AIS Exam 1
Elements or characters of a typical misappropriation
1. Gain the trust 2 uses trickery, cunning, or misinformation 3. Conceals fraud by falsifying records 4. Rarely stops voluntarily 5. Need or greed impels person to continue 6. Spends the gains 7. Takes larger and larger sums 8. Grows careless or overconfident
Reasons computer fraud is rising
1. It takes very little time 2. Difficult to detect 3. High number and variety of access points 4. Programs only need to be modified once 5. PCs are vulnerable 6. There are a number of unique challenges ( power failure fire, etc)
3 forms of rationalization
1. Justification: I only took what they owed me 2. Attitude: rules don't apply to me 3. Lack of personal integrity: getting what I want is more important than being honest
Pressures that can lead to financial statement fraud
1. Management characteristics 2. Industry conditions 3. Financial
4 types of threats to AIS
1. Natural and political disasters 2. Software errors and equipment malfunctions 3. Unintentional acts 4. Intentional threat
If an organization asks you to disclose your date of birth and your address, but refuses to let you review or correct the information you provided, the organization has likely violated which of the Generally Accepted Privacy Principles? A) Collection B) Access C) Security D) Choice and consent
B) Access
Which systems use the same key to encrypt communications and to decrypt communications? A) asymmetric encryption B) symmetric encryption C) hashing encryption D) public key encryption
B) symmetric encryption
Which of the following control procedures is most likely to deter lapping? Encryption Continual update of the access control matrix Background check on employees Periodic rotation of duties
Periodic rotation of duties
Important AIS function
Process company transactions efficiently and effectively.
Which of the following pairs of entities would typically be associated with each other in a stockflow relationship in a REA model?
Purchase and Inventory
Which of the following is the most common source document in the expenditure cycle? A. Bill of lading B. Purchase order C. Remittance advice D. Credit memo
Purchase order
Which of the following documents is most likely to be used in the expenditure cycle? A. Sales order B. Credit memo C. Receiving report D. Job time ticket
Receiving report
All of the information (e.g., name, GPA, major, etc.) about a particular student is stored in the same _______________. A. File B. Record C. Attribute D. Field
Record
Which of the following are characteristics of an RDBMS?
Tables are linked by common data known as keys. Queries are possible on individual or groups of tables. Data are organized in a series of two-dimensional tables each of which contains records for one entity.
opportinity
The condition or situation that allows a person or organization to commit and conceal a dishonest act and convert it to personal gain.
How does the chart of accounts list general ledger accounts? A. Alphabetical order B. Chronological order C. Size order D. The order in which they appear in the financial statement
The order in which they appear in the financial statement
An Entity-Relationship diagram is a graphical representation of a database schema?
True
In developing policies related to personal information about customers, Folding Squid Technologies adhered to the Trust Services framework. The standard applicable to these policies is A) security. B) confidentiality. C) privacy. D) availability.
C) privacy.
Corruption
Dishonest conduct by those in power which often involves actions that are illegitimate, immoral, or incompatible with ethical standards. Examples include bribery and bid rigging.
The minimum and maximum cardinalities in agent-event relationship is almost always one for the minimum and many for the maximum.
False
True or false. A general journal is used to record a large number of repetitive transactions.
False
True or false. A general ledger contains detailed level data for every asset, liability, revenue and expense account.
False
True or false. A specialized journal is used to record infrequent or non-routine transactions.
False
True or false. Few misappropriation frauds are self-perpetuating; that is, they do not require the perpetrator to continue the fraud scheme to avoid detection.
False
True or false. Fraud perpetrators are often referred to as blue-collar criminals.
False
True or false. Most first-time, unprosecuted fraud perpetrators never commit another fraud.
False
True or false. Most white-collar criminals have a previous criminal record; and they were honest and respected members of their community.
False
True or false. Rarely do fraud perpetrators adopt a more lavish lifestyle that requires even greater amounts of money.
False
True or false. Since there are so few quality ERP system, Choosing one is an easy task
False
True or false. The ACFE found that fraudulent financial reporting is as much as 17 times more likely than asset misappropriation.
False
True or false top management's commitment to an ERP system greatly increases The chances of success
True
True or false. A set of interrelated, centrally coordinated files is referred to as a database
True
True or false. Fraudulent financial reporting is intentional or reckless conduct that results in materially misleading financial statements.
True
True or false. Misappropriation of assets is the theft of company assets by employees.
True
True or false. The importance of sound internal controls in an ERP system cannot be overstated
True
cyber sleuths
Forensics experts breaking into a company, and specialize in catching fraud perpetrators
Which type of fraud is associated with 50 percent of all auditor lawsuits? Kiting Fraudulent financial reporting Ponzi schemes Lapping
Fraudulent financial reporting
Group code
Two or more subgroups of digits that are used to code an item. A group code is often used in conjunction with a block code.
white-collar criminals
Typically, businesspeople who commit fraud. White-collar criminals usually resort to trickery or cunning, and their crimes usually involve a violation of trust or confidence.
Who develops one-time queries?
Users
Which of the following is an example of a turnaround document? A. Companies financial statements B. Employee earnings record C. Utility bill D. Purchase orders
Utility bill
Individuals who perpetrate fraud are often referred to as: A. Bad actors B. Blue collar criminals C. All of these are correct D. White-collar criminals
White-collar criminals
turnaround document
a record of company data sent to an external party and then returned by the external party for subsequent input to the system
a database
a set of interrelated, centrally coordinated files is called
DBMS
a software program that creates, minipulates, accesses the database goes by the acronym
Coding
(1) The systematic assignment of numbers or letters to items to classify and organize them. (2) Writing program instructions that direct a computer to perform specific data processing tasks.
Skills needed by cyber sleuths
- ability to follow a trail, Think analytically, and be thorough -good understanding of information technology -ability to think like a fraud perpetrator -ability to use hacking tools and techniques
Lifestyle pressures
- gambling habit - drug or alcohol addiction - sexual relationships - family/ peer pressure
3 services provided by ERP Vendors
1. Consulting 2. Customization 3. Support
The biggest cause of data breaches
employee negligence. Company employees are much more likely to commit Data fraud then outsiders are
multiple master files which may contain redundant data
fiel oriented approaches create prblems for organizations because of
Software errors and equipment malfunctions
hardware or software failures, software errors or bugs, power outages and fluctuations, and undetected data transmission errors, operation system crashes
Data Fraud
illegally using, copying, browsing, searching, or harming company data. Data can also be damaged, changed, Destroyed or displaced. Especially by disgruntled employees
Computer fraud classifications
input fraud processor fraud computer instructions fraud data fraud output fraud
Which of the following elements of an REA data model does not necessarily generate a relational table?
one to many relationships
since they do not have to focus on the physical location and layouts of various data items
seperating the logical and physical views in a database allows the programmers to concentrate on coding the application logic
computer instructions fraud
tampering with company software, copying software illegally, using software in an unauthorized manner, and developing software to carry out an unauthorized activity
Primary key attributes
-Must be unique -Must be universal -Must be used to identify the entities or relationships to which they are assigned -Can be chosen arbitrarily
Which of the following is an information process event?
