ISC M2
Which of the following best describes a benefit of using a cloud service provider (CSP)? A. Fixed pricing for usage that comes with CSPs makes budgeting more predictable. B. Redundancy and the ability to recover from a disaster is improved. C. On-site hardware support is eliminated. D. Data processing is more efficient due to CSPs having purely decentralized virtual locations.
B. Redundancy and the ability to recover from a disaster is improved.
A pick ticket, the list provided to the warehouse or inventory function detailing the items and quantities that should be picked and packaged and sent to the shipping department for an order, is a common document found in which transaction cycle? A. Disbursement cycle B. Revenue cycle C. Purchasing cycle D. Human resources and payroll cycles
B. Revenue cycle
A global manufacturing firm has operations across three different continents that operate autonomously by using three distinct groups for finance, IT, and human resources. In an effort to improve service levels and reduce costs, the firm consolidated each of these into one global organization for each function. Some local staff was still needed for on-site support and information gathering, but this led to a reduction in costs of 30 percent and faster decision making. This illustrates gaining efficiencies through: A. Enhanced reporting. B. Shared services. C. Automation. D. Outsourcing.
B. Shared services.
What is the primary purpose of the Open Systems Interconnection (OSI) model? A. Defines hardware components in a network B. Standardizes how networking devices communicate C. Manages cloud computing services D. Designs network topologies
B. Standardizes how networking devices communicate
An organization houses its network servers at a facility within a known floodplain. It decided to raise the floors in the room where the network servers reside to avoid flood damage. This is an example of what type of control? A. Logical access control B. System availability control C. Physical access control D. Data encryption control
B. System availability control
When an organization employs business process automation, it is looking to identify and automate business processes. Which of the following would not be an attribute that would make a process a good candidate for business process automation? A. The process is repetitive. B. The process changes regularly. C. The process is recurring. D. The process is currently manual and objective.
B. The process changes regularly.
Each of the following is considered an end-user device (EUD) except: A. A laptop computer B. A desktop computer C. A router D. A computer tablet
C. A router
Each of the following is considered a function of the Transport Layer in the Open Systems Interconnection (OSI) model except: A. Dividing data into smaller packets for transmission B. Ensuring data integrity during transmission C. Adding routing and address headers to data packets D. Reassembling data packets in the correct order
C. Adding routing and address headers to data packets
Pearlin Corp., a global IT services organization, has operations in three different countries and is creating its disaster recovery plan. Prior to identifying applications that are critical to its mission, Pearlin should perform which of the following activities? A. Assign responsibilities to key personnel in each country. B. Test the global disaster recovery plan. C. Assess risks at all facilities in each country. D. Develop a plan for handling mission-critical applications.
C. Assess risks at all facilities in each country.
Sagger Corp. has historically used two systems to execute biweekly payroll runs. One system tracks hours for labor productivity which are then extracted by an employee and loaded into another system that processes payroll so that payments are automatically deposited into employee accounts. To eliminate this repetitive manual extraction process, a senior accountant and programmer write a program that extracts the timekeeping data from the first system and loads it into the second system at the end of each workday for every employee, without the intervention of a human. This is an example of what type of business process change? A. Neural network B. Large language models C. Robotic process automation D. Natural language processing software
C. Robotic process automation
Creataw Textile Manufacturing recently purchased fabric to be used as raw materials for weaving a new line of garments. Creataw's senior accountant posted the purchase of the fabric to the general ledger in the company's accounting information system (AIS). Which of the following steps would she have performed prior to this step? A. Adjust for accruals B. Prepare the trial balance C. Record the journal entry D. Record corrections and adjustments
C. Record the journal entry
A consumer-packaged goods (CPG) organization outsources its IT services to a managed services provider. For its distribution system to be continuous and lean, the CPG company specifies in its service level agreement that it must take no longer than eight hours to restore its IT systems. This is an example of which of the following metrics? A. Agreed service time (AST) B. Mean time to repair (MTTR) C. Recovery time objective (RTO) D. Recovery point objective (RPO)
C. Recovery time objective (RTO)
Which type of network topology is best described as connecting all nodes in a circular path, where data must go through every other device between the source and destination? A. Bus topology B. Mesh topology C. Ring topology D. Star topology
C. Ring topology
The finance division of an EV (electric vehicle) manufacturer works directly with customers in the last phase of the buying process to set up their car loans. This process includes checking the customer's credit and approving or denying a loan based on their credit history. In which of the following transaction cycles would this occur? A. Treasury cycles B. Purchasing and disbursement cycles C. Sales and cash collection cycles D. Production and fixed asset cycles
C. Sales and cash collection cycles
A cloud service provider's vision is to provide reliable and consistent network connectivity for all customers. Part of its corporate strategy for achieving that is heavily reliant on all of the following except: A. Having all IT personnel on the company payroll. B. Owning the underlying physical IT infrastructure. C. Utilizing a community cloud deployment model. D. Full autonomy over disaster recovery processes.
