BEC, BEC-2, BEC-3, BEC-4
A specialized version of a data warehouse that contains data that is pre-configured to meet the needs of specific departments is known as A functional warehouse. A data mart. A data store. An object-oriented database.
A data mart. A data mart is focused on a particular market or purpose and contains only information specific to that objective.
Which of the following is least likely to be an advantage of an automated accounting system? A distinct, easily followed audit trail Processing speed Fewer idiosyncratic errors Less likelihood of intrusion
A distinct, easily followed audit trail Correct! Audit trails tend to be more transparent in manual than in automated accounting systems.
The best starting point for an organizational big data initiative is: Data mining. A social media data assessment. A governance structure. Assessing controls
A governance structure. Correct! This is the best starting point for a big data initiative.
When designing the physical layout of a data processing center, which of the following would be least likely to be a necessary control? Design of controls to restrict access. Adequate physical layout space for the operating system. Inclusions of an adequate power supply system with surge protection. Consideration of risks related to other uses of electricity in the area.
Adequate physical layout space for the operating system. This answer is correct because an operating system ordinarily requires no physical layout space since it represents software within a computer.
Which of the following types of control plans is particular to a specific process or subsystem, rather than related to the timing of its occurrence? Preventive. Corrective. Application. Detective.
Application. This answer is correct because application controls apply to a particular application or process.
Major Tom's Ground Control Flight Services uses biometrics. The control goal of the use of biometrics is: Accountability. Authentication. Authorization. Certification.
Authentication. (Correct!) The goal of biometrics is to authenticate the user.
Which of the following critical accounting function is most likely to be absent in a small business computing environment? Authorization. Record keeping. Custody. All of these choices are equally likely to be absent
Authorization. Authorization is most likely to be absent in a small business computing environment. There is a great need for third-party review and testing within the small business computing environment.
Authorization in an automated system is likely to be Parallel. Tagged. Unnecessary. Automated.
Automated Correct! Authorization is often automated in online systems.
At what phase in the systems development process is a report generated that describes the content, processing flows, resource requirements, and procedures of a preliminary system design? File and database design Conceptual systems design Physical systems design Procedures design
Conceptual systems design Correct! The case describes this as a "preliminary" system design. This is a part of conceptual systems design.
Analysis of data in a database using tools which look for trends or anomalies without knowledge in advance of the meaning of the data is referred to as Artificial intelligence. Data mining. Virtual reality. Transitory analysis.
Data mining. Data mining uses tools which look for trends or anomalies without such advance knowledge.
IT policies are particularly important in: High-tech companies. Financial services companies. Decentralized companies. Companies that sell IT services.
Decentralized companies. Correct! IT policies are particularly important in decentralized companies since IT services are likely to be less under the control of management.
Bitcoin uses a(n) ______________ ledger on a ______________ network. Accounting; reticulated spline Centralized; client-server. Distributed; peer-to-peer Wallet; peer-to-peer
Distributed; peer-to-peer Correct! The ledger is distributed on a peer-to-peer network.
AI depends heavily on __________ and _________. RPA, predictive analytics Fast computers, big data Privacy, confidentiality Analytics, machine learning
Fast computers, big data Correct! AI systems require fast computers since they are computing intensive. In addition, most AI systems require the analysis of big data sets to be useful.
Big data initiatives should: Be independent of existing IT initiatives. Have a strong governance structure. Be a subset of the event response plan. Be overseen by the internal audit department.
Have a strong governance structure. (Correct!) This is a true statement.
One of the benefits of a single integrated database information system is Closer program-data linkage. Increased data redundancy. Reduced security. Increased data accessibility.
Increased data accessibility. This answer is correct. Increased data accessibility is a benefit of a single integrated database information system.
A validation check used to determine if a quantity ordered field contains only numbers is an example of a(n) Input control. Audit trail control. Processing control. Data security control.
Input control. This answer is correct. A validation check at data entry that verifies that a quantity field contains only numbers is an example of a programmatic means of ensuring the accuracy of the value in that no nonnumeric characters are permitted; this is an input control.
Which of the following is a primary concern of the "transform" phase of ETL? What data do we need? How will we report the data? Is the data correctly formatted? Who needs the data?
Is the data correctly formatted? Correct! Data formatting is a primary concern of the transform process of ETL.
Which of the following is responsible for overall program logic and functionality? IT Steering Committee. Lead systems analyst. Application programmers. End users.
Lead systems analyst. This individual is usually responsible for all direct contact with the end user and for developing overall programming logic and functionality.
Potential short- and medium-term risks of AI include all the following except Machine learning. Confirmation bias. Privacy issues. Prediction bias
Machine learning. Correct! Machine learning is a goal of AI systems, not a risk.
In a large multinational organization, which of the following job responsibilities should be assigned to the network administrator? Managing remote access. Developing application programs. Reviewing security policy. Installing operating system upgrades.
Managing remote access. Managing remote access is an appropriate responsibility for a network administrator.
Which of the following is not considered a secondary storage device? Magnetic disk. Microcomputers. Flash drives. Optical disc.
Microcomputers A microcomputer is not a secondary storage device.
In DRP, top priority is given to which activities? Accounting. Manufacturing. Mission critical. Business critical.
Mission critical. Mission-critical tasks are given first priority in DRP.
Who is responsible for managing and maintaining bitcoin? The U.S. Treasury The President's Council of Economic Advisors NSA No one
No one Correct! Bitcoin is set up to be independent of any central authority.
Alejandro uses Amazon "one-click." This is an example of: IoT. Big data. Smart data. Payment processing
Payment processing Correct! This statement is true.
In a daily computer run to update checking account balances and print out basic details on any customer's account that was overdrawn, the overdrawn account of the computer programmer was never printed. Which of the following control procedures would have been most effective in detecting this fraud? Use of the test-data approach by the author in testing the client's program and verification of the subsidiary file. Use of a running control total for the master file of checking account balances and comparison with the printout. A program check for valid customer code. Periodic recompiling of programs from documented source files, and comparison with programs currently in use.
Periodic recompiling of programs from documented source files, and comparison with programs currently in use. This answer is correct because a periodic recompiling of the program from the original source files and comparison with the program currently in use would allow the auditor to detect the modification in the program that has permitted the fraud to occur.
______ addresses whether the collection, use, retention, disclosure, and disposal of personal information is consistent with the entity's commitments and with GAPP. Quality Processing integrity Privacy Access
Privacy Correct! According to the AICPA ASEC principles, this is the definition of privacy.
After changes to a source program have been made and verified, it moves to Atlanta. Development. The operator. Production.
Production. After changes and verification to those changes, source programs move into production.
Which of the following is an important outcome of the use of blockchain? Closed-form accounting Reduced auditing and compliance costs Increased centralization of accounting systems Impenetrable authentication
Reduced auditing and compliance costs Correct! If accounting transactions are stored on an automated, secured network, then auditing and compliance costs should go down.
A bank discovers that it has violated federal law in its retention of customer records. Which of the following IT policies should address this violation? Procurement Regulatory compliance Quality Security
Regulatory compliance Correct! This is a failure of IT policies related to regulatory compliance.
What is an example of the use of the cloud to access software and programs? IaaS PaaS SaaS SAP
SaaS SaaS is the use of the cloud to access software.
Which of the following statements best characterizes the function of a physical access control? Protects systems from the transmission of Trojan horses. Provides authentication of users attempting to log in to the system. Separates unauthorized individuals from computer resources. Minimizes the risk of incurring a power or hardware failure.
Separates unauthorized individuals from computer resources. Physical access controls restrict access to computer hardware, as well as program and data files, to authorized individuals.
An accountant at Henry Higgins Language Lessons must sort the master file before processing recent transactions to update the master file. Henry Higgins uses ______ file storage. Sequential RAID Optical disk Data mart
Sequential Correct! This is an example of sequential file storage.
Jones and Willy recently implemented an automated accounting system to replace their manual accounting system. While setting up the system, they find that: They need to permanently run the manual and automated accounting systems as a control over processing. The automated system requires controls related to people, software, and hardware. Access controls are of less importance in the new system. The company's external auditors are best qualified to set up the new system.
The automated system requires controls related to people, software, and hardware. Correct! This is a true statement about automated systems.
Governance is primarily the responsibility of: Top management. The board. The CEO. Those individuals who are identified by SOX Section 404 as responsible for the system of internal control.
The board. Correct! This statement is true. Governance is primarily the responsibility of the board of directors.
A company's trading activities may be of additional concern in relation to HR. Sales contracts. The financing cycle. The general ledger cycle.
The financing cycle. Correct! Trading activities occur in the financing cycle.
Which of the following factors has the greatest impact on the design of an effective management reporting system? Number of transactions to be processed Types of decisions to be made Number of authorized users Number of regulatory agencies to be satisfied
Types of decisions to be made Correct! Management reporting systems exist to aid decisions and reporting. Hence, the types of decisions that are supported by the system is the most important design element in creating a management reporting system.
The most appropriate type of network for a company that needs its network to function inexpensively in widely separated geographical areas is Local area network (LAN). Wide area network (WAN). Value-added network (VAN). Private branch exchange (PBX).
Wide area network (WAN). This answer is correct. A wide area network (WAN) is the best kind of network because it can connect many sites located across a broad geographical distance.
In August 2013, Google's gmail system went down for many users for about an hour due to multiple network failures in its system. This is most likely an example of which of the following cloud computing risks? Unauthorized cloud activity. Lack of CSP transparency. CSP reliability and performance. Cyber attack
CSP reliability and performance. Correct! Cloud service provider (CSP, in this case Google) reliability and performance is the most likely risk illustrated in this case.
Which of the following are reasons that internal controls need to be monitored? People forget, quit jobs, get lazy, or come to work hung over. Machines fail. Advances in technology. All of the above.
All of the above. All of the above are reasons internal controls need to be monitored.
The IT department at Piggy Parts BBQ has recently learned of phishing attempts that rely on social engineering to break into its financial systems. Information about these attempts should be communicated to: Internal auditors. Other personnel. All personnel. Support functions.
All personnel. (Correct!). This answer is correct because information about social engineering efforts to break into systems should be communicated to all personnel.
The type of chart shown below, which shows changes in Apple's stock price, is useful in displaying: A distribution of multiple data points. Changes in data over time. Part-to-whole relationships. Simple changes to data across multiple categories.
Changes in data over time. Correct! This chart shows changes in Apple's stock price over about a five-year period.
ISP is a ________, SMTP is a _______________ and XML is a ______________. Protocol; company; language Company; language; protocol. Language; protocol; company Company; protocol; language
Company; protocol; language Correct! ISP (i.e., an internet service provider) is a company; SMTP (i.e., simple mail transfer protocol) is a protocol; and XML (i.e., eXtensible markup language) is a language.
According to the COSO framework, evaluators who monitor controls within an organization should have which of the following sets of characteristics? Competence and objectivity. Respect and judgment. Judgment and objectivity. Authority and responsibility.
Competence and objectivity. (Correct!) COSO indicates that the evaluator must have competence and objectivity. The other answers are incorrect because they do not describe the desired characteristics.
An organization's computer help desk function is usually a responsibility of the Applications development unit. Systems programming unit. Computer operations unit. User departments.
Computer operations unit. This answer is correct. Help desks are usually a responsibility of computer operations because of the operational nature of their functions (for example, assisting users with systems problems involving prioritization and obtaining technical support/vendor assistance).
Which of the following is not part of the HR and payroll cycle? Assessing employee performance Computing payroll taxes Maintaining controls over employee data Assigning labor costs to jobs
Assigning labor costs to jobs Correct! This is part of the production cycle, not HR cycle.
Which of the following is usually a benefit of transmitting transactions in an electronic data interchange (EDI) environment? Elimination of the need to continuously update antivirus software. Assurance of the thoroughness of transaction data because of standardized controls. Automatic protection of information that has electronically left the entity. Elimination of the need to verify the receipt of goods before making payment.
Assurance of the thoroughness of transaction data because of standardized controls. This answer is correct because in an EDI environment transactions are communicated in standard format to help ensure completeness and accuracy.
Managing cyber risks requires: Blocking all cyber breaching by relying on preventive controls. Blocking all cyber breaching by relying on detective and corrective controls. Attempting to prevent cyber breaching but addressing those that occur through detective and corrective controls. Attempting to prevent cyber breaching but addressing those that occur through preventive controls.
Attempting to prevent cyber breaching but addressing those that occur through detective and corrective controls. Correct! Organizations attempt to prevent cyber breaches but address those that occur through detective and corrective controls.
Challenges of big data include all of the following except: Storage. Quality. Integration. Attrition and retention.
Attrition and retention. (Correct!) What do attrition and retention have to do with big data? Why would attrition and retention be higher with big data? Attrition and retention of what, the data or the employees?
_____ concerns whether the system is operational and usable as specified in commitments and agreements. Security Availability Processing integrity Confidentiality
Availability Correct! According to the AICPA ASEC principles, this is the definition of availability.
An entity doing business on the Internet most likely could use any of the following methods to prevent unauthorized intruders from accessing proprietary information except: Password management. Data encryption. Digital certificates. Batch processing.
Batch processing. This answer is correct. Batch processing is a method of processing transactions. It does not serve to protect information processed on the Internet.
____ is a legal contract that defines responsibility for goods that are in transit. Freight bill. Bill of lading. Packing slip. Picking list.
Bill of lading. (Correct!) A bill of lading is the authorization for, and terms of, a shipping agreement. It is a legal contract between a seller and a shipper.
Which document lists the components needed in making a product? Inventory report Bill of materials Move ticket Operations list
Bill of materials Correct! A bill of materials lists the components used in making a product.
Eleanor Rigby's Crematorium and Pet Custodian Services wants to choose the strongest control method for accessing its systems. Eleanor should choose: A sign-in log. Biometrics. Passwords. A two-way mirror.
Biometrics. (Correct!) With improving technologies, biometrics are likely the strongest method for accessing systems.
According to COSO, what is the first ongoing monitoring step in evaluating the effectiveness of an internal control system? Establishing a control baseline. Identifying changes in internal control that have taken place. Re-evaluating the design and implementation to establish a new baseline. Periodically revalidating operations where no known change has occurred.
Establishing a control baseline. Correct! This is the first step in evaluating the effectiveness of an internal control system.
_____ systems include redundancy of components. Inefficient. Online real-time. Quicken. Fault tolerant.
Fault tolerant. A fault tolerant system includes redundant components.
According to the 17 COSO control principles, information quality primarily relates to which fundamental component of internal control: Control activities. Control environment. Information and communication. Monitoring.
Information and communication. According to the COSO principles, Information and communication primarily relate to the quality of information supporting controls, and internal and external communications.
Which document lists the items in inventory? Inventory report Bill of materials Move ticket Operations list
Inventory report Correct! An inventory report is a listing of the items in inventory.
Which of the following is a major motivation for the adoption of new payment systems? Generating real-time data streams. Monitoring physical processes. Improving privacy. Reducing abandonment rates.
Reducing abandonment rates. Correct! This statement is true. Reducing the rates at which customers abandon purchases at checkout is a major motivation for adopting new payment systems.
_____ is the foundation of systems reliability. Security Availability Processing integrity Confidentiality
Security Correct! According to the AICPA ASEC principles, security is the foundation of systems reliability.
Internal disk labels are physically read by People. Software. Scanners. Consumers.
Software. Internal disk labels are read by software.
As a result of a breach of authentication at the Toot-Le-Monde French Horn Store, an analyst has specified a new control objective of "require multifactor identification for access to the client database." In the framework for cybersecurity, this is an example of the element ______ and the function _______. Categories; detect Subcategories; respond References; identify Functions; identify
Subcategories; respond Correct! The analyst has specified a control objective (i.e., the element is "subcategories" to respond (the function) to the cyber incident.
Myron Hainsworth wants to buy a $20,000 ring from a jewelry store on credit. Before completing the sale, the clerk should consult The packing list. The sales order. The aged trial balance The customer's credit check file.
The customer's credit check file. Correct! The clerk must determine if Hainsworth has been granted the credit that he seeks. This information will be in the credit check file.
In August 2013, Google's gmail system went down for many users for about an hour due to multiple network failures in its system. This is most likely an example of: The spread of the Conficker virus. Identity theft on the internet. The risks of private clouds. The risk of even well-managed cloud computing systems.
The risk of even well-managed cloud computing systems. Correct! Gmail is a type of cloud computing system. Its failure is indicative of some of the risks of even well-managed cloud systems.
Employees of an entity feel peer pressure to do the right thing; management appropriately deals with signs that problems exist and resolves the issues; and dealings with customers, suppliers, employees, and other parties are based on honesty and fairness. According to COSO, the above scenario is indicative of which of the following? Strategic goals Operational excellence Reporting reliability Tone at the top
Tone at the top Correct! Remember rat-a-tat-tat (Tat—tone at the top). Tone at the top is critical to internal control; this description evidences a strong tone at the top in this organization.
An accounts payable clerk is accused of making unauthorized changes to previous payments to a vendor. Proof could be uncovered in which of the following places? Transaction logs. Error reports. Error files. Validated data file.
Transaction logs. This answer is correct because transaction logs maintain records of any changes in data.
A digital signature is used primarily to determine that a message is Unaltered in transmission. Not intercepted in route. Received by the intended recipient. Sent to the correct address.
Unaltered in transmission. This answer is correct because the digital signature assures the recipient that the message came from a certain individual and it was not modified.
An input clerk enters a person's employee number. The computer responds with a message that reads "Employee number that you entered is NOT assigned to an active employee. Please reenter." What technique is the computer using? Optical character recognition (OCR). Check digit. Validity check. Field (format) check.
Validity check. This answer is correct because with a validity check the computer compares input reference data to tables or master files to make sure that valid codes are being used. In this example, the computer compared the input with a table containing the employee numbers of all active employees.
One purpose of closing entries is to Record accruals and deferrals. Zero out the revenue and expense accounts. Estimate unrecorded liabilities. Comply with laws and regulations.
Zero out the revenue and expense accounts. Correct! This is a goal of closing entries. These accounts must be closed before beginning the new fiscal year.
An investment firm determines that investments in bitcoin are highly risky. For its portfolio, it sets a minimum investment of 3% and a maximum investment of 8% in bitcoin. This is an example of setting risk target (minimum) and risk roof (maximum). risk roof (minimum) and risk target (maximum). risk floor (minimum) and risk ceiling (maximum). risk ceiling (minimum) and risk floor (maximum).
risk roof (minimum) and risk target (maximum). Correct! A risk floor is a statement of the minimum amount of risk that an entity desires. A risk ceiling is a statement of the maximum amount of risk that an entity desires.
To be willing to accept higher risk, an organization should expect _________ A higher strategy. Vision questing. A higher return. A lower performance severity.
A higher return. Correct! In return for higher risk, an organization should expect to receive a higher expected return.
Cyber breaches are Preventable. Addressed in the original COSO announcements. Assumable. Inevitable.
Inevitable Correct! Organizations must plan for the inevitability of cyber breaches. This is part of the motivation for a "defense-in-depth" strategy.
Which of the following would lessen internal control in a computer processing system? The computer librarian maintains custody of computer program instructions and detailed listings. Computer operators have access to operator instructions and detailed program listings. The control group is solely responsible for the distribution of all computer output. Computer programmers write and debug programs which perform routines designed by the systems analyst.
Computer operators have access to operator instructions and detailed program listings. This answer is correct because computer operators who have access to detailed program listings have the opportunity to modify the programs.
Which of the following controls would assist in detecting an error when the data input clerk records a sales invoice as $12.99 when the actual amount is $122.99? Batch control totals. Echo check. Limit check. Sign check.
Batch control totals. This answer is correct. The other controls would not find this error.
Which of the following is a primary concern of the "extract" phase of ETL? What data do we need? How will we report the data? Is the data correctly formatted? Who needs the data?
What data do we need? Correct! Determining the needed data is a primary concern of the extraction process.
An international manufacturing company has the following three statements in its enterprise risk management documents. Please identify the concepts in the COSO ERM framework that these statements best represent. The annual acceptable number of factory accidents will be between zero and four. We will not invest in cybercurrencies, e.g., bitcoin. We commit to investing at least 15% of the capital budget in emerging artificial intelligence projects. 1. risk floor, 2. risk ceiling, 3. risk range 1. risk range, 2. risk ceiling, 3. risk floor 1. target risk, 2. risk ceiling, 3. risk range 1. risk floor, 2. risk ceiling, 3. target risk
1. risk range, 2. risk ceiling, 3. risk floor Correct! Statement 1 states a range of risks and hence is a risk range. Statement 2 identifies an activity (investing in cybercurrencies) that is considered too risky and hence is a risk ceiling. Statement 3 identifies a minimum level of risk that is consistent with the organization's risk tolerance; hence, it is a risk floor.
Cecilia's Breaking My Heart dating service seeks to implement a system that distributes processing to local units but also maintains a centralized database. This is an example of: A delegated system. A centralized system. A decentralized system. A hybrid system.
A hybrid system. (Correct!) This is the very definition of a hybrid or distributed database system.
Which of the following is not a category of computer software? System software. Programming languages. Application software. All of the above are categories of computer software.
All of the above are categories of computer software. A, B, and C are all categories of computer software. Because of this, the correct answer is D - all of the above.
Which of the following statements is true regarding small business computing? Independent third-party review is especially important. Backup procedures are important. Additional supervision of computing may be necessary. All of the above.
All of the above. All of the above statements are true.
A fast-growing service company is developing its information technology internally. What is the first step in the company's systems development life cycle? Analysis Implementation Testing Design
Analysis This answer is correct. The steps in the systems development life cycle are analysis, design, build, test, and implement.
Samco Inc. is in the process of designing a new customer relations system. In which phase of the development life-cycle would a needs assessment most likely be performed? Analysis. Design. Development. Testing.
Analysis. The analysis phase the team attempts to get an understanding of the requirements of the system.
Because log-on procedures may be cumbersome and tedious, users often store log-on sequences in their personal computers and invoke them when they want to use mainframe facilities. A risk of this practice is that Personal computers become much more likely to be physically stolen. Anyone with access to the personal computers could log on to the mainframe. Backup procedures for data files would not be as effective. Users with inadequate training would make more mistakes.
Anyone with access to the personal computers could log on to the mainframe. This answer is correct. Since storing the log-on sequences makes log-on easier, anyone with access to the personal computer could potentially log-on to the mainframe through use of the personal computer.
To prevent interrupted information systems operation, which of the following controls are typically included in an organization's disaster recovery plan? Backup and data transmission controls. Data input and downtime controls. Backup and downtime controls. Disaster recovery and data processing controls.
Backup and downtime controls. This answer is correct because a disaster recovery plan should include both backup and downtime controls.
An entity doing business on the Internet most likely could use any of the following methods to prevent unauthorized intruders from accessing proprietary information except Password management. Data encryption. Digital certificates. Batch processing.
Batch processing. The use of batch processing is unrelated to attempts to prevent unauthorized intruders from accessing proprietary information. Hence, this alternative would not be used by an organization to prevent unauthorized intruders.
Bloomsdale wants to determine if the company from whom she buys seafood is buying only sustainable seafood. Bloomsdale may be able to use ____________ to find this information. Bitcoin Multifactor identification Blockchain OLTP
Blockchain Correct! A transaction record that is stored in blockchain can be designed to contain this information.
The ledger that tracks bitcoins is a(n) ____________ ledger while the network that accounts for bitcoins is a(n) ___________________ network. Accounting; centralized Centralized; client-server Bit furcated; peer-to-peer Blockchain; peer-to-peer
Blockchain; peer-to-peer Correct! The ledger is implemented in blockchain; the network is peer-to-peer.
Which of the following is true regarding public/private key encryption? Both the public and private keys can be used to encrypt and decrypt messages. Messages encrypted using public/private key encryption are more difficult to crack (or break) than messages encrypted using private key encryption. Messages are generally encrypted with the sender's private key so that no one else can decipher the message during transmission. In public/private key encryption, to gain access to the key used to decrypt the message, the recipient must know of the key to use from the sender.
Both the public and private keys can be used to encrypt and decrypt messages. Both the public and private keys can be used to encrypt and decrypt messages, although the public key can only decrypt messages encrypted using the private key and vice versa.
Bacchus, Inc. is a large multinational corporation with various business units around the world. After a fire destroyed the corporate headquarters and largest manufacturing site, plans for which of the following would help Bacchus ensure a timely recovery? Daily backup. Network security. Business continuity. Backup power.
Business continuity. This answer is correct. A business continuity plan deals with recovery of business operations after a disaster.
Which of the following is not considered to be an electronic funds transfer (EFT) transaction? Direct deposit of payroll payments into the employee's bank account. Cash cards. Automated teller machine (ATM) transactions. Credit card payment initiated from a POS terminal.
Cash cards. Cash cards do not involve bank clearing processes and are not considered to be EFT transactions.
Bob sends a message using asymmetric key to Cassie. In this exchange, who holds the private key: Bob. Cassie. Bob and Cassie. The server.
Cassie. (Correct!) In asymmetric encryption, the receiver (Cassie) has the private key.
Ruth Milkweed, a hot tub and spa manufacturer, currently has a fast network and a large, centralized computer. The computing capacity, while large, is not linked to each location's processing needs. Without any upgrades to the system, Ruth Milkweed probably uses a ___________ system. Matrix Centralized Decentralized Hybrid
Centralized Correct! A fast network and centralized computing are consistent with a centralized system.
A bank wants to reject erroneous checking account numbers to avoid invalid input. Management of the bank was told that there is a method that involves adding another number at the end of the account numbers and subjecting the other numbers to an algorithm to compare with the extra numbers. What technique is this? Optical character recognition (OCR) software. Check digit. Validity check. Field (format) check.