-Updating accounts receivable for a sale made to a customer -Changing a customer address in the customer database table -Printing a list of past due sales for the credit manager -Entering sales return data into the enterprise database
Emotional pressure examples
-excessive ego, pride, ambition -performance not recognized -job satisfaction -fear of losing job -need for power or control -deliberate nonconformity -inability to abide by or respect rules -challenge of beating the system -envy or resentment agains others -need to win financial one-upmanship -competition -coercion by bosses/ top management
database management system (DBMS)
the ____ acts as an interface between the database and the various application programs
Most frequent "cook the books" schemes
-fictitiously inflating revenues - recognize revenue before they are earned -delaying current expenses to later period -overstating inventories or assets -concealing losses and liabilities
Financial pressure examples
-living beyond your means -high personal debt/expenses -"inadequate" salary/income -poor credit ratings -heavy financial losses -tax avoidance -bad investments -unreasonable quotas/goals
Reasons number of incidents, total dollar loss, and sophistication of predators and schemes used to commit computer fraud are increasing rapidly:
-not everyone agrees on what constitutes computer fraud -many times computer fraud goes undetected - high percentage of fraud is not reported -many networks are not secure -internet sites offer step by step instructions -law enforcement can not keep up with the growth -calculating losses is difficult
For an act to be fraudulent there must be
1) A false statement, representation, disclosure 2) A material fact (something that induces a person to act) 3) An intent to deceive 4) A justifiable reliance (person relies on the misrepresentation to take the action) 5) An injury or loss
3 benefits of online real-time processing
1. Stored info is always current, increasing decision making usefulness 2. Information is more accurate because data Input errors can be corrected in real time or refused 3. Provides significant competitive advantage
Revenue Cycle Business Activities
1. Take customer order 2. Deliver or ship order 3. Receive cash 4. Deposit cash receipts 5. Adjust customer account
What 3 facets of each business activity must data be collected about?
1. The resources affected by each activity 2. The people who participate in each activity 3. Each activity of interest
4 types of data processing activities
1. creating new data records 2. reading, retrieving or viewing existing data 3. updating previously stored data 4. deleting data
4 steps of data processing cycle
1. data input 2. data storage 3. data processing 4. information output
database system
the combination of the database, the DBMS, and the application programs that access the database through the DBMS is refferred to as the
data processing cycle
the four operations (data input, data storage, data processing, and information output) performed on data to generate meaningful and relevant information
database administrator
the person responsible for the database is the
input fraud
the simplest and most common way to commit a computer fraud is to alter or falsify computer input
how and where the data are physically arranged and stored
the term physical view refers to:
online batch processing
transaction data are entered and edited as they occur and stored for later processing
True or false. Researchers found few psychological and demographic differences between white-collar criminals and the public.
true
General journal
A journal used to record infrequent or nonroutine transactions, such as loan payments and end-of-period adjusting and closing entries.
Legally, for an act to be fraudulent there must be: A) A justifiable reliance, where a person relies on a misrepresentation to take an action b)A false statement, representation, or disclosure c)An injury or loss suffered by the perpetrator d)A material fact that induces a person to act e)An intent to do bodily harm to the victim
A justifiable reliance, where a person relies on a misrepresentation to take an action A false statement, representation, or disclosure A material fact that induces a person to act
General ledger
A ledger that contains summary-level data for every asset, liability, equity, revenue, and expense account of the organization.
subsidiary ledger
A ledger used to record detailed data for a general ledger account with many individual subaccounts, such as accounts receivable, inventory, and accounts payable.
Chart of accounts
A listing of all the numbers assigned to balance sheet and income statement accounts. The account numbers allow transaction data to be coded, classified, and entered into the proper accounts. They also facilitate financial statement and report preparation.
Audit trail
A path that allows a transaction to be traced through a data processing system from point of origin to output or backwards from output to point of origin. It is used to check the accuracy and validity of ledger postings and to trace changes in general ledger accounts from their beginning balance to their ending balance.
master file
A permanent file of records that stores cumulative data about an organization. As transactions take place, individual records within a master file are updated to keep them current. (Like a ledger in a manual system)
Pressure
A person's incentive or motivation for committing fraud.
Unintentional Acts
Accidents caused by human carelessness, failure to follow established procedures, and poorly trained or supervised personnel Innocent errors or omissions Lost, erroneous, destroyed, or misplaced data Logic errors Systems that do not meet company needs or cannot handle intended tasks
Which of the following is most likely to be a general ledger control account? A. Accounts receivable B. Petty cash C. Prepaid rent D. Retained earnings
Accounts receivable
batch processing
Accumulating transaction records into groups or batches for processing at a regular interval such as daily or weekly. The records are usually sorted into some sequence (such as numerically or alphabetically) before processing. Since data is current only right after processing, it is only used for things like payroll that don't need to be changed all the time
Data must be collected about three facets each business activity. These facets are A. The resources, the benefit, And the process B. Activity of interest, the process, And the people who participate C. Activity of interest, the resources, And the people who participate D. Activity of interest, the resources, and the process
Activity of interest, the resources, And the people who participate
What is cardinality?
An indication of how many occurrences of one entity in a relationship can be linked to a single occurrence of the other entity in the relationship
Fraud is gaining an unfair advantage over another person. Legally, for an asked to be fraudulent there must be: A. Unfairness B. All of these are correct C. An exchange of monetary consideration D. An intent to deceive
An intent to deceive
fraud
Any and all means a person uses to gain an unfair advantage over another person.
Entity
Anything about which an organization wants to collect and store information. Examples include an employee, an inventory item, and a customer
Other way data can be lost
As a result of negligence or carelessness. Hard drives with sensitive information that are donated or resold. deleting files does not erase them
________ is/are an example of a preventive control. A) Emergency response teams B) Encryption C) Log analysis D) Intrusion detection
B) Encryption
Block code
Blocks of numbers that are reserved for specific categories of data, thereby helping to organize the data. An example is a chart of accounts.
Identify a party below who was involved with developing the Trust Services Framework. A) FASB B) United States Congress C) AICPA D) IMA
C) AICPA
If an organization asks you to disclose your social security number, yet fails to permit you to opt-out before you provide the information, the organization has likely violated which of the Generally Accepted Privacy Principles? A) Management B) Notice C) Choice and consent D) Use and retention
C) Choice and consent
The Trust Services Framework reliability principle that states personal information should be protected from unauthorized disclosure is known as A) availability. B) security. C) privacy. D) integrity.
C) privacy.
Internal control is often referred to as a(n) ________, because it permeates an organization's operating activities and is an integral part of management activities. A) event B) activity C) process D) system
C) process
The audit committee of the board of directors A) is usually chaired by the CFO. B) conducts testing of controls on behalf of the external auditors. C) provides a check and balance on management. D) does all of the above.
C) provides a check and balance on management.
Any attribute that may be decomposed into other attributes is called a
Complex Attribute
Unauthorized theft, use, access, modification copying or destruction of software, hardware, or data is called A. Technology fraud B. Hacking C. assets misappropriation D. Computer fraud
Computer fraud
A programmer at a large bank inserted code into the company's computer system that told the computer to not only ignore any overdrafts on his accounts, but to not charge his accounts any late or service fees. This is an example of what type of fraud? a)Computer instruction fraud b)Output fraud c)Data fraud d)Input fraud e)Processor fraud
Computer instruction fraud
Multi-attribute primary keys are called:
Concatenated keys
Lapping
Concealing the theft of cash by means of a series of delays in posting collections to accounts. For example, a perpetrator steals customer A's accounts receivable payment. Funds received at a later date from customer B are used to pay off customer A's balance. Funds from customer C are used to pay off B's balance, and so forth.
Once business activity data has been entered into the system, they must be processed to keep the databases current. Which of the following are not One of the four different types of Data processing activities? A. Deleting data records no longer needed B. Updating previously stored data C. Creating new data records D. Controlling access to data records E. Reading retrieving or viewing existing data
Controlling access to data records
source document
Documents used to capture transaction data at its source—when the transaction takes place. Examples include sales orders, purchase orders, and employee time cards.