C. Utilizing a community cloud deployment model.
Due to the volume of transactions being processed on a blockchain, organizations should focus on what type of controls when applying the COSO internal control framework? A. Corrective and preventative B. Preventative and detective C. Predictive and corrective D. Detective and corrective
B. Preventative and detective
Which of the following activities would fall within the Performance component of the COSO Integrating with Strategy and Performance Framework? A. Defining risk appetite B. Prioritizing risk C. Reviewing risk and performance D. Reporting on risk
B. Prioritizing risk
An accounting information system (AIS) is distinguished from an enterprise resource planning (ERP) system by the fact that: A. An AIS stores financial data, whereas an ERP stores shipping data. B. An AIS uses a centralized database allowing different departments to collaborate in real time whereas an ERP does not. C. An AIS is control-oriented, whereas an ERP is used exclusively for planning. D. AIS data is used only by financial managers, whereas ERP data is used by all managers.
A. An AIS stores financial data, whereas an ERP stores shipping data.
Which of the following would be considered a primary advantage of edge-enabled devices in a network? A. Allows faster network response times by processing data closer to the source B. Reduces the need for firewalls C. Eliminates the need for centralized servers D. Provides unlimited storage capacity
A. Allows faster network response times by processing data closer to the source
The COSO Enterprise Risk Management Framework emphasizes that risk increases when an organization changes its cloud deployment model from: A. Public to on-premises. B. Private to public. C. Hybrid to private. D. Public to hybrid.
B. Private to public.
A controller is developing a disaster recovery plan for a corporation's computer systems. In the event of a disaster that makes the company's facilities unusable, the controller has arranged for the use of an alternate location and the delivery of duplicate computer hardware to this alternate location. Which of the following recovery plans would best describe this arrangement? A. Hot site. B. Cold site. C. Back-up site procedures. D. Hot spare site agreement.
B. Cold site.
Andrew is the CFO of a biotech company developing new drugs to combat mental illness. As the operations become more complex due to the company's rapid growth, Andrew is in need of an application that allows every department to collaborate in real time. Specifically, the procurement department needs to manage the requisitions from the clinical research departments to ensure the drug inventory level is appropriate and issues purchase orders to vendors; the project management office needs to monitor research project progress and project spend; the accounting department needs to produce reliable financial statements for external and internal reporting purposes; and the finance department needs accurate data to produce a high-quality forecast for an investor presentation. The application that can meet all of these requirements is: A. An enterprise resource planning system (ERP) B. An accounting information system (AIS)
A. An enterprise resource planning system (ERP)
Which of the following is a common document found in the production cycle? A. Bill of materials B. Receiving report C. Sales invoice D. Bill of lading
A. Bill of materials
During a post implementation review of an accounting information system (AIS), a CPA learned that an AIS with few customized features had been budgeted and scheduled to be installed over nine months for $3 million (including hardware, software, and consulting fees). An in-house programmer was assigned as the project manager and had difficulty keeping the project on schedule. The implementation took 18 months, and actual costs were 30% over budget. Many features were added to the system on an ad-hoc basis, with the project manager's authorization. The end-users are very satisfied with the new system. The steering committee, however, is dissatisfied about the scope creep and would like a recommendation to consider before approving initiation of another large project. Based on those findings, the CPA should recommend implementing a: A. Change management system. B. Contract management system. C. Budgeting system. D. Pro
A. Change management system.
Which method of backup involves copying all data items that have changed since the last full backup? A. Differential. B. Incremental. C. Full. D. Off-schedule.
A. Differential.
A piece of hardware that connects devices within a network by reading and converting protocols so that traffic can be transmitted across those devices is most likely which of the following networking components? A. Gateway B. Firewall C. Router D. Switch
A. Gateway
Diego Co. is investigating installing an enterprise resource planning (ERP) software solution. Which of the following statements is/are correct? I. Security around access controls for multiple systems is centralized. II. The implementation period for all enterprise modules is relatively quick. III. ERPs are frequently purchased because they are cost effective compared to other like solutions. A. I only is correct. B. II and III only are correct. C. I and III only are correct. D. I and II only are correct.