Check digit. This answer is correct because a check digit is an extra reference number that follows an identification number and bears a mathematical relationship to the other digits. The identification number can be subjected to an algorithm and compared to the check digit.
Cloud computing is an appropriate topic for a board of directors' discussion when Cloud computing risks are high. Most board members are knowledgeable about cloud computing. The potential for management override of controls is high. Management sets a tone at the top of strong performance incentives.
Cloud computing risks are high. Correct! If cloud computing risks are high then this is an appropriate topic for a board of directors' meeting.
Vindaloo Corporation wants data storage for a large volume of data that is unlikely to change often. They should consider using A hard disk. Magnetic tape. Cloud storage. Memory (RAM).
Cloud storage. Cloud storage is the best choice of the available answers. It can handle a large volume of data and can be adapted to data that changes infrequently.
Which of the following statements related to business analytics is true? Business analytics is primarily a technology issue. For internal control reasons, business analytics and company strategy should be kept separate. Company strategy should drive business analytics strategy. Business analytics should drive company strategy.
Company strategy should drive business analytics strategy. Correct! The business strategy, goals, and mission should drive business analytics. Business analytics must support and integrate with company strategy.
In a client/server environment, the "client" is most likely to be the Supplier of the computer system. Computers of various users. Computer that contains the network's software and provides services to a server. Database administrator.
Computers of various users. This answer is correct because the "client" may be viewed as the computer or workstation of the individual user.
This fundamental component of internal control is the core or foundation of any system of internal control. Control activities. Control environment. Information and communication. Risk assessment.
Control environment. The control environment is, "...the core or foundation of any system of internal control."
At this stage, we purchase hardware: Planning and feasibility. Analysis. Design and development. Implementation.
Design and development. Technical architecture specification and a systems model occur at the design stage. During development, programmers use the design specifications to develop the program and data files.
Griswold Corp. is planning a data analytics program to manage the risk of vendor fraud in purchasing. Which of the following activities would occur last in this process? Determine the risk of management override of controls over purchases. Determine reporting procedures for vendor anomalies. Screen data to remove html tags from harvested vendor data. Validate scraped data to match to existing vendor files.
Determine reporting procedures for vendor anomalies. Correct! Determining reporting procedures is a part of the last (fifth) step of designing a data analytics plan. This procedure is part of determining escalation procedures when a problem is identified in data analysis.
Devon Company is using an enterprise risk management system. Management of the company has set the company's objectives, identified events, and assessed risks. What is the next step in the enterprise risk management process? Establish control activities to manage the risks. Monitor the risks. Determine responses to the risks. Identify opportunities.
Determine responses to the risks. The next step in the process is to determine the risk responses to the assessed risks.
A company's accounts payable clerk obtained the payroll supervisor's computer password. The clerk then used the password to obtain unauthorized access to the company's payroll files. Any of the following can be used to prevent such unauthorized access to the payroll files, except Smart card. Digital signature. Multifactor authentication. Multimodal authentication.
Digital signature. Correct. A digital signature would not be used for identification in an internal accounting system. Digital signatures are used to verify the identity of external parties.
Maxwell's House of Fun asks suppliers to submit proposals to provide its never-ending need for silver hammers. This is an example of: An e-marketplace. An electronic exchange. Viral marketing. E-procurement.
E-procurement. (Correct!) This is an example of e-procurement, in which a company seeks bids to provide a product or service.
Which of the following is not an advantage of establishing an enterprise risk management system within an organization? Reduces operational surprises. Provides integrated responses to multiple risks. Eliminates all risks. Identifies opportunities.
Eliminates all risks. An enterprise risk management system does not seek to eliminate all risks. Risks are avoided, reduced, shifted, or accepted based on the risk appetite of the organization.
Which of the following structures refers to the collection of data for all vendors in a relational data base? Record. Field. File. Byte.
File This answer is correct. The described structure would be referred to as a vendor file.
Typography is the choice of _____ in a visual display while iconography is the choice of ______ in a visual display. Color, arrangement Fonts, colors Fonts, icons Icons, fonts
Fonts, icons Correct! Typography is the use of fonts in visual displays. Iconography is the use of icons in visual displays.
GAPP stands for Governmentally accepted payment processes. Generally accepted accounting principles. General Administration of Press and Publication Generally accepted privacy principles
Generally accepted privacy principles Correct! These are 10 principles that govern the controls over privacy in an organization.
All of the following are potential applications of HMDs except: Real-time system monitoring. Generating system logs. Visualizing. Video conferencing.
Generating system logs. Correct! This is a weird answer. How could you use HMDs to generate system logs? Therefore, this is the correct answer.
One important purpose of COBIT is to Guide managers, users, and auditors to adopt best practices related to the management of information technology. Identify specific control plans that should be implemented to reduce the occurrences of fraud. Specify the components of an information system that should be installed in an e-commerce environment. Suggest the type of information that should be made available for management decision making.
Guide managers, users, and auditors to adopt best practices related to the management of information technology. This is one important purpose of COBIT.
Hubert Humbert Fashion Designers implemented an organization-wide ERP system that failed. Which of the following is the least likely reason for the failure of such a system? A poor system development process Lack of management support Hardware failures Underestimating system implementation time and complexity
Hardware failures Correct! Hardware failures are very unusual. They are an unlikely reason for an ERP failure.
In a small public company that has few levels of management with wide spans of control, each of the following mitigates management override of controls except Establishing an effective and anonymous whistleblower program with which employees can feel comfortable reporting any irregularities. Establishing a corporate culture in which integrity and ethical values are highly appreciated. Having two officers who significantly influence management and operations. Having an effective internal auditor function.
Having two officers who significantly influence management and operations. Correct! Having two officers who significantly influence management and operations will not mitigate (i.e., reduce the likelihood) of a management override of controls. Hence, this is the correct answer.
The strength of a "defense-in-depth" security strategy is in its ability to Implement layered, mutually supportive levels of control. Respond, collect evidence, and prosecute violators. Prevent, detect, and substitute logical for physical controls. Operationalize patches to prevent intrusion.
Implement layered, mutually supportive levels of control. Correct! A defense-in-depth strategy implements layered, multi-level controls to minimize system risks.
Covington Financial, a large financial services corporation, has a unit responsible for conducting regular, recurring reviews to prevent and detect fraud. This unit should be part of the ______ function at Covington. IT HR Legal Internal audit
Internal audit Correct! The primary responsibility for conducting regular, recurring reviews to prevent and detect fraud is best located within the internal audit function of an organization.
Gimbly Cricket Corp. created a decision aid, linked to its data warehouse, to enable senior management to monitor, in real time, changes in oil production at its oil wells in Kazakhstan. This is an example of: Internal, financial reporting Internal, nonfinancial reporting. External, financial reporting. External, nonfinancial reporting.
Internal, nonfinancial reporting. (Correct!) This answer is correct because this is an internal report, and it is nonfinancial. (Oil production is not in currency.)
The first steps in assessing privacy issues in an organization is to Write notifications to stakeholders; inventory the accuracy of data. Inventory data; determine relevant laws and regulations. Draft opt-out provisions; obtain top management buy-in for these provisions Secure existing data; determine disclosures allowed to third parties.
Inventory data; determine relevant laws and regulations. Correct! These are the first steps in assessing privacy in an organization. Understanding existing data and the laws that govern is the correct starting point.
Farmers and Ranchers Credit Union has set the following statement of risk appetite: "Net credit losses will be really low." Which of the following claims regarding this statement are most accurate? It is vague and imprecise. It is excellent and appropriate. "Net credit losses" are not an appropriate metric for a statement of risk appetite. Statements of risk appetite must be stated in the active voice.
It is vague and imprecise. Correct! Statements of risk appetite should be measurable and precise, such as: "Net credit losses will be less than 1% of average loan balances." The statement given is too vague and imprecise.
A hospital that is launching a big data initiative should initially consider all the following except Privacy law. Qualitative characteristics of the data. Roles and responsibilities. Load at capacity.
Load at capacity. Correct! Considering load at capacity is unlikely to be an important initial consideration for a big data initiative.
Which of the following is true about master files? Master files contain a historical record of all transactions processed by the system. To maintain a manageable file size, master files are periodically purged from the system. Master files contain both processed and unprocessed transactions. Master files are the computerized counterpart of ledgers found in manual systems.
Master files are the computerized counterpart of ledgers found in manual systems. Master files maintain balances by accounts (financial statement accounts, customer accounts, vendor accounts, etc.), just as ledgers do in manual systems.
This image can be used to illustrate which visual design principle? Negative space Color sequence Typography Repetition
Negative space Correct! This is a clever illustration of the nature of negative space. Specifically, do you see a goblet (in white) with a black negative space, or do you see two faces (in black) with a white negative space?
ABC, Inc. assessed the overall risks of MIS systems projects on two standard criteria: technology used and design structure. The following systems projects have been assessed on these risk criteria. Which of the following projects holds the highest risk to ABC? Technology Structure Current Sketchy New Sketchy Current Well defined New Well defined
New Sketchy This answer is correct because the project involves both new (more risky than current) technology and sketchy (more risky than well-defined) structure.
Backup and recovery systems should be both _________ and ____________. RAID ready; SAN accessible Mirrored; remote Off-line; on-line Off-site; redundant
Off-site; redundant Correct! Backup systems should include an off-site company and should include redundancy.
Sweet Caroline's Tasty Treats is deciding where to locate their centralized computer facility. If it is available, they should locate the facility: In a secure basement. On the first floor. On the middle floor. On the top floor.
On the middle floor. (Correct!) A middle floor is the best choice.
Which of the following transaction processing modes provides the most accurate and complete information for decision making? Batch. Distributed. Online. Application.
Online This answer is correct. In an online system data is readily available for decision making.
A poor quality connection caused extensive line noise, resulting in faulty data transmission. Which of the following controls is most likely to detect this condition? Line check. Batch control total. Closed loop verification. Parity check.
Parity check. A parity check is designed to detect errors in data transmission.
Hildegard works at Amazon in the warehouse. What is the screen called that she most likely uses to assemble the goods for customers' orders for shipping? Sales order. Invoice. Picking ticket. Bill of lading.
Picking ticket. (Correct!) A picking ticket identifies the items to be pulled for a sales order.
The Systems Development Life Cycle (SDLC) is the traditional methodology for developing information systems. In which phase of the SDLC would the activity of identifying the problem(s) that need to be solved most likely occur? Analysis. Implementaion. Planning. Development.
Planning. Planning is the first phase of the SDLC and this information is needed before most of the analysis phase activities can be initiated.
Sad Reginald wrote software for the Valencia Clown Revue. One fine day, however, having grown tired of computers and software, he became a juggler, fire eater, and fainting goat farmer. After his departure, the Valencia Clown Revue was unable to maintain and upgrade the systems that Sad Reginald had written. The best control for preventing this failure would be Automated accruals and deferrals. User documentation. Operator documentation. Program documentation.
Program documentation. Correct! Program documentation would allow Sad Reginald's successor to maintain the software.
Reggie is the purchasing agent for a wholesale paint store (Ye Ol' Paint Pots). Reggie's cousin, Earl-the-Earl, owns a small paint store. Reggie arranged for paint to be delivered to Earl-the-Earl's stores from paint manufacturers, thereby allowing Earl-the-Earl to get the paint at a wholesale (cheaper) price, which violates a policy of the Ye Ol' Paint Pots. Reggie was most likely able to violate this policy because of a failure in Ye Ol' Paint Pots' controls related to: Purchase orders. Cash disbursements. Bills of lading. Inventory control.
Purchase orders. (Correct!) A purchase order formally requests a supplier to sell and deliver specified products at designated prices. Better controls over this document would most likely have caught this violation of policy.
What is the computer process called when data processing is performed concurrently with a particular activity and the results are available soon enough to influence the particular course of action being taken or the decision being made? Batch processing. Real-time processing. Integrated data processing. Random access processing.
Real-time processing. This answer is correct because online real-time systems are those for which processing is performed as data are input and the results are available immediately.
What type of computerized data processing system would be most appropriate for a company that is opening a new retail location? Batch processing. Real-time processing. Sequential-file processing. Direct-access processing.
Real-time processing. This answer is correct because real-time processing is the best method for use by retail businesses.
Smigly Construction builds large warehouses for many clients. Smigly is more likely than most other businesses to use _____________ in its revenue cycle billing processes. Remittance advices Customer invoices Packing lists Customer sales orders
Remittance advices Correct! Remittance advices help customers match payments with invoices. They are more likely to be used in complex businesses, such as construction and medical billing.
A value-added network (VAN) is a privately owned network that performs which of the following functions? Route data transactions between trading partners. Route data within a company's multiple networks. Provide additional accuracy for data transmissions. Provide services to send marketing data to customers.
Route data transactions between trading partners. This answer is correct because a value-added network is a system that routes data transactions between trading partners.
Imagine software at a bank that, on a specific future date, began to accumulate the remainders from calculations into an account owned by the perpetrator. This attack is a combination of a ______ and a ________. DoS attack; man-in-middle attack Logic bomb; data leakage Phishing attack; software piracy Salami fraud; logic bomb
Salami fraud; logic bomb Correct! The remainder accumulation is a salami fraud; the future date execution is a logic bomb.
Jim is responsible for setting system access parameters in Kentucky Fried Opossums' ERP system. Each month, he reviews any issues related to setting access parameters and writes a report about them. This type of monitoring is: Continuous. Self. Oversight. Supervisory.
Self. (Correct!) This is self-assessment or self-monitoring.
An assessment of the likelihood and severity of cyber risk impacts should be led by ____________ and should include ____________. IT stakeholders; users The board president; the board of directors White hackers; cyber security experts Senior management; individuals who know the organization's cyber risk profile
Senior management; individuals who know the organization's cyber risk profile Correct! This initiative should be led by senior management and should include cyber security experts who are familiar with the organization.
RFID tagging is most helpful to Cash collections. Receivables billing. Shipping. Bank reconciliations.
Shipping. Correct! RFID tagging of physical goods can increase the speed and accuracy of shipping processes.
Each of the following is a desirable characteristic of IT policies except: Should relate to physical or electronic threats to IT. An owner is responsible for the policy. Should include a statement of purpose and a title. Should be linked to strategy and objectives.
Should relate to physical or electronic threats to IT. Correct! This is a false statement. IT policies need not relate specifically to physical or electronic threats to IT.
Compared to online real-time processing, batch processing has which of the following disadvantages? A greater level of control is necessary. Additional computing resources are required. Additional personnel are required. Stored data are current only after the update process.
Stored data are current only after the update process. This answer is correct because batch-processed data is not updated until the batch is processed.
Which of the following is a general control rather than a transaction control activity? Technology development policies and procedures. Reconciliations. Physical controls over assets. Controls over standing data.
Technology development policies and procedures. Technology development policies and procedures are part of the general controls.
Frequently, in an organization with a dual board of directors' structure, The management committee oversees strategy while the governing board oversees operations. The management board oversees operations while the governing board oversees strategy. The under-board oversees operations while the over-board oversees strategy. The management board manages the risk portfolio while the chief risk officer coordinates risk.
The management board oversees operations while the governing board oversees strategy. Correct! In a dual board of directors' organization, the management board usually oversees operations while the supervising board oversees strategy.
A consortium of accounting firms shares information about security breaches, including descriptions of cyber attackers and the exploitation methods that they use. This is an IT application of the COSO principle of: The organization obtains or generates and uses relevant, quality information to support the functioning of internal control. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. The organization communicates with external parties regarding matters affecting the functioning of internal control. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
The organization communicates with external parties regarding matters affecting the functioning of internal control. Correct! This statement is accurate. The example illustrates external communication (with a consortium of accounting firms) about internal control.
In a risk-aware organization, The organizational culture is independent of management. The organizational culture will be risk averse. Investments in unproven technologies will be minimized. The organizational culture is closely linked to the organization's strategy, objectives, and business context.
The organizational culture is closely linked to the organization's strategy, objectives, and business context. Correct! In a risk-aware organization, the culture will be created by a close and careful analysis of the organization's strategy, objectives, and business context.
Umbrella Corporation sells office and factory equipment. Company management is concerned that the company has not assumed sufficient risks in opening new offices. Which of the following results would best indicate that the company has not assumed sufficient risk? The company opened more new offices than expected. A 4% decrease in calls to the whistleblower hotline. Firing the CRO. The planning and logistics team, which is responsible for opening new offices, is operating below capacity.
The planning and logistics team, which is responsible for opening new offices, is operating below capacity. Correct! The availability of unused resources for opening new offices would indicate that the company has not assumed sufficient risk.
According to the COSO internal control framework, if an organization outsources certain activities within the business to an outside party: Responsibility also transfers to the outside party. The responsibilities never transfer to the outsourced party. The responsibilities only transfer if the outside party explicitly agrees to accept responsibility. The organization is no longer accountable for the outsourced activities.
The responsibilities never transfer to the outsourced party. (Correct!) Activities of an organization may be outsourced, but the responsibilities never transfer to the outsourced party. Management is never relieved of ultimate responsibility or accountability.
In updating a computerized accounts receivable file, which one of the following would be used as a batch control to verify the accuracy of the total credit posting? The sum of the cash deposits plus the discounts less the sales returns. The sum of the cash deposits. The sum of the cash deposits less the discounts taken by customers. The sum of the cash deposits plus the discounts taken by customers.
The sum of the cash deposits plus the discounts taken by customers. This answer is correct because the accounts receivable will be credited for the amount of cash received plus discounts taken by the customers. Therefore, the control total should be the sum of the cash deposits plus the discounts taken by customers.
Which of the following most likely represents a significant deficiency in the internal control? The systems analyst reviews applications of data processing and maintains systems documentation. The systems programmer designs systems for computerized applications and maintains output controls. The control clerk establishes control over data received by the information systems departments and reconciles totals after processing. The accounts payable clerk prepares data for computer processing and enters the data into the computer.
The systems programmer designs systems for computerized applications and maintains output controls. This answer is correct. The systems programmer should not maintain custody of output in a computerized system. At a minimum, the programming, operating, and library functions should be segregated in such computer systems.
All of the following are examples of IT changes that have impacted internal control risk: Clouding computing, repurposed computing, blockchain The web, mobile computing, the cloud, and social media. Hackers, crackers, flappers, and wrappers. Text analytics, defense in depth, and in-shoring
The web, mobile computing, the cloud, and social media. Correct! Each of these factors has changed IT risks.
A data scientist who works for a large company is harvesting data from a new social media website. In relation to this task, she states, "Because the data are text (i.e., words), we are having trouble cleaning it." This statement relates to the _______ portion of the ETL process and reflects a concern about ________ of the data. Load, process used to produce the data Transform, source Extract, nature Transform, nature
Transform, nature Correct! This concern relates to transforming the data, that is, cleaning it, and to the nature of the data, which is qualitative (i.e., words) and is therefore messy.
Which of the following input controls would prevent an incorrect state abbreviation from being accepted as legitimate data? Reasonableness test. Field check. Digit verification check. Validity check.
Validity check. A validity check compares the value entered in a field to a list of valid data values. An error message is displayed if the value is not found on the list.
Which of the following solutions creates an encrypted communication tunnel across the Internet for the purpose of allowing a remote user secure access to the network? Packet-switched network. Digital encryption. Authority certificate. Virtual private network.
Virtual private network. A virtual private network (VPN) is a secure way to create an encrypted communication tunnel to allow remote users secure access to a network. The VPN uses authentication to identify users and encryption to prevent unauthorized users from intercepting data.
Which of the following is an advantage of a computer-based system for transaction processing over a manual system? A computer-based system Does not require as stringent a set of internal controls. Will produce a more accurate set of financial statements. Will be more efficient at producing financial statements. Eliminates the need to reconcile control accounts and subsidiary ledgers.
Will be more efficient at producing financial statements. This answer is correct because computer-based systems are more efficient than manual systems at producing financial statements.
An auditor was examining a client's network and discovered that the users did not have any password protection. Which of the following would be the best example of the type of network password the users should have? trjunpqs. 34787761. tr34ju78. tR34ju78.
tR34ju78. Password strength is increased when passwords are longer, when they include numbers, letters, and special characters, and when both uppercase and lowercase letters are included. Although this password does not include special characters, it does contain numerals, uppercase letters and lowercase letters and is, therefore, the strongest password listed.
Match the statements below with the associated categories in ERM: We will improve the quality of life of ... We will be known for outstanding ... We will treat our customers and employees with respect ... 1 core values, 2 risk appetite, 3 mission 1 strategy, 2 values, 3 vision 1 tolerance, 2 mission, 3 appetite 1 mission, 2 vision, 3 core values
1 mission, 2 vision, 3 core values Correct! "Improving the quality of life" is appropriate for a mission statement since many of such statements include the verb "improving." "We will be known for outstanding ..." is a vision statement since the desire to be known for something is often a vision statement aspiration. "We will treat our customers and employees with respect" is a statement of behavior and is therefore best characterized as a statement of core values.
Winthrop P. Snigledorf calls about his outrageous cable bill and is greeted by the "voice" of an AI program. This system is probably best described as an example of Machine learning. A robot. An intelligent agent. An expert system.
An intelligent agent. Correct! Intelligent agents interact with humans (e.g., Siri® on the Apple® iPhone®) and have natural language processing ability.
A marketing manager at Hubert Humbert Fashion Designers is using a component of its organization-wide ERP system to determine which accounts generate the most profitable returns to the company. The manager is most likely using the _________ component of the system. CRM OLAP OLTP Supply chain management
CRM Correct! This is an application of a CRM (customer relationship management) system.
Which of the following implementation approaches has been described as "sink or swim?" Parallel. Cold turkey. Phased. Pilot.
Cold turkey. Also called the plunge or big bang approach. The old system is dropped and the new system is put in place all at once.
This system is most likely to include external data. Operational system. MIS. DSS. ESS.
ESS. ESS are most likely to include external data.
In general, information about cyber breaches should be communicated to: External auditors. All personnel. The federal cyber breach authority. The press.
External auditors. Correct! Information about cyber breaches should be communicated to an entity's external auditors.
Which of the following is the primary advantage of using a value-added network (VAN)? It provides confidentiality for data transmitted over the Internet. It provides increased security for data transmissions. It is more cost effective for the company than transmitting data over the Internet. It enables the company to obtain trend information on data transmission.
It provides increased security for data transmissions. This answer is correct. VANs provide increased security over transactions because they use private networks.
_____, ______, and ______ are all elements of a manual accounting system. Journals; ledgers; e-vouchers Ledgers, automated transactions, assets Journals, receivables ledgers, concentration of information Ledgers, journals, invoices
Ledgers, journals, invoices Correct! Ledgers, journals, and invoices are all elements of a manual accounting system.
Which of the following is not a risk of e-commerce? Integrity. Authentication. Limited growth. Security and confidentiality.
Limited growth. Limited growth is a risk of failing to implement e-commerce, not a risk of e-commerce.
This is an example of B2G Amazon. Municipal audit procurement. Online chemical sales. RAID.
Municipal audit procurement. Municipal audit procurement is an example of business to government e-commerce.
Which of the following statements is correct? I. An important advantage of flat file systems is that they are program independent. II. Flat file systems contain little data redundancy. Both I and II. I only. II only. Neither I or II.
Neither I or II. Statement one is incorrect because, while flat file systems do contain program independence, this is seen as a disadvantage not an advantage. This is because the program independence of flat file systems means that multiple programs must be used to read, access and process the data. Statement II is incorrect because flat file systems contain a high degree of data redundancy.
A master production schedule is most likely to be useful in Identifying erroneous journal entries. Inventory shrinkage. Pricing of goods for sale. Reducing excess production of inventory.
Reducing excess production of inventory. Correct! A master production schedule will be helpful in reducing excess production of inventory.
Hubert Humbert Fashion Designers is considering implementing an organization-wide ERP. Which of the following is least likely to be a motivation for implementing such a system? Reducing and eliminating data redundancy Improving organizational agility Improving data analytic capabilities Reducing system complexity
Reducing system complexity Correct! Reducing system complexity is an unlikely reason to implement an ERP. ERP systems tend to increase system complexity.
Which of the following statements presents an example of a general control for a computerized system? Limiting entry of sales transactions to only valid credit customers. Creating hash totals from Social Security numbers for the weekly payroll. Restricting entry of accounts payable transactions to only authorized users. Restricting access to the computer center by use of biometric devices.
Restricting access to the computer center by use of biometric devices. Restricting access to the computer center is an example of a general control.
Which two cycles receive (get) cash? Expenditure, production Production, HR Revenue, financing Revenue, expenditure
Revenue, financing Correct! Revenue receives cash from sales; financing receives cash from financing activities (creating debt and equity).
__________ is a financial performance measure while ___________ is an operating performance measure. Profitability; regulatory compliance Discreteness; employment skill delivery Data velocity; data integrity Revenue; production yield
Revenue; production yield Correct! Revenue is a financial performance measure while production yield is an operating performance measure.
Demanding higher performance usually requires accepting more _________. Tolerance Vision Risk Performance severity
Risk Correct! A higher performance, in most settings, requires accepting a higher level of risk.
The call center manager of Wholly Parts Chicken Supply manages all unit resources using an MS Access database that only she has access to. She is not trained in accounting or systems development. The most important concern with this situation is For internal control reasons, MS Access should not be available to employees. The database likely has never been tested or validated. The database may be incompatible with some operating systems. Logical access controls may be insufficient.
The database likely has never been tested or validated. Correct! This is an important problem with end user-developed applications and spreadsheets.
