AIS Midterm 2 Study Review (5,7,8,9,10)
What type of security controls are authorization controls? a. Corrective controls b. Detective controls c. Preventive controls
C
A digital signature is A. Created by hashing a document and then encrypting the hash with the signer's private key B. Created by hashing a document and then encrypting the hash with the signer's public key C. Created by hashing a document and then encrypting the hash with the signer's symmetric key D. None of the above
A
In the ERM model, COSO specified four types of objectives that management must meet to achieve company goals. Which of the following is NOT one of those types? A. Responsibility objectives B. Strategic objectives C. Compliance objectives D. Reporting objectives E. Operations objectives
A
Kiting is a scheme in which: a. insufficient funds are covered up by deposits made at one bank by checks drawn at another bank. b. a computer system is infiltrated under false pretenses. c. an external user impersonates an internal user. d. None of the above.
A
The least expensive and least effective option for replacing computer equipment lost in a disaster is: a. leasing a cold site. b. real-time mirroring c. creating a hot site. d. All of the above are ineffective options in disaster recovery.
A
The same key is used to encrypt and decrypt in which type of encryption systems? a. Symmetric encryption systems b. Asymmetric encryption systems c. Neither of the above
A
Which data entry application control would detect and prevent entry of alphabetic characters as a price of an inventory item? A. Field check B. Limit check C. Reasonableness check D. Sign check
A
Which of the following can be used to detect whether confidential information has been disclosed? a. A digital watermark b. Information rights management (IRM) software c. Data loss prevention (DLP) software d. None of the above
A
Which of the following causes the majority of computer security problems? A. Human errors B. Software errors C. Natural disasters D. Power outages
A
Which of the following is a fraud in which later payments on account are used to pay off earlier payments that were stolen? A. Lapping B. Kiting C. Ponzi scheme D. Salami Technique
A
Which of the following is a preventive control? A. Training B. Log analysis C. CIRT D. Virtualization
A
Able wants to send a file to Baker over the Internet and protect the file so that only Baker can read it and can verify that it came from Able. What should Able do? A. Encrypt the file using Able's public key, and then encrypt it again using Baker's private key. B. Encrypt the file using Able's private key, and then encrypt it again using Baker's private key. C. Encrypt the file using Able's public key, and then encrypt it again using Baker's public key D. Encrypt the file using Able's private key, and then encrypt it again using Baker's public key.
D
According to sound internal control concepts, which of the following systems duties should be segregated? a. Programming and Systems Administration b. Computer operations and programming c. Custody and record keeping. d. Answers 1 and 2 are correct.
D
Defense in depth utilizes what techniques to assure security? a. Employs multiple layers of controls b. Provides redundancy of controls c. Utilizes overlapping and complementary controls d. All of the above e. None of the above
D
Which step would a computer incident response team (CIRT) take first in the incident response process? a. Containment of the problem b. Recovery c. Follow up d. Recognition that the problem exists
D
Which of the following statements about the control environment is false? A. Management's attitude toward internal control and ethical behavior have little impact on employee beliefs or actions B. An overly complex or unclear organizational structure may be indicative of problems that are more serious C. A written policy and procedures manual is an important tool for assigning authority and responsibility. D. Supervision is especially important in organizations that cannot afford elaborate responsibility reporting or are too small to have an adequate separation of duties.
A
Which of the following techniques is the most effective way for a firewall to use to protect the perimeter? A. Deep packet inspection B. Packet filtering C. Access control list D. All of the above are equally effective
A
Which type of network filtering screens individual IP packets based solely on the information in that packet's header fields? a. Static packet filtering b. Stateful packet filtering c. Deep packet filtering d. None of the above
A
Once fraud has occurred, which of the following will reduce fraud losses? (select all correct answers) A. Insurance B. Regular backup of data and programs C. Contingency plan D. Segregation of duties
A B C
Which of the following conditions is/are usually necessary for a fraud to occur? (select all correct answers) A. Pressure B. Opportunity C. Explanation D. Rationalization
A B D
After the Sarbanes-Oxley Act (SOX) was passed, the Securities and Exchange Commission (SEC) required management to do which of the following: a. use the same audit firm for at least two consecutive audit years. b. report material internal control weaknesses. c. disclose all weaknesses regardless of materiality. d. conduct 100% substantive testing of all internal controls.
B
All of the following are classifications of computer fraud except: a. Input fraud. b. Reconciliation fraud. c. Computer instructions fraud. d. Processor fraud. e. Output fraud.