A. I only is correct.
An organization has decided to implement a backup system that involves copying only the data items that have changed since the last backup. What type of backup is this system called? A. Incremental backup B. Differential backup C. Intermittent backup D. Full backup
A. Incremental backup
In an effort to eliminate paper and create transparency in the logistics industry, Elige Supply Chain Inc. implemented a blockchain following the COSO internal control framework. In line with the framework, Elige educated its internal stakeholders on all relevant blockchain processes and developed software that continuously analyzed supply chain functions. Which two components of the COSO framework does Elige adhere to by executing these actions? A. Information and communication; monitoring activities B. Risk assessment; control activities C. Monitoring activities; risk assessment D. Control activities; monitoring activities
A. Information and communication; monitoring activities
COSO's guidance in its Enterprise Risk Management Framework asserts that organizations should do all of the following when adopting a cloud service provider (CSP), except: A. Keep separate and distinct risk management strategies for the CSP and the organization. B. Create a steering committee to oversee CSP implementation. C. Consider how adopting a CSP may affect the organization's risk profile. D. Define the systems and infrastructure controlled by the CSP versus the organization.
A. Keep separate and distinct risk management strategies for the CSP and the organization.
The CFO of a U.S.-based hospital chain is looking for ways to help fight a severe shortage in radiologists and rising salaries for the few it can find. It discovers Precision Radiology Labs, a technology-based company that allows physicians to submit patient scans to a hub where they are reviewed by licensed radiology doctors in Canada. The readings are returned to local physicians and then patient treatment is prescribed accordingly. The service that Precision Radiology Labs offers is an example of which type of offshore outsourcing? A. Knowledge process provider B. Business process provider C. Research and development provider D. Information technology by a managed services provider (MSP)
A. Knowledge process provider
Using continuous monitoring techniques to analyze and review large volumes of transactions on a blockchain is a practice supported by which of the COSO internal control framework components? A. Monitoring activities B. Control activities C. Control environment D. Risk assessment
A. Monitoring activities
Which of the following are benefits of using a cloud service provider (CSP)? A. Processing and storage can be rented in units of time, scaling up during peak usage times. B. Virtual machines can be stored off site or on a company's premises. C. Flexibility to perform any maintenance needed on the underlying infrastructure. D. Ensure the application is running on the latest version of the operating system.
A. Processing and storage can be rented in units of time, scaling up during peak usage times.
The receiving department of a Mishinor logistics company enters the quantities and tracking numbers of packages it receives into its accounting information system (AIS). These are used to reconcile tracking and quantity information on invoices that the accounts payable clerk uses to make payments. In which of the following transaction cycles would this occur? A. Purchasing and disbursement cycles B. Production and fixed asset cycles C. Treasury cycles D. General ledger and reporting cycles
A. Purchasing and disbursement cycles
Which of the following is a measure of performance that is typically cited within a service-level agreement with outsourced IT providers? A. Response time B. User responsibilities C. Data privacy requirements D. Controls necessary to protect exchanged information
A. Response time
The finance department of a large multinational organization has receiving offices in seven different countries that each receive invoices through the mail and process those payments in the country of origin. This has proven to be costly due to duplication of staff and the manual act of physically going through mail. To become more efficient and lower costs, the company stops accepting paper payments in all countries except for one and shifts to electronic payments only. Any paper payments that are received will be processed through an invoice recognition program that extracts key data using optical character recognition (OCR) technology. That data is then gathered by the finance team to process mass payments in batches. This business process improvement solution combines which of the following principles? A. Robotic process automation (RPA) and shared services B. Neural networks and offshoring C. Automation and out
A. Robotic process automation (RPA) and shared services
Which of the following statements regarding a computer network is incorrect? A. Servers act as an intermediary among different networks. B. Routers manage traffic on a network. C. Switches can divide one connection into multiple connections. D. Gateways convert protocols to communicate with other network devices.
A. Servers act as an intermediary among different networks.
When evaluating a cloud service provider's data security measures, a company would appropriately consider each of the following risk factors, except: A. The provider's vertical scalability. B. The provider's third-party suppliers. C. The provider's multi-tenant architecture. D. The provider's cloud-of-cloud agreements.
A. The provider's vertical scalability.
What is managed by the organization for SaaS?
Application Usage
What is managed by the organization for PaaS?