A heat map used as a part of assessing risks plots the___________________ on the vertical axis against the___________________ on the horizontal axis. likelihood rating; impact ratings inherent risk; risk appetite target residual risk, actual residual risk internal control; inherent risk
likelihood rating; impact ratings Correct! A heat map that is used in assessing the severity of risk plots the likelihood of the risk occurring on the vertical axis against the impact of the risk, should it occur, on the horizontal axis.
Which of the following is not an example of gamification? Building graphics and video displays into simulations to teach workers about dangers at a factory A competition among salespeople to earn points Dressing up as a cow to promote a fast food restaurant Creating a game to teach students about managerial accounting
Dressing up as a cow to promote a fast food restaurant Correct! Dressing up as a cow to promote a fast food restaurant is not an example of gamification.
Which of the following statements about firewalls is NOT true? Firewalls frequently include both a hardware component and a software component. Firewalls screen data packets to determine if they are acceptable or unacceptable and block unacceptable packets from the system. Application firewalls, in addition to monitoring data packets, control the execution of programs and examine the handling of data by specific applications. "Network firewall" and "application firewall" are two different names for a program designed to prevent and detect unauthorized access to the system.
"Network firewall" and "application firewall" are two different names for a program designed to prevent and detect unauthorized access to the system. "Application firewalls" are separate and distinct from "network firewalls": the terms definitely do not refer to the same program. Network firewalls perform relatively low-level filtering capabilities; application firewalls have the ability to do much more sophisticated checks and provide much better control.
Haufinger buys one widget each day for use in his factory and pays for the widget using one bitcoin. On three recent days, the value of one bitcoin was: Day 1: $2,200 US Day 2: $2,400 US Day 3: $2,500 US According to the IRS, what is the cost of the widgets purchased for these three days for tax purposes? 1 bitcoin $2,200 $2,367 $7,100
$2,367 Correct! The average cost is the correct cost, since bitcoins are treated as intangible assets.
Which of the following is least likely to trigger a review and revision to an organization's ERM practices? The purchase and implementation of a system that enables real-time monitoring of customer satisfaction and complaints. A sales growth rate that is 2½ times that which was expected. A 4% increase in calls to the whistleblower hotline. Firing the CRO.
A 4% increase in calls to the whistleblower hotline. Correct! A relatively small (here 4%) increase in calls to a whistleblower hotline is the least likely event listed to trigger a review and revision to the organization's ERM practices.
A type of malware designed to let the attacker bypass the normal user authentication process (e.g., enter username and password) and enter the user's system is A Trojan horse. A virus. A back door. A worm.
A back door. A back door is a program that allows an unauthorized user to gain access to the system by side-stepping the normal logon procedures.
A company wants to protect its IT system from unauthorized users accessing the system. Which of the following controls would best serve to mitigate this risk? A keystroke log A transaction log A biometric device Public key encryption
A biometric device Correct! Biometric controls are helpful in preventing unauthorized access to systems.
A cloud computing system solution integrates which of the following elements? A business problem, a vendor contract, and a service delivery model A business process, a deployment model, and a service delivery model A private cloud, a business process, and a service delivery model A service delivery model, a board discussion, and a deployment model.
A business process, a deployment model, and a service delivery model Correct! Effective cloud solutions require considering and integrating a relevant business process, a deployment model and a service delivery model.
An internal cloud is: Less expensive than an external cloud. Owned and managed through a contract service provider. A cloud that is behind an entity's firewall. Riskier than other types of cloud computing.
A cloud that is behind an entity's firewall. Correct! Although an internal cloud has many other elements, one essential element is that it is protected by an entity's firewall.
According to COSO, which of the following activities provides an example of a top-level review as a control activity? Computers owned by the entity are secured and periodically compared with amounts shown in the records. A comprehensive marketing plan is implemented, and management reviews actual performance to determine the extent to which benchmarks were achieved. Reconciliations are made of daily wire transfers with positions reported centrally. Verification of status on a medical claim determines whether the charge is appropriate for the policy holder.
A comprehensive marketing plan is implemented, and management reviews actual performance to determine the extent to which benchmarks were achieved. Correct! The performance review of the marketing plan is an example of a top-level review control activity.
Which of the following is the best definition of a compensating control? A control that accomplishes the same objective as another control. A condition within an internal control system requiring attention. The targets against which the effectiveness of internal control are evaluated. Metrics that reflect critical success factors.
A control that accomplishes the same objective as another control. This is the best answer. It is the definition of a compensating control.
A data warehouse differs from a data mart because A data warehouse is more specialized than a data mart. Data mining is possible in a data mart but not a data warehouse. A data mart supports specific needs. External data is not included in a data mart.
A data mart supports specific needs. A data mart is more specialized than a data warehouse. The data mart is often constructed to support specific needs of subunits of an organization.
Lonesome Dove Cattle Ranch stores its accounting system data in multiple tables (i.e., matrices) that are linked by common key fields. This data structure is called Flat files. Matrix organization. A database system. An OLTP.
A database system. Correct! This is a database.
Space Cowboy Amusements operates amusement parks throughout the U.S. Its chief technology officer, Steve Miller, wants to implement a system that allows for more customization to meet the needs of location operations. It most likely will implement: A centralized system. Robotics. A decentralized system. A hybrid system.
A decentralized system. (Correct!) A concern for customized systems would suggest the use of a decentralized system.
A company's web server has been overwhelmed with a sudden surge of false requests that caused the server to crash. The company has most likely been the target of Spoofing. Piggybacking. An eavesdropping attack. A denial of service attack.
A denial of service attack. In a denial of service attack, servers are overwhelmed with incomplete access requests, causing them to hang, zombie like, in a living, though brain-dead, useless state.
Which of the following situations most clearly illustrates a breach of fiduciary duty by one or more members of the board of directors of a corporation? A corporation previously has distributed 50% of its earnings as dividends. This year it has annual earnings per share of $2, and the board of directors voted 4 to 1 against paying any dividend to finance growth. A director of a corporation who co-owns a computer vendor negotiated the purchase of a computer system by the corporation from the vendor, making a disclosure to the corporation and the other board members. The purchase price was competitive, and the board (absent the vendor co-owner) unanimously approved the purchase. Two directors of a corporation favor business expansion, two oppose it, and the fifth did not attend the meeting. During the five years that the fifth person has been a director, the individual did not attend two other meetings. A director who learned that the corporation is thinking of buying retail space in a city personally purchased a vacant building in the same city that would have been suitable for use by the corporation.
A director who learned that the corporation is thinking of buying retail space in a city personally purchased a vacant building in the same city that would have been suitable for use by the corporation. Correct! This director has breached a fiduciary duty by appropriating a business opportunity (to acquire retail space) for himself or herself.
Public company audit committees must contain which of the following? A majority of independent directors An accounting expert A financial expert A legal expert
A financial expert Correct! SOX requires that every audit committee of a public company have at least one "financial expert" with (a) an understanding of GAAP and financial statements; (b) experience in preparing or auditing financial statements; (c) experience with internal auditing controls; and (d) an understanding of audit committee functions.
Which of the following examples shows the highest level of intelligence of an AI system? User identification Translating financial statements into the structure and format of international financial reporting standards A fleet of drones monitors a client's inventory of livestock and reports on the health and well-being of the herd Analyzing financial statements for a client
A fleet of drones monitors a client's inventory of livestock and reports on the health and well-being of the herd Correct! This is an example of a physical task that includes a sophisticated visual recognition system and advanced analytics.
Which of the following statements is correct regarding information technology (IT) governance? A primary goal of IT governance is to balance risk versus return over IT and its processes. IT governance is an appropriate issue for organizations at the level of the board of directors only. IT goals should be independent of strategic goals. IT governance requires that the Control Objectives for Information and related Technology (COBIT) framework be adopted and implemented.
A primary goal of IT governance is to balance risk versus return over IT and its processes. Correct! The purpose of IT governance is to strategically manage and acquire IT resources in support of the organization's mission. This requires balancing the risks and returns from IT assets.
The best control to avoid ordering unneeded goods is A receiving report. A vendor invoice. A purchase requisition. Automated payment.
A purchase requisition. Correct! A purchase requisition is a formal document that orders goods. It is the best offered control related to the risk of ordering unneeded goods.
Which of the following statements is true regarding internal control objectives of information systems? Primary responsibility of viable internal control rests with the internal audit division. A secure system may have inherent risks due to management's analysis of trade-offs identified by cost-benefit studies. Control objectives primarily emphasize output distribution issues. An entity's corporate culture is irrelevant to the objectives.
A secure system may have inherent risks due to management's analysis of trade-offs identified by cost-benefit studies.
Which of the following is least likely to be a source of big data? Wearables A thermostat A single-page pdf document A cow
A single-page pdf document Correct! A single-page pdf document, by itself, is hardly a likely or viable source of big data.
Which of the following is a back door? Unauthorized copying of software The use of powerful software to access secure information while bypassing normal controls A software program that allows an unauthorized user to gain access to the system by sidestepping the normal login procedures. An attacker identifies an IP address (usually through packet sniffing) and then attempts to use that address to gain access to the network
A software program that allows an unauthorized user to gain access to the system by sidestepping the normal login procedures. Correct! This is a back door.
Which of the following types of systems would you use to record the number of hours worked during the current pay period for each of your employees? An office automation system (OAS). A decision support system (DSS). A transaction processing system (TPS). A partitioned system (PS).
A transaction processing system (TPS). Transaction processing systems (TPSs) support the day-to-day activities of the business (purchasing of goods and services, manufacturing activities, sales to customers, cash collections, payroll, etc.).
Which of the following is an advantage of using a value-added network for EDI transactions? Ability to deal with differing data protocols. Decrease in cost of EDI. Increase in data redundancy. Direct communication between trading partners.
Ability to deal with differing data protocols. This answer is correct because a value-added network is a privately owned network that routes EDI transactions and alleviates problems related to differences between various organizations' hardware and software.
Controls in the information technology area are classified into the preventive, detective, and corrective categories. Which of the following is a preventive control? Contingency planning. Hash total. Echo check. Access control software.
Access control software. This answer is correct. A preventive control is designed to prevent a misstatement from occurring. Access control software prevents unauthorized individuals from gaining access to a system or application and therefore prevents unauthorized transactions or changes in data.
To properly control the improper access to accounting database files, the database administrator should ensure that database system features are in place to permit Read-only access to the database files. Updating from privileged utilities. Access only to authorized logical views. User updates of their access profiles.
Access only to authorized logical views. One security feature in database systems is their ability to let the database administrator restrict access on a logical view basis for each user.
The IT Steering Committee at Henry Flower's Flower shop is assessing whether to purchase, or internally develop, a new CRM (customer relationship management) system. In the COBIT model, this is best classified as an example of Planning and Organization. Acquisition and Implementation. Delivery and Support. Monitoring.
Acquisition and Implementation. Correct! A make or purchase decision, such as is described in this case, is a part of assessing how to acquire, implement, or develop IT solutions that address business objectives and integrate with critical business process.
The fixed assets and related depreciation of a company are currently tracked on a password-protected spreadsheet. The information technology governance committee is designing a new enterprise-wide system and needs to determine whether the current fixed asset process should be included because the current system seems to be working properly. What long-term solution should the committee recommend? Continuing to use the current spreadsheet process because there have been no issues in this area. Developing a new fixed asset system to manage the assets and related depreciation. Purchasing a stand-alone fixed asset program for managing the assets and related depreciation. Adopting the fixed-asset module of the new system for integration.
Adopting the fixed-asset module of the new system for integration. One of the goals of an enterprise-wide system is to integrate" all data maintained by the organization into a single database." This option best achieves the goal of a single, organization-wide system with which to bind the entire organization together.
Which of the following configurations of elements represents the most complete disaster recovery plan? Vendor contract for alternate processing site, backup procedures, names of persons on the disaster recovery team. Alternate processing site, backup and off-site storage procedures, identification of critical applications, test of the plan. Off-site storage procedures, identification of critical applications, test of the plan. Vendor contract for alternate processing site, names of persons on the disaster recovery team, off-site storage procedures.
Alternate processing site, backup and off-site storage procedures, identification of critical applications, test of the plan. This answer is correct because the plan should provide for an alternative processing site, backup and off-site storage procedures, identification of critical applications, and test of the plan.
Henry Higgins of Jiffy Grill has learned that the controller is likely embezzling money to fund an expensive drug and gambling habit. Ideally, Henry should communicate this information to: The controller. His boss. An anonymous hotline set up by Jiffy Grill. His employees.
An anonymous hotline set up by Jiffy Grill. (Correct!) If Jiffy Grill has an anonymous hotline set up for this purpose, then this is the best way to communicate this information.
Happy's Nutty Clownery ordered 82 bags of balloons from a supplier but received only 28. Which of the following controls is most likely to have caught this error? Separation of duties in cash receipts Formalizing the process for authorizing the purchase of goods Requiring purchasing agents to disclose relationships with vendors and purchasers An automated receiving system that includes multiple points of scanning of received goods
An automated receiving system that includes multiple points of scanning of received goods (Correct!) An automated receiving system that includes multiple scans of received goods is likely to have caught this error.
The perpetrator of a fictitious vendor fraud is usually A stakeholder. An employee. A mountebank. A customer.
An employee. Correct! Many fake vendor frauds are perpetrated by employees.
A client would like to implement a management information system that integrates all functional areas within an organization to allow information exchange and collaboration among all parties involved in business operations. Which of the following systems is most effective for this application? A decision support system. An executive support system. An office automation system. An enterprise resource planning system.
An enterprise resource planning system. ERPs provide transaction processing, management support, and decision-making support in a single, integrated package. By integrating all data and processes of an organization into a unified system, ERPs attempt to eliminate many of the problems faced by organizations when they attempt to consolidate information from operations in multiple departments, regions, or divisions. This is the correct answer since facilitating information exchange and collaboration is the primary purpose of the proposed system.
Which of the following is not true regarding the information and communication component of internal control? The information system captures both internal and external sources of data. The information and communication component involves developing channels for communication from external stakeholders. A whistleblower hotline is an important aspect of the information and communication component. An important aspect of the information and communication component is assessment of information about fraud.
An important aspect of the information and communication component is assessment of information about fraud. This item is related to the risk assessment component.
Risk identification should be mapped to: An organization's industry. Organizational personnel. Liabilities. Asset utilization.
An organization's industry. Correct! Cyber risks are often planned by hackers to exploit specific weaknesses, and achieve specific outcomes, in an industry—for example, targeting financial services firms to steal money.
Which of the following steps in the accounting cycle comes before posting entries to accounts? Journalize closing entries. Analyze transactions. Prepare reports. Prepare post-closing trial balance.
Analyze transactions. Correct! Analyze transactions comes before posting entries to accounts.
Which of the following sets of duties would not be performed by a single individual in a company with the most effective segregation of duties in place? Posting accounts payable transactions and entering additions and terminations to payroll. Having custody of signed checks yet to be mailed and maintaining depreciation schedules. Approving sales returns on customers' accounts and depositing customers' checks in the bank. Preparing monthly customer statements and maintaining the accounts payable subsidiary ledger.
Approving sales returns on customers' accounts and depositing customers' checks in the bank. Correct. Both tasks occur in the revenue cycle. In addition, fraud risk exists if one individual both approves sales returns and deposits checks. A criminal individual could steal the customer checks and create falsified returns to balance the customer's account from which the check was stolen.
During the annual audit, it was learned from an interview with the controller that the accounting system was programmed to use a batch processing method and a detailed posting type. This would mean that individual transactions were Posted upon entry, and each transaction had its own line entry in the appropriate ledger. Assigned to groups before posting, and each transaction had its own line entry in the appropriate ledger. Posted upon entry, and each transaction group had a cumulative entry total in the appropriate ledger. Assigned to groups before posting, and each transaction group had a cumulative entry total in the appropriate ledger.
Assigned to groups before posting, and each transaction had its own line entry in the appropriate ledger. This answer is consistent with the batch processing system and the detailed posting of transactions.
An external auditor is conducting a review of the accounting and control system of Bill's Bad Boy Bagels and Farm Fresh Cream Cheese. Which of the following would be inappropriate in relation to this review? Use key concepts from the framework for cybersecurity as a basis for explaining the results of the review to Bill's management. Assure Bill's management that identified deficiencies will be corrected. Identify the control deficiencies in Bill's system. Report on the conduct of the engagement to the PCAOB.
Assure Bill's management that identified deficiencies will be corrected. Correct! An external auditor cannot assure a client that control deficiencies will be corrected since the auditor is not a part of correcting the deficiencies. This is an inherent limitation of auditing that is unchanged by the framework for cybersecurity.
Database management software is considered: Outerwear. Software. Middleware B and C.
B and C. Database management software is considered both software and middleware.
A checkpoint is used mostly in _____ systems. Online real time. Faulty. Batch. General.
Batch. Checkpoints are mostly used in batch systems. The use of checkpoint and restart is an important backup procedure.
Hamish works in a factory that builds tractors in Des Moines, Iowa. He can't remember whether the B352 or the C917 sprocket is needed in building a X793 tractor. The document, form, or screen that would help him decide is: Bill of materials. Materials requisition. Move ticket. Picking ticket.
Bill of materials. (Correct!) The bill of materials specifies which parts are used in making a product. This is what Hamish needs.
At Mega-Construction, secured payments are sent to suppliers as soon as materials are received and scanned. Many attributes of the received goods are also scanned and recorded immediately on receipt (e.g., time received, quality indicators, item location through GPS functionality). This information is shared through a distributed ledger. Mega-Construction is likely using _______________. Blockchain TCP/IP Bitcoin STMP
Blockchain Correct! The described characteristics are consistent with the use of a blockchain system.
Selling a digitized product can: Decrease its cost. Improve its quality. Both A and B. Neither A nor B.
Both A and B. This statement is true. Therefore, this is the correct answer since selling a digitized product can reduce costs and improve quality (e.g., some online books are cheaper, include hyperlinks to resources and key terms, and include additional content).
Which of the following is true in regard to data warehouses? I. The bulk of the data found in a data warehouse comprises historical operational data. II. Pattern recognition is one of the principal functionalities offered by data mining software. I only. II only. Both I and II. Neither I nor II.
Both I and II. A data warehouse is a database archive of an organization's operational transactions (sales, purchases, production, payroll, etc.) over a period of years; external data that might be correlated with these transactions, such as economic indicators, stock prices, and exchange rates, are also included. Pattern recognition is a major component of data mining software: data mining is the process of performing statistical analysis and automatically searching for patterns in large volumes of data.
The materials manager of a warehouse is given a new product line to manage with new inventory control procedures. Which of the following sequences of the COSO internal control monitoring-for-change continuum is affected by the new product line? Control baseline but not change management Change management but not control baseline Neither control baseline nor change management Both control baseline and change management
Both control baseline and change management Correct! This is a substantial change; hence it will affect both the assessment of the control baseline and assessment of changes in that baseline (i.e., "change management").
More than one file may be stored on a single magnetic disc. Several programs may be in the core storage unit simultaneously. In both cases it is important to prevent the mixing of data. One way to do this is to use File integrity control. Boundary protection. Interleaving. Paging.
Boundary protection. This answer is correct because the primary purpose of boundary protection is to prevent the mixing of data on a magnetic memory disc and a core storage unit.
Roles for accountants in big data include all of the following except: Assessing the quality and integrity of big data. Integrating big data into evaluations of internal control. Building big data systems. Data scientists.
Building big data systems. (Correct!) While accountants may have a role in designing big data systems, they will not hold responsibility for building them.
In a public company, which of the following officers must certify that the accuracy of their firms' financial statements as filed with the SEC? CEO and CAO CAO and CFO CFO and CEO CEO and COO
CFO and CEO Correct! SOX requires both the CEO and the CFO, but no other officers, to certify the accuracy of their firms' audited financial statements when filed with the SEC.
The Slippin' into Darkness Mortuary is reviewing its cybersecurity to explore its current state and related risks as a part of establishing high-level objectives for cybersecurity. In the framework for cybersecurity, this is an example of the element ______ and the function _______. Categories; identify Subcategories; respond References; identify Functions; detect
Categories; identify Correct! The organization is exploring "how is it doing?" at a high level related to cybersecurity. Hence, the function is "identify" and, because the focus is on high-level objectives, the element is "categories."
Management of a company has a lack of segregation of duties within the application environment, with programmers having access to development and production. The programmers have the ability to implement application code changes into production without monitoring or a quality assurance function. This is considered a deficiency in which of the following areas? Change control. Management override. Data integrity. Computer operations.
Change control. The management of changes to applications is part of the Source Program Library Management System (SPLMS).
A brokerage firm has changed a program so as to permit higher transaction volumes. After proper testing of the change, the revised programs were authorized and copied to the production library. This practice is an example of Prototyping. Program integration. SDLC (System Development Life Cycle). Change control.
Change control. This answer is correct. The practice of authorizing changes, approving tests results, and copying developmental programs to a production library is program change control.
According to COSO, the use of ongoing and separate evaluations to establish a new baseline after changes have been made can best be accomplished in which of the following stages of the monitoring-for-change continuum? Control baseline. Change identification. Change management. Control revalidation/update.
Change management. The change management stage involves evaluating the design and implementation of changes and establishing a new baseline.
Big data: Is similar to automated authentication. Changes an entity's risk profile. Is unrelated to financial reporting. Is the monetization of data assets.
Changes an entity's risk profile. (Correct!) Big data adds a new set of risks to an entity and changes some existing risks.
What is the correct ascending hierarchy of data in a system? Character, record, file, field. Field, character, file, record. Character, field, record, file. Field, record, file, character.
Character, field, record, file. This answer lists the data structures in the correct order. Specifically, a character has fewer pieces of data than does a field. A field has fewer pieces of data than does a record. And a record has fewer pieces of data than does a file.
Which of the following controls is not usually found in batch processing systems? Closed loop verification. Financial control totals. Check digits. Limit checks.
Closed loop verification. Closed loop verification is an input control associated with online real-time systems.
A customer notified a company that the customer's account did not reflect the most recent monthly payment. The company investigated the issue and determined that a clerk had mistakenly applied the customer's payments to a different customer's account. Which of the following controls would help to prevent such an error? Checksum Field check Completeness test Closed-loop verification
Closed-loop verification Correct! Closed-loop verification helps ensure that a valid and correct customer account has been entered; after the code is entered, this system looks up and displays additional information about the selected code. For example, the operator enters a customer code, and the system displays the customer's name and address.
Which of the following terms refers to a site that has been identified and maintained by the organization as a data processing disaster recovery site but has not been stocked with equipment? Hot. Cold. Warm. Flying start.
Cold. This answer is correct. A cold site is a backup site that has not been stocked with equipment.
According to the COSO framework, evaluators that monitor controls within an organization should have which of the following set of characteristics? Competence and objectivity. Respect and judgment. Judgment and objectivity. Authority and responsibility.
Competence and objectivity. COSO indicates that the evaluator must have competence and objectivity.
Which of the following characteristics distinguishes computer processing from manual processing? Computer processing virtually eliminates the occurrence of computational error normally associated with manual processing. Errors or fraud in computer processing will be detected soon after their occurrences. The potential for systematic error is ordinarily greater in manual processing than in computerized processing. Most computer systems are designed so that transaction trails useful for audit purposes do not exist.
Computer processing virtually eliminates the occurrence of computational error normally associated with manual processing. The high degree of accuracy of computer computation virtually eliminates the occurrence of computational errors.
Rootin' Roberta of Sharpie Shooters Range Corp. is charged with replacing the computer used in the accounting system. She wants a quick boot time and fast access to storage. She doesn't need a lot of storage, but she wants maximum security in storage. She should consider purchasing: Computers that primary rely on optical disks. A system that primary rely on RAID storage. A system that primarily relies on cloud-based storage. Computers that primary rely on SSD storage.
Computers that primary rely on SSD storage. (Correct!) Solid state drive (SSD) storage has the desired characteristics.
_____ concerns whether confidential information is protected consistent with the organization's commitments and agreements. Quality Processing integrity Privacy Confidentiality
Confidentiality Correct! According to the AICPA ASEC principles, this is the definition of confidentiality.
Ashley's Tree and Trim has an automated system that monitors system access events and reports them, in real time, to the IT security manager. This type of monitoring is: Continuous. Self. XBRL-enabled. Supervisory.
Continuous. (Correct!) This monitoring occurs continuously.
Which of the following components of internal control would encompass the routine controls over business processes and transactions? The control environment. Information and communication. Control activities. Risk assessment.
Control activities. Control activities, policies and procedures are designed to assure that management's directives are followed.
Which of the following components of internal control encompass policies and procedures that ensure that management's directives are carried out? The control environment. Monitoring. Control activities. Information and communication.
Control activities. This answer is correct. Control activities encompass policies and procedures that ensure that management's directives are carried out.
Multi National United Corporation is a private contractor that relocates aliens to temporary housing facilities. On its company home page, the company lists the following words: "integrity," professional," "teamwork," and "security." These words are probably part of the company's ____________ Core values. Mission statement. Statement of position (SOP). Vision.
Core values. Correct! These adjectives are most likely statements of the company's core values, which are the entity's beliefs and ideals about what is good or bad, acceptable or unacceptable, and are statements that influence the behavior of the organization.
A computer emergency response team (CERT) is a ______ control. Defense-in-depth Preventive Detective Corrective
Corrective Correct! A CERT is a corrective control since it is intended primarily to clean up the mess of a violation of the system's integrity.
