse for a specified number of generations.
Brute-force attack
Which statement describing COBIT 2019 is TRUE?
COBIT is designed to assist in IT governance and implementing IT controls.
Accounting professionals utilize multiple frameworks. Which framework would a manager select to make sure that all internal controls are Sarbanes Oxley compliant?
COSO
To meet year-end goals, Trident Telecom doubled shipments to customers during the month of December and let the customers know that they could return any of the extra products that they did not get sold in January. Trident did not allow for any reserve against these expected returns in the financial statements for the year ending in December. What type of financial statement fraud scheme did Trident use to inflate its financial performance?
Channel stuffing
At larger companies, the cybersecurity program is usually the responsibility of a dedicated executive leader. This could include the
Chief Information Officer.
Which of the following backup sites is the least expensive but has the slowest recovery speed?
Cold backup site
The National Institute of Standards and Technology (NIST) has published Security and Privacy Controls for Federal Information Systems and Organizations (NIST-800-53). The NIST-800-53 document is divided into
18 control families.
Which of the following COBIT 2019 management IT objectives includes topics that would help an organization manage operations, problems, continuity, and business process controls?
Deliver, Service and Support (DSS)
The National Institute of Standards and Technology (NIST) Cybersecurity Framework is displayed below. What is function D?
Detect
COBIT 2019 controls are organized into five domains that are divided into what two categories based on their objectives?
Governance and management
Which of the following backup sites is the most expensive but has the fastest recovery speed?
Hot backup site
Which of the following is an example of Malware internal controls?
Monitor the information system to detect attacks and indicators of potential attacks, including unauthorized local, network, and remote connections.
Daria is asked to arrange to have a container load of inventory shipped to a newly rented off-site warehouse. Daria prepares and ships the inventory as told and then notices an invoice to a new customer that Daria doesn't recognize for the same amount of inventory that she just arranged shipping to the company-owned warehouse. Daria suspects that fraud might be occurring with this situation. Daria chooses to call the whistleblower hotline and lets them know about the
sham sales.
Which development environment is often referred to as the sandbox because developers can test without impacting the live systems?
Test
A formal change management process includes multiple environments to reduce risk. A formal change must go through the environments in what order?
Test, Model, then Production
The CEO of All Farm Insurance asked you to verify that the organization's data is fully backed up each weekend and that all new data is backed up daily. On the daily backups, the CEO requests that all new data since the full backup is stored. What type of backup strategy should you choose?
differential backup
Which of the physical reconnaissance attacks is a deceptive request designed to trick victims into sharing private information?
email phishing
Which type of backup copies all data during every backup?
full backup
Which of the stages of the formal change management process includes a recent copy of the production environment where tests are performed?
model environment
Which of the following is a poor network operations center (NOC) power practice?
Power and network cables are run along the back of machines along the floor to keep them out of the way (wrong)
What role should be assigned to a new team member who just needs access to review files and not make changes?
read only
Physical access attacks
result in access to either hardware or people.
Grigor knows from his work on internal controls that the computer system that flags potentially fraudulent transactions can be manipulated to not check all transactions. Grigor's knowledge is an example of which element of the fraud triangle?
(wrong) All of these answer choices are correct.
Which of the following statements about COBIT 2019 is TRUE?
(wrong) COBIT is a part of the COSO Internal Controls
Marin recorded the purchase of a new delivery vehicle as a delivery expense for the current year. What type of financial statement fraud is being committed by Marin?
(wrong) Capitalizing expense costs
In what way do the three change management environment stages work together to prevent a change being accidentally implemented?
(wrong) Code flows through each stage and then is tested by the developer to ensure that it meets the user's requirements.
Which category of fraud is associated with an employee selling the employer's customer list to a competitor?
(wrong) Corruption maybe: bribery
Angela is tasked with reviewing the IT service request process for her accounting firm. Which COBIT domain should she reference?
(wrong) Monitor, Evaluate, and Assess (MEA)
What does a company apply to ensure that systems are running up-to-date security when they are available?
(wrong) Patches
What physical location is used to recover systems and data after a disaster?
Backup site
NIST provides explicit guidelines that companies can require for password strength. What is the NIST recommended length?
8 — 64 characters
Novak accepted an offer of payment from Iga to help sway a business decision. Who is in the wrong in this situation?