Application Use and Application Design, Tools, and Data
Which of the following best describes the primary disadvantage of a bus topology? A. Expensive to implement and maintain B. A single point of failure can bring down the entire network C. Requires a central hub to function D. Cannot support wireless connections
B. A single point of failure can bring down the entire network
Which of the following correctly describes the relationship between an enterprise resource planning (ERP) system and an accounting information system (AIS)? A. AIS contains the real-time collaboration feature that ERP lacks. B. AIS is part of an ERP. C. ERP typically consists of decentralized databases. Each database would handle the processing of a transaction cycle. D. A human resources information system (HRIS) is a subsystem of an AIS.
B. AIS is part of an ERP.
Savestone Solutions is a national business and individual tax software provider that pushes out annual updates to its web-based tax platforms so users can file returns for their clients based on the most updated tax laws. When significant tax legislation is released, the tax and development team at Savestone follow a very mechanized process to complete an updated release for applicable products, which includes the following steps: Define high-priority customer requirements using a product backlog. Assess whether changes are needed to the original product backlog at specific milestones spread across the duration of the project. Meet twice per day: in the morning to determine goals and in the afternoon to assess progress. Perform testing of new features once per week for the duration of the project. Which of the following system change approaches does Savestone most likely follow? A. Waterfall method B. Agile method
B. Agile method
Which type of firewall inspects the contents of data packets? A. Circuit-level gateway B. Application-level gateway C. Network address translation firewall D. Stateful multilayer inspection firewall
B. Application-level gateway
It may be challenging to apply the COSO control environment component from the internal control framework to blockchain applications because: A. Blockchain ledgers are transparent and viewable by anyone. B. Blockchains are decentralized by design. C. Most blockchains are costly to implement and maintain. D. Not all trust services criteria apply to blockchains.
B. Blockchains are decentralized by design.
Doug, an IT administrator for a mini-nuclear reactor plant, is tasked by the CIO with determining the financial and operational impact of a system failure for the software application that controls the cooling of the reactor cores. Critical resources and affected departments must be identified, as well as the time it takes to return to full operation. Which of the following is the document in which these findings would be reported? A. Business continuity plan B. Business impact analysis report C. Crisis management plan D. Cybersecurity assessment report
B. Business impact analysis report
Morrin Corp. provides Physician Practices Plus (PPP) with complete revenue cycle management services, which help PPP collect on its receivables, provide a payment portal for clients, issue refunds, and manage all other billing functions. This is referred to as what type of model? A. Infrastructure-as-a-Service B. Business processes-as-a-Service C. Platform-as-a-Service D. Payment processing network
B. Business processes-as-a-Service
A CPA is working closely with a client's IT administrator to understand all the accounting applications that need to be supported so that the company will have either uninterrupted operations or a quick return to operations after a system incident. The IT administrator's focus on the ability to quickly rebound best describes which of the following concepts? A. Incident response B. Business resiliency C. Availability controls D. Crisis management
B. Business resiliency
Which of the following controls would most likely ensure that an entity can reconstruct its financial records? A. Firmware controls installed by a computer manufacturer. B. Cloud-based backup copies of financial records. C. Personnel independent of data entry performing manual audit logs of financial records. D. System flowcharts with documentation of financial data input and output.
B. Cloud-based backup copies of financial records.
Apexom Exchange Inc. operates in the U.S. and adheres to KYC (Know Your Customer) laws by requiring all traders to validate their identity, address, nationality, occupation, and income. Following these laws establishes structure and accountability by ensuring that the company can identify the transacting parties. Which of the following COSO internal control framework components and principles would Apexom follow to satisfy these requirements? A. Component: risk assessment; principle: assesses fraud risk B. Component: control environment; principle: enforces accountability C. Component: monitoring activities; principle: conducts ongoing and/or separate evaluations D. Component: information and communication; principle: communicates externally
B. Component: control environment; principle: enforces accountability
A company's network administrator discovered that critical software updates have not been installed on the network in a timely manner. Which of the following is a control that would directly address this situation? A. Initiating penetration testing on the network. B. Creating and implementing a patch management policy. C. Ensuring that the hard drive containing the update is encrypted. D. Performing a log analysis to ensure that the software is functioning properly.
B. Creating and implementing a patch management policy.
An enterprise resource planning (ERP) system has which of the following advantages over multiple independent functional systems? A. The time to implement an ERP system is significantly less. B. Data input is less intensive because a central repository is used. C. ERP systems are more cost effective. D. Integration is less costly.