In REA business process level modeling, resources are connected to economic events using
Dualty Relationships
True or false. Auditors and management are just as concerned with misappropriations as they are with fraudulent financial reporting.
False
True or false. Companies seldom hire outside help to implement ERP software
False
True or false. Corruption is misrepresenting or leaving out facts in order to promote an investment that promises fantastic profits with little or no risk.
False
True or false. Data values are characteristics of interest that are stored
False
True or false. Investment fraud is dishonest conduct, such as bribery and bid rigging, by those in power that often involves illegitimate or immoral actions.
False
True or false. Small businesses are less vulnerable to fraud than large companies because small companies typically have more effective internal controls than larger companies.
False
An individual's address is an example of a:
Field.
Which of the following classification of pressures motivate people to perpetrate employee fraud? (Check all that apply.) a) Financial pressures b)Emotional pressures c)Lifestyle pressures d)Industry pressures and conditions e)Management characteristics and pressures
Financial pressure Emotional pressure Lifestyle pressures
Where is information about business events best obtained?
From interviews with management
Which of the following would contain the total value of all inventory owned by an organization? A. Source document B. General ledger C. Cash budget
General ledger
Which of the following causes the majority of computer security problems? Human errors Software errors Natural disasters Power outages
Human errors
The recommended Step 1 in REA business process level modeling is
Identify the economic exchange events that form the core of the business process.
Redundancy is minimised with a computer based database approach.
True
True or false. A chart of accounts is a list of the numbers assigned to each general ledger account
True
True or false. A file is a group of related records
True
True or false. A significant contributor to most misappropriations is the absence of internal controls and/or the failure to enforce existing internal controls.
True
True or false. A subsidiary ledger contains detailed data for any general ledger account with many individual subaccounts.
True
True or false. A typical organization loses 5% of its annual revenue to fraud, indicating yearly global fraud losses of over $3.7 trillion.
True
True or false. Each type of entity possesses the same set of attributes
True
True or false. Frequent "cook the books" schemes involve fictitiously inflating revenues, recognizing revenues before they are earned, delaying expenses to a later period, overstating inventories, and concealing liabilities
True
True or false. Management falsifies financial statements in order to deceive investors and creditors, increase a company's stock price, meet cash flow needs, or hide company losses and problems.
True
True or false. Most fraud perpetrators are knowledgeable insiders with the requisite access, skills, and resources.
True
True or false. One way to choose a suitable ERP system is to select a package designed for your industry
True
True or false. Researchers found significant psychological and demographic differences between violent and white-collar criminals.
True
True or false. Since few perpetrators voluntarily stop their frauds, there are no small frauds—only large ones that are detected early.
True
True or false. The sheer magnitude of some frauds leads to their detection.
True
True or false: The controls used to protect corporate assets make it more difficult for an outsider to steal from a company.
True
True or false: fraud can be prevented by eliminating or minimizing one or more fraud triangle elements
True
True or false: master files are permanent. They exist across fiscal periods
True
True or false: subsidiary ledger accounts often have longer account codes than general ledger accounts
True
Statement on Auditing Standards (SAS) No. 94 requires auditors to:
Understand fraud Discuss the risk of misstatements Obtain information Identify, asses, and respond to risks Evaluate the results of the audit tests Document and communicate findings Incorporate a technology focus
Logic errors is what type of AIS threat A. Natural andpolitical disasters B. Software error and equipment malfunctions C. Intentional act D. Unintentional acts
Unintentional act
Which of the following is NOT an essential information process event?
-Communicate to the purchasing department a need to replenish a resource -Record information about an operating event -Report useful information to a decision maker -Maintain reference data about an agent or resource
computer fraud
any type of fraud that requires computer technology to perpetrate
sabotage
An intentional act where the intent is to destroy a system or some of its components.
Specialized journal
A journal used to record a large number of repetitive transactions such as credit sales, cash receipts, purchases, and cash disbursements.
Information output examples
1. Query response 2. Report
ERP is the abbreviation for A. Enterprise resource planning B. Entity resource planning C. Enterprise reporting program D. Enterprise resource program
Enterprise resource planning
Which of the following is not an example of computer fraud? Theft of money by altering computer records Obtaining information illegally using a computer Failure to perform preventive maintenance on a computer Unauthorized modification of a software program
Failure to perform preventive maintenance on a computer
A row in a database can also be called a domain.
False
Which of the following will improve the ability to detect fraud? (Check all that apply.) a)Implement project development and acquisition controls, as well as change management controls. b)Implement whistleblower rewards. c)Provide employee support programs so they know where they can get help to deal with pressures that might tempt them to perpetrate fraud. d)Restrict physical and remote access to system resources to authorized personnel. e)Implement a fraud hotline.
Implement whistleblower rewards. Implement a fraud hotline.
Who develops repetitive queries?
Information system specialist
ERP vendors
Oracle, SAP, the Sage group, Microsoft, and infor
Which of the following statements is false? The psychological profiles of white-collar criminals differ from those of violent criminals. The psychological profiles of white-collar criminals are significantly different from those of the general public. The psychological profile of white-collar criminals is similar to that of the general public. There is little difference between computer fraud perpetrators and other types of white-collar criminals. Some computer fraud perpetrators do not view themselves as criminals.
The psychological profiles of white-collar criminals are significantly different from those of the general public.
Fraud Triangle
The three factors that contribute to fraudulent activity by employees: opportunity, financial pressure, and rationalization.
misappropriation of assets
Theft of company assets by employees.
Natural and political disasters
This AIS threat includes fire or excessive heat, floods, earthquakes, landslides, hurricanes, tornadoes, blizzards, snowstorms, and freezing rain. and war and attacks by terrorists
Databases that store detailed data generated by the operations of the entire organization are called:
Transaction Databases
A first step in database creation should be needs analysis.
True
True or false. An attribute is something about which information is stored
False
Data processing examples
1. Batch or online processing 2. Updating or retrieving stored data 3. Creating and deleting data
Steps in processing input
1. Capture transaction data and enter them into the system 2. Make sure entered data are accurate and complete 3. Make sure company policies are followed
Data storage examples
1. Chart of account 2. Master and transaction files 3. Database 4. General and subsidiary journal
Opportunity allows a perpetrator to do three things
1. Commit the fraud 2. Conceal the fraud 3. Convert the theft or misrepresentation to personal gain
Disadvantages of erp systems
1. Cost 2. Amount of time required 3. Implementation has a high risk of failure 4. Changes to business processes 5. Complexity 6. Resistance
3 forms of information output
1. Document 2. Report 3. Query response
4 actions to reduce fraudulent financial reporting
1. Establish an organizational environment that contributes to the integrity of the financial reporting process 2. Identify and understand the factors that lead to fraudulent financial reporting 3. Assess the risk of fraudulent financial reporting within the company 4. Design and implement internal controls to provide reasonable assurance of preventing fraudulent financial reporting
Three types of pressures
1. Financial 2. Emotional 3. Lifestyle
Typical ERP modules include:
1. Financial (General ledger and reporting system) 2. Human Resources and payroll 3. Order to cash (revenue cycle) 4. Purchase to pay (disbursement cycle) 5. Manufacturing (production cycle) 6. Project management 7. Customer relationship management 8. System tools
What are the 3 steps when processing input
1. Make sure to capture transaction data and enter them into the system 2. Make sure captured data are accurate and complete 3. Make sure company policies are followed when data is input
Advantages of ERP Systems
1. Provides integrated, Enterprise-wide, single view of the organization's data and financial situation 2. Data input is captured once, rather than multiple times. Downloading data from one system to another is no longer needed 3. The organization gains better access control 4. Procedures and reports are standardized across business units 5. Customer Service improves 6. Manufacturing plants receive orders in real time, and increases productivity
Data input examples
1. Source documents 2. Turnaround document 3. Source data automation
Which of the following statements accurately describes the difference between an operating event and a business pro
A business process consists of several operating events
Which of the following is not an example of asset misappropriation? A. Warehouse employee takes home five iPhones without authorization B. A controller of a company falsely adds $50 million to accounts receivable C. The treasure of a company makes an unauthorized wire transfer from the organizations bring to a private account D. The president of the Company utilizes The organization cash to pay for an overseas vacation
A controller of a company falsely adds $50 million to accounts receivable
transaction file
A file that contains the individual business transactions that occur during a specific fiscal period. A transaction file is conceptually similar to a journal in a manual AIS. They are not permanent, and may not be needed beyond the fiscal year. However they are usually maintained for backup for a period of time
document
A record of a transaction or other company data. Examples include checks, invoices, receiving reports, and purchase requisitions.