Both Novak and Iga are guilty.
Which control activity related to physical security is managed by the facilities manager?
Access to buildings is justified, authorized, logged, and monitored.
Match the cybersecurity threat to the following control activity: Enforce a specified number of changed characters when new passwords are created.
Brute-force attack
What is the appropriate role assigned to a leader in the IT team who needs unlimited access and is responsible for assigning roles to other users?
Administrator
ABC Technology Management, Inc. is seeking guidance on managing risk, security, budgets, and innovation. Which COBIT 2019 management IT objective should ABC consult?
Align, Plan and Organize (APO)
Which of the following roles have control ownership related to protecting the physical computer systems?
All answer choices are correct.
Which of the following are risks to physical IT equipment and systems?
All answer choices are correct. - Failure to maintain facilities in accordance with laws and regulations may result in fines and reputational losses. - A natural disaster causing damage to systems and equipment may result in a disruption of business activities and financial losses. - An unauthorized user gaining access to physical equipment may result in theft, malicious attacks, fraud, or data breaches.
Fabio and Frances work in cybersecurity and challenge each other to find holes in the internal control framework of the company as part of their job to test controls. When they discover that there is a monitoring program that can be manipulated, Fabio and Frances decide that the company will not notice a few hundred dollars per week in reimbursements when the normal budget for reimbursements is over $5,000 per week. Which of the following statements about Fabio and Frances's situation is TRUE?
All of these answer choices are correct.
Jalena is investigating a tip from the employee hotline that Camila may be misappropriating assets. Jalena learned from her investigation that Camila frequently uses her company computer to check her online gambling accounts during her breaks. Knowing that pressure alone does not mean Camila is committing fraud, how should Jalena proceed?
All of these answer choices are correct.
Occupational fraud can
All of these answer choices are correct.
Occupational fraud is committed by
All of these answer choices are correct.
What kind of occurrence would constitute an emergency change to a system?
All of these answer choices are correct.
When Alpha Industries records equipment maintenance as a capital improvement to fixed asset accounts instead of an expense account, what is the result?
All of these answer choices are correct.
Which category of fraud may be detected by using data analytics to summarize inventory write-offs by employee?
All of these answer choices are correct.
Which of the following statements about the COBIT 2019 IT governance domain, Evaluate, Direct and Monitor (EDM) is TRUE?
EDM states that the board of directors must assess needs and provide oversight.
Alejandro reviewed the user access protocols for Ponder Products. Alejandro is concerned that the accounting system could be subject to malicious attacks on user accounts that are currently protected with a user name and password. The system has the capability to send a message to a user's cell phone or email address. How could Alejandro use the messaging capabilities of the system to further protect it from attack?
Enable two-factor authentication
Which of the following represents an accurate definition of external fraud?
External fraud is fraud committed by customers, vendors or other outside parties against a company.
What type of fraud involves materially misrepresenting the financial results and position of a company in the financial statements?
Financial statement fraud
What step do reconnaissance attacks correspond to in the cyber-kill chain?
Gather information about the network
Match the cybersecurity threat to the following control activity: Ensure that the information system uniquely identifies and authenticates devices before establishing a connection.
IP spoofing
Which role in the change management process tests the functionality of the code submitted to the model environment and documents the results of the test?
IT Analyst
Which of the following statements concerning IT governance are TRUE?
IT governance ensures effective and efficient use of IT.
Garbine, an internal auditor for XYZ, examined purchases made for the previous year. Garbine found that several contracts were awarded to the same vendor despite several bids coming in with more favorable terms. Upon questioning those in the purchasing department, Garbine learned that Amanda always handled the contracts with that vendor and seems to have received gifts from the vendor. What kind of corruption may be between Amanda and the vendor?
Illegal gratuities
Which type of accounting professional provides the third line of defense by evaluating accounting systems for internal control deficiencies that provide an opportunity for fraud?
Internal auditors
Enoch developed code in response to a request ticket submitted by Cody. Enoch tested his code in the sandbox and is ready for Cody to test the code to see if it meets his requirements. In what environment will Cody test the new code?
Model environment
Joel has developed new code and implemented it into the model environment so that the user can test it to see if it works as required. What stage in the change management process is Joel preparing for?
User Acceptance Testing
Which of the following terms is defined as the theft of company assets after the company has recorded the assets in its books?