B. Data input is less intensive because a central repository is used.
An information technology director collected the names and locations of key vendors, current hardware configuration, names of team members, and an alternative processing location. What is the director most likely preparing? A. Data restoration plan. B. Disaster recovery plan. C. System security policy. D. System hardware policy.
B. Disaster recovery plan.
A company switches all processing to an alternative site, and staff members report to the alternative site to verify that they are able to connect to all major systems and perform all core business processes from the alternative site. Which of the following best identifies the activities performed by the staff? A. Closed loop verification. B. Disaster recovery planning. C. Authentication validation. D. Segregation control testing.
B. Disaster recovery planning.
An internal auditor is tasked with conducting an analysis of the company's payment processing network architecture. To examine the efficiency and distribution of the organization's payment network, the internal auditor would most likely see if the organization uses which of the following hardware components to decentralize its computing power? A. Switching hardware B. Edge-enabled devices C. Routers D. Gateways
B. Edge-enabled devices
The protective software and/or hardware that allows users to access the internet without exposing the organization's IT assets to unauthorized users is called a(n): A. Server. B. Firewall. C. Switch. D. Router.
B. Firewall.
Which of the following are network devices that assign IP addresses? A. Switches B. Firewalls C. Gateways D. Servers
B. Firewalls
Which of the following statements is (are) correct? I. Disaster recovery consists of plans for continuing operations in the event of destruction of not only program and data files but also processing capability. II. A warm site is an off-site location that has all of the electrical connections and other physical requirements for data processing but requires ordering the actual equipment to arrive in five to seven days. Warm sites are used when the possibility of a disaster occurring is remote. III. A hot site is an off-site location that is completely equipped to take over an organization's data processing. A. I and II only are correct. B. I and III only are correct. C. I, II, and III are correct. D. None of the listed choices is correct.
B. I and III only are correct.
A team of senior IT analysts for a newly launched digital asset trading exchange, Sagger, is responsible for the company's business resiliency program. One of the key functions of this group is ensuring that transactional data is backed up. Due to the volume of transactions that will occur each day and their goal of being as current as possible, the team wants to copy only data that has been generated since the prior day's backup to update its original database backup. What type of system backup should the team implement? A. Full backup B. Incremental backup C. Differential backup D. Copy-only backup
B. Incremental backup
Having an exit strategy for a cloud service provider (CSP) is a response to which of the following risks? A. Favorable regulation changes B. Lack of application portability (vendor lock-in) C. CSP violation of service level agreement D. Unfavorable operational budget variances
B. Lack of application portability (vendor lock-in)
Which of the following describes the primary function of the Transport Layer in the Open Systems Interconnection (OSI) model? A. Establish and maintain communication sessions B. Manage data transmission rules and ensure data integrity C. Add routing and address headers to data packets D. Convert data into electrical impulses for transmission
B. Manage data transmission rules and ensure data integrity
A multi-tenant cloud service provider serves: A. A single organization while allowing multiple users. B. More than one organization using shared virtual infrastructure. C. Multiple organizations each using an exclusive virtual server. D. A single organization using multiple virtual servers across different geographic locations.
B. More than one organization using shared virtual infrastructure.
An auditing firm is performing a SOC 2® engagement on a service organization specializing in managing IT services and has reached the point at which the lead auditor begins the walk-through of the company's backup procedures. The service organization's IT administrator demonstrates the procedures he performs for the weekly full backup and the daily incremental backup. One of the more recent full backups occurred on the first day of the current month. If the auditor wants to restore all data through day nine of the current month, which of the following combinations of backup procedures should he request? A. One full backup only B. One full backup and one incremental backup C. Eight incremental backups and one full backup D. One differential backup only
B. One full backup and one incremental backup
A domestic Fintech company is considering outsourcing some of its product engineering team to another country, but management is evaluating the potential risks of making that move. The main concerns include onshore team morale and the quality of work from the outsourced team. The outsourced team would test code written by the domestic team, look for opportunities to streamline the code, and handle technical support calls after the domestic country's normal business hours. Which of the following strategies would be the least effective in hedging against these risks? A. Compensate the domestic team for product innovations that are sold to consumers. B. Offer bonuses to all employees that achieve target customer satisfaction ratings. C. Award incentives to the outsourced team when errors are found in the test code. D. Require all employees to obtain a common IT credential and receive corporate training.