query
A request for the database to provide the information needed to deal with a problem or answer a question. The information is retrieved, displayed, and/or analyzed as requested.
What is a 'tuple'?
A row or record in a database table.
Record
A set of fields whose data values describe specific attributes of an entity, such as all payroll data relating to a single employee. An example is a row in a spreadsheet.
Database
A set of interrelated, centrally coordinated data files that are stored with as little data redundancy as possible. A database consolidates records previously stored in separate files into a common pool and serves a variety of users and data processing applications
File
A set of logically related records, such as the payroll records of all employees.
Enterprise Resource Planning (ERP)
A system that integrates all aspects of an organization's activities—such as accounting, finance, marketing, human resources, manufacturing, inventory management—into one system. An ERP system is modularized; companies can purchase the individual modules that meet their specific needs. An ERP facilitates information flow among the company's various business functions and manages communications with outside stakeholders.
Control account
A title given to a general ledger account that summarizes the total amounts recorded in a subsidiary ledger. For example, the accounts receivable control account in the general ledger represents the total amount owed by all customers. The balances in the accounts receivable subsidiary ledger indicate the amount owed by each specific customer.
Which of the following is a benefit of implementing an ERP System at a multinational corporation? A. All of these are correct B. Increase productivity of employees C customer service improves as employees can quickly access data D. Standardization of procedures and reports cross business units
All of the above
A rationalization allows a person to convince him or herself that his or her actions are not illegal or dishonest. There are several different types of rationalizations: (Check all that apply.) a)A mental defect that makes a person think that they own the item that they took b)An attitude, such as "the rules do not apply to me" c)A lack of personal integrity that makes what a person wants more important than acting honestly d)A justification, such as "I am underpaid, so they owe it to me"
An attitude, such as "the rules do not apply to me" A lack of personal integrity that makes what a person wants more important than acting honestly A justification, such as "I am underpaid, so they owe it to me"
Restricting access of users to specific portions of the system as well as specific tasks, is an example of A) authentication. B) authorization. C) identification. D) threat monitoring.
B) authorization.
Which of the following is an example of how a perpetrator would rationalize the fraud A. Sense of dissatisfaction against the company B. Need to have additional funds to pay for gambling addiction C. There is lack of internal control in the company D. Belief that no one is going to be harmed
Belief that no one is going to be harmed
Which attribute below is not an aspect of the COSO ERM Framework internal environment? A) enforcing a written code of conduct B) holding employees accountable for achieving objectives C) restricting access to assets D) avoiding unrealistic expectations
C) restricting access to assets
Business policies are specified in the:
Cardinalities
Which of the following is not one of the responsibilities of auditors in detecting fraud, according to SAS No. 99? Evaluating the results of their audit tests Incorporating a technology focus Discussing the risks of material fraudulent misstatements Catching the perpetrators in the act of committing the fraud.
Catching the perpetrators in the act of committing the fraud.
After a fraud has occurred which of the following ways is the best Way to reduce loss from that fraud A. Develop and implement a strong system of internal controls B. Increase the penalty for committing fraud by prosecuting fraud perpetrators more vigorously C create an organizational culture that stresses integrity and commitment to ethical values and competence D. Collect on fraud insurance purchased before the fraud E. Implements computer based controls over Data input, computer processing, Data storage, Data transmission and information output
Collect on fraud insurance purchased before the fraud
Opportunity is the condition or situation that allows a perpetrator to: (Check all that apply.) a)Convert the theft into a personal gain b)Conceal the fraud c)Control those who may know of his or her actions d)Commit the fraud e)Convince the perpetrator that he or she will not be caught
Convert the theft into a personal gain Conceal the fraud Commit the fraud
Types of Fraud
Corruption Investment fraud Misappropriation of assets Fraudulent financial reporting
check kiting
Creating cash using the lag between the time a check is deposited and the time it clears the bank. Suppose an account is opened in banks A, B, and C. The perpetrator "creates" cash by depositing a $1,000 check from bank B in bank C and withdrawing the funds. If it takes two days for the check to clear bank B, he has created $1,000 for two days. After two days, the perpetrator deposits a $1,000 check from bank A in bank B to cover the created $1,000 for two more days. At the appropriate time, $1,000 is deposited from bank C in bank A. The scheme continues—writing checks and making deposits as needed to keep the checks from bouncing—until the person is caught or he deposits money to cover the created and stolen cash.
Data warehouses may be subdivided into ________ that hold subsets of data from the warehouse that focus on specific aspects of a company:
Data Marts
Which of the following is not a step in data processing cycle? A. Data collection B. Data input C. Data storage D. Data processing
Data collection
A hacker was able to break into the system that transmitted the daily transactions of a retail store to the company's central office. Every night for several weeks he copied the transaction data that included customer names, credit card numbers, and other confidential data. Hundreds of thousands of customers were affected. This is an example of what type of fraud? a)Input fraud b)Computer instruction fraud c)Data fraud d)Output fraud e)Processor fraud
Data fraud
What does the abbreviation DBMS stand for?
Database Management System.
A system which integrates the use and storage of data in an information system is called a:
Database management system.
Which of the following is an example of an operating event?