For the past three years, the management of AlphaCentaur Products, a U.S.-based company, has paid money to the Minister of Trade and Technology for the government of ChipstatLand (an Eastern European country) to obtain government contracts to purchase computers, software, and network products. These activities have increased AlphaCentaur's sales by 20%. These actions can best be described as Reporting fraud: nonfinancial. Misappropriate of assets. Corruption and illegal acts Reporting fraud: financial.
Corruption and illegal acts Correct! The described scenario describes the payment of bribes, which indicates corruption on the part of the government officials and a violation of the Foreign Corrupt Practices law by AlphaCentaur.
DOUBLE Today organizations are using microcomputers for data presentation because microcomputer use, compared to mainframe use, is more Controllable. Conducive to data integrity. Reliable. Cost effective.
Cost effective. This answer is correct. In cooperative processing, microcomputers are more cost effective than mainframes for data entry and presentation because microcomputers are better suited to frequent screen updating and graphical user interfaces.
Today organizations are using microcomputers for data presentation because microcomputer use, compared to mainframe use, is more Controllable. Conducive to data integrity. Reliable. Cost effective.
Cost effective. This answer is correct. In cooperative processing, microcomputers are more cost effective than mainframes for data entry and presentation because microcomputers are better suited to frequent screen updating and graphical user interfaces.
Real-time processing is most appropriate for which of the following bank transactions? Credit authorizations for consumer loan applicants Biweekly payroll for bank employees Purchases of fixed assets Expiration of prepaid liability insurance
Credit authorizations for consumer loan applicants Correct! Speed! It's all about speed here. Loan applicants want fast answers. They are impatient! Quickly! Run the data quickly! Gimme my money! Now!
Which of the following is not an important aspect of supply chain management? Information technology. Accurate forecasts. Customer relations. Communications.
Customer relations. Supply chain management is primarily designed to manage the firm's relationships with suppliers by sharing key information all along the supply chain. The area of customer relations is not a primary focus of supply chain management.
The following customer data is stored in the sales processing system to a regional produce distributor: CustomerNumber, CustomerName, CustomerPhone, CustomerContact, CustomerCreditLimit Which of the following is true? CustomerNumber is an example of a field. CustomerNumber is an example of a data value. CustomerNumber is an example of a record All of the above are true.
CustomerNumber is an example of a field. CustomerNumber is an example of a field (also known as an attribute).
Concerns about the IoT include all of the following except: Reduced privacy. Cycle times. Data storage. Risk exposure.
Cycle times. Correct! A cycle time in manufacturing is the time required to produce an order. In computer science, it is the time between one random access memory event to the next. Neither of these definitions is relevant to the IoT.
Which of the following items would be most critical to include in a systems specification document for a financial report? Cost-benefit analysis Data elements needed Training requirements Communication of change management considerations
Data elements needed This answer is correct. A systems specification document should include a description of the data elements needed.
Which of the following information technology (IT) departmental responsibilities should be delegated to separate individuals? Network maintenance and wireless access. Data entry and antivirus management. Data entry and application programming. Data entry and quality assurance.
Data entry and application programming. The separation of the data entry function from the application programming function is critical to the segregation of duties within an IT department. This is because if one both enters data and changes the programs into which those data are entered, one can perpetrate consequential financial frauds. This is why data entry occurs within the operations unit of an IT department and application development occurs within the development function of an IT department. These functions must be kept separate and their duties segregated. Therefore, this is the best answer to the question.
Mitch and Murray Real Estate is building a national database of real estate sales transactions to help their sales staff identify trends, opportunities, and unique risks in their markets. This is an example of: Data transformation. Data cleansing. Data visualization. Data extracting.
Data extracting. Correct! Harvesting data—that is, building a database—is an example of data extraction.
A data mart is a specialized type of ____________ that is tailored to the needs of a(n) _______. Database; user Data warehouse; organization OLTP; ERP AI; ERP
Data warehouse; organization Correct! A data mart is a type of data warehouse that is customized for an organization.
Harvey Mudbath, a hot tub and spa manufacturer, currently has a slow network but computing capacity that is distributed across its 18 locations. The computing capacity, while large, is not linked to each location's processing needs. Without any upgrades to the system, Harvey Mudbath probably uses a ___________ system. Centralized Decentralized Hybrid Schema
Decentralized Correct! A decentralized system is characterized by distributed processing and a lessened need for network resources.
IT policies are particularly valuable in _______ and _________ organizations. Asset-intensive; centralized Decentralized; geographically disbursed Low-reliability; gaming Cooperative; incipient
Decentralized; geographically disbursed Correct! These attributes make IT policies particularly valuable, since personnel are disbursed across multiple locations. IT policies are particularly valuable with disbursed units.
An organization implements an integrated package of authentication controls related to its critical systems. This is an example of: Defense in depth. Automated authentication. Security procedure design. Rollback and restart.
Defense in depth. Correct! Defense in depth includes the implementation of multiple control layers.
Which of the following large-scale conversion approaches to system implementation presents the greatest risk to an organization? Parallel. Direct. Phase-in. Pilot.
Direct. Correct! In a direct cutover implementation, the old system is dropped and the new system is put in place all at once. This is risky but fast (except when it fails—in which case it is slower). This is the riskiest of the chosen strategies.
An information technology director collected the names and locations of key vendors, current hardware configuration, names of team members, and an alternative processing location. What is the director most likely preparing? Data restoration plan. Disaster recovery plan. System security policy. System hardware policy.
Disaster recovery plan. This answer is correct. This information would be useful in reconstructing a database in the event of a disaster.
An internal audit manager requested information detailing the amount and type of training that the IT department's staff received during the last year. According to COSO, the training records would provide documentation for which of the following principles? Exercising oversight of the development and performance of internal control Demonstrating a commitment to retain competent individuals in alignment with objectives Developing general control activities over technology to support the achievement of objectives Holding individuals responsible for their internal control responsibilities in the pursuit of objectives
Demonstrating a commitment to retain competent individuals in alignment with objectives Correct! Evaluating the quality and nature of IT department staff training is essential to retaining competent individuals in the organization.
If a control total were to be computed on each of the following data items, which would best be identified as a hash total for a payroll application? Hours worked. Total debits and total credits. Net pay. Department numbers.
Department numbers. This answer is correct. A hash total is a meaningless sum which normally has no use other than to prove the completeness with which a batch has been processed. The summation of department numbers has no apparent use other than to help determine that an entire batch has been processed.
An information technology director collected the names and locations of key vendors, current hardware configuration, names of team members, and an alternative processing location. What is the director most likely preparing? Data restoration plan. Disaster recovery plan. System security policy. System hardware policy.
Disaster recovery plan. This information would contribute to the development of a disaster recovery plan.
Mr. Shankley's Medical Services Corp. operates in all states and territories of the U.S. It is developing a new patient relationship management system. The system is approaching completion and is behind schedule. Which of the following implementation methods would be potentially fastest but also involve the most risk? Pilot testing. Direct cutover. Phased implementation. Parallel implementation.
Direct cutover. (Correct!) Direct cutover would be the riskiest, since all locations would implement simultaneously.
The CEO of Duke & Duke has been known to yell at employees. When the board first hears about such behavior, the role of the board in relation to the CEO's behavior is most likely to be to: Determine if the board is independent of the CEO. Define the organizational culture as risk averse. Fire the CEO. Discuss the CEO's behavior and challenge the CEO to overcome these issues.
Discuss the CEO's behavior and challenge the CEO to overcome these issues. Correct! This action is best supported by COSO's ERM framework. The board must challenge the CEO to address his or her behavior.
Tyrell Corporation, a start-up company, develops and manufactures robotic applications for use in manufacturing facilities. The company CEO is considering implementing two statements of company-wide risk appetite: The company will not invest more than 5% of its capital budget in projects that are categorized as high risk. The company will ensure that it realizes at least 80% of expected earnings at a 95% level of confidence. How should the CEO proceed with consideration of the proposed statements of risk appetite? Determine if the board is independent of the CEO. Define the organizational culture as risk averse. Discuss the proposed risk appetite statements with major company stakeholders, including the management and risk management teams, and the board of directors. Discuss the proposed risk appetite statements with the management and risk management teams.
Discuss the proposed risk appetite statements with major company stakeholders, including the management and risk management teams, and the board of directors. Correct! The next step in adopting company-wide statements of risk appetite is to discuss these statements with, at a minimum, management and risk management teams and the board of directors. The CEO may also want to hold workshops related to defining risk appetite.
The multi-location system structure that is sometimes called the "Goldilocks" solution because it seeks to balance design tradeoffs is Centralized. Decentralized. Distributed. ROM.
Distributed. This question presumes a knowledge of the Grimms' fairy tale, "The Story of the Three Bears." In the fairy tale, Goldilocks wants her porridge neither too hot, nor too cold. Hence, the "Goldilocks" solution, which is sought by this question in relation to computing and file sharing, is a solution that is neither too centralized, nor too decentralized (metaphorically, neither too hot nor too cold). Hence, this is the correct answer — a compromise between centralized and decentralized computing.
A zombie computer is used most frequently to perpetrate a _________ attack: DoS Man-in-the-middle Phishing Session
DoS Correct! Zombie or botnet computers are often used perpetrate denial of service (DoS) attacks.
Winifred, an internal auditor, wants to access company data from the company's 10-K SEC filing. An efficient way to access these data would be to use the SEC's _______ system to access the ________ filing. Internet; pdf EDGAR; XBRL Intranet; paper Exchange; Dropbox
EDGAR; XBRL Correct! Accessing the company's XBRL (i.e., eXtensible business reporting language) filing in the EDGAR system is the most efficient way to get these data.
Which of the following is considered an application input control? Run control total. Edit check. Report distribution log. Exception report.
Edit check. This answer is correct. An edit check is a check on the accuracy of data as it is inputted.
Brownout is an example of a(n) ___________ risk. Electrical system Logical control Authentication Encryption
Electrical system Correct! Brownout (i.e., reduced voltage) is a physical system risk related to electricity. Brownout is reduced voltage in the electrical system of an organization.
When used in an information technology context, EDI is Education Discount Interface. Electronic Data Interchange. Engineered Duplicate Integration. Extreme Disaster Inhibitor.
Electronic Data Interchange. This answer is correct because EDI stands for electronic data interchange.
Which of the following best defines electronic data interchange (EDI) transactions? Electronic business information is exchanged between two or more businesses. Customers' funds-related transactions are electronically transmitted and processed. Entered sales data are electronically transmitted via a centralized network to a central processor. Products sold on central Web servers can be accessed by users anytime.
Electronic business information is exchanged between two or more businesses. This answer is correct. Electronic data interchange involves the electronic exchange of business transaction data in a standard format from one entity's computer to another entity's computer.
A manufacturing company that wanted to be able to place material orders more efficiently most likely would utilize which of the following? Electronic check presentment. Electronic data interchange. Automated clearinghouse. Electronic funds transfer.
Electronic data interchange. This answer is correct because electronic data interchange is used to electronically connect a company to its suppliers and customers.
Each of the following is a greater risk in the small business computing environment except Physical controls. Encryption. Logical controls. Program development.
Encryption. Correct! Encryption is not a risk. It is a procedure to reduce risk.
A system in which the end user is responsible for the development and execution of the computer application that he or she uses is referred to as Microcomputing. End-user computing. Distributed computing. Decentralized computing.
End-user computing. This answer is correct because in end-user computing the user is responsible for the development and execution of the computer application that generates the information used by that same user.
A system in which the end user is responsible for the development and execution of the computer application that he or she uses is referred to as Microcomputing. End-user computing. Distributed computing. Decentralized computing.
End-user computing. This answer is correct because in end-user computing, the user is responsible for the development and execution of the computer application that generates the information used by that same user.
A company permits employees to work from home using company-owned laptops. Which of the following competitive advantages does the company most likely obtain as a result of this decision? Integrity Reliability Engagement Confidentiality
Engagement Correct! Employees are likely to be more engaged and committed to the organization when working from home than when working at the office. In addition, allowing employees to work from home increases the availability of the company's systems to employees.
Which of the following is an example of applications software that a large client is most likely to use? Enterprise resource planning. Operating system. Central processing unit. Value-added network.
Enterprise resource planning. Enterprise resource planning (ERP) software is a form of applications software that provides relatively complete information systems for large and medium size organizations.
The Wasabi Electronics employee survey related to fraud risk includes this question: "Employees who report suspected improprieties are protected from reprisal." This question best relates to which of the following fraud management principles and processes? Establishing a fraud risk management program Selecting, developing, and deploying fraud controls Selecting, developing, and deploying evaluation and monitoring processes Establishing a communication program to obtain information about potential frauds
Establishing a communication program to obtain information about potential frauds Correct! This survey question is asking about employees' willingness to communicate fraud risks. Therefore, the question directly relates to the company's processes for establishing a communication program to obtain information about potential frauds.
A company's new time clock process requires hourly employees to select an identification number and then choose the clock-in or clock-out button. A video camera captures an image of the employee using the system. Which of the following exposures can the new system be expected to change the least? Fraudulent reporting of employees' own hours. Errors in employees' overtime computation. Inaccurate accounting of employees' hours. Recording of other employees' hours.
Errors in employees' overtime computation. This is the best answer. Computing overtime requires a calculation (total hours - normal hours = overtime hours) that is independent of the system described. That is, the addition of a time clock and video camera will not directly help in allocating hours worked between normal and overtime hours. In addition, the other answers are, bad choices. Therefore, this is the best answer of the available choices.
A company has a significant e-commerce presence and self-hosts its website. To assure continuity in the event of a natural disaster, the firm should adopt which of the following strategies? Back up the server database daily. Store records off-site. Purchase and implement RAID technology. Establish off-site mirrored Web server.
Establish off-site mirrored Web server. This answer is correct. Establishing an off-site mirrored Web server would provide for continuous duplication of data in geographically separated locations.
A company has a significant e-commerce presence and self-hosts its website. To assure continuity in the event of a natural disaster, the firm should adopt which of the following strategies? Back up the server database daily. Store records off-site. Purchase and implement RAID technology. Establish off-site mirrored web server.
Establish off-site mirrored web server. Mirroring is a high-cost, high-reliability approach to backup that is common in e-commerce applications. Of the offered alternatives in this question, this is the best approach to assuring the continuous delivery of services despite a natural disaster.
Problems associated with e-commerce in general include all of the following except Problems in establishing identity and authenticity. Maintaining privacy of customer information. Establishing contractual agreements between trading partners. Effecting a secure exchange of payment for the goods/services.
Establishing contractual agreements between trading partners. Most e-commerce transactions are not based on prior contractual agreements between trading partners.
A start-up company seeks to build a wired LAN in its building. Cost is unimportant; security and speed are critical. The company should consider using: Twisted pair. Fiber optic cable. Coaxial cable. Microwave media.
Fiber optic cable. (Correct!) Fiber optic cable is a higher-cost, higher-quality choice for a wired network.
The Board of Directors of Martin Manufacturing Enterprises, Inc. is meeting to consider whether they should expand their manufacturing facilities to include a product line. Although the company's current financial position and sales potential for existing products are part of the information the Board must consider, of even greater importance is external information concerning economic conditions, market projects for the new product, the cost of long-term financing alternatives, and information about potential competitors. The Board of Directors' decision process would be best supported by a Management information system (MIS). Knowledge management system (KMS). Decision support system (DSS). Executive support system (ESS).
Executive support system (ESS). Executive support systems (ESSs) are a subset of DSS that are especially designed for forecasting and making long-range, strategic decisions, and they place greater emphasis on external data. The need to consider a large proportion of external information in the decision process makes an executive support system (ESS) the best choice listed.
Monster Lorenzo Sneakers has a division that combines information from several sources into one comprehensive database. The included data relates to customer information from a company's point-of-sale systems (the cash registers), its website, its mailing lists, and its comment cards. It also includes separate data about employees, including time cards, demographic data, and salary. If Monster Lorenzo Sneakers decided to launch a big data initiative, what is the most likely effect on this division? Expansion Contraction Elimination Refurbishing
Expansion Correct! The described division is a data warehouse. Big data initiatives generally result in expanding data warehouses.
A public company audit committee's "financial expert" must have all of the following except: An understanding of GAAP and financial statements. Experience in preparing or auditing financial statements of comparable companies and application of such principles in connection with accounting for estimates, accruals, and reserves. Experience with internal auditing controls. Experience on a public company's compensation committee.
Experience on a public company's compensation committee. Correct! SOX does not require that a "financial expert" have experience on a compensation committee. It does require that she have an understanding of GAAP and GAAS, an ability to assess the general application of these principles, experience in preparing, auditing, analyzing or evaluating F/S, an understanding of internal controls and procedures for financial reporting, and an understanding of audit committee functions.
Scarlett O'Hara "Give a Darn" tours of Atlanta has an automated system that uses information obtained from travel agents to help customers find the best tours for their interests. This is best described as a(n) _____________. Database Data warehouse Expert system Data mart
Expert system Correct! This is an expert system since it integrates expert advice for a user.
Employee numbers have all numeric characters. To prevent the input of alphabetic characters, what technique should be used? Optical character recognition (OCR). Check digit. Validity check. Field (format) check.
Field (format) check. This answer is correct because with a field (format) check, the computer checks the characteristics of the character content, length, or sign of the individual data fields.
Every audit committee of a public company must have at least one: Legal expert who understands the liabilities that public companies can face if they misreport financial information. Financial expert who understands GAAP and financial statements. Ethics expert who is familiar with Immanuel Kant's writings. Accounting expert who is familiar with the AICPA Code of Professional Conduct.
Financial expert who understands GAAP and financial statements. Correct! SOX required financial experts (who often have accounting experience), but not legal experts or "accounting experts" familiar with the AICPA Code.
Public company external audit firms must audit their clients': Financial statements. Internal controls. Financial statements and internal controls. Neither financial statements nor internal controls.
Financial statements and internal controls. Correct! SOX requires the auditors of public companies to audit both their financial statements and their internal controls.
XBRL is a ____________ that is derived from ________. Financial tagging language; XML Protocol; STMP Company; a stock offering Financial tagging language; STMP
Financial tagging language; XML Correct! XBRL (i.e., eXtensible business reporting language) is for tagging financial information. It is derived from XML (i.e., eXtensible markup language).
Which of the following is an electronic device that separates or isolates a network segment from the main network while maintaining the connection between networks? Query program. Firewall. Image browser. Keyword.
Firewall. This answer is correct because a firewall prevents unauthorized users from accessing a network segment.
Which of the following is a defining characteristic of supply chain management? Focuses on the sharing of information with suppliers and customers. Focuses on redesigning processes. Focuses on improving quality. Focuses on strategic alliances.
Focuses on the sharing of information with suppliers and customers. A key aspect of supply chain management is the sharing of key information from the point of sale to the consumer back to the manufacturer, the manufacturer's suppliers, and the supplier's suppliers.
Bad, Bad, Leroy Brown Corp., a BBQ food chain based in Kansas City, MO is building a new customer relationship management (CRM) system. In transitioning between phases in the SDLC, the company must obtain and document: Critical success factors analysis. Change control. Formal approval. End user participation.
Formal approval. (Correct!) Formal approval is necessary before moving into the next phase.
Catalonian Olive Oil Products runs an ERP system and conducts backup procedures that are _______, ______, and _______. Grandfather, father, and son Full, incremental, and differential Bin, volume, and name Checkpoint, recovery, restart
Full, incremental, and differential Correct! These terms describe the extent of backup used each time at the company.
The financing cycle contributes ___________ to the expenditure cycle, which contributes _____________ to the production cycle. Revenue, expenditures Raw materials, finished products Labor, raw materials Funds, raw materials
Funds, raw materials Correct! Money (or credit) from the financing cycle is used to buy raw materials in the expenditure cycle, which is then sent to the production cycle.
There are several kinds of hardware and software for connecting devices within a network and for connecting different networks to each other. The kind of connection often used to connect dissimilar networks is a Gateway. Bridge. Router. Wiring concentrator.
Gateway. This answer is correct. A gateway, often implemented via software, translates between two or more different protocol families and makes connections between dissimilar networks possible.
The Internet is made up of a series of networks which include Gateways to allow mainframe computers to connect to personal computers. Bridges to direct messages through the optimum data path. Repeaters to physically connect separate local area networks (LANs). Routers to strengthen data signals between distant computers.
Gateways to allow mainframe computers to connect to personal computers. This answer is correct. Gateways connect Internet computers of dissimilar networks.
IT facility controls are Detective. General. Corrective. Preventive.
General. IT facility controls are general controls. That is, they are controls over the IT department as a whole. For example, restricting access to the IT department prevents unauthorized individuals from gaining physical access to the system.
Which of the following risks increases the least with cloud-based computing compared with local server storage for an organization that implements cloud-based computing? Data loss. Vendor security failure. Global visibility. System hacks.
Global visibility. Global visibility is not a risk of cloud-based computing.
_____ is the name of the processes and structures, implemented by the board, to achieve organizational goals. Governance Matching Oversight Strategy
Governance Correct - this is the definition of governance.
BigWig Costume Rentals recently implemented an initiative to attract and retain web programmers and systems analysts as a part of its expanded web development to support online sales. This initiative most likely occurs as a part of which component in the ERM framework? Governance and Culture Performance Strategy and Objective-Setting Information, Communication, and Reporting
Governance and Culture Correct! Governance is the allocation of roles, authorities, and responsibilities among stakeholders including attracting, retaining, and developing capable individuals. The listed activities are part of COSO ERM Principle 5, which relates to attracting, retaining, and developing capable individuals.
Adventureland, a start-up Pittsburgh theme park, has a series of meetings with its investors, management, and employees to help identify its risk culture. This initiative most likely occurs as a part of which component in the ERM framework? Governance and Culture Performance Strategy and Objective-Setting Information, Communication, and Reporting
Governance and Culture Correct! Governance is the identification and allocation of roles, authorities, and responsibilities among stakeholders, including identifying the organization's risk culture. This is exactly the activity described in this scenario.
Compared to a more risk-averse entity, the ERM of a more risk-aggressive entity demands __________. Greater integration A discrete, autonomous ERM unit Lower-velocity data Lower performance expectations
Greater integration Correct! Accepting more risk requires greater integration of the ERM function into the entity's structure and processes compared to a more risk-averse entity. This is because the ERM unit in a risk-aggressive entity must monitor risk information more quickly and nimbly than a risk-averse entity. Monitoring risk information quickly requires greater integration.
Management of a financial services company is considering a strategic decision concerning the expansion of its existing local area network (LAN) to enhance the firm's customer service function. Which of the following aspects of the expanded system is the least significant strategic issue for management? How the expanded system can contribute to the firm's long-range business plan. How the expanded system would support daily business operations. How indicators can be developed to measure how well the expanded system achieves its business objectives. How the expanded system will contribute to the reduction of operating costs.
How the expanded system will contribute to the reduction of operating costs. This answer is correct. Cutting costs, per se, is the least important issue. Payoff, or return on costs, is a more relevant strategic consideration.
Which of the following is an important threat to accountability in an organization's ERM practices? Excessive communication Hypocrisy (i.e., when management says one thing and does another) Escalation Deviations
Hypocrisy (i.e., when management says one thing and does another) Correct! Setting an appropriate tone at the top of both talking and acting consistent with organizational values is important to establishing accountability.
Although only selected activities in the plan are stated below, which of the following states the correct order of activities for establishing a cybersecurity program? Identify and prioritize risks, create current profile, conduct risk assessment. Identify and prioritize risks, determine gaps, create target profile. Conduct detailed risk assessment, prioritize risks, determine gaps. Create target profile, create current profile, determine gaps.
Identify and prioritize risks, create current profile, conduct risk assessment. Correct! This answer identifies early (though not all) activities in this process.
In an accounting system, a header can be used to Help format a word processing document. Identify data records. Identify file folders. All of the above.
Identify data records. Headers are used to identify data records in an accounting system file.
Snuggly Whippet Corp. has assigned a staff analyst to investigate privacy laws and regulations related to its business of selling whippet puppies to an international clientele of wealthy purchasers. In relation to the framework for cybersecurity, this is an example of: Detecting threats. Recovering from a cyber incident Responding to a cyber incident Identifying references
Identifying references Correct! The staff analyst is searching regulations. The goal of this project is to identify relevant privacy laws and regulations (i.e., references in the language of the framework for cybersecurity).
In applying COSO to cyber risks, managing cyber risks should begin with: Informing the board about cyber risks. Allocating resources to addressing cyberattacks. Identifying system value. Cyber risk assessment.
Identifying system value. Correct! Managing cyber risks begins with identifying system value and protecting systems according to their value.
Data conversion occurs at this stage: Planning and feasibility. Analysis. Design and development Implementation.
Implementation. The process of moving from the old to the new system occurs at this stage.
An enterprise resource planning (ERP) system has which of the following advantages over multiple independent functional systems? Modifications can be made to each module without affecting other modules. Increased responsiveness and flexibility while aiding in the decision-making process. Increased amount of data redundancy, since more than one module contains the same information. Reduction in costs of implementation and training.
Increased responsiveness and flexibility while aiding in the decision-making process. Improving responsiveness and flexibility, and aiding the decision-making processes in an organization, are important goals of an ERP system. Hence, this is the best answer.
An enterprise resource planning (ERP) system has which of the following advantages over multiple independent functional systems? Modifications can be made to each module without affecting other modules. Increased responsiveness and flexibility while aiding in the decision-making process. Increased amount of data redundancy, since more than one module contains the same information. Reduction in costs for implementation and training.
Increased responsiveness and flexibility while aiding in the decision-making process. This answer is correct. An ERP system increases responsiveness and flexibility while aiding in the decision-making process.