C. Award incentives to the outsourced team when errors are found in the test code.
Charlie, CPA, is a senior service auditor in a SOC 2® engagement and has just started evaluating system documentation for an online platform used by lodging and travel firms to book trips. Charlie is evaluating a recent overhaul to the platform, so she starts with which of the following to serve as a benchmark for the original state that can be used to evaluate subsequent changes made to the system? A. System component inventory B. Acceptance criteria C. Baseline configuration D. Proxy logs
C. Baseline configuration
Bacchus, Inc. is a large multinational corporation with various business units around the world. After a fire destroyed the corporate headquarters and largest manufacturing site, plans for which of the following would help Bacchus ensure a timely recovery? A. Daily backup. B. Network security. C. Business continuity. D. Backup power.
C. Business continuity.
Management is evaluating a newly installed system by applying metrics that examine how easily the system can scale volume up or down, the speed at which it can process transactions, and the amount of uptime over a given period. If the system meets predetermined standards in each of these categories, then implementation will be considered complete. This sort of change control testing is an example of: A. Using continuous adoption. B. Reviewing logging. C. Closed loop verification. D. Using continuous monitoring.
C. Closed loop verification.
Which of the following steps in the development of a business continuity plan should a company initiate first? A. Identify critical personnel. B. Develop an emergency contact list. C. Conduct a business-impact analysis. D. Prepare recovery procedures.
C. Conduct a business-impact analysis.
Setting system parameters to meet a company's needs during an enterprise resource planning system implementation is known as: A. Migration. B. Deployment. C. Configuration. D. Business process integration.
C. Configuration.
Elitado Manufacturing's CFO is working on calculating the annualized rate of occurrence (ARO) and the annualized loss expectancy (ALE) for a business impact analysis (BIA) being performed by its IT department. At which of the following steps during the BIA would this occur? A. Define disruption impacts. B. Establish recovery priorities. C. Estimate losses. D. Establish the BIA approach.
C. Estimate losses.
Timbercan Inc. is a large conglomerate with a portfolio of businesses within the health care industry that has primarily grown through acquisitions. It recently acquired nine new hospitals to add to its existing inventory of 50 hospitals. In an effort to allow health records to flow freely between each hospital chain, Timbercan immediately invested $20 million in a new platform that was intended to connect to each hospital's existing electronic health records (EHR) system. After beginning implementation, Timbercan started reviewing existing processes and learned that additional custom programming costing $10 million would be needed so that the platform could connect to each chain's unique application programming interfaces (APIs). Timbercan also learned that it could have built its own custom application for $25 million after it thoroughly reviewed how the existing EHR used by the newly acquired hospitals worked. Wh
C. Examine existing business processes
Peame Mobile sells smartphones, tablets, and other supportive devices directly to consumers via its online marketplace and in-store retail locations. Which of the following economic event and transaction cycle pairings is correct? A. Customers place phone orders in the production and fixed asset cycle. B. Store employees are paid in the purchasing and disbursement cycle. C. Loan payments for retail locations are made in the treasury cycle. D. Investment earnings are recorded in the revenue and cash collections cycles.
C. Loan payments for retail locations are made in the treasury cycle.
Which of the following best describes a hot site? A. Location within the company that is most vulnerable to a disaster. B. Location where a company can install data processing equipment on short notice. C. Location that is equipped with the necessary hardware and possibly software. D. Location that is considered too close to a potential disaster area.
C. Location that is equipped with the necessary hardware and possibly software.
For an organization to allow trusted sources to transmit across the network, which type of firewall assigns internal network addresses to specific external sources? A. Circuit-level gateway B. Application-level gateway C. Network address translation firewall D. Stateful multilayer inspection firewall
C. Network address translation firewall
Which of the following is a key characteristic of a mesh network topology? A. All nodes are connected in a circular path. B. All nodes are connected to a central hub. C. Nodes are connected with multiple pathways for redundancy. D. Nodes share a single communication line.
C. Nodes are connected with multiple pathways for redundancy.
A hedge fund, Pearlin, is a U.S.-based investment company that specializes in what is known as quantamental investing, which makes stock picks based on algorithms that analyze social media posts, news articles, transcripts from earnings calls, and various other text-based sources. Pearlin uses a local consulting group with resources based out of India to create the software and run the algorithm multiple times per day and then sends the results to Pearlin for analysis. This type of business process utilizes: A. Robotic process automation (RPA) and offshoring. B. Large language models (LLMs) and insourcing. C. Offshoring and natural language processing (NLP). D. Offshoring and K-means clustering.