Delivering a product to a customer
Another way to fight computer fraud
Develop software to examine bank or accounting records for suspicious transactions
These databases may be copies of operational or analytical databases that reside on corporate intranets or extranets:
Distributed Databases
Which of the following is an example of an ERP system? A. Jim has a system that keeps track of the cash receipts and cash disbursements of his cleaning business. At the end of each month, the system helps him prepare monthly profit and loss statement. B. Ken is a freelance contractor. He keeps records of all revenues and expenses on his cell phone and the files are uploaded to the cloud regularly C. John uses a computerized information System to keep track of all the Financial data generated by his business. D. Each week Emily enters all of the data into a system that automatic generates purchase orders, based on predetermined inventory reorder points. Production quotas for the coming week are also automatically generated based on customer orders
Each week Emily enters all of the data into a system that automatic generates purchase orders, based on predetermined inventory reorder points. Production quotas for the coming week are also automatically generated based on customer orders
Which of the following conditions is NOT usually necessary for a fraud to occur? pressure opportunity explanation rationalization
Explanation
Internal control Opportunities permitting fraud
Failure to enforce/monitor internal controls Management's failure to be involved in the internal control system Management override of controls Managerial carelessness, inattention to details Dominant and unchallenged management Ineffective oversight by board of directors No effective internal auditing staff Infrequent third-party reviews Insufficient separation of authorization, custody, and record-keeping duties Too much trust in key employees Inadequate supervision Unclear lines of authority Lack of proper authorization procedures No independent checks on performance Inadequate documents and records Inadequate system for safeguarding assets No physical or logical security system No audit trails Failure to conduct background checks No policy of annual vacations, rotation of duties
Calculating amounts, sending documents to outside parties such as customers, and generating analysis reports are all examples of
Information process events
What is the first step in the data processing cycle? A. Output B. Input C. Processing D. Storage
Input
A woman sent her company fictitious medical bills from doctors who did not exist. The bills were processed in the normal way by her employer, and payments went to her husband's office address. She bilked her company out of millions of dollars. This is an example of what type of fraud? a)Processor fraud b)Data fraud c)Computer instruction fraud d)Input fraud e)Output fraud
Input fraud
Misappropriation of assets is an example of what type accounting information threat? A. Natural andpolitical disasters B. Software error and equipment malfunctions C. Intentional act D. Unintentional acts
Intentional act
fraudulent financial reporting
Intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements.
Computer systems are particularly vulnerable to fraud for the following reasons: (Check all that apply.) a)Few companies design controls into their computer systems. b)Most employees and suppliers with access to a computer system will eventually perpetrate a computer fraud, irrespective of the strength of the Internal controls. c)It is difficult to control physical access to each electronic device that accesses a network. d)Computer programs need to be illegally modified only once, in order for them to operate improperly for as long as they are in use. e)Perpetrators who break into corporate databases can steal or destroy massive amounts of data in very little time, often leaving little evidence.
It is difficult to control physical access to each electronic device that accesses a network. Computer programs need to be illegally modified only once, in order for them to operate improperly for as long as they are in use. Perpetrators who break into corporate databases can steal or destroy massive amounts of data in very little time, often leaving little evidence.
The advantages of Standard Query Language (SQL) include which of the following in relation to GIS databases?
It uses a pseudo-English style of questioning. It is good at handling geographical concepts. It is widely used. It uses a pseudo-English style of questioning.
Sequence codes
Items are numbered consecutively to account for them so that gaps in the sequence code indicate missing items that should be investigated. Examples of sequence code use include prenumbered checks, invoices, and purchase orders.
Which of the following is a fraud in which later payments on account are used to pay off earlier payments that were stolen? A. Lapping B. Kiting C. Ponzi scheme D. Salami technique
Lapping
Other Opportunities for fraud
Large, unusual, or complex transactions Numerous adjusting entries at year-end Related-party transactions Accounting department that is understaffed, overworked Incompetent personnel Rapid turnover of key employees Lengthy tenure in a key job Overly complex organizational structure No code of conduct, conflict-of-interest statement, or definition of unacceptable behavior Frequent changes in auditors, legal counsel Operating on a crisis basis Close association with suppliers/customers Assets highly susceptible to misappropriation Questionable accounting practices Pushing accounting principles to the limit Unclear company policies and procedures Failing to teach and stress corporate honesty Failure to prosecute dishonest employees Low employee morale and loyalty
Mnemonic code
Letters and numbers that are interspersed to identify an item. The mnemonic code is derived from the description of the item and is usually easy to memorize. For example, Dry300W could represent a dryer (Dry), model number 300, that is white (W).
Organizations can increase The difficulty of committing fraud by all of the following except: A. Encrypting stored and transmitted data B. Implementing strong internal controls C. Distracting access to Company assets and data D. Maintaining adequate insurance
Maintaining adequate insurance
Cupcake by Emma is a dessert retailer in Texas. Emma is the sole proprietorship that stocks an inventory of between 30 and 50 different kind of desserts. Inventor is updated in real-time by the companies AIS. If Emma wishes to keep cumulative data about his company, Emma might use a A. Specific file B. Master file C. Transaction file D. Relational file
Master file
investment fraud
Misrepresenting or leaving out facts in order to promote an investment that promises fantastic profits with little or no risk. Examples include Ponzi schemes and securities fraud.
Which of the following is the most effective way to segregate duties in an ERP system? A. No one person should be responsible for authorization, Recording, and have custody organizational assets B. No one person should be responsible for recording and monitoring of organizational assets C. No one person should be responsible for authorization, monitoring, and risk assessment D. No one person should be responsible for Recording, risk assessment, And Control procedures
No one person should be responsible for authorization, Recording, and have custody organizational assets
How to prevent fraud
Organizations must create a climate that makes fraud less likely, Increases the difficulty of committing it, improves detection methods, and reduces the amount lost if fraud occurs
Which of the following is least likely to be a specialized journal? A. Sales journal B. Cash receipts journal C. Prepaid insurance journal D. Cash disbursement journal
Prepaid insurance journal
Employees at a large brokerage house used their employer's computer system to run a large and lucrative side business that their employer knew nothing about. This is an example of what type of fraud? a)Processor fraud b)Output fraud c)Input fraud d)Data fraud e)Computer instruction fraud
Processor fraud
In an ERP system, the module used to record data about transactions in the disbursement cycle is called A. Manufacturing B. Purchase to pay C. Financial D. Order to cash
Purchase to pay
True statements about data warehouses include each of the following except: A) Data has been cleaned, transformed, and catalogued to enable better analysis. B) Store data that has been extracted from both internal and external sources. C) Relatively inexpensive to setup and maintain. D) Data can be converted to new data elements, and aggregated into new data subsets.
Relatively inexpensive to setup and maintain.
The data manipulation tool that helps you graphically design the answer to a question is a:
Report Generator
Intentional Acts
Sabotage Misrepresentation, false use, or unauthorized disclosure of data Misappropriation if assets Financial statement fraud Corruption Computer fraud- attack's, social engineering, malware etc
The typical relationship between Sales Order and Inventory would be:
Sales order (1,m)-(0,m) inventory
Data resource management is the managerial activity that:
Seeks to manage an organization's data resources using the techniques of "database management and administration" and "data administration and planning".
Once fraud has occurred, which of the following will NOT reduce fraud losses? Insurance regular backup of data and programs contingency plan segregation of duties
Segregation of duties
Which of the following is the most important, basic, and effective control to deter fraud? Enforced vacations Logical access control Segregation of duties Virus protection controls
Segregation of duties
Most databases are accessed using a ________ language:
Structured Query
SQL is an acronym for:
Structured Query Language
report
System output, organized in a meaningful fashion, that is used by employees to control operational activities, by managers to make decisions and design strategies, and by investors and creditors to understand a company's business activities.
Data value
The actual value stored in a field. It describes a particular attribute of an entity. For example, the customer name field would contain "ZYX Company" if that company was a customer.
Coding System Guidelines
The code should: 1. Be consistent with its intended use 2. Allow for growth 3. Be as simple as possible 4 be consistent with the company's organizational structure
source data automation
The collection of transaction data in machine-readable form at the time and place of origin. Examples are point-of-sale terminals and ATMs.
online, real-time processing
The computer system processes data immediately after capture and provides updated information to users on a timely basis. It ensures that data is always current, which helps with decision making usefulness.
Rationalization
The excuse that fraud perpetrators use to justify their illegal behavior.
The most prevalent opportunity for fraud is:
The failure by the company to design and enforce a good internal control system
Field
The portion of a data record where the data value for a particular attribute is stored. For example, in a spreadsheet each row might represent a customer and each column is an attribute of the customer. Each cell in a spreadsheet is a field.