Compared to manual systems, automated systems have ____ risks related to remote access, ____ risks related to the concentration of information, and, ______ opportunities for directly observing processes: Increased, increased, increased Decreased, decreased, decreased Increased, increased, decreased Increased, decreased, increased
Increased, increased, decreased Correct. This is an accurate statement. Automated systems have increased risks related to remote access, increased risks related to the concentration of information, and decreased opportunities for directly observing processes.
Boris works for Nefarious Corp. Boris's job is to steal genetic engineering trade secrets from the Gentle Lamb Company. He does this by dating employees of Gentle Lamb Company and stealing their access information (e.g., logon and password). Boris is a(n) _____________ who uses the computer system as a __________. Nation spy; subject Industrial spy; tool Member of organized crime; target Hacker; target
Industrial spy; tool Correct! Boris is an industrial spy (for Nefarious Corp.) who uses the computer as a tool (to gain industrial trade secrets)
The component of COSO's framework for internal control that includes the goal of proper measurement of transactions is The control environment. Control activities. Information and communication. Monitoring.
Information and communication. This answer is correct. This is one of the goals of the information and communication system.
Dennis Rodman's Shoes and Shinola recently implemented a whistleblower hotline to facilitate the reporting of events and concerns related to potential violations of its code of conduct. This initiative most likely occurs as a part of which component in the ERM framework? Governance and Culture Performance Strategy and Objective-Setting Information, Communication, and Reporting
Information, Communication, and Reporting Correct! Communication is the continual, iterative process of obtaining and sharing information to facilitate and enhance ERM. This function includes reporting on the organization's risk, culture, and performance. The listed activities are part of COSO ERM Principle 19, which relates to creating communication channels that support ERM.
Pierce and Pierce is an investment and brokerage company that manages client investments and seeks exceptional market opportunities for these clients. The company recently issued a report on its investment philosophy and risk management culture. This initiative most likely occurs as a part of which component in the ERM framework? Governance and Culture Performance Strategy and Objective-Setting Information, Communication, and Reporting
Information, Communication, and Reporting Correct! Communication is the process of obtaining and sharing information to facilitate and enhance ERM. This function includes reporting on the organization's risk, culture, and performance. The listed activities are part of the information, communication and reporting process.
The ERM component that includes email, board meeting minutes, and reports as important elements is Governance and Culture. Performance. Review and Revision. Information, Communication, and Reporting.
Information, Communication, and Reporting. Correct! Communication is the continual, iterative process of obtaining and sharing information to facilitate and enhance ERM. This function includes reporting on the organization's risk, culture, and performance. This is the component that includes email, board meeting minutes, and reports as important elements.
An enterprise resource planning system is designed to Allow nonexperts to make decisions about a particular problem. Help with the decision-making process. Integrate data from all aspects of an organization's activities. Present executives with the information needed to make strategic plans.
Integrate data from all aspects of an organization's activities. It is a primary objective of an enterprise resource planning system to integrate data from all aspects of an organization's activities into a centralized data repository. Hence, this is the best answer to the question.
Automating security systems changes: Human error. Biometrics. Oversight. Internal controls.
Internal controls. Correct! Control over access to systems is a part of accounting controls.
Which of the following is most clearly not a type of IT outsourcing: External, public cloud Internal, public cloud External, private cloud Internal, private cloud
Internal, private cloud Correct! This is not an example of IT outsourcing. An internal, private cloud is not shared and is wholly owned and managed within an entity.
Which of the following is not true? Intranets are implemented using Internet protocols. Training time for intranet-based applications is usually lower than training for similar programs using a traditional LAN interface. Intranets are generally available to the public. Intranets are often used to connect geographically separate LANs within a company.
Intranets are generally available to the public. Intranets usually require a username and password in order to access the system.
In an accounting information system, which of the following types of computer files most likely would be a master file? Inventory subsidiary. Cash disbursements. Cash receipts. Payroll transactions.
Inventory subsidiary. The "inventory subsidiary" is an example of a "ledger." A ledger maintains the balances of some kind of account (accounts receivable subsidiary ledger maintains customer accounts, accounts payable subsidiary ledger maintains vendor accounts, inventory subsidiary ledger maintains product accounts). Ledger files are called "master files" because the individual transaction amounts found in the journals ("transaction files") are used to update the balances in the ledger files: the transaction files contain the detail; the master file contains the totals.
Which of the following internal control procedures would prevent an employee from being paid an inappropriate hourly wage? Having the supervisor of the data entry clerk verify that each employee's hours worked are correctly entered into the system. Using real-time posting of payroll so there can be no after-the-fact data manipulation of the payroll register. Giving payroll data entry clerks the ability to change any suspicious hourly pay rates to a reasonable rate. Limited access to employee master files to authorized employees in the personnel department.
Limited access to employee master files to authorized employees in the personnel department. This answer is correct because limiting access to employee master files to authorized employees would help prevent unauthorized changes in the wage rates in the master files.
The following chart is an example of what type of chart? Word cloud Bar chart Scatterplot Line chart
Line chart Correct! This is a line chart, which is the preferred chart type for showing one or more measures over time (as is shown here).
Which of the following best describes a hot site? Location within the company that is most vulnerable to a disaster. Location where a company can install data processing equipment on short notice. Location that is equipped with a redundant hardware and software configuration. Location that is considered too close to a potential disaster area.
Location that is equipped with a redundant hardware and software configuration. This answer is correct because a hot site is one that is equipped with redundant hardware and software that may be used quickly when the primary site goes down.
Which of the following is an effective control related to personal computing in a small business? Network transit facilities. Locking doors when offices are open and removing storage devices to secure locations. High density data entry and report production. Flashpoint recovery systems.
Locking doors when offices are open and removing storage devices to secure locations. This answer is correct and is an important physical security control in a small business environment.
Billy Bob's BarBQ has a small accounting staff and outsources payroll to a payroll service bureau. Which of the following is the most important advantage of outsourcing payroll? Improved batch control totals More accurate time recording by employees Hiring more qualified employees Lower fraud risk
Lower fraud risk Correct! Lower fraud risk is an important advantage of outsourcing payroll.
The system that most resembles a managerial accounting, budgeting system is: Operational system. MIS. DSS. ESS.
MIS. MIS take planning information (budgets, forecasts, etc.) data and compare it to actual results in periodic management reports (summary reports, variance reports, and exception reports). Hence, MIS can be considered similar to, and may incorporate, traditional budgeting systems.
Roberta is a programmer who writes applications for Parsnips Health Care. She also has access to the file library. This is a concern because she may: Grant system access inappropriately to others. Make changes in applications. Make changes to both the live and archive copies of programs. Fail to follow system change protocols.
Make changes to both the live and archive copies of programs. (Correct!) If she changes both live and archive copies of programs, changes that she has made may not be detected.
Internal auditors at Henry Flower's Flower Shop are undertaking a comprehensive review to determine if the company has complied with privacy regulations regarding customer data. In the COBIT model, this is best classified as an example of Planning and Organization. Acquisition and Implementation. Delivery and Support. Monitoring.
Monitoring. Correct! Analyzing compliance with privacy regulations is part of a formal review process to assess how to best assess IT quality and compliance with control requirements.
Hamish works in a factory that builds tractors in Des Moines, Iowa. He wants to get a B352 sprocket that is needed in building a X793 tractor. The document, form, or screen that would authorize this action is: Bill of materials. Materials requisition. Move ticket. Picking ticket.
Materials requisition. (Correct!) A materials requisition, also called a "materials transfer ticket," would authorize Hamish to move the sprocket from raw materials to production.
Which of the following is not a goal of the HR/payroll cycle? Accurately computing taxes Minimizing the time required to move goods from raw materials to in-process inventory Securing information about an employee's drug addiction Complying with employment laws and regulations
Minimizing the time required to move goods from raw materials to in-process inventory Correct! This is a goal of the production cycle, not the HR/payroll cycle.
In COBIT, the process of reviewing system response time logs falls within the _______ control process domain. Acquire and implement. Deliver and support. Monitor and evaluate. Plan and organize.
Monitor and evaluate. The process of reviewing system response logs is within the "monitor the processes" (M1) activity, which falls within the "monitor and evaluate" domain. Therefore, this is the correct answer.
Jeffrey Smiggles of Rajon Rondo Sportswear has developed a software application that helps monitor key production risks at company factories. In order to reduce costs, his approach to monitoring risks is likely to be: Monitor all risks using indirect information. Monitor all risks using direct information. Monitor more important risks using indirect information and less important risks using direct information. Monitor more important risks using direct information and less important risks using indirect information
Monitor more important risks using direct information and less important risks using indirect information (Correct!) Collecting direct information is often costlier than collecting indirect information. Hence, to reduce costs, less important risks are likely to be monitored with indirect information.
Within the COSO Internal Control—Integrated Framework, which of the following components is designed to ensure that internal controls continue to operate effectively? Control environment. Risk assessment. Information and communication. Monitoring.
Monitoring. Monitoring is the core, underlying control component in the COSO ERM model. Its position at the foundation is not accidental and reflects the importance of monitoring to achieving strong internal control and effective risk management. Ensuring that internal controls continue to operate effectively is the primary purpose of monitoring.
Which of the following is not a factor included in the control environment? Board of directors or audit committee participation. Commitment to competence. Monitoring. Organizational structure.
Monitoring. This answer is correct. Monitoring is one of the five interrelated components of internal control, not a factor of the control environment. The seven control environment factors are as follows: (1) integrity and ethical values, (2) commitment to competence, (3) human resource policies and practices, (4) assignment of authority and responsibility, (5) management's philosophy and operating style, (6) board of directors or audit committee participation, and (7) organizational structure.
Billy Wingate enters his college dorm by typing an access code and putting his hand in a scanner. This is an example of _________ identification. Biometric Password Multifactor Hypergeometric
Multifactor Correct! This system uses both biometric and password identification, so it is multifactor.
Which of the following is NOT true of online/real-time transaction processing systems? Records are usually updated as transactions occur. Random access storage devices are normally required. Network access is not usually required to implement online/real-time systems. Errors are captured and corrected as the transaction occurs.
Network access is not usually required to implement online/real-time systems. Online/real-time systems are updated as transactions occur and consequently require networked information systems based on random access storage devices. Because the information system is updated immediately, errors are detected as soon as the transaction occurs.
ABC, Inc. assessed overall risks of MIS systems projects on two standard criteria: technology used and design structure. The following systems projects have been assessed on these risk criteria. Which of the following projects holds the highest risk to ABC? Technology Structure Current Sketchy New Sketchy Current Well defined New Well defined
New Sketchy This answer is correct because the project involves both new (more risky than current) technology and sketchy (more risky than well-defined) structure.
Simone works as an airline reservations agent. She mostly likely interacts with a: Batch system. Batched, online system. POS system. OLRT system.
OLRT system. (Correct!) An online, real-time system would be appropriate for airline reservations.
The machine-language program that results when a symbolic-language program is translated is called a(n) Processor program. Object program. Source program. Wired program.
Object program. This answer is correct because the translation of a symbolic-language program (readable by humans) results in an object program which is machine-readable.
A general type of IT system that is designed to improve the productivity of daily office work is referred to as a(n) Office automation system. Transaction processing system. Decision support system. Executive information system.
Office automation system. Office automation systems include the software tools of daily work, including word processing programs, spreadsheets, email, and electronic calendars.
Credit Card International developed a management reporting software package that enables members interactively to query a data warehouse and drill down into transaction and trend information via various network set-ups. What type of management reporting system has Credit Card International developed? On-line analytical processing system. On-line transaction-processing system. On-line executive information system. On-line information storage system.
On-line analytical processing system. On-line analytical processing systems (OLAPs) are an increasingly important multidimensional analytical tool. An OLAP is a modification and expansion of an on-line transaction processing system to provide the capabilities and functionalities identified in this question.
A data warehouse is an example of Online analytical processing. Online transaction processing. Essential information batch processing. Decentralized processing.
Online analytical processing. This answer is correct because a data warehouse is an approach to online analytical processing that combines data into a subject-oriented, integrated collection of data used to support management decision-making processes.
Software that performs a variety of general technical computer-controlling operations is a(n) Integrated suite. Shareware. Database. Operating system.
Operating system. An operating system controls the execution of computer programs and may provide various services.
Which of the following statements about processing methodologies is true? Batch systems, though inexpensive to develop, are much more expensive to operate than online real-time databases. Online real-time processing is especially desirable when transactions occur continuously and are interdependent. The implementation of both batch processing and online real-time processing require access to a networked computer system. Although designed to help ensure accuracy in a batch processing environment, batch control totals are frequently used to control accuracy in online real-time systems as well.
Online real-time processing is especially desirable when transactions occur continuously and are interdependent. Online real-time processing is especially desirable when transactions occur continuously and are interdependent. Batch processing is especially desirable when transactions occur periodically and are independent.
Which of the following areas of responsibility are normally assigned to a systems programmer in a computer system environment? Systems analysis and applications programming. Data communication hardware and software. Operating systems and compilers. Computer operations.
Operating systems and compilers. This answer is correct because systems programmers are given responsibility for maintaining system software, including operating systems and compilers.
In the COSO (2011) "cube" model, each of the following are components of internal control except Monitoring. Control activities. Operations control. Risk assessment.
Operations control. Operations control is not a component of internal control in the COSO model.
Which document lists the steps in making a product? Inventory report Bill of materials Move ticket Operations list
Operations list Correct! As is indicated by the name, this document lists the steps (or operations) needed to make a product.
Which of the following is the best description of the potential root cause of a risk? Emerging data analytic methods are unhelpful to risk assessment. Low staff morale contributes to the risk that key employees leave, creating high turnover. Lack of training increases the risk that processing errors and incidents occur. Operator processing errors will reduce the quality of manufacturing units.
Operator processing errors will reduce the quality of manufacturing units. Correct! This is a precisely stated risk (lower quality of manufactured units) that includes a potential root cause (i.e., operator processing errors).
Which of the following devices "burns" data onto a surface? Magnetic tape reader. Supercomputer. ROM. Optical disc recorder.
Optical disc recorder. An optical disc recorder uses a laser to burn data onto a disk surface.
The distribution of reports is considered what type of control? Input. Processing. Output. Software.
Output. The distribution of reports is considered an output control.
A change control process would likely not include which of the following? Change request form. Approval process. Outsourcing. Documentation.
Outsourcing. (Correct!) A change control process should include the use of change request forms, an approval process for changes, and appropriate documentation; however, outsourcing is not part of the design for a recommended change control process.
What is an example of the use of the cloud to create software and programs? IaaS PaaS SaaS SAP
PaaS PaaS is the use of the cloud to create (not access) software.
Which of the following is a critical success factor in data mining a large data store? Pattern recognition. Effective search engines. Image processing systems. Accurate universal resource locater (URL).
Pattern recognition. Data mining is the process of sorting through data maintained in a data warehouse in an effort to identify relationships between data fields or events. These relationships are often classified as sequences (one event leads to another) or associations (one event is correlated with another event). The ability to recognize these patterns is, thus, critical to successful data mining.
Which of the following is a critical success factor in data mining a large data store? Pattern recognition. Effective search engines. Image processing systems. Accurate universal resource locator (URL).
Pattern recognition. This answer is correct because the benefit of data mining is the confirmation and exploration of data relationships.
Overland Stage and Transport uses a fraud risk assessment heat map that charts the significance (on the vertical axis) and the likelihood (on the horizontal axis) of frauds as a part of its fraud risk management program. The company's use of a fraud risk heat map best relates to which of the following activities? Establishing a fraud risk management program Selecting, developing, and deploying fraud controls Selecting, developing, and deploying evaluation and monitoring processes Performing a comprehensive fraud risk assessment
Performing a comprehensive fraud risk assessment Correct! The company's use of a fraud risk heat map relates to performing a comprehensive fraud risk assessment.
Which of the following controls is mostly likely to prevent a kickback to a purchasing agent? Prenumbering of purchase order Matching packing lists to vendor invoices Periodically requiring purchasing agents to disclose their relationships to all vendors Requiring authorization to receive goods from vendors
Periodically requiring purchasing agents to disclose their relationships to all vendors Correct! This control will help prevent kickbacks to purchasing agents. Requiring a statement from vendors as to whether they are: (1) related to or have had (2) non-work related contact with vendors would help prevent kickbacks. Of course, the agents can lie, but at least there is a stronger evidence trail of misconduct if they lie in response to these questions.
The IT Steering Committee at Henry Flower's Flower Shop is determining whether the basic infrastructure of the company should include a significant component of cloud computing. In this exercise, the committee is primarily using the company's IT strategic plan to conceptually consider how cloud computing advances or detracts from the company's business objectives. In the COBIT model, this is best classified as an example of Planning and Organization Acquisition and Implementation Delivery and Support Monitoring
Planning and Organization Correct! This task is not a part of assessing how IT can best contribute to business objectives.
Which of the following statements related to IT policy monitoring is false? Analyzing help calls can be useful in improving policy compliance. Internal audit staff may be involved in policy monitoring. Monitoring may be continuous or periodic. Policy monitoring is particularly important in centralized entities.
Policy monitoring is particularly important in centralized entities. Correct! There is no reason why monitoring IT policies is particularly important in centralized entities. Because this is a false statement, it is the correct answer.
Key risk indicators are Indicators of internal control quality. Substantively equivalent to KPIs. Predictive and usually quantitative. Used primarily by risk-aware, risk-averse entities.
Predictive and usually quantitative. Correct! KRIs are usually quantitative and are used to predict risks.
The performance audit report of an information technology department indicated that the department lacked a disaster recovery plan. Which of the following steps should management take first to correct this condition? Bulletproof the information security architecture. Designate a hot site. Designate a cold site. Prepare a statement of responsibilities for tasks included in a disaster recovery plan.
Prepare a statement of responsibilities for tasks included in a disaster recovery plan. This answer is correct. The first step is to identify the responsibilities for tasks included in the plan.
The performance audit report of an information technology department indicated that the department lacked a disaster recovery plan. Which of the following steps should management take first to correct this condition? Bulletproof the information security architecture. Designate a hot site. Designate a cold site. Prepare a statement of responsibilities for the tasks included in a disaster recovery plan.
Prepare a statement of responsibilities for the tasks included in a disaster recovery plan. This would be a logical first step toward the creation of a disaster recovery plan.
Which of the following is least likely to be an example of accounting work in the AI era? Working with an AI system to harvest and clean data for use in predicting fraud risk. Working on a legacy system, with AI assistance, that is uneconomical to replace with AI technology. Developing an AI system to analyze the risk of investing in the extraction industry. Preparing financial statements for a client.
Preparing financial statements for a client. Correct! Preparing financial statements is a standardized task that is likely to be mostly automated into an AI system.
Which of the following is not a part of the central processing unit? Control unit. Arithmetic unit. Logic unit. Printer unit.
Printer unit. The printer is a separate output device.
Complete the missing words in the following sentence: ____ are actions that implement _____. Policies, control systems Control systems, policies Procedures, policies Policies, procedures
Procedures, policies Correct! This is a true statement. Procedures are actions that implement policies.
A company that sells hand-carved statues from rural Indonesia online is using a ___________ strategy: Digitization Product differentiation Cost leadership Integrated
Product differentiation Correct! This is an example of a product differentiation strategy since competitors are unlikely to be able to sell this same product.
Mars Dreamy Clothing is a retailer with 15 locations. Which cycle is likely of least importance to Mars? Financing General ledger Production Revenue
Production Correct! The production cycle has little relevance to a retail operation because retailers don't have production processes.
Which of the following organizations was established by the Sarbanes-Oxley Act of 2002 to control the auditing profession? Information Systems Audit and Control Foundation (ISACF) IT Governance Institute (ITGI) Public Company Accounting Oversight Board (PCAOB) Committee of Sponsoring Organizations (COSO)
Public Company Accounting Oversight Board (PCAOB) Correct! SOX did create the PCAOB to govern the audit profession.
According to the framework for cybersecurity, protecting and securing the U.S. critical infrastructure requires a partnership between ___________ and __________. ISPs; government Security professionals; the federal government Public entities; private entities Auditors; clients
Public entities; private entities Correct! Public and private entity partnerships are specified as necessary in the framework.
Which of the following is often a contract with a vendor for the purchase of goods? Remittance advice Vendor invoice Packing lists Purchase order
Purchase order Correct! A purchase order is often a contract to purchase goods from a vendor.
When considering disaster recovery, what type of backup facility involves an agreement between two organizations to aid each other in the event of disaster? Cold site. Hot site. Reciprocal agreement. Rollback.
Reciprocal agreement. This answer is correct because a reciprocal agreement involves agreement between two or more organizations to help each other in the event of disaster to one's processing.
Maintaining an inventory of backup files facilitates Inventories of assets. Identifying unrecorded liabilities. Internal and external labeling. Recovery.
Recovery. Correct! An inventory of backup files enables a more rapid recovery process.
James Victor's Snickers Joke House hires illegal workers. Which of the core activities of the HR department should have identified and prevented this violation of law? Complying with laws and regulations. Training and development. Salaries and benefits. Recruiting and hiring employees.
Recruiting and hiring employees. (Correct!) This is the function that should have determined whether the hired workers could legally be employed.
Which of the following is least likely to be considered an advantage of a value-added network (VAN)? Reduce communication and data protocol problems. Increased security. Reduced cost. Partners do not have to establish numerous point-to-point connections.
Reduced cost. This answer is correct since VAN are often costly.
SnowDrift Ski Resorts has many celebrity visitors. At a recent meeting, the CIO presented a plan to ensure the complete privacy of all visitors, including compliance with relevant laws and regulations related to privacy. This plan is likely to also be found in a (an) Use and connection policy. Procurement policy. Values and service culture policy. Regulatory compliance policy.
Regulatory compliance policy. Correct! This policy is a statement of regulatory requirements related to organizational IT systems. It includes consideration of privacy law and regulations.
According to the AICPA ASEC, GAPP are: A type of generally accepted accounting principles. A subelement of information quality. Related to privacy. Generally accepted principles and practices.
Related to privacy. Correct! According to the AICPA ASEC principles, GAPP is a set of criteria to guide best practices related to data privacy.
SQL is most directly related to String question language processing. The "grandfather, father, son" method of record retention. Electronic commerce. Relational databases.
Relational databases. This answer is correct because virtually all relational databases use the SQL computer language.
Which of the following is an inappropriate application of the framework for cybersecurity? Use the framework to help guide the development and implementation of cybersecurity workforce training related to privacy policies and regulations Use the framework to help guide the search for referential sources related to a hospital's need to protect patient health care data. A consortium of small HMOs develops a target cybersecurity profile to guide its members' efforts to create organizationally tailored target profiles. Replace the organization's existing risk management process with that specified in the framework for cybersecurity.
Replace the organization's existing risk management process with that specified in the framework for cybersecurity. Correct! This is an inappropriate application of the framework for cybersecurity, since organizational risk management is a broader process than the risk management process specified in the framework for cybersecurity.
Fictitious customers are an important risk of the General ledger cycle. Revenue cycle. Financing cycle. Expenditure cycle.
Revenue cycle. Correct! Fictitious customers can be, and often are (in frauds), used to overstate revenue and sales.
Winifred, an internal auditor, wants to determine if payroll taxes have been properly withheld and paid. Her best strategy for accomplishing this goal is to Review W-2s. Review Form 941. Review W-4s. Review the cumulative earnings register.
Review Form 941. Correct! Form 941 shows aggregate payroll tax withholdings and payments.
An organization launches a new product and finds the product is performing better than expected and that the volatility of sales is less than expected. Which of the following is the organization most likely to do? Review its internal control procedures. Investigate new technologies to improve product performance. Revise its tolerance and decrease its risk appetite Review its ERM practices.
Review its ERM practices. Correct! The organization should review its ERM practices to better understand why it misestimated the risks related to the new product.
Winifred, an internal auditor, wants to determine if employee pay rates are accurate. Her best strategy for accomplishing this goal is to Review W-2s. Review Form 941. Review W-3s. Review the cumulative earnings register.
Review the cumulative earnings register. Correct! This review will enable Winifred to determine if employee pay rates are accurate. She can evaluate these over time, and across job descriptions and ranks.
Which of the following is least likely to be an example of big data? Dark data. Multifactor identification data. Sales data. Video conferencing data.
Sales data. (Correct!) This is a traditional accounting data source. Therefore, while these data will find their way into a big data pool (eventually), this is the least likely to be an example of big data, from the offered alternatives.
The most important document in the billing process is the Picking ticket. Sales invoice. Packing slip. Bill of lading.
Sales invoice. (Correct!) A sales (or customer) invoice documents a sale and the billing of the customer for the sale.
In which of the following locations should a copy of the accounting system data backup of year-end information be stored? Secure off-site location. Data backup server in the network room. Fireproof cabinet in the data network room. Locked file cabinet in the accounting department.
Secure off-site location. This answer is correct because it is desirable to store the data in a separate secure location to prevent loss from fire or natural disaster.
A manufacturing company discovers that its rollback and retention procedures do not include data from a key system related to production quality. Which of the following IT policies should address this violation? Procurement Service management and operational service problem solving Quality Security
Security Correct! This problem relates to disaster recovery preparation, which is a subcategory of IT security policies.
A hacker breaks into an entity's system but fails to access the information that she seeks. Which of the following statements is correct according to the time-based model of controls? Security procedures are ineffective. Preventive controls failed. Security procedures are ineffective. Detective and corrective controls failed. Security procedures are effective. Preventive controls failed. Security procedures are effective. Detective and corrective controls failed.
Security procedures are effective. Preventive controls failed. Correct! Although preventive controls failed in this case, the detective and corrective procedures prevented a loss. Therefore, security procedures are effective even though preventive controls failed.