C. Offshoring and natural language processing (NLP).
A service auditor has been assigned to review a service organization's business continuity plan in a SOC 2® engagement. The auditor will evaluate whether the company's plan addressed all of the following except: A. Areas or operations lacking critical personnel. B. Risks that could significantly impair operations. C. Periodic testing resulting in plan modifications. D. Unlikely risks that would cease operations.
D. Unlikely risks that would cease operations.
Gibbs Energy Inc. is a power producer and distribution network operator that runs a power grid which generates, transmits, and distributes power to customers. These core business functions require a large amount of computing power to run highly customized software applications. These applications often require modifications to the operating system. Since the usage of energy and computing power varies, Gibbs rents servers, storage, and firewalls from a cloud service provider (CSP). What type of CSP does Gibbs most likely use? A. Software-as-a-Service B. Platform-as-a-Service C. Business-Process-as-a-Service D. Infrastructure-as-a-Service
D. Infrastructure-as-a-Service
The following depicts which type of cloud computing model? Uptime: The organization; Data center: Cloud service provider; Application design: The organization. A. Platform-as-a-Service (PaaS) B. On-premises C. Software-as-a-Service (SaaS) D. Infrastructure-as-a-Service (IaaS)
D. Infrastructure-as-a-Service (IaaS)
Which of the following is a key difference in controls when changing from a manual system to a computer system? A. Internal control principles change. B. Internal control objectives differ. C. Control objectives are more difficult to achieve. D. Methodologies for implementing controls change.
D. Methodologies for implementing controls change.
A transaction processing system would appropriately include each of the following activities for an online bookseller, except: A. Shipping. B. Processing payroll. C. Receiving internet orders. D. Monitoring competitor price changes.
D. Monitoring competitor price changes.
Streaming service provider Biscalli has developed a recommendation engine to recommend content to its subscribers based on their content history, ratings for that content, and the device on which that content was viewed. The history and ratings are used in an input layer within the engine that stack-ranks similar content. That content is then assigned weights within another hidden layer, and recommendations are made to the subscriber that target certain types of content on specific devices in an output layer. This business process most likely uses a recommendation engine based on: A. Decision trees. B. Logistic regression. C. K-means clustering. D. Neural networks.
D. Neural networks.
A business analyst is attempting to diagnose why encrypted data is getting corrupted during transmission, causing decryption to fail. At what layer in the Open Systems Interconnection (OSI) model is the issue most likely occurring? A. Network layer B. Application layer C. Session layer D. Presentation layer
D. Presentation layer
Each of the following projects would fall under the scrutiny of an entity's change management policy, except: A. Updating a version of the entity's existing software system. B. Installing a new module to an existing enterprise resource planning system already in place. C. Fixing a software bug after the platform release. D. Purging data from a financial application's data cache.
D. Purging data from a financial application's data cache.
Rulert Systems, a company that manufactures parts for light detection and ranging hardware used in self-driving vehicles, recently started outsourcing several of its components due to a sharp rise in manufacturing costs. Rulert clearly outlined manufacturing procedures in its service agreements, ensured local workers were properly trained, and ensured hired staff were bilingual, yet its end product kept failing in test drives. This is most likely an example of what type of outsourcing risk? A. Productivity risk related to lower wages B. Qualifications of outsourcers risk C. Labor insecurity risk of foreign nations D. Quality risk related to materials
D. Quality risk related to materials
Savestone Insurance is considering large premium increases for its clients for its upcoming fiscal year due to significant losses from tornadoes in the current year. To do that, it performs a business impact analysis to estimate losses. This process involves using the average value of the assets it insures and multiplying them by the likelihood of damage from a natural disaster based on historical weather patterns. This allows Savestone to estimate the cost of an individual loss, which is referred to as the: A. Annualized rate of occurrence (ARO). B. Annualized loss expectancy (ALE). C. Exposure factor (EF). D. Single loss expectancy (SLE).
D. Single loss expectancy (SLE).
Which of the following procedures would an entity most likely perform that would be found in its disaster recovery plan? A. Perform a business impact analysis. B. Maintain antivirus software to prevent illicit activity. C. Establish an uninterrupted power supply (UPS). D. Store duplicate copies of files off-site.
D. Store duplicate copies of files off-site.
Which of the following identifies a potential threat posed by the use of blockchain? A. The shared ledger could promote a weaker control environment. B. Transaction processing could require greater human intervention. C. The mutability of the transactions could make them subject to an increased risk of transactional fraud. D. The resulting decentralization could lead to a decreased level of accountability.