Attributes
The properties, identifying numbers, and characteristics of interest of an entity that is stored in a file or database. Examples of employee attributes are employee number, pay rate, name, and address.
Agents are people or organizations about whom information is desired.
True
decentralized management of data
all the following are benefits of database technology except:
Processor Fraud
unauthorized system use, including the theft of computer time and services
Output Fraud
unless properly safeguarded, displayed or printed output can be stolen, copied, or misused. Fraud perpetrators use computers to forge authentic looking outputs such as paychecks
many separate files
using a file oriented approach to data and information, data is maintained in
relational
what is the most popular type of database?
the preliferation of master files creates problems in the consistancy of specific data stored in different files
which statement is true reguarding file systems?
A control procedure designed so that the employee that records cash received from customers does not also have access to the cash itself is an example of a A) preventive control. B) detective control. C) corrective control. D) authorization control.
preventative control
Data capture process is triggered by
A business activity
________ is not a risk responses identified in the COSO Enterprise Risk Management Framework. A) Acceptance B) Avoidance C) Monitoring D) Sharing
C) Monitoring
Applying the COBIT5 framework, governance is the responsibility of A) internal audit. B) external audit. C) management. D) the board of directors.
D) the board of directors
Human Resources cycle activities
1. Collect employee withholding data 2. Record time worked by employees 3. Record time spent on specific jobs
3 facets of business activity that data must be collected of
1. Each activity of interest 2. The resources affected by each activity 3. The people who participate in each activity
Expenditure cycle business activities
1. Request items 2. Order items 3. Receive items 4. Pay for items
If an organization asks you to disclose your social security number, but decides to use it for a different purpose than the one stated in the organization's privacy policies, the organization has likely violated which of the Generally Accepted Privacy Principles? A) Collection B) Access C) Security D) Quality
A) Collection
Which of the following is not a basic principle of the COSO ERM framework? A) Companies are formed to create value for society. B) Management must decide how much uncertainty it will accept to create value. C) Uncertainty results in risk. D) Uncertainty results in opportunity.
A) Companies are formed to create value for society.
Identify one weakness of encryption below. A) Encrypted packets cannot be examined by a firewall. B) Encryption provides for both authentication and non-repudiation. C) Encryption protects the privacy of information during transmission. D) Encryption protects the confidentiality of information while in storage.
A) Encrypted packets cannot be examined by a firewall.
The largest differences between the COSO Integrated Control (IC) framework and the COSO Enterprise Risk Management (ERM) framework is A) IC is controls-based, while the ERM is risk-based. B) IC is risk-based, while ERM is controls-based. C) IC is required, while ERM is optional. D) IC is more applicable to international accounting standards, while ERM is more applicable to generally accepted accounting principles.
A) IC is controls-based, while the ERM is risk-based.
Identify the first step in protecting the confidentiality of intellectual property below. A) Identifying who has access to the intellectual property B) Identifying the means necessary to protect the intellectual property C) Identifying the weaknesses surrounding the creation of the intellectual property D) Identifying what controls should be placed around the intellectual property
A) Identifying who has access to the intellectual property
Identify the statement below that is not true of the 2013 COSO Internal Control updated framework. A) It more efficiently deals with control implementation and documentation issues. B) It more effectively deals with control implementation and documentation issues. C) It provides users with more precise guidance. D) It adds many new examples to clarify the framework concepts.
A) It more efficiently deals with control implementation and documentation issues.
If an organization asks you to disclose your social security number, but fails to establish a set of procedures and policies for protecting your privacy, the organization has likely violated which of the Generally Accepted Privacy Principles? A) Management B) Notice C) Choice and consent D) Use and retention
A) Management
One way to circumvent the counterfeiting of public keys is by using A) a digital certificate. B) digital authority. C) encryption. D) cryptography.
A) a digital certificate.
Which of the following is not a factor of internal environment according to the COSO Enterprise Risk Management Framework? A) analyzing past financial performance and reporting B) providing sufficient resources to knowledgeable employees to carry out duties C) disciplining employees for violations of expected behavior D) setting realistic targets for long-term performance
A) analyzing past financial performance and reporting
These are used to create digital signatures. A) asymmetric encryption and hashing B) hashing and packet filtering C) packet filtering and encryption D) symmetric encryption and hashing
A) asymmetric encryption and hashing
Noseybook is a social networking site that boasts over a million registered users and a quarterly membership growth rate in the double digits. As a consequence, the size of the information technology department has been growing very rapidly, with many new hires. Each employee is provided with a name badge with a photo and embedded computer chip that is used to gain entry to the facility. This is an example of a(n) A) authentication control. B) biometric device. C) remote access control. D) authorization control.
A) authentication control.
Verifying the identity of the person or device attempting to access the system is an example of A) authentication. B) authorization. C) identification. D) threat monitoring.
A) authentication.
The Trust Services Framework reliability principle that states that users must be able to enter, update, and retrieve data during agreed-upon times is known as A) availability. B) security. C) maintainability. D) integrity.
A) availability.
Independent checks on performance include all the following except A) data input validation checks. B) reconciling hash totals. C) preparing a trial balance report. D) supervisor review of journal entries and supporting documentation.
A) data input validation checks.
According to The Sarbanes-Oxley Act of 2002, the audit committee of the board of directors is directly responsible for A) hiring and firing the external auditors. B) performing tests of the company's internal control structure. C) certifying the accuracy of the company's financial reporting process. D) overseeing day-to-day operations of the internal audit department.
A) hiring and firing the external auditors.
Which component of the COSO Enterprise Risk Management Integrated Framework is concerned with understanding how transactions are initiated, data are captured and processed, and information is reported? A) information and communication B) internal environment C) event identification D) objective setting
A) information and communication
A well-known hacker started his own computer security consulting business shortly after being released from prison. Many companies pay him to attempt to gain unauthorized access to their network. If he is successful, he offers advice as to how to design and implement better controls. What is the name of the testing for which the hacker is being paid? A) penetration test B) vulnerability scan C) deep packet inspection D) buffer overflow test
A) penetration test
According to the COSO Enterprise Risk Management Framework, the risk assessment process incorporates all of the following components except A) reporting potential risks to auditors. B) identifying events that could impact the enterprise. C) evaluating the impact of potential events on achievement of objectives. D) establishing objectives for the enterprise.
A) reporting potential risks to auditors.
The COSO Enterprise Risk Management Integrated Framework stresses that A) risk management activities are an inherent part of all business operations and should be considered during strategy setting. B) effective risk management is comprised of just three interrelated components; internal environment, risk assessment, and control activities. C) risk management is the sole responsibility of top management. D) risk management policies, if enforced, guarantee achievement of corporate objectives.
A) risk management activities are an inherent part of all business operations and should be considered during strategy setting.
All of the following are associated with asymmetric encryption except A) speed. B) private keys. C) public keys. D) no need for key exchange.
A) speed.
Which internal control framework is widely accepted as the authority on internal controls? A) COBIT B) COSO Integrated Control C) COSO Enterprise Risk Management D) Sarbanes-Oxley Control Framework
B) COSO Integrated Control
If an organization asks you to disclose your social security number, but fails to tell you about its privacy policies and practices, the organization has likely violated which of the Generally Accepted Privacy Principles? A) Management B) Notice C) Choice and consent D) Use and retention
B) Notice
Identify the preventive control below. A) reconciling the bank statement to the cash control account B) approving customer credit prior to approving a sales order C) maintaining frequent backup records to prevent loss of data D) counting inventory on hand and comparing counts to the perpetual inventory records
B) approving customer credit prior to approving a sales order
Which of the following is not one of the basic actions that an organization must take to preserve the confidentiality of sensitive information? A) identification of information to be protected B) backing up the information C) controlling access to the information D) training
B) backing up the information
In 2007, a major U.S. financial institution hired a security firm to attempt to compromise its computer network. A week later, the firm reported that it had successfully entered the system without apparent detection and presented an analysis of the vulnerabilities that had been found. This is an example of a A) preventive control. B) detective control. C) corrective control. D) standard control.