Larceny
Moore Software Development (MSD), Inc. began operations in Moore, Oklahoma, an area prone to tornadoes. Recent business growth necessitates the need for a larger data center. Select the most appropriate statement associated with MSD's new data center.
MSD should locate a space for an off-site data center in an area away from the risk of bad weather to mitigate the risk of losing both centers at the same time.
A user access review is an important yet tedious and time-consuming process. What kind of newer technology can be implemented to automate or semi-automate the process?
Machine Learning algorithm
Which of the following is an example of a Denial-of-Service internal control?
Manage capacity, bandwidth, or other redundancy to limit the effects of an attack.
Which of the following would be considered a fraud scheme to understate financial performance?
Misclassification of revenue
Which user has access to all three change management environments?
No user has access to all environments.
Match the cybersecurity threat to the following control activity: Review and update the baseline configuration of the information system using a company-defined frequency.
On-path attack
NIST provides explicit guidelines that companies can require for password strength. What is the NIST recommendation for resetting a password?
Only reset your password if you know it has been compromised.
The National Institute of Standards and Technology (NIST) has published Security and Privacy Controls for Federal Information Systems and Organizations (NIST-800-53). The NIST-800-53 document is divided into 18 control families. One of the control families is Physical and Environmental Protection. What ID does the Physical and Environmental Protection family use?
PE
What two categories do cyberattacks fall into?
Physical attack, logical attack
Controlled access to data centers often includes multifactor authentication to mitigate the high risk to the equipment that is powering the business. An increased security measure used at very high security data centers is a man-in-the-middle trap. What kind of risk does the trap prevent?
Piggybacking
Which of these access roles would you assign an internal auditor reviewing accounts payable and accounts receivable transactions?
Read-only
Attackers use these three types of attacks to plan, enter, and damage a victim's network. What type of attack is A?
Reconnaissance attack
The National Institute of Standards and Technology (NIST) Cybersecurity Framework is displayed below. What is function A?
Recover
When disaster strikes, what two metrics concerning system and data restoration are important to consider?
Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
Which of the following controls could help mitigate expense reimbursement fraud?
Requiring receipts to be submitted for all expenses.
What is an incorrect sender address red flag?
Sending from obscure domains that are designed to look similar to legitimate domains
Which of the following terms is most closely associated with an employee stealing cash before the cash is recorded in the accounting records?
Skimming
What statement concerning backup cycles is FALSE?
The Grandfather-Father-Son backup cycle removes the need to conduct quarterly, or annual backups.
What is encryption?
The process of using an algorithm to encode a plaintext message and converting it to something that is seemingly meaningless
A business with cash transactions may choose not to record the cash sales to understate revenue. Why would a business want to understate revenue?
To decrease tax liabilities
Which of the following reasons would management use to justify overstating performance in the financial statements?
To meet benchmarks for performance-based compensation
Which of these access roles would you assign a graphic designer working on updating the internal corporate data dashboard to include key financial data?
User
Which of these roles would you assign a graphic designer working on updating the internal corporate data dashboard to include key financial data? Creator, Administrator, User, Read-only
User
Which of the following statements concerning user access reviews is TRUE?
User access reviews move infrequently used accounts to a dormant status.
Which of the following is an example of a user authentication control?
Username and password
Which of the following roles have control ownership related to protecting the physical computer systems? Data Center Manager, Information Security Manager, Facilities Manager
All answers are correct
The National Institute of Standards and Technology (NIST) has published Security and Privacy Controls for Federal Information Systems and Organizations (NIST-800-53). The NIST-800-53 document is
a catalog of security control baselines for business.
What is File Transfer Protocol (FTP)?
a standard network protocol that allows users to transfer files between the company network and outside parties
What is accidental tailgating?
Authorized users are unaware that there is a tailgater
What determines when data is stored during data backup?
Backup cycle
Differential backup
backup strategy that copies all data created since the most recent full backup in its entirety every time
Incremental backup
backup that copies only new or updated data every time
In which change management environment does a developer write code to make the change in the system?
Test
Which type of authorization uses groups with pre- defined permissions to which users are assigned?
user access roles
Jannik visits with a good customer of the firm frequently at their place of business but never leaves the office to visit other customers. Is Jannik's behavior a red flag?
yes