D. The resulting decentralization could lead to a decreased level of accountability.
Which of the following describes the primary purpose of a disaster recovery plan? A. To document how data will be backed up to expedite recovery. B. To document the location of off-site replacement facilities. C. To test how well prepared the company is to recover data. D. To specify the steps required to resume operations.
D. To specify the steps required to resume operations.
Physical controls designed to protect a facility against overheating or flooding and to improve system availability should have which of the following effects on availability performance metrics? A. Increase the maximum tolerable downtime (MTD). B. Decrease the recovery point objective (RPO). C. Increase the recovery time actual (RTA). D. Decrease the mean time to repair (MTTR).
D. Decrease the mean time to repair (MTTR).
Suzie, the Senior Accounting Director for her organization, is working with the IT department on a business impact analysis (BIA). They are determining the optimal maximum tolerable downtime (MTD) and the mean time to repair (MTTR) for the company's general ledger software should an outage occur. In which of the following BIA steps would this occur? A. Define disruption impacts. B. Estimate losses. C. Identify critical resources. D. Establish recovery priorities.
D. Establish recovery priorities.
Management of regional logistics firm, TLBOCo, is evaluating different cloud service providers (CSPs). During the evaluation process, management's primary focus is on understanding whether adverse incidents will be easier or harder to detect. Which of the following components of the COSO Enterprise Risk Management Framework does this align with? A. Risk Assessment B. Monitoring C. Risk Response D. Event Identification
D. Event Identification
Which of the following components controls the flow of data into and out of an organization's information system at network entry points during electronic commerce? A. Turnkey system B. Electronic lockbox C. Electronic envelope D. Firewall
D. Firewall
Agri-tech firm Rathway Inc. is about to roll out a new system for its design engineers that will allow different teams to work in sequence. It plans on using the "Waterfall" method because it wants to break the development process into chunks of manageable and distinct tasks. Rathway may use the Waterfall method as a way to: A. Shorten the time it takes to collect customer input to enhance design features in the new software. B. Increase productivity so that engineers will be engaged at every point in the process. C. Realize the benefits of the new system at each stage of completion. D. Focus on testing and change review.
D. Focus on testing and change review.
The film and production department creates streaming content and works on multiple projects across the company. Labor costs of this department would be allocated in the company's accounting information system (AIS) to each project based on the number of hours worked in the: A. Purchasing and disbursement cycles. B. Treasury cycles. C. General ledger and reporting cycles. D. Human resources and payroll cycles.
D. Human resources and payroll cycles.
Simms Corporation utilizes a disaster recovery provider in Mahwah, New Jersey. At that facility, Simms has contracted for a cold site. It is considering upgrading to a hot site contract. Which of the following actions must Simms take if it decides to upgrade its disaster recovery contract in this manner? I. Simms must ask its disaster recovery provider to store equipment on site so it can be installed immediately in the event of a disaster. II. Simms must contact its hardware vendors and arrange for equipment to be delivered to the facility when a disaster occurs. III. Simms must contact its disaster recovery provider and arrange for hardware to be available in case a disaster occurs. Depending on what Simms requires, the disaster recovery provider may provide specialized equipment or may provide Simms with access to standardized equipment already in its inventory. A. I only is correct. B. I and II only are correct.
D. III only is correct.
An application that supports different business functions and integrates multiple departments by allowing them to communicate in real-time while still functioning independently is: A. An accounting information system. B. A transaction processing system. C. A financial reporting system. D. An enterprise resource planning system.
D. An enterprise resource planning system.
Which of the following best describes organizations that offer virtual computing power and expertise to other companies on managing IT infrastructure? A. Consumer packaged goods (CPG) providers B. Business-to-business (B2B) payroll organizations C. Small and medium-sized tax consulting enterprises (SME) D. Cloud service providers (CSP)
D. Cloud service providers (CSP)
Which of the following characteristics describes a hot site? A. It takes 0 to 3 days to be operational B. Least expensive of all options C. Hardware is sometimes in place D. Connections are always in place
D. Connections are always in place
Cloud computing can best be defined as a model that: A. Streamlines business processes onto a well-secured and highly available in-house e-commerce platform to optimize customers' online experience. B. Is designed for rapid application deployment by making several virtual servers run on one physical host. C. Allows users to access network resources from remote locations through a virtual private network. D. Uses shared resources over the internet to rent storage space, processing power, or proprietary software on remote servers from another company.
D. Uses shared resources over the internet to rent storage space, processing power, or proprietary software on remote servers from another company.