B) detective control.
Duplicate checking of calculations is an example of a ________ control, and procedures to resubmit rejected transactions are an example of a ________ control. A) corrective; detective B) detective; corrective C) preventive; corrective D) detective; preventive
B) detective; corrective
An electronic document that certifies the identity of the owner of a particular public key. A) asymmetric encryption B) digital certificate C) digital signature D) public key
B) digital certificate
Which of the following is not one of the essential criteria for successfully implementing each of the principles that contribute to systems reliability, as discussed in the Trust Services Framework? A) developing and documenting policies B) effectively communicating policies to all outsiders C) designing and employing appropriate control procedures to implement policies D) monitoring the system and taking corrective action to maintain compliance with policies
B) effectively communicating policies to all outsiders
15) Which of the following is not a violation of the Sarbanes-Oxley Act (SOX)? The management at Oanez Dinnerware A) asked their auditors to make recommendations for the redesign of their information technology system and to aid in the implementation process. B) hired the manager from the external audit team as company CFO twelve months after the manager had worked on the audit. C) selected the company's Chief Financial Officer to chair the audit committee. D) did not mention to auditors that the company had experienced significant losses due to fraud during the past year.
B) hired the manager from the external audit team as company CFO twelve months after the manager had worked on the audit.
Classification of confidential information is the responsibility of whom, according to COBIT5? A) external auditor B) information owner C) IT security professionals D) management
B) information owner
The Trust Services Framework reliability principle that states access to the system and its data should be controlled and restricted to legitimate users is known as A) availability. B) security. C) privacy. D) integrity.
B) security.
Which of the following is a control related to design and use of documents and records? A) locking blank checks in a drawer or safe B) sequentially prenumbering sales invoices C) reconciling the bank statement to the general ledger D) comparing physical inventory counts with perpetual inventory records
B) sequentially prenumbering sales invoices
Encryption has a remarkably long and varied history. The invention of writing was apparently soon followed by a desire to conceal messages. One of the earliest methods, attributed to an ancient Roman emperor, was the simple substitution of numbers for letters, for example A = 1, B = 2, etc. This is an example of A) a hashing algorithm. B) symmetric key encryption. C) asymmetric key encryption. D) a public key.
B) symmetric key encryption.
Why did COSO develop the Enterprise Risk Management framework? A) to improve the audit process B) to improve the risk management process C) to improve the financial reporting process D) to improve the manufacturing process
B) to improve the risk management process
The primary purpose of the Foreign Corrupt Practices Act of 1977 was A) to require corporations to maintain a good system of internal control. B) to prevent the bribery of foreign officials by American companies. C) to require the reporting of any material fraud by a business. D) All of the above are required by the act.
B) to prevent the bribery of foreign officials by American companies.
6) How many principles are there in the 2013 updated COSO - Internal Control Framework? A) 5 B) 8 C) 17 D) 21
C) 17
Kuzman Jovan called a meeting of the top management at Jovan Capital Management. Number one on the agenda was computer system security. "The risk of security breach incidents has become unacceptable," he said, and turned to the Chief Information Officer. "What do you intend to do?" Which of the following is the best answer? A) Evaluate and modify the system using COBOL. B) Evaluate and modify the system using the CTC checklist. C) Evaluate and modify the system using the Trust Services framework D) Evaluate and modify the system using the COSO Internal Control Framework.
C) Evaluate and modify the system using the Trust Services framework
Identify the statement below which is true. A) Requiring two signatures on checks over $20,000 is an example of segregation of duties. B) Although forensic specialists utilize computers, only people can accurately identify fraud. C) Internal auditors, rather than external auditors, can conduct evaluations of effectiveness of Enterprise Risk Management processes. D) Re-adding the total of a batch of invoices and comparing the total with the first total you calculated is an example of an independent check.
C) Internal auditors, rather than external auditors, can conduct evaluations of effectiveness of Enterprise Risk Management processes.
Which of the following is not true regarding virtual private networks (VPN)? A) VPNs provide the functionality of a privately owned network using the Internet. B) Using VPN software to encrypt information while it is in transit over the Internet in effect creates private communication channels, often referred to as tunnels, which are accessible only to those parties possessing the appropriate encryption and decryption keys. C) It is more expensive to reconfigure VPNs to include new sites than it is to add or remove the corresponding physical connections in a privately owned network. D) The cost of the VPN software is much less than the cost of leasing or buying the infrastructure (telephone lines, satellite links, communications equipment, etc.) needed to create a privately owned secure communications network.
C) It is more expensive to reconfigure VPNs to include new sites than it is to add or remove the corresponding physical connections in a privately owned network.
If an organization asks you to disclose your date of birth and your address, but fails to take any steps to protect your private information, the organization has likely violated which of the Generally Accepted Privacy Principles? A) Collection B) Access C) Security D) Quality
C) Security
Which of the following is not a principle related to information and communicating in the updated COSO Integrated Control framework? A) Communicate relevant internal control matters to external parties. B) Obtain or generate relevant, high-quality information to support internal control. C) Surround internal control processes with information technology that enables discrepancies to be identified. D) Internally communicate the information necessary to support the other components of internal control.
C) Surround internal control processes with information technology that enables discrepancies to be identified.
11) Congress passed this federal law for the purpose of preventing financial statement fraud, to make financial reports more transparent and to strengthen the internal control of public companies. A) Foreign Corrupt Practices Act of 1977 B) The Securities Exchange Act of 1934 C) The Sarbanes-Oxley Act of 2002 D) The Control Provision of 1998
C) The Sarbanes-Oxley Act of 2002
The most effective way to protect network resources that are exposed to the internet, yet reside outside of a network is A) a firewall. B) employee training. C) a demilitarized zone. D) stateful packet filtering.
C) a demilitarized zone.
Identify the statement below which is not a useful control procedure regarding access to system outputs. A) restricting access to rooms with printers B) coding reports to reflect their importance C) allowing visitors to move through the building without supervision D) requiring employees to log out of applications when leaving their desk
C) allowing visitors to move through the building without supervision
Information rights management software can do all of the following except A) limiting access to specific files. B) limit action privileges to a specific time period. C) authenticate individuals accessing information. D) specify the actions individuals granted access to information can perform.
C) authenticate individuals accessing information.
Why does COBIT5 DSS-05.06 stress the importance of restricting physical access to network printers? A) because hackers can use them to print out sensitive information B) because hackers often hide inside large network printers until night C) because document images are often stored on network printers D) because network printers are easier to hack into than computers
C) because document images are often stored on network printers
The Trust Services Framework reliability principle that states sensitive information be protected from unauthorized disclosure is known as A) availability. B) security. C) confidentiality. D) integrity.
C) confidentiality.
Information encrypted with the creator's private key that is used to authenticate the sender is A) asymmetric encryption. B) digital certificate. C) digital signature. D) public key.
C) digital signature.