Which of the following is not a component in the COSO framework for internal control? Control environment. Segregation of duties. Risk assessment. Monitoring.
Segregation of duties. Segregation of duties is an aspect of control activities, which is the component.
Reggie is the purchasing agent for a wholesale paint store (Ye Ol' Paint Pots) that sells only to large chains. Reggie's cousin, Earl the Earl, owns a small paint store. Reggie arranged for paint to be delivered from paint manufacturers to Earl the Earl's store, thereby allowing Earl the Earl to get the paint at a wholesale (cheaper) price, which violates a policy of Ye Ol' Paint Pots. The control that is most likely to have prevented this violation of policy is: Segregation of the receiving function from the purchasing function Monitoring whether discounts are taken in purchasing Requiring purchasing agents to disclose relationships with vendors and purchases Automated receiving
Segregation of the receiving function from the purchasing function Correct. Segregation of the receiving function from the purchasing function would help prevent the violation because, if all purchase orders had to be checked in by a separate receiving department, we would detect the mis-delivered order.
Management of Warren Company has decided to respond to a particular risk by hedging the risk with futures contracts. This is an example of risk Avoidance. Acceptance. Reduction. Sharing.
Sharing. Hedging involves sharing the risk with another party.
Layton Company has implemented an enterprise risk management system and has responded to a particular risk by purchasing insurance. Such a response is characterized by COSO's Enterprise Risk Management Framework as: Avoidance. Sharing. Acceptance. Reduction.
Sharing. This answer is correct. Sharing involves reducing risk likelihood or impact by transferring or sharing a portion of the risk.
Due to 50% store growth year after year, monitoring internal controls at a national retail chain has come under tremendous pressure. According to COSO, which of the following responses would be appropriate under the circumstances to help restore effective monitoring? Decreasing the size of the corporate internal audit activities. Consolidating the data in the operational reports reviewed by the chief internal auditor. Shifting most of the monitoring responsibility to store managers and district managers. Having all the managers sign the corporate compliance policy on an annual basis.
Shifting most of the monitoring responsibility to store managers and district managers. Correct! Given the growth of stores, moving monitoring responsibility to those who are closer to the actual numbers is an effective action to improve effective monitoring.
Assessments of cyber risk impact: Should assess the timing and duration of impacts and be led by the IT steering committee in consultation with senior managers and IT stakeholders. Should assess the likelihood and severity of impacts and should be led by senior management in consultation with business and IT stakeholders. Should assess the timing and duration of impacts and be led by senior managers in consultation with business and IT stakeholders. Should assess the likelihood and severity of impacts and should be led by the IT steering committee in consultation with senior management and IT stakeholders.
Should assess the likelihood and severity of impacts and should be led by senior management in consultation with business and IT stakeholders. Correct! The initiative should assess likelihood and severity of impact and should be led by senior management in consultation with business and IT stakeholders.
A fire suppression system in a computer facility Is an application control. Should include ceiling water outlets. Should not include halon chemicals. Is no longer needed in most cases.
Should not include halon chemicals. Fire suppression systems in a computer facility should not use halon, because it is an environmental hazard.
What document is useful in determining which employee should be assigned a new job duty? U.S. form 941. Workforce inventory. Skills inventory report. Cumulative earnings register.
Skills inventory report. (Correct!) This report would be helpful in matching employee skills (from the report) to the new job duty.
The widespread adoption of the IoT will: Speed the adoption of automated authentication. Reduce the need for monitoring. Reduce security. Reduce costs.
Speed the adoption of automated authentication. Correct! This is true because, with the widespread data provided by electronic devices, there will be less need for user authentication by password.
Which of the following statements is true regarding small business computing? General IT controls are less important in a small business computing environment. Spreadsheets should be reviewed and tested by an independent third party. The centralized IT department should be the primary source of control. All of the above.
Spreadsheets should be reviewed and tested by an independent third party. This ensures that they operate as expected.
In the COBIT model, __________ is an (are) example(s) of an information criterion while _________ is an example of (an) IT resource(s). Penetration testing results; routers Acquisition and Implementation; a capacitor Standards for user response times, network structure IT staff, computer servers
Standards for user response times, network structure Correct! Standards for user response times is an example of an information criterion related to system availability. The network structure is an example of an IT resource.
Which of the following procedures would an entity most likely include in its disaster recovery plan? Convert all data from EDI format to an internal company format. Maintain a Trojan horse program to prevent illicit activity. Develop an auxiliary power supply to provide uninterrupted electricity. Store duplicate copies of files in a location away from the computer center.
Store duplicate copies of files in a location away from the computer center. Storing duplicate copies of files in a different location will allow recovery of contaminated original files.
AppleNCheese Food Products recently completed a systematic analysis of the political, economic, social, technological, legal, and environmental conditions that it expects in the short and the long term. This analysis most likely occurs as a part of which component in the ERM framework? Governance and Culture Performance Strategy and Objective-Setting Information, Communication, and Reporting
Strategy and Objective-Setting Correct! The listed activities are the analysis of the business context, which occurs in the Strategy and Objective-Setting component of ERM.
Jiffy Grill has an ERP system. It has assigned responsibility for determining who has what access rights within the ERP system. Based on this, to whom is it most likely that Jiffy Grill has assigned this responsibility? Internal auditors. Other personnel. Management Support functions
Support functions (Correct!) This answer is correct because support functions are mostly likely to have responsibility for determining system access.
Jody's Hardware Store developed a new module for the accounting system to monitor and forecast contractor purchases by vendor month. The old system was manual. The most important risk related to the new system is Idiosyncratic processing errors. Systematic processing errors. Automated processing of transactions. Computer-initiated transactions.
Systematic processing errors. Correct! Systematic processing errors are an important risk of a new system.
Which of the following employees normally would be assigned the operating responsibility for designing a computer installation, including flowcharts of data processing routines? Computer programmer. Data processing manager. Systems analyst. Internal auditor.
Systems analyst. This answer is correct because the systems analyst is responsible for designing the computer system, including the goals of the system and means of achieving those goals, based upon the nature of the business and its information needs. The systems analyst also must outline the data processing system for the computer programmer with system flowcharts.
The most appropriate data-gathering techniques for a system survey include interviews, quick questionnaires, observations, and Prototypes. Systems documentation. PERT charts. Gantt charts.
Systems documentation. Correct! Creating system documentation would be an appropriate data-gathering technique for a system survey.
Rose and McMullin, a regional public accounting firm, has recently accepted a contract to audit On-the-Spot, Inc., a mobile vending service that provides vending machines for large events. On-the-Spot uses a computerized accounting system, portions of which were developed internally to integrate with a standard financial reporting system that was purchased from a consultant. What type of documentation will be most useful to Rose and McMullin in determining how the system as a whole is constructed? Operator documentation. Program documentation. Systems documentation. User documentation.
Systems documentation. Systems documentation provides an overview of the program and data files, processing logic, and interactions with each of the other programs and systems and is appropriate for the auditor to use as a means of gaining familiarity with the system.
The data control protocol used to control transmissions on the Internet is CSMA-CD TCP/IP ISP HTML
TCP/IP Transmission control protocol/Internet protocol (TCP/IP) is the protocol used by the Internet.
Management of Johnson Company is considering implementing technology to improve the monitoring of internal control. Which of the following best describes how technology may be effective at improving internal control monitoring? Technology can identify conditions and circumstances that indicate that controls have failed or risks are present. Technology can ensure that items are processed accurately. Technology can provide information more quickly. Technology can control access to terminals and data.
Technology can identify conditions and circumstances that indicate that controls have failed or risks are present. (Correct!) This answer is correct because monitoring involves collecting information to determine that controls are working.
Morgan Property Management, Inc. recently switched from a manual accounting system to a computerized accounting system. The system supports online real-time processing in a networked environment, and six employees have been granted access to various parts of the system in order to perform their jobs. Relative to the manual system, Morgan can expect to see That functions that had previously been spread across multiple employees have been combined. An increase in the incidence of clerical errors. A decrease in the incidence of systemic errors. A decrease in the need for access controls to the accounting records.
That functions that had previously been spread across multiple employees have been combined. It is common for computerized systems to combine functions that would be considered incompatible in a manual system (for example, in computerized systems, a single employee is often responsible for creating the deposit and posting the transactions to the cash receipts journal, the accounts receivable sub ledger, and the general ledger). This can occur because the system limits the transactions that it is possible for the employee to record, creating a compensating control.
The following statement is adapted from the annual report of a large corporation: "Overall responsibility for overseeing the management of risks, compliance with our risk management framework and risk appetite lies with _______." The CEO The board of directors Management The risk management team
The board of directors Correct! The ultimate responsibility for these ERM components rests with the board of directors.
Which of the following internal control components includes the factor of management's philosophy and operating style? Control activities. The control environment. Risk assessment. Monitoring.
The control environment. This answer is correct. Management's philosophy and operating style is a factor of the control environment.
Adjusting journal entries are often the responsibility of Production managers. The corporate finance officer. The controller. The JE clerk.
The controller. Correct! Adjusting entries are usually posted by the controller in the general ledger cycle.
Harold is a sales person at a jeweler. His friend Robert wants to buy a ring for his fiancée. Who should establish the credit limit for Robert's purchase? Harold. The credit manager. The sales manager. Any of the above.
The credit manager. Correct. Allowing the credit manager to set the credit limit is most likely to result in following organizational policy related to the setting of customer credit limits.
The Buy N Large Company is a diversified, multinational consumer and wholesale products company. Which of the following is least likely to be a consideration in defining the company's risk appetite related to sustainability and climate change risk? The resources (e.g., financial and human) available to manage the risks. The method of communicating the risks to internal stakeholders. The risk profile. The risk capability.
The method of communicating the risks to internal stakeholders. Correct! The method of communicating the risks to internal stakeholders is unlikely to influence the company risk appetite related to sustainability and climate change risk.
A new attack involves hacking into medical records and then offering these records for sale on the black market. A medical records company in Brazil learned of this attack and has built controls into its systems to prevent hackers from accessing its systems. This is an IT application of the COSO principle of _______ and evidences _______ controls. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control; preventive. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. Detective. The organization communicates with external parties regarding matters affecting the functioning of internal control. Detective. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. Preventive.
The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. Preventive. Correct! This statement is accurate. The example illustrates the creation of a control activity to reduce risk. In addition, the example does illustrate a preventive control.
Securing client/server systems is a complex task because of all of the following factors except: The use of relational databases. The number of access points. Concurrent operation of multiple user sessions. Widespread data access and update capabilities.
The use of relational databases. This answer is correct. Client server implementation does not necessarily use relational databases.
Public company CEOs and CFOs must certify that: They are responsible for establishing and maintaining their firm's internal financial controls. They have hired an excellent auditing firm and have delegated to that firm ultimate responsibility for the accuracy of financial statements. They have taken lie detector tests regarding the accuracy of the financial statements. They are subject to firm codes of ethics policing the accuracy of financial statements.
They are responsible for establishing and maintaining their firm's internal financial controls. Correct! SOX requires the CEO and CFO to certify, among other things, that they are responsible for establishing and maintaining their firm's internal financial controls. But it does not require lie detector tests, or that they promise they have hired an excellent audit firm. Or that they are subject to a code of ethics policing the accuracy of the financial statements.
Compared to batch processing, real-time processing has which of the following advantages? Ease of auditing. Ease of implementation. Timeliness of information. Efficiency of processing.
Timeliness of information. This answer is correct because the major advantage of real-time processing is that information is available immediately.
The general ledger cycle receives _____________ and generates ________________. Transactions, reports Reports, transactions Reports, funds Controls, funds
Transactions, reports Correct! The general ledger cycle receives transactions and generates reports, including financial statements.
In the accounting cycle, closing journal entries: Identify and record all liabilities, revenues, and expenses at the end of the fiscal year. Ensure the matching of revenue and expenses by period. Transfer balances in temporary accounts to retained earnings. Lessen the likelihood of deceptive manual journal entries.
Transfer balances in temporary accounts to retained earnings. (Correct!) This is the purpose of closing journal entries.
The use of a voucher systems helps control Unauthorized payment of invoices. Unauthorized orders of goods The use of unauthorized vendors Underpayments to supplier
Unauthorized payment of invoices. Correct! The primary purpose of a voucher system is to help control unauthorized payment of invoices.
When a client's accounts payable computer system was relocated, the administrator provided support through a dial-up connection to a server. Subsequently, the administrator left the company. No changes were made to the accounts payable system at that time. Which of the following situations represents the greatest security risk? User passwords are not required to be in alphanumeric format. Management procedures for user accounts are not documented. User accounts are not removed upon termination of employees. Security logs are not periodically reviewed for violations.
User accounts are not removed upon termination of employees. This answer is correct. If accounts are removed upon termination, the terminated administrator can no longer have access to the company's systems.
Reggie Sloanback, the operations manager, writes a spreadsheet to keep track of fixed assets at Mason's Masonry and Stoneworks, a manufacturer of stone structures and sculptures. His spreadsheet does not link to the ERP used at Mason's. The most serious internal control concern about this situation is Incompatibility of operating systems. Overcentralization of systems. User-developed systems can create control issues. The use of incompatible devices.
User-developed systems can create control issues. Correct! User-created systems can create multiple control issues. Users often inadequately test and review the systems that they develop.
Which of the following input controls would prevent an incorrect state abbreviation from being accepted as legitimate data? Reasonableness test. Field check. Digit verification check. Validity check.
Validity check. This answer is correct because a validity check involves comparison of input to a list of valid items.
A customer's order was never filled because an order entry clerk transposed the customer identification number while entering the sales transaction into the system. Which of the following controls would most likely have detected the transposition? Sequence test. Completeness test. Validity check. Limit test.
Validity check. This answer is correct because a validity check is a check of an entered number to see if it is in valid form or a valid account number.
Which of the following types of networks is often utilized to process electronic data interchange (EDI) transactions? Wide area network (WAN). Secure electronic transactions (SET) network. Value-added network (VAN). Intranet.
Value-added network (VAN). VANs often provide the additional security and addressing capabilities necessary to process EDI transactions.
Which of the following strategies is important to managing security over mobile systems? Hot sites. BCM. Teleprinters. View-only access.
View-only access. View-only access is a useful control (i.e., restriction) on the ability of mobile devices to make changes in data.
Which of the following is not a risk of e-commerce? System availability. Viral marketing. Nonrepudiation. Failure of trust in trading partners.
Viral marketing. Viral marketing is the use of e-commerce or e-business to increase brand awareness or sales.
Data control language used in a relational database is most likely to include commands used to control The original defining of a database. The maintenance and querying of a database. Which users have various privileges relating to a database. The creation and alteration of tables within a database.
Which users have various privileges relating to a database. This answer is correct because data control language is composed of commands used to control a database, including controlling which users have various privileges (e.g., who is able to read from and write to various portions of the database).
Lott's Pot, Pots, and Pottery, located in Colorado, hosts parties where customers sample high-end cannabis products (by smoking, eating candy, or in aerial diffusers) while making pots and pottery (clever idea, right?). In assessing the company's business strategy, which of the following risks would be least important? Does our business strategy align with our mission? Does our business strategy align with our core values? Do we understand the risks of our strategy? Will we achieve the goals that we have set?
Will we achieve the goals that we have set? Correct! According to COSO, assessing whether the organization will achieve its goals is the least important risk, of those listed, in the assessment of strategy.
Consider the following two items, which are included in a risk report received by the CEO of Kiki's Delivery Service, a global transportation and logistics company. #1: IT reports 17 incidents of denied attempts to access the system. #2: IT analysis indicates a 5% probability of a level 2 system breach within the next 3 months. Item #1 is a __________ while item #2 is a __________. key performance indicator; key risk indicator portfolio view of risk, risk profile view key risk indicator; key performance indicator risk profile view; portfolio view of risk
key performance indicator; key risk indicator Correct! The historical analysis of system breaches is a key performance indicator while the analysis of the likelihood (5% probability) and severity (level 2 breach) of the risk is a key risk indicator.
McDowell's fast food (motto: our hamburger buns got no sticky, icky sesame seeds!) determines that its financial performance for the recently ended year evidences a different risk profile than that which was expected. In response to this finding, the company should: expand its risk tolerance. revise its mission, vision, and core values. review its strategy and business objectives. reassess the costs and benefits of risk analysis.
review its strategy and business objectives. Correct! The company's review of ERM practices needs to focus on understanding why the risk profile differed from the expected risk profile. Reviewing the strategy and business objectives will be helpful to understanding why the risk profile differed from expected.
An auditor was examining a client's network and discovered that the users did not have any password protection. Which of the following would be the best example of the type of network password the users should have? trjunpqs. 34787761. tr34ju78. tR34ju78.
tR34ju78. This answer is correct because good passwords contain a combination of upper- and lowercase letters, numbers, and punctuation symbols. This selection is the best because it contains a combination of numbers and upper- and lowercase letters.
An entity has the following sales orders in a batch: Invoice# Product Quantity Unit Price 101 K 10 50 $ 5.00 102 M 15 100 $10.00 103 P 20 150 $25.00 104 Q 25 200 $30.00 105 T 30 250 $35.00 Which of the following numbers represents the record count? 5 100 105 750
5 This answer is correct because a record count is simply a count of the number of records in a batch.
One of the major problems in a computer system is that incompatible functions may be performed by the same individual. One compensating control for this is use of A tape library. A self-checking digit system. Computer generated hash totals. A computer log.
A computer log. This answer is correct because the use of a computer log will allow a review of an individual's access to the system.
Controls in the information technology area are classified into the categories of preventive, detective, and corrective. Which of the following is a preventive control? Contingency planning. Hash total. Echo check. Access control software.
Access control software. Access control software is a preventive control.
An important benefit of an enterprise risk management system is Alignment of shareholder returns with management returns. Alignment of management risk taking with employee risk appetite. Alignment of management risk taking with shareholder risk appetite. Alignment of management risk taking with creditor risk appetite.
Alignment of management risk taking with shareholder risk appetite. This answer is correct. A major aspect of an enterprise risk management system is the alignment of management risk taking with shareholder risk appetite.
Reconciling the accounts receivable control and subsidiary accounts is useful in ensuring that: All recorded balances are active. All credit sales transactions are recorded. Stockouts are unlikely. Prenumbered shipping documents match sales.
All credit sales transactions are recorded. Correct. Because credit sales should appear in the subsidiary ledger (and obviously, in aggregate, in the control account), this activity will be useful in determining that all credit sales are recorded.
The CPU includes all of the following except ALU. RAM. Control unit. All of the above are part of the CPU.
All of the above are part of the CPU. This is the best answer because ALU, RAM, and the control unit are all considered part of the CPU.
Which of the following is not an advantage of the employment of an enterprise risk management (ERM) system? Helps an organization seize opportunities. Allows an organization to eliminate all risks. Improves the deployment of capital. Reduces operational surprises.
Allows an organization to eliminate all risks. This answer is correct. An ERM system does not eliminate all risks.
Billy Bigswater reviews a listing of each customer and how long each amount owed by a customer has been outstanding. This is most likely An aged trial balance, to determine the age and collectability of accounts receivable. A customer order document, to determine if the correct items were shipped to a customer. A customer invoice, to determine if a customer's bill is correct. A bill of lading, to determine if the correct items were shipped to a customer.
An aged trial balance, to determine the age and collectability of accounts receivable. Correct! This is an accurate description of an aged trial balance and a good reason for reviewing it.
Roger buys seashells from Sally's SeaShore Sales. A more secure way for Roger to access Sally's website is by XBRL. An intranet. The Internet. An extranet.
An extranet. Correct! This is the most secure access means of the available choices.
Which of the following examples is least likely to be related to civil liberty risks? An Internet service provider (ISP) contracts for cloud storage for customer records. An organization decides to reduce its internal audit staff due to budget reductions. A ride-sharing service has no policy on data retention. A hospital's cybersecurity prevents visitors from connecting to their accounts while at the hospital.
An organization decides to reduce its internal audit staff due to budget reductions. Correct! Reducing the internal audit staff has no obvious or known implications for civil liberties.
Which statement is not one of the objectives of internal control as included in the definition of internal control developed by the Committee of Sponsoring Organizations (COSO)? Asset safeguarding. Compliance. Financial reporting. Operations.
Asset safeguarding. This answer is correct. Auditing standards include objectives to provide reasonable assurance regarding the achievement of objectives in three categories: (1) reliability of financial reporting, (2) effectiveness and efficiency of operations, and (3) compliance with applicable laws and regulations.
Leapin' Lizards (LL) reptile trainers is a small but growing organization that trains lizards and chameleons to do tricks and sells the trained lizards to buyers. Combining which of the following functions would represent the least (i.e., smallest) concern for the system of internal control at LL? Authorizing vendor creation, authorizing purchases, and custody of purchased items Granting credit to customers and recording sales Authorizing chameleon purchases and internal audit of receivables Custody of chameleons and recording chameleon purchases, sales, and deaths
Authorizing chameleon purchases and internal audit of receivables Correct! Combining authorization for purchases and internal review of receivables is the least serious threat of the answers listed. This is because purchase responsibilities (e.g., authorization for purchases) occur primarily in the expenditure cycle whereas receivable responsibilities (e.g., reviewing receivables) occur primarily in the sales and revenue cycle. Therefore, the described activities are largely unrelated to one another.
Which of the following best illustrates sales by category using best practices for visualization? Pie chart Packed bubble chart Symbol chart Bar chart
Bar chart Correct! This is the best choice for displaying these data. The data are ordered by size and labeled with percentages of total.
This chart is an example of a: Line chart. Graph line. Scatterplot. Bar chart.
Bar chart. Correct! This bar chart shows the relationship between a category (region) and a variable (business tax rate).
In walking through O'Hare airport in Chicago, you notice a man talking into an ear piece. The communication between the ear piece and the man's cell phone mostly likely uses which transmission media and protocol? Fiber optics. Microwave transmission. Wi-Fi or spread-spectrum radio transmission. Bluetooth.
Bluetooth. Bluetooth is designed for exactly this scenario, i.e., short-range, low power communication, for example, between an ear piece and a cell phone.
Which of the following statements of risk appetite related to factory floor accidents is acceptable? "Low" " < 3 per year" Neither Both "Low" but not " < 3 per year." " < 3 per year" but not "Low."
Both Correct! Yes. Risk appetite may be stated either in words (e.g., "low") or in numbers (" < 3 per year"). Hence, both statements of risk are acceptable.
What is a major disadvantage of using a private key to encrypt data? Both the sender and receiver must have the private key before this encryption method will work. The private key cannot be broken into fragments and distributed to the receiver. The private key is used by the sender for encryption, but not by the receiver for decryption. The private key is used by the receiver for decryption, but not by the sender for encryption.
Both the sender and receiver must have the private key before this encryption method will work. This answer is correct. In order to decrypt a message encrypted via private key encryption (also known as single key encryption), both the sender and the receiver must have access to the key, as a single key is used both to encrypt (run the encryption algorithm "forward") and decrypt (run the encryption algorithm "backward"). This is a disadvantage because the transmission of the key is inherently insecure.
Which of the following statements about business analytics is true? Business analytics is the same as audit analytical procedures. Audit data analytics is restricted to internal auditor use. Business analytics is useful in preventing and detecting fraud. Business analytics primarily consists of giving users access to new data.
Business analytics is useful in preventing and detecting fraud. Correct! Fraud detection and prevention is an important accounting application of business analytics.
The accounting cycle begins by recording _____________ in the form of journal entries. Business transactions. Financial information. Corporate minutes. Business contracts.
Business transactions. (Correct!) The accounting cycle as a sequence of steps begins by recording business transactions.
Which of the following is a primary function of a database management system? Report customization. Capability to create and modify the database. Financial transactions input. Database access authorizations
Capability to create and modify the database. This answer is correct. One of the functions is to create and modify the database.
Rollins Corporation uses batch processing for its accounting system. During a recent monthly payroll processing run, it experienced a power failure that corrupted the payroll database. Which of the following controls will be most useful to the company in recovering from this failure? Batch control totals. Off-site backup files. Checkpoint/restart controls. Hot site.
Checkpoint/restart controls. A checkpoint/restart control would be an appropriate way to reprocess only those transactions that took place after the last valid run.
To maintain effective segregation of duties within the information technology function, an application programmer should have which of the following responsibilities? Modify and adapt operating system software. Correct detected data entry errors for the cash disbursement system. Code approved changes to a payroll program. Maintain custody of the billing program code and its documentation.
Code approved changes to a payroll program. This answer is correct. An appropriate function for an application programmer includes making code approved changes to a payroll program.
A controller is developing a disaster recovery plan for a corporation's computer systems. In the event of a disaster that makes the company's facilities unusable, the controller has arranged for the use of an alternate location and the delivery of duplicate computer hardware to this alternate location. Which of the following recovery plans would best describe this arrangement? Hot site. Cold site. Back-up site procedures. Hot spare site agreement.
Cold site. In a cold site approach to disaster recovery, hardware and records are delivered after the occurrence of a disaster. This approach is less expensive, but more risky than a hot site approach.
Which of the following is not a limitation of an enterprise risk management system? Risk relates to the future that is uncertain. Collusion among two or more individuals can result in enterprise risk management failure. Companies cannot avoid risk. Enterprise risk management is subject to management override.
Companies cannot avoid risk. This answer is correct. This is a fact that results in the need to have enterprise risk management.
Which of the following is an example of a detective control? Use of pre-formatted screens for data entry. Comparison of data entry totals to batch control totals. Restricting access to the computer operations center to data-processing staff only. Employing a file librarian to maintain custody of the program and data files.
Comparison of data entry totals to batch control totals. Reconciliation of data entry totals with batch control totals will detect errors made by the data entry clerks.
The use of a header label in conjunction with magnetic tape is most likely to prevent errors by the Computer operator. Keypunch operator. Computer programmer. Maintenance technician.
Computer operator. This answer is correct because the use of a header label allows the computer operator to determine whether the correct file has been selected for processing. Therefore, header labels will most likely prevent errors by the computer operator who mounts the magnetic tapes on the tape drives.
When erroneous data are detected by computer program controls, such data may be excluded from processing and printed on an error report. The error report should most probably be reviewed and followed up by the Supervisor of computer operations. Systems analyst. Control group. Computer programmer.
Control group. This answer is correct because the control group is responsible for providing a continuous review function by supervising and monitoring input, operations, and the distribution of output (i.e., a continuous internal audit function).
Which of the following is not a control environment principle? Commitment to integrity and ethical values. Board of directors or audit committee independence and oversight. Competence. Control monitoring.
Control monitoring. Control monitoring is a separate component of internal control.
In a system with strong controls, information requirements are linked to _______ and ______. Patch controls; reticulating splines Likelihood; damages Controls; risks Exploits; outsourcing
Controls; risks Correct! Information requirements of organizational systems should be linked to internal control and relevant risks, including cyber risks.
The position responsible for managing the flow of documents and reports in and out of the computer operations department is the Data entry clerk. Computer operator. Data control clerk. File librarian.
Data control clerk. The data control clerk controls the flow of all documents into and out of computer operations.
An overall description of a database, including the names of data elements, their characteristics, and their relationship to one another, would be defined by using a Data definition language. Data control language. Data manipulation language. Data command interpreter language.
Data definition language. This answer is correct. The data definition language defines the database structure and content, especially the schema and subschema descriptions, including the names of the data elements contained in the database and their relationship to each other.
Walmart analyzes point-of-sale data to determine sales trends, develop marketing campaigns, and predict customer loyalty. Walmart is engaged in _____________ using __________. Online marketing; social media data Industrial espionage; internal data Data mining; big data Audit analytics; a database
Data mining; big data Correct! This is an example of using data mining with big data.
A computer input control is designed to ensure that Machine processing is accurate. Only authorized personnel have access to the computer area. Data received for processing are properly authorized and converted to machine-readable form. Computer processing has been performed as intended for the particular application.
Data received for processing are properly authorized and converted to machine-readable form. This answer is correct because input controls are designed to provide reasonable assurance that data received for processing by computer have been properly authorized, converted into machine sensible form and identified, and have not been lost, suppressed, added, duplicated, or otherwise improperly changed.
Which of the following is not an advantage of decentralized/distributed systems? Decentralized/distributed systems are more responsive to the needs of the end user. Data transmission costs are greatly reduced. Input/output bottlenecks associated with high traffic periods are largely avoided. Data security is enhanced.
Data security is enhanced. Because data processing in decentralized/distributed systems is carried out at multiple locations instead of a single, centralized location, these systems are inherently less secure than centralized systems.
Peetie's Pet Care has a system that examines large data sets to determine patterns in clients' use of its facilities. This is most likely an example of: Operational systems. Management information systems (MISs). Data-driven DSSs. Model-driven DSS.
Data-driven DSSs. (Correct!) This is a data-drive DSS that is engaging in data mining.
The ability to add or update documentation items in data dictionaries should be restricted to Database administrators. System programmers. System librarians. Application programmers.
Database administrators. This answer is correct. Access must be controlled to ensure integrity of documentation although "read" access should be provided to other parties as it is important for applications development and maintenance.
Which of the following components of a database is responsible for maintaining the referential integrity of the data in the system? Database management system (DBMS) Data query language (DQL). Data manipulation language (DML). Data definition language (DDL).
Database management system (DBMS) The database management system (DBMS) controls the storage and retrieval of the information maintained in a database and is responsible for maintaining the referential integrity of the data.
In a cyber-incident response plan, removal of the threat comes before Decision and action regarding event announcement or secrecy. Triage. Severity classification. Event logging.
Decision and action regarding event announcement or secrecy. Correct! This comes after removal of the threat.
COSO's enterprise risk management framework encompasses each of the following, except Enhancing risk response decisions. Decreasing inherent risk appetite. Improving deployment of capital. Seizing opportunities.
Decreasing inherent risk appetite. Correct! COSO's enterprise risk management framework does not include a goal of decreasing inherent risk appetite. Instead, the organization's realized risk is assessed compared to its desired risk appetite.
Internal auditors at Henry Flower's Flower shop are undertaking a comprehensive review of outsourcing contracts and policies as part of improving service quality. In the COBIT model, this is best classified as an example of Planning and Organization. Acquisition and Implementation. Delivery and Support. Monitoring
Delivery and Support. Correct! The task of reviewing outsourcing contracts is a part of assessing how to best deliver required IT services including operations, security, and training.
Most client/server applications operate on a three-tiered architecture consisting of which of the following layers? Desktop client, application, and database. Desktop client, software, and hardware. Desktop server, application, and database. Desktop server, software, and hardware.
Desktop client, application, and database. This answer is correct because the layers consist of the desktop client, an application server, and a database server.
Which of the following tasks comes first in business continuity management (BCM)? Embed the BCM in the culture. Determine business continuity strategies. Exercise, maintain, and review the plan. Develop and implement a BCM response
Determine business continuity strategies. Determine business continuity strategies is the third step in BCM but it is the earliest procedure listed for this question.
Which of the following provides the most reliable form of electronic authentication? Digital signature. Symmetric encryption. Asymmetric encryption. Digital certificate.
Digital certificate. When a digital certificate is requested, an independent background check is completed to confirm the identity of the requesting entity. Thus, a digital certificate provides a higher level of reliability than a digital signature.
Which of the following can be used to authenticate messages transmitted in a networked environment? Public/private key encryption. Digital signature. One-time password. Mathematical message digest.
Digital signature. A digital signature uses public/private key encryption technology to provide a means of authenticating messages delivered in a networked environment.
Which of the following conversion strategies is characterized by a manager removing the old system and installing the new system without the possibility of reverting to the original? Direct changeover Phased implementation Parallel conversion Integrated test facility
Direct changeover Correct! A direct changeover involves implementation of a new system without the possibility of reverting to the old system. It is often a risky strategy.
Robert the Grievous is reading an online summary production cost report and wants to know why the cost of sprockets, used in constructing orbital sanders, is so high. Robert most likely needs to: Data mine. Drill down. Slice and dice. Use the OLAP system.
Drill down. (Correct!) He needs to move from summary to detailed information to determine its cause.
The definition of internal control developed by the Committee of Sponsoring Organizations (COSO) in the professional standards includes the reliability of financial reporting, compliance with applicable laws and Effectiveness and efficiency of operations. Effectiveness of prevention of fraudulent occurrences. Incorporation of ethical business practice standards. Safeguarding of entity assets.
Effectiveness and efficiency of operations. This answer is correct. The requirement is to identify the reply, which is part of the definition of internal control developed by the Committee of Sponsoring Organizations (COSO). COSO defines internal control as a process—effected by an entity's board of directors, management, and other personnel—designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (1) reliability of financial reporting, (2) effectiveness and efficiency of operations, and (3) compliance with applicable laws and regulations.
Companies now can use electronic transfers to conduct regular business transactions. Which of the following terms best describes a system where an agreement is made between two or more parties to electronically transfer purchase orders, sales orders, invoices, and/or other financial documents? Electronic mail (e-mail). Electronic funds transfer (EFT). Electronic data interchange (EDI). Electronic data processing (EDP).
Electronic data interchange (EDI). This answer is correct. Electronic data interchange refers to the electronic transfer of documents between businesses.
Which of the following statements is false (untrue) regarding data analytics, data mining, and risk assessment? Emerging data analytic methods are unhelpful to risk assessment. Emerging data mining methods can help detect previously hidden relationships. Data analytic methods can help evaluate assumptions found in an organization's strategy Key risk indicators can be used to identify risk changes.
Emerging data analytic methods are unhelpful to risk assessment. Correct! This statement is false, and therefore it is the correct answer. In fact, many emerging data analytic methods are critical to risk assessment (e.g., data mining, data visualization, heat mapping, sentiment analysis).
Max's Hardware Boutique is considering using a CSP. Max should request all of the information below about the CSP except References from other CSP users. Privacy compliance policies. Employee salary information. Network infrastructure and load reports.
Employee salary information. Correct! This would be unusual information to request from a CSP. It is unclear what value this information would provide.
A client that recently installed a new accounts payable system assigned employees a user identification code (UIC) and a separate password. Each UIC is a person's name, and the individual's password is the same as the UIC. Users are not required to change their passwords at initial log-in nor do passwords ever expire. Which of the following statements does not reflect a limitation of the client's computer-access control? Employees can easily guess fellow employees' passwords. Employees are not required to change passwords. Employees can circumvent procedures to segregate duties. Employees are not required to take regular vacations.
Employees are not required to take regular vacations. This answer is correct because the information provided includes no information addressing regular vacations.
According to COSO, the presence of a written code of conduct provides for a control environment that can Override an entity's history and culture. Encourage teamwork in the pursuit of an entity's objectives. Ensure that competent evaluators are implementing and monitoring internal controls. Verify that information systems are providing persuasive evidence of the effectiveness of internal controls.
Encourage teamwork in the pursuit of an entity's objectives. Correct! A code of conduct helps facilitate shared goals and encourages teamwork.
Which of the following would provide the most security for sensitive data stored on a personal computer? Using a secure screen saver program. Using an eight-bit encoding scheme for hardware interfaces. Encrypting data files on the computer. Using a conventional file structure scheme.
Encrypting data files on the computer. This answer is correct because encryption involves coding of the data files and, accordingly, encrypted sensitive data provides security because the files cannot be read by those without knowledge of the encryption code.
Which of the following statements is correct concerning the security of messages in an electronic data interchange (EDI) system? Removable drives that can be locked up at night provide adequate security when the confidentiality of data is the primary risk. Message authentication in EDI systems performs the same function as segregation of duties in other information systems. Encryption performed by a physically secure hardware device is more secure than encryption performed by software. Security at the transaction phase in EDI systems is not necessary because problems at that level will be identified by the service provider.
Encryption performed by a physically secure hardware device is more secure than encryption performed by software. This answer is correct. Encryption can be used to ensure the privacy and security of EDI messages both during transmission and when stored. Hardware-based encryption is inherently more secure than software-based encryption, as software can be more easily accessed and altered than hardware.
During the process of electronically transmitting data, which of the following IT controls would provide the most assurance that unauthorized disclosure of sensitive information would be prevented? Encryption. Restricted access. A strongly worded confidentiality warning. Separate transmission of the data file and its password.
Encryption. Correct! Encryption can provide privacy (protection of data against unauthorized access) and authentication (user identification). It can protect data that is stored (i.e., data at rest) or transmitted (i.e., data in motion) and verify data authenticity.
Checkpoint auto leasing is a small company with six employees. The best action that it can take to increase its internal control effectiveness is Hire temporary employees to aid in the segregation of duties. Hire a bookkeeper to perform monthly "write up" work. Clearly delegate responsibilities to each employee for the functions that they are assigned. Engage the owner in direct participation in the activities, including financial record-keeping, of the business.
Engage the owner in direct participation in the activities, including financial record-keeping, of the business. This is the best answer since engaging the owner in the activities of the business is an important compensating control in small organizations.
Each of the following would help prevent incorrect postings to the general ledger in a computerized accounting system, except Validating the posting date of the transaction. Restricting the ability to post directly to accounts with subsidiary ledgers. Performing a range check on the general ledger account in the transaction. Establishing a unique transaction number for each general ledger posting.
Establishing a unique transaction number for each general ledger posting. Correct! Although there are cases in which transaction numbers might be useful (e.g., identifying duplicate transactions), many accounting systems do not include transaction numbers for general ledger postings.
Business transformation through blockchain is likely to occur __________________ and requires ___________ adoption. Quickly; supplier Eventually; widespread Eventually; supplier Quickly; widespread
Eventually; widespread Correct! Blockchain requires widespread user adoption; business transformation cannot occur until there is sufficient adoption among users. Therefore, blockchain transformation will likely not occur quickly.
Which of the following technologies is specifically designed to exchange financial information over the World Wide Web? Hypertext markup language (HTML). Extensible business reporting language (XBRL). Hypertext transfer protocol (HTTP). Transmission control program/Internet protocol (TCP/IP).
Extensible business reporting language (XBRL). XBRL is specifically designed to exchange financial information over the World Wide Web.
Which of the following is not a limitation of internal control? Human judgment in decision making may be faulty. External forces may attack the system. Management may override internal control. Controls may be circumvented by collusion.
External forces may attack the system. (Correct!) This answer is the best answer because this is a business risk; it is not a limitation of internal control.
Which of the following statements is false (i.e., untrue)? External parties can help prioritize resources to prevent and manage cyber risks. External parties should always be informed about cyber incidents. External, financial statement auditors are unavailable as consultants related to cyber risks. External communication about cyber security may be relevant to financial analysts.
External parties should always be informed about cyber incidents. Correct! This is a false statement. Communication about cyber incidents to external parties should be selective and appropriate to their roles. For example, few banks publicly announce when they have lost money in a theft or cyber-hack.
Kentucky Fried Opossums reports annually on its environmental impact to the Commonwealth of Kentucky. This is an example of: Internal, financial reporting. Internal, nonfinancial reporting. External, financial reporting External, nonfinancial reporting
External, nonfinancial reporting (Correct!) This answer is correct because this is an external report, and it is nonfinancial. (Environmental impact is not in currency.)
Which of the following correctly identifies ETL? Educate, transform, listen. E-business, transaction, ledger. Extract, transform, load. Environmental translation ledger.
Extract, transform, load. Correct! The ETL process consists of extracting, transforming, and loading data.
Spirit Line Beverages sponsors a contest for its programmers with prizes for the winning teams. This is an example of ______________ that is intended to __________________. Online marketing; build social media data Industrial espionage; build internal data Data mining; use big data Gamification; build motivation and team rapport
Gamification; build motivation and team rapport Correct! This is an example of gamification that is intended to motivate participants.
Consider the following statements: I. LANs use dedicated lines. II. WANs use dedicated lines. Both I and II are true. I is true, but II is not. II is true, but I is not. Neither I nor II is true.
I is true, but II is not. LANs use dedicated lines, but WANs use public or shared lines. Hence, I is true, but II is not.
Which of the following is true about denial-of-service attacks? I. A denial-of-service attack takes advantage of a network communications protocol to tie up the server's communication ports so that legitimate users cannot gain access to the server. II. If the denial-of-service attack is successful, the attacker can gain access to unprotected resources on the server. I only. II only. Both I and II. Neither I nor II.
I only. A denial-of-service attack prevents legitimate users from accessing the system by flooding the server with hundreds of incomplete access requests. The object of the attack is to prevent access to the system: the attacker does not actually gain access to information on the system.
Which of the following is true of enterprise resource planning (ERP) systems? I. The online analytical processing system (OLAP) provides data warehouse capabilities for the ERP system. II. The ability of an ERP system to provide an integrated view of transactions in all parts of the system is a function of the online transaction processing (OLTP) system. I only. II only. Both I and II. Neither I nor II.
I only. The online analytical processing system (OLAP) incorporates data warehouse and data mining capabilities within the ERP. The online transaction processing system (OLTP) records the day-to-day operational transactions and enhances the visibility of these transactions throughout the system. It is primarily the OLAP and not the OLTP, that provides an integrated view of transactions in all parts of the system. The OLTP is primary concerned with collecting data (and not analyzing it) across the organization
Which of the following procedures would enhance the control of a computer operations department? I. Periodic rotation of operators. II. Mandatory vacations. III. Controlled access to the facility. IV. Segregation of personnel who are responsible for controlling input and output. I, II. I, II, III. III, IV. I, II, III, IV.
I, II, III, IV. This answer is correct. All of the above practices are effective control measures. Periodic rotation and mandatory vacations provide other personnel with the ability to detect operator problems. Controlled access and segregation of duties allow for the separation of incompatible functions.
Which of the following is true of batch processing? I. In batch processing, data is captured in a transaction file as transactions occur. II. Periodically (once a day, once a week, etc.), the group of transactions in the transaction file are edited, sorted, and then the transactions are used to update the master file. I only. II only. Both I and II. Neither I nor II.
II only. In batch processing, transactions are first gathered together in a group and then keyed into a transaction file. Periodically, the transaction file is edited, sorted, and then the transactions are used to update the master file.
Which of the following statements is (are) true. I. A greater level of control is necessary in automated than manual systems. II. The uniformity of transaction processing is higher in automated than manual systems. Both I and II. I only. II only. Neither I or II.
II only. Statement II is correct. Automated transaction processing results in a greater uniformity of transactions.
Which of the following is least likely to be a benefit of a big data initiative? IT cost savings. Targeted marketing. Improved system monitoring. Better compliance.
IT cost savings. (Correct!) Big data projects are likely to be expensive. Therefore, IT cost savings from big data are unlikely.
Control Objectives for Information and Related Technology (COBIT) provides a framework for Internet-based systems. IT governance and management of enterprise IT. Auditing IT Systems. The implementation for new technology.
IT governance and management of enterprise IT. This answer is correct. COBIT provides a framework for IT governance and management of enterprise IT.
What is an example of the use of the cloud to access hardware? IaaS PaaS SAP ERP
IaaS IaaS is the use of the cloud to access virtual hardware.
Which of the following procedures should be included in the disaster recovery plan for an Information Technology department? Replacement of personal computers for user departments. Identification of critical applications. Physical security of warehouse facilities. Cross-training of operating personnel.
Identification of critical applications. This answer is correct because a disaster recovery plan must identify the critical applications.
Which of the following is not a principle related to the component of the control environment? Demonstrate a commitment to integrity and ethical values. Demonstrate a commitment to attract, develop and retain competent individuals. Identify and assess changes that could significantly impact the system of internal control. Hold individuals accountable for their internal control responsibilities.
Identify and assess changes that could significantly impact the system of internal control. To identify and assess changes that could significantly impact the system of internal control is a principle of the risk assessment component.
In which of the following stages of computer system development would training occur? Planning phase. Analysis phase. Design phase. Implementation phase.
Implementation phase. Note: Most systems' life cycle descriptions call this phase the installation and operation phase. During this phase, the users are trained on the new system, the data is converted from the old system to the new system, and the system is moved from the program development area to the production library.
An accountant at Holly Golightly Tattoos builds a spreadsheet to manage the customer database. Because of the rapid growth of the business, the spreadsheet quickly becomes unmanageably complex. This problem illustrates which of the following issues? Inadequate scope and scalability Lack of strategic focus Lack of strategic investment Digitization
Inadequate scope and scalability Correct! Inadequate scope and scalability is an example of creating a system that is too small for a much larger problem. The spreadsheet in this case was an inadequate tool for addressing a much larger problem (i.e., customer relationship management).
Audit committee members of issuers are required, under the Sarbanes-Oxley Act of 2002, to maintain which of the following traits? Integrity. Diligence. Independence. Proficiency.
Independence. Correct! SOX requires audit committee members to be independent of the firm.
According to the AICPA ASEC, the requirement of notice related to privacy states: Individuals must receive informed consent before participating in research. Individuals must receive informed consent regarding the availability of systems operations. A subelement of information quality. Individuals must be told about privacy policies including why information is collected, used, retained, and disclosed.
Individuals must be told about privacy policies including why information is collected, used, retained, and disclosed. Correct! According to the AICPA ASEC principles, the principles of notice require the above-described actions.
Which of the following factors is not included in the control environment component of internal control? Commitment to competence. Organizational structure. Integrity and ethical values. Information and communication.
Information and communication. This answer is correct. Information and communication is a separate component of internal control.
In a large public corporation, evaluating internal control procedures should be the responsibility of Accounting management staff who report to the CFO. Internal audit staff who report to the board of directors. Operations management staff who report to the chief operations officer. Security management staff who report to the chief facilities officer.
Internal audit staff who report to the board of directors. The key to recognizing the correctness of this answer is that the question asks who should engage in "evaluating" internal control procedures (not design or implement control procedures). Among the offered choices, an independent internal audit staff, i.e., who report to the board of directors or an audit committee, but not the CFO, are best qualified to monitor and evaluate internal control procedures.
The primary target audience of COBIT includes ___________ while the primary target audience of COSO includes __________________. Internal auditors; external auditors Board of directors; management Board of directors; external auditors Management; internal auditors
Internal auditors; external auditors Correct! This is a true statement. Internal and external auditors are part of the target audience for both statements. However, COBIT is primarily focused on internal organizational IT processes, and therefore includes internal auditors as a primary focus. In contrast, COSO is primarily focus on external processes, and therefore includes a primary focus on external auditors.
According to COSO, which of the following components of enterprise risk management addresses an entity's integrity and ethical values? Information and communication. Internal environment. Risk assessment. Control activities.
Internal environment. Integrity and ethical values are part of the internal environment.
The machine language for a specific computer May be changed by the programmer. Is the same as all the other computer languages. Is determined by the engineers who designed the computer. Is always alphabetic.
Is determined by the engineers who designed the computer. This answer is correct because the machine language must be designed for the specific computer and, therefore, is determined by the engineers who design the computer.
Which of the following is the primary advantage of using a value-added network (VAN)? It provides confidentiality for data transmitted over the Internet. It provides increased security for data transmissions. It is more cost effective for the company than transmitting data over the Internet. It enables the company to obtain trend information on data transmissions.
It provides increased security for data transmissions. This is the best answer because increased security is a common motivation for the use of a value-added network.
According to the COSO ERM framework, which of the following is least likely to impede the independence of a board member? Jane was a partner at the accounting firm that conducted the organization's financial statement audit five years ago but has no existing business or contractual relationships with the entity or its key stakeholders currently. June has a material consulting contract with the organization related to facilitating marketing and sales promotion. Laura is a board member of the organization's major competitor. Megan has served on the board for 15 years.
Jane was a partner at the accounting firm that conducted the organization's financial statement audit five years ago but has no existing business or contractual relationships with the entity or its key stakeholders currently. Correct! The COSO ERM framework does not list former financial statement auditors as having a potential independence impediment regarding board membership. In addition, the absence of a current business or contractual relationship (as is the case here) is a consideration for a board member's independence. Hence, Jane's independence is not impaired, according to the COSO ERM framework.
A tire company has created a dashboard to evaluate the following measures: Customer Lifetime Value (CLV) (i.e., the value realized to the company from each customer), Customer Acquisition Cost (CAC) (costs of acquiring each customer), Customer Satisfaction & Retention, and the number of new and existing customers. Which of the following best describes this initiative: Prescriptive analytics KPIs Predictive analytics Audit data analytics
KPIs Correct! The company is identifying its most critical measures of customers as a part of managing these measures.
A small accounting firm buys SaaS from a third-party CSP. As a part of this process, the accounting firm regularly requests and receives data about the system's performance of the CSP. This is an example of managing which of the following cloud-computing risks? Unauthorized cloud activity Lack of CSP transparency Cyber attack Disaster recovery
Lack of CSP transparency Correct! This is an example of requiring information from the CSP to ensure transparency.
Gus McCrae, an accountant at Lonesome Dove Cattle Ranch, builds a spreadsheet to track cow movements between locations. However, there are so few movements of cattle between locations that the spreadsheet is unhelpful. This problem illustrates which of the following issues? Inadequate scope and scalability Lack of strategic focus Lack of strategic engagement Digitization
Lack of strategic focus Correct! This spreadsheet was not needed and should not have been created.
A distributed processing environment would be most beneficial in which of the following situations? Large volumes of data are generated at many locations and fast access is required. Large volumes of data are generated centrally and fast access is not required. Small volumes of data are generated at many locations, fast access is required, and summaries of the data are needed promptly at a central site. Small volumes of data are generated centrally, fast access is required, and summaries are needed monthly at many locations.
Large volumes of data are generated at many locations and fast access is required. This answer is correct because a distributed data processing system is useful when processing is done in multiple locations. It enables processing of a large volume of transactions and fast access to data.
After journal entries are recorded, they are posted to: General journals. Ledger accounts. Income statement. Expense reports.
Ledger accounts. (Correct!) Journal entries are first recorded in general journals. Then they are posted to ledger accounts.
The state of emerging online payment systems is: Increasing reliance on financial institutions. Improved security. Improved privacy. Lower costs to sellers.
Lower costs to sellers. Correct! This statement is true.
Which of the following constitutes a weakness in the internal control of a computer system? One generation of backup files is stored in an off-premises location. Machine operators distribute error messages to the control group. Machine operators do not have access to the complete systems manual. Machine operators are supervised by the programmer.
Machine operators are supervised by the programmer. This answer is correct because machine operators should not be supervised by the programmer. Good internal control in a computer system requires that operators, programmers, and the library function be segregated.
In a computer-based system, the equivalent of a subsidiary ledger is a Transaction file. Archive file. Master file. Reference file.
Master file. A master file holds account and account balance information and is roughly equivalent to a ledger (or subsidiary ledger) in a manual system.
Which of the following is not a type of control under the control activity component of the COSO framework for internal control? Supervisory controls. Physical controls. Monitoring controls. Verifications.
Monitoring controls. Monitoring is a separate component of internal control.
Which of the following components of internal control are characterized by ongoing activities and separate evaluations? The control environment. Risk assessment. Monitoring. Information and communication.
Monitoring. This answer is correct. Monitoring is characterized by ongoing activities and separate evaluations.
Which of the following is most likely to be linked to a bar-coding or RFID system that scans parts? Parallel simulation Cost driver Move ticket Operations list
Move ticket Correct! Move tickets are likely to be linked to an automated system that scans parts. In fact, the move ticket itself is increasingly likely to be an electronic, not a physical, "document."
Acme Corp. uses data on the strength of a user's touch on a keyboard to partially authenticate users. This is an example of: Big data. Biometrics. Multifactor authentication. Integrated authentication.
Multifactor authentication. Correct! Why? Because the system will not use only the user's touch on keyboard, it will also use other authentication metrics (notice the "partially" in the sentence above).
A data analyst at Hubert Humbert Fashion Designers is using a component of its organization-wide ERP system to analyze customer sales to determine the optimal opening and closing times for its retail stores. The analyst is most likely using the _________ component of the system. CRM OLAP OLTP Supply chain management
OLAP Correct! This is an example of a data mining application within an online analytical processing (OLAP) system.
An accountant at Hubert Humbert Fashion Designers is using a component of its organization-wide ERP system to prepare a payroll tax return. The accountant is most likely using the _________ component of the system. CRM OLAP OLTP Supply chain management
OLTP Correct! The preparation of a simple payroll report is an application of an online transaction processing (OLTP) system.
First Federal S&L has an online real-time system, with terminals installed in all of its branches. This system will not accept a customer's cash withdrawal instructions in excess of $1,000 without the use of a "terminal audit key." After the transaction is authorized by a supervisor, the bank teller then processes the transaction with the audit key. This control can be strengthened by Online recording of the transaction on an audit override sheet. Increasing the dollar amount to $1,500. Requiring manual, rather than online, recording of all such transactions. Using parallel simulation.
Online recording of the transaction on an audit override sheet. This answer is correct because documentation of all situations in which the "terminal audit key" has been used will improve the audit trail.
HMDs: Are fully immersive. Include three optical displays. Partly result from the IoT. Depend on an unoccluded field of vision.
Partly result from the IoT. Correct? HMDs attach sensors to glasses or helmets and are therefore a type of IoT device.
Mobile devices that connect to important organizational systems should be Reticulated. Allowed. Banned. Password protected with strong passwords or multifactor authentication.
Password protected with strong passwords or multifactor authentication. Correct! If mobile devices are allowed on the system, they must be protected either by strong passwords or multifactor authentication. This is a basic cybersecurity requirement that should be present in any organization.
The Resource Development Company mines for rare earth minerals in developing countries. The company is currently assessing aspects of risk to determine which risks are most and least important. This analysis most likely occurs as a part of which component in the ERM framework? Governance and Culture Performance Strategy and Objective-Setting Information, Communication, and Reporting
Performance Correct! The listed activity concerns risk prioritization, which occurs in the performance component of ERM, not in the governance and culture component. This component is concerned with risk identification and assessment, which helps an organization achieve its strategy and business objectives.
An organization relied heavily on e-commerce for its transactions. Evidence of the organization's security awareness manual would be an example of which of the following types of controls? Preventive. Detective. Corrective. Compliance.
Preventive. This answer is correct because the use of such a manual is designed to prevent breaches of security.
Which of the following can be discovered using a data-mining process? Data structure. Previously unknown information. Artificial intelligence. Standard query reporting.
Previously unknown information. Correct! The purpose of data mining is to discover new insights and relationships. For example, data mining can be useful in determining what is likely to occur in the future.
_____ concerns the completeness, validity, accuracy, timeliness, and authorization of system process. Quality Processing integrity Privacy Access
Processing integrity Correct! According to the AICPA ASEC principles, this is the definition of processing integrity.
An employee mistakenly enters April 31 in the date field. Which of the following programmed edit checks offers the best solution for detecting this error? Online prompting. Mathematical accuracy. Preformatted screen. Reasonableness.
Reasonableness. April has only 30 days. The reasonableness test will catch this error.
An employee mistakenly enters April 31 in the date field. Which of the following programmed edit checks offers the best solution for detecting this error? Online prompting. Mathematical accuracy. Preformatted screen. Reasonableness.
Reasonableness. This answer is correct. A reasonableness test would not allow an invalid date to be accepted.
Requiring direct deposits instead of paying employees by checks improves accounting controls by: Separating duties in cash receipts. Reducing the likelihood of the theft of payroll payments. Facilitating advanced analytics of payroll data. Reducing the risk of violations of employment law.
Reducing the likelihood of the theft of payroll payments. (Correct!) Direct deposits move directly to employees' accounts, thereby lessening the likelihood that checks are deposited by someone other than employees.
Which of the following is usually a benefit of using electronic funds transfer for international cash transactions? Creation of multilingual disaster recovery plans. Reduction in the frequency of data entry errors. Off-site storage of foreign source documents. Improvement in the audit trail for cash transactions.
Reduction in the frequency of data entry errors. This answer is correct because electronic funds transfer systems minimize the need for entry of information and, therefore, reduce the chance of entry errors.
Which of the following is not a benefit of using an electronic data interchange (EDI) system? Reduction in the number of suppliers a company must deal with. Reduction in the ordering costs. Faster transaction processing. Reduction in the lead time between placing the order and receiving the goods.
Reduction in the number of suppliers a company must deal with. EDI does not necessarily reduce the number of suppliers a company works with.
Womping Wembley Corp. maintains three sets of backups, which are updated monthly, weekly, and daily. This approach illustrates a (an): Checkpoint and restart approach RAID approach Redundant backups approach. SANs approach
Redundant backups approach. Correct! This approach illustrates a grandfather, father, son approach to redundant backups which are often executed with this frequency.
Which of the following statements about risk appetite, tolerance, and risk indicators are true? Risk appetite applies to the development of strategy, tolerance applies in the implementation of strategy, and key risk indicators apply at any level of the business. Key risk indicators apply to the development of strategy, risk appetite applies in the implementation of strategy, and tolerance applies at any level of the business. Tolerance applies to the development of strategy, risk appetite applies in the implementation of strategy, and key risk indicators apply at any level of the business. Tolerance applies to the development of strategy, key risk indicators apply in the implementation of strategy, and risk appetite applies at any level of the business.
Risk appetite applies to the development of strategy, tolerance applies in the implementation of strategy, and key risk indicators apply at any level of the business. Correct! These are the correct descriptions of the relationship of these terms to the strategy development process.
According to COSO, which of the following components addresses the need to respond in an organized manner to significant changes resulting from international exposure, acquisitions, or executive transitions? Control activities Risk assessment Monitoring activities Information and communication
Risk assessment Correct! Risk assessment is the process of identifying, analyzing, and managing the risks involved in achieving the organization's objectives. Changes related to international exposure, acquisitions, or executive transitions create risks, which must be assessed, prioritized, and responded to.
According to the 17 COSO control principles, organizational objectives primarily relate to which fundamental component of internal control: Control activities. Control environment. Risk assessment. Monitoring.
Risk assessment. According to the COSO principles, risk assessment primarily relates to organizational objectives, risk assessment, fraud, and change management. Organizational objectives link to risk assessment since objectives help to define the risks that are to be assessed.
This is the process of identifying, analyzing, and managing the risks involved in achieving the organization's objectives. Control activities. Control environment. Information and communication. Risk assessment.
Risk assessment. Risk assessment is, "...the process of identifying, analyzing, and managing the risks involved in achieving the organization's objectives."
Riley, Ripley, and RudBack are builders of high-end (i.e., expensive) customized homes. They want to create a report on the risks that they face in their human resources function. Which level of reporting would be appropriate to this goal? Portfolio view Risk view Risk category view Risk profile view
Risk profile view Correct! The risk profile view would be at the level of a specific unit within the entity (i.e., the human resource function).
At Multimedia Associates, there is some awareness of cybersecurity risks but not an organization-wide approach to managing these risks. In addition, the chief risk officer has assessed cybersecurity roles and risks but has not formalized these findings or shared them with critical stakeholders. Multimedia Associates evidences a ____________ implementation tier. Partial Risk-informed Repeatable Adaptable
Risk-informed Correct! The case evidences a risk-informed implementation tier, since the organization has some level of cybersecurity risk and has assessed roles and risks, but without sharing this information with relevant stakeholders.
According to COSO, a primary purpose of monitoring internal control is to verify that the internal control system remains adequate to address changes in Risks. The law. Technology. Operating procedures.
Risks. Correct! This is the primary purpose of monitoring internal control.
Which of the following artificial intelligence information systems cannot learn from experience? Neural networks. Case-based reasoning systems. Rule-based expert systems. Intelligent agents.
Rule-based expert systems. This answer is correct because rule-based expert systems do not learn from experience; they simply execute rules.
The Greensburg Agriculture Products employee survey related to fraud includes this statement: "We are discouraged from sharing our computer passwords with others." This statement best relates to which of the following fraud management principles and processes? Establishing a fraud risk management program Selecting, developing, and deploying fraud controls Selecting, developing, and deploying evaluation and monitoring processes Establishing a communication program to obtain information about potential frauds
Selecting, developing, and deploying fraud controls Correct! This survey question is asking whether a specific fraud risk control is in place. The question relates to selecting, developing, and deploying fraud controls.
Which of the following is an example of a non-financial transaction? Sending a purchase order to a vendor to purchase items for re-sale. Creating a cash receipt to mark receipt of a customer payment. Preparing a payroll check to send to an employee in payment of the current month's wages. Approving a vendor invoice for payment.
Sending a purchase order to a vendor to purchase items for re-sale. Sending a purchase order to a vendor to purchase items for re-sale is an example of a non-financial transaction, as it does not require a debit/credit entry in the accounting system (there is no completed transaction, just a request for a transaction).
Which of the following statements best characterizes the function of a physical access control? Protects systems from the transmission of Trojan horses. Provides authentication of users attempting to log in to the system. Separates unauthorized individuals from computer resources. Minimizes the risk of incurring a power or hardware failure.
Separates unauthorized individuals from computer resources. This answer is correct because physical access controls are those that limit the access to computer equipment, files, and documentation.
A computer sitting on a user's desk that includes a keyboard and a mouse is unlikely to be a(n): Desktop. Laptop. Server. Thin client.
Server Correct! Servers are generally in isolated (protected) locations and do not include a keyboard and a mouse for access. Servers are accessed from client computers.
Stagger Lee pretended to be an accountant in the payroll department to gain access to the Wichita Lineman Electrical Services Co. accounting system. This is an example of: Aliasing. Malware. Phishing. Spoofing.
Spoofing. (Correct!) From the very simple description of events in this case, this is the best answer.
Management of Johnson Company is considering implementing technology to improve the monitoring component of internal control. Which of the following best describes how technology may be effective at improving monitoring? Technology can identify conditions and circumstances that indicate that controls have failed or risks are present. Technology can assure that items are processed accurately. Technology can provide information more quickly. Technology can control access to terminals and data.
Technology can identify conditions and circumstances that indicate that controls have failed or risks are present. Monitoring involves collecting information to determine that controls are working.
DOUBLE-Which of the following is a general control rather than a transaction control activity? Technology development policies and procedures. Reconciliations. Physical controls over assets. Controls over standing data.
Technology development policies and procedures. (Correct!) This answer is correct because technology development policies and procedures are part of the general controls.
CFO Mar has been complicit in her public company's accounting fraud. She consults a lawyer as it becomes time for filing her firm's 10-K with the SEC. She is a little uncomfortable about what she might have to do. The lawyer will likely tell her that she will have to certify (and be potentially criminally liable for lying about) all of the following matters except: That she has reviewed the 10-K. That her CPA license is active. That she, along with the CEO, is responsible for establishing and maintaining her company's internal controls. That she has recently evaluated the effectiveness of the firm's internal controls.
That her CPA license is active. Correct. This is the one of these four choices that need not be certified. It is a fine thing if Mar is a CPA and if her license is active, but neither is required by SOX.
According to COSO, which of the following differences relevant to the risk assessment process is most likely to exist between a large entity and a small entity? The CEO of a small entity is more likely than the CEO of a large entity to be attuned to risks arising from internal factors through hands-on involvement with all levels of personnel. The risk assessment process in a small entity is more structured than in a large one because of the nature of some of the internal control components in a small entity. An owner-manager of a small entity will not normally learn about risks arising from external factors through direct contact with customers, suppliers, and other outsiders, whereas in large entities, this process is part of the entity's primary way of identifying new risk. Risk assessment in a small entity, as opposed to that in a large entity, can be problematic to implement because the in-depth involvement of the CEO and other key managers is a conflict of interest that must be addressed separately in the internal control assessment process.
The CEO of a small entity is more likely than the CEO of a large entity to be attuned to risks arising from internal factors through hands-on involvement with all levels of personnel. Correct! The engagement of the owner in a small entity is likely to improve the assessment of risks because of their hands-on involvement with all levels of personnel.
Which of the following bodies has developed a framework for enterprise risk management? The Committee of Sponsoring Organizations (COSO). The American Institute of Certified Public Accountants (AICPA). The Public Company Accounting Oversight Board (PCAOB). The Institute of Risk Management Professionals (IRMP).
The Committee of Sponsoring Organizations (COSO). This answer is correct. COSO has developed a framework for enterprise risk management.
Which of the following statements is correct regarding the requirements of the Sarbanes-Oxley Act of 2002 for an issuer's board of directors? Each member of the board of directors must be independent from management influence, based on the member's prior and current activities, economic and family relationships, and other factors. The board of directors must have an audit committee entirely composed of members who are independent from management influence. The majority of members of the board of directors must be independent from management influence. The board of directors must have a compensation committee, a nominating committee, and an audit committee, each of which is composed entirely of independent members.
The board of directors must have an audit committee entirely composed of members who are independent from management influence. Correct! SOX requires that a public company's entire audit committee be independent.
A company has in place an authentication system that requires users to enter a logon name and password. In an effort to strengthen this method of authentication, the company's chief information officer (CIO) asked the technology steering committee to recommend a biometric control for the authentication process. Which of the following committee recommendations best meets the requirement of the CIO? The use of a number-generating token that generates a different seven-digit number every 30 seconds to allow system entry. The use of a voice-to-text converter on user workstations that allows users to speak their user name and password. The use of a picture selection screen in which a user must choose a matching photo to one that was selected when the system was first implemented. The installation of finger print scanners on all workstations.
The installation of finger print scanners on all workstations. Correct. Finger print scanners are an example of a physical biometric control.
Which of the following is not a risk of a strategy of a car rental company? Customer accident and damage incidents may be higher than expected. Customers may choose only low-margin cars and options. The organization has a well-defined plan to achieve its mission and vision and apply its core values. Cars may be stolen.
The organization has a well-defined plan to achieve its mission and vision and apply its core values. Correct! This is the definition of strategy, not a risk of a strategy.
An item in an organization's newsletter describes a fraud in which cyber criminals pretend to be IT staff who are asking about a system's reliability problem. This is an IT application of the COSO principle of: The organization obtains or generates and uses relevant, quality information to support the functioning of internal control. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. The organization communicates with external parties regarding matters affecting the functioning of internal control. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. Correct! This statement is true. This is an example of internally communicating information to support the functioning of internal controls.
Which of the following events is least likely to trigger a need for substantial change in a trucking company's strategy and business objectives? The organization implements a new, innovative AI-based system to monitor and allocate trucks to drivers and routes. The organization promotes the longtime CFO to the position of CEO. Annual sales grow at twice the expected rate. Federal legislation changes the number of hours that drivers can spend on the road and the number of consecutive days that they can drive.
The organization promotes the longtime CFO to the position of CEO. Correct! An internal promotion of a longtime member of the executive team is least likely to trigger a substantial change to an organization's strategy and business objectives.
Which of the following is the best description of the potential impact of a risk? The new ZYX product is more successful than planned. However, production capacity struggles to meet increased demand, resulting in delivery delays, unhappy customers, and adverse effects on the company's reputation. The risk of denial-of-service attacks due to legacy IT systems results in leaked customer data, regulatory penalties, loss of customers, and negative press. The risk of denial-of-service attacks impacts the company's ability to retain the confidentiality of customer data. The new ZYX product is more successful than planned. However, production capacity struggles to meet increased demand, resulting in unhappy top management.
The risk of denial-of-service attacks impacts the company's ability to retain the confidentiality of customer data. Correct! This is a precisely stated risk (denial-of-service attacks) that includes a precisely stated potential impact of the risk (i.e., inability to keep customer data confidential).
Which of the following is the best risk statement in relation to executive management's role in a major IT project undertaken by a large telecommunications company? The risk that executive management disregards project communications and meetings The risk that executive management disregards project communications and meetings, resulting in inadequate oversight, because of management's inattention and lack of focus The risk that executive management disregards project communications and meetings, which reduces project quality and the likelihood of successful integration with other systems The risk that executive management disregards project communications and meetings, despite frequent efforts by the project management team to inform executive management of the importance of their involvement and engagement
The risk that executive management disregards project communications and meetings, which reduces project quality and the likelihood of successful integration with other systems Correct! A well-formed, precise risk statement should include a statement of the risk (which this one does) and a statement of the impact of the risk (which this one also does). In fact, this statement includes two outcomes or consequences of the risk, (1) lower project quality and (2) a lower likelihood of successful integration with other systems.
Which of the following is correct concerning electronic commerce security? Since they cannot use both, companies must decide whether to use an electronic data interchange approach or an approach using the Internet. Companies that wish to use the Internet for electronic commerce must adhere to the Uniform Internet Service Provider Code of Conduct. Use of a Web site "home page" instead of encryption leads to greater security in electronic transactions. The successful use of a firewall will help assure the security of a firm's computer systems.
The successful use of a firewall will help assure the security of a firm's computer systems. This answer is correct because a firewall will limit who is able to access a database.
A problem with the chart below is that: This information would be better displayed in a pie chart. The categories should be sorted alphabetically instead of by "hours worked." The vertical axis of a bar chart should always start at zero. Bar charts should always include numbers on the bars.
The vertical axis of a bar chart should always start at zero. Correct! Using nonzero axes in bar charts visually distorts the size of differences.
According to COSO controls systems fail for all of the following reasons except: They are not designed or implemented properly. They are properly designed and implemented but environment changes have occurred making the controls ineffective. They are properly designed and implemented but management overrides them making them ineffective. They are properly designed and implemented but the way they operate has changed making them ineffective.
They are properly designed and implemented but management overrides them making them ineffective. This answer is correct. It is a limitation for all control systems no matter how effectively designed and implemented.
According to COSO, which of the following is a compliance objective? To maintain adequate staffing to keep overtime expense within budget. To maintain a safe level of carbon dioxide emissions during production. To maintain material price variances within published guidelines. To maintain accounting principles that conform to GAAP.
To maintain a safe level of carbon dioxide emissions during production. Maintaining a safe level of carbon dioxide emissions during production is, in the U.S.A., required for compliance with law or regulation.
Which of the following is a computer program that appears to be legitimate, but performs an illicit activity when it is run? Redundant verification. Parallel count. Web crawler. Trojan horse.
Trojan horse. A Trojan horse is an apparently legitimate program that contains an unauthorized code that performs malicious activities when the program is run. Trojan horse programs are often used to provide a "back door" to the victim's system, enabling the hacker to gain access to the targeted system.
According to the Sarbanes-Oxley Act of 2002, anyone who knowingly alters, destroys, covers up, or makes a false entry in any record or document with the intent to obstruct or influence the investigation of any matter within the jurisdiction of any department or agency of the United States may be fined and/or imprisoned for up to: Five years. Ten years. Fifteen years. Twenty years.
Twenty years. Correct! This is the maximum punishment for making a false entry with intent to obstruct an investigation.
Which of the following is a low-cost wired transmission medium? Router. Microwave media. Fiber optic cable. Twisted pair.
Twisted pair. Twisted pair is a low-cost, comparatively low-quality transmission medium.
Winifred, an internal auditor, wants to access data about employee pay rates. She will go online and type in a(n) ______ on the ________, which is mostly written in ___________. Company name; company database; XBRL URL; www; HTML www; URL; HTML Employee name; registry; registry addresses
URL; www; HTML Correct! Typing in a URL (i.e., a web address or uniform resource locator) on the www (World Wide Web) will access these data. In addition, the core language of the web is HTML (i.e., HyperText Markup Language).
Adjusting journal entries are of additional concern when they are Automated accruals or deferrals, RFID driven, Unusual and automated. Unusual and manually posted.
Unusual and manually posted. Correct! Unusual, manually posted entries are of greater concern because they may indicate fraud or earnings management.
Which of the following is not true? Relational databases Are flexible and useful for unplanned, ad hoc queries. Store data in table form. Use trees to store data in a hierarchical structure. Are maintained on direct access devices.
Use trees to store data in a hierarchical structure. This answer is correct. Hierarchical databases use tree structures to organize data; relational databases use tables.
SnowDrift Ski Resorts has a meeting at which the CIO presents a plan for all IT personnel to evidence exceptional service quality in their interactions with other employees (i.e., their customers). This plan is likely to also be found in a (an) Use and connection policy. Procurement policy. Values and service culture policy. Regulatory compliance policy.
Values and service culture policy. Correct! This policy will state what is expected of IT function personnel in their interactions with clients and others. That is exactly the initiative that is described in this case.
Each of the listed IT policies is matched to its description except: Quality—statement of IT performance standards. Values and service culture—policies for ensuring the quality of live IT services. Electronic communications use—policy related to employ use of the Internet, intranet, email, and so on. Security—related to guarding against physical or electronic threats to IT.
Values and service culture—policies for ensuring the quality of live IT services. Correct! This is a false statement.The description given is of the "service management and operational service problem solving" policy.
An entity reviews its ERM practices. Which question is the organization least likely to investigate as a part of this review? What is the relationship between our strategy and objectives? How did the entity perform? Are we taking sufficient risks to attain desired performance? Were risk estimates accurate?
What is the relationship between our strategy and objectives? Correct! A review of ERM practices primarily focuses on realized versus targeted risk. This question is tangential to investigating realized versus targeted risks.
Encryption protection is least likely to be used in which of the following situations? When transactions are transmitted over local area networks. When wire transfers are made between banks. When confidential data are sent by satellite transmission. When financial data are sent over dedicated leased lines.
When transactions are transmitted over local area networks. This answer is correct. Various factors need to be considered. Encoding is important when confidential data are transmitted between geographically separated locations that can be electronically monitored. Although LANs may need encryption protection, the type of data and the described communication media make the other options appear more vulnerable.
Winthrop P. Snigledorf pays his employees in bitcoins to avoid paying payroll taxes and so that his employees don't have to pay income taxes on these earnings. Which of the following is an accurate assessment of these actions? Winthrop is correct—neither payroll taxes nor income taxes are due on wages paid in bitcoins. Winthrop is incorrect—payroll taxes need not be paid on wages paid in bitcoins; employees must pay income taxes on these earnings. Winthrop is incorrect—payroll taxes must be paid on wages paid in bitcoins; employees do not need to pay income taxes on these earnings. Winthrop is incorrect—both payroll taxes and income taxes must be paid on these earnings.
Winthrop is incorrect—both payroll taxes and income taxes must be paid on these earnings. Correct! Both payroll taxes and income taxes must be paid on these earnings. The IRS treats bitcoins as property; hence they are taxed the same as cash paid to employees would be.
While both views highlight risk severity, the _______ view of risk is from the entity-wide level while the _______ view of risk is from the perspective of units or levels with the entity. incident, root cause root cause, incident portfolio, profile profile, portfolio
portfolio, profile Correct! The portfolio view of risk is from the entity-wide perspective while the profile view of risk is from the level of units or levels within the entity.
Consider the following two descriptions: They help an entity create and maintain reliable data. They include models, policies, rules, or standards that determine which data is collected and how it is stored, arranged, integrated, and used in systems and in the organization. In relation to COSO's ERM framework related to leveraging information systems, statement 1 relates to ______________ while statement 2 relates to ____________________. data and information governance; processes and controls data and information governance; data management architecture processes and controls; data and information governance processes and controls; data management architecture
processes and controls; data management architecture Correct! Statement 1 is related to processes and controls (which help an entity create and maintain reliable data). Statement 2 is related to data management architecture, which refers to the fundamental design of the technology and related data.
In ERM, ______ focuses on the development of strategy and goals while _____ focuses on the implementation of strategy and variation from plans. tolerance; triggers key indicators; risk appetite risk appetite; tolerance internal control; portfolio view of risk
risk appetite; tolerance Correct! Risk appetite is the amount of risk an organization accepts in pursuit of a strategy and value. Risk appetite is focused on strategy and goals. Tolerance sets the boundaries of acceptable performance; it is related to strategy implementation and variation from plans.
Data from ______________ is typically structured, while data from ________ is typically unstructured. board meeting minutes; a governmental water scarcity report that is used by a beverage company staffing increases or decreases due to restructuring; email about decision making and performance. emerging interest in a new product from a competitor; an entity's risk tolerance marketing reports from website tracking services; government-produced geopolitical reports and studies
staffing increases or decreases due to restructuring; email about decision making and performance. Correct! Staffing data are typically structured; email is unstructured (text).
Match each statement below with the appropriate term that best describes it: After considering implemented controls, the desired level of the risk of a major cyber attack is low. Before considering controls, the level of risk of a major cyber attack is high. After considering implemented controls, the level of the risk of a major cyber attack is medium. Internal control; inherent risk; target residual risk target residual risk; internal control; inherent risk target residual risk; actual residual risk; assessed risk target residual risk; inherent risk; actual residual risk
target residual risk; inherent risk; actual residual risk Correct! Target residual risk is the desired risk after implementing a response. Statement I is a statement of target residual risk. Inherent risk is the risk, absent actions to change it. Statement II is a statement of inherent risk. Actual residual risk is the risk that remains after responding to it. Statement III is a statement of actual residual risk.