B
COSO identified five interrelated components of internal control. Which of the following is NOT one of those five? A. Risk assessment B. Internal control policies C. Monitoring D. Information and communication
B
Online processing controls include a. validity checks on the customer item numbers. b. sign checks on inventory-on-hand balances. c. limit checks. d. All of the above.
B
The control procedure designed to restrict what portions of an information system an employee can access and what actions he or she can perform is called A. Authentication B. Authorization C. Intrusion prevention D. Intrusion detection
B
To achieve effective segregation of duties, certain functions must be separated. Which of the following is the correct listing of the accounting-related functions that must be segregated? A. Control, recording, and monitoring B. Authorization, recording, and custody C. Control, custody, and authorization D. Monitoring, recording, and planning
B
Which of the following combinations of credentials is an example of multifactor authentication? A. Voice recognition and a fingerprint reader B. A PIN and an ATM card C. A password and a user ID D. All of the above
B
Which of the following devices should NOT be placed in the demilitarized zone (DMZ)? a. Web server b. Sales department server c. Mail server d. Remote access server
B
Which of the following is a corrective control designed to fix vulnerabilities? A. Virtualization B. Patch management C. Penetration testing D. Authorization
B
Which of the following measures the amount of data that might be potentially lost as a result of a system failure? A. Recovery time objective (RTO) B. Recovery point objective (RPO) C. Disaster recovery plan (DRP) D. Business continuity plan (BCP)
B
Which of the following statements about obtaining consent to collect and use a customer's personal information is true? A. The default policy in Europe is opt-out, but in the United States the default is opt-in. B. The default policy in Europe is opt-in, but in the United States the default is opt-out. C. The default policy in both Europe and the United States is opt-in. D. The default policy in both Europe and the United States is opt-out.
B
Which of the following statements are false? A. The psychological profiles of white-collar criminals differ from those of violent criminals. B. The psychological profiles of white-collar criminals are significantly different from those of the general public. C. There is little difference between computer fraud perpetrators and other types of white-collar criminals. D. Some computer fraud perpetrators do not view themselves as criminals.
B
Which of the following statements is true? A. COSO's enterprise risk management is narrow in scope and is limited to financial controls. B. COSO's internal control integrated framework has been widely accepted as the authority on internal controls. C. The Foreign Corrupt Practices Act had no impact on internal accounting control systems. D. It is easier to add controls to an already designed system than to include them during the initial design stage.
B
Which of the following statements is true? A. Encryption and hashing are both reversible (can be decoded) B. Encryption is reversible, but hashing is not. C. Hashing is reversible, but encryption is not D. Neither hashing nor encryption is reversible.
B
Which of the following statements is true? A. Encryption is sufficient to protect confidentiality and privacy B. Cookies are text files that only store information. They cannot perform any actions C. The controls for protecting confidentiality are not effective for protecting privacy D. All of the above are true
B
Which of the following statements is true? A. Symmetric encryption is faster than asymmetric encryption and can be used to provide non-repudiation of contracts B. Symmetric encryption is faster than asymmetric encryption but cannot be used to provide nonrepudiation of contracts C. Asymmetric encryption is faster than symmetric encryption and can be used to provide nonrepudiation of contracts D. Asymmetric encryption is faster than symmetric encryption but cannot be used to provide nonrepudiation of contracts
B
Which of the following statements is true? A. The concept of defense-in-depth reflects the fact that security involves the use of a few sophisticated technical controls B. Information security is necessary for protecting confidentiality, privacy, integrity of processing, and availability of information resources C. The time-based model of security can be expressed in the following formula: P < D + R D. Information security is primarily an IT issue, not a managerial concern.
B
Which of the following statements is true? a. Hashing is reversible, but encryption is not. b. Encryption is reversible, but hashing is not. c. Both encryption and hashing are reversible. d. Neither hashing nor encryption are reversible.
B
Which of the following uses encryption to create a secure pathway to transmit data? a. Encryption tunnel b. Virtual Private Network (VPN) c. Demilitarized Zone d. None of the above.
B
Which type of fraud is associated with 50% of all auditor lawsuits? A. Kiting B. Fraudulent financial reporting C. Ponzi Schemes D. Lapping
B
A weakness that an attacker can take advantage of to either disable or take control of a system is called a(n) A. Exploit B. Patch C. Vulnerability D. Attack
C
Access controls include the following: a. require employee logouts when the workstations are left unattended. b. prohibitions against visitors roaming the building in which computers are stored. c. Both a and b. d. Neither a nor b.
C
According to Statement on Auditing Standards No