A process that takes plaintext of any length and transforms it into a short code. A) asymmetric encryption B) encryption C) hashing D) symmetric encryption
C) hashing
The first step of the risk assessment process is generally to A) identify controls to reduce all risk to zero. B) estimate the exposure from negative events. C) identify the threats that the company currently faces. D) estimate the risk probability of negative events occurring.
C) identify the threats that the company currently faces.
Best Friends, Incorporated is a publicly traded company where three BFF's (best friends forever) serve as its key officers. This situation A) is a violation of the Sarbanes-Oxley Act. B) violates the Securities and Exchange Act. C) increases the risk associated with an audit. D) must be changed before your audit firm could accept the audit engagement.
C) increases the risk associated with an audit.
The SEC and FASB are best described as external influences that directly affect an organization's A) hiring practices. B) philosophy and operating style. C) internal environment. D) methods of assigning authority.
C) internal environment.
Which of the following descriptions is not associated with symmetric encryption? A) a shared secret key B) faster encryption C) lack of authentication D) separate keys for each communication party
C) lack of authentication
12) Which of the following was not an important change introduced by the Sarbanes-Oxley Act of 2002? A) new roles for audit committees B) new rules for auditors and management C) new rules for information systems development D) the creation of the Public Company Accounting Oversight Board
C) new rules for information systems development
This is an authorized attempt by an internal audit team or an external security consultant to attempt to break into the organization's information system. A) log analysis B) intrusion detection system C) penetration test D) vulnerability scan
C) penetration test
The Director of Information Technology for the city of Tampa, Florida formed a company to sell computer supplies and software. All purchases made on behalf of the City were made from her company. She was later charged with fraud for overcharging the City, but was not convicted by a jury. The control issue in this case arose because the Director had both ________ and ________ duties. A) custody; authorization B) custody; recording C) recording; authorization D) management; custody
C) recording; authorization
Encryption has a remarkably long and varied history. Spies have been using it to convey secret messages ever since there were secret messages to convey. One powerful method of encryption uses random digits. Two documents are prepared with the same random sequence of numbers. The spy is sent out with one and the spy master retains the other. The digits are used as follows. Suppose that the word to be encrypted is SPY and the random digits are 352. Then S becomes V (three letters after S), P becomes U (five letters after P), and Y becomes A (two letters after Y, restarting at A after Z). The spy would encrypt a message and then destroy the document used to encrypt it. This is an early example of A) a hashing algorithm. B) asymmetric key encryption. C) symmetric key encryption. D) public key encryption.
C) symmetric key encryption.
COSO requires that any internal deficiencies identified through monitoring be reported to whom? A) the external auditor B) appropriate federal, state, or local authorities C) the board of directors D) the audit committee
C) the board of directors
n a private key system the sender and the receiver have ________, and in the public key system they have ________. A) different keys; the same key B) a decrypting algorithm; an encrypting algorithm C) the same key; two separate keys D) an encrypting algorithm; a decrypting algorithm
C) the same key; two separate keys
Using a combination of symmetric and asymmetric key encryption, Sofia Chiamaka sent a report to her home office in Bangalore, India. She received an e-mail acknowledgement that her report had been received, but a few minutes later she received a second e-mail that contained a different hash total than the one associated with her report. This most likely explanation for this result is that A) the public key had been compromised. B) the private key had been compromised. C) the symmetric encryption key had been compromised. D) the asymmetric encryption key had been compromised.
C) the symmetric encryption key had been compromised.
Why was the original 1992 COSO - Integrated Control framework updated in 2013? A) Congress required COSO to modernize. B) U.S. stock exchanges required more disclosure. C) to more effectively address technological advancements D) to comply with International accounting standards
C) to more effectively address technological advancements
Under CAN-SPAM legislation, an organization that receives an opt-out request from an individual has ________ days to implement steps to ensure they do not send out any additional unsolicited e-mail to the individual again. A) 2 B) 5 C) 7 D) 10
D) 10
Nolwenn Limited has been diligent in ensuring that their operations meet modern control standards. Recently, they have extended their control compliance system by incorporating policies and procedures that require the specification of company objectives, uncertainties associated with objectives, and contingency plans. Nolwenn Limited is transitioning from a ________ to a ________ control framework. A) COSO-Integrated Framework; COBIT B) COBIT; COSO-Integrated Framework C) COBIT; COSO-ERM D) COSO-Integrated Framework; COSO-ERM E) COSO-ERM; COBIT
D) COSO-Integrated Framework; COSO-ERM
If an organization asks you to disclose your date of birth and your address, but fails to establish any procedures for responding to customer complaints, the organization has likely violated which of the Generally Accepted Privacy Principles? A) Collection B) Access C) Security D) Monitoring and enforcement
D) Monitoring and enforcement
Applying the COBIT5 framework, monitoring is the responsibility of A) the CEO. B) the CFO. C) the board of directors. D) all of the above
D) all of the above
When new employees are hired by Pacific Technologies, they are assigned user names and appropriate permissions are entered into the information system's access control matrix. This is an example of a(n) A) authentication control. B) biometric device. C) remote access control. D) authorization control.
D) authorization control.
Which of the following preventive controls are necessary to provide adequate security for social engineering threats? A) controlling remote access B) encryption C) host and application hardening D) awareness training
D) awareness training
The COBIT5 framework primarily relates to A) best practices and effective governance and management of private companies. B) best practices and effective governance and management of public companies. C) best practices and effective governance and management of information technology. D) best practices and effective governance and management of organizational assets.
D) best practices and effective governance and management of organizational assets.
Which of the below is not a component of the COSO ERM? A) monitoring B) control environment C) risk assessment D) compliance with federal, state, or local laws
D) compliance with federal, state, or local laws
Asymmetric key encryption combined with the information provided by a certificate authority allows unique identification of A) the user of encrypted data. B) the provider of encrypted data. C) both the user and the provider of encrypted data. D) either the user or the provider of encrypted data.
D) either the user or the provider of encrypted data.
The most effective method for protecting an organization from social engineering attacks is providing A) a firewall. B) stateful packet filtering. C) a demilitarized zone. D) employee awareness training.
D) employee awareness training.
Which of the following is not one of the five principles of COBIT5? A) meeting stakeholder needs B) covering the enterprise end-to-end C) enabling a holistic approach D) improving organization efficiency
D) improving organization efficiency
According to the Trust Services Framework, the reliability principle of integrity is achieved when the system produces data that A) is available for operation and use at times set forth by agreement. B) is protected against unauthorized physical and logical access. C) can be maintained as required without affecting system availability, security, and integrity. D) is complete, accurate, and valid.
D) is complete, accurate, and valid.
Which of the following is not one of the three important factors determining the strength of any encryption system? A) key length B) key management policies C) encryption algorithm D) privacy
D) privacy
The system and processes used to issue and manage asymmetric keys and digital certificates are known as A) asymmetric encryption. B) certificate authority. C) digital signature. D) public key infrastructure.
D) public key infrastructure.
Identify the item below which is not a piece of legislation passed to protect individuals against identity theft or to secure individuals' privacy. A) the Health Insurance Portability and Accountability Act B) the Health Information Technology for Economic and Clinical Heath Act C) the Financial Services Modernization Act D) the Affordable Care Act
D) the Affordable Care Act
Which of the following duties could be performed by the same individual without violating segregation of duties controls? A) approving accounting software change requests and testing production scheduling software changes B) programming new code for accounting software and testing accounting software upgrades C) approving software changes and implementing the upgraded software D) managing accounts payable function and revising code for accounting software to more efficiently process discount due dates on vendor invoices
approving accounting software change requests and testing production scheduling software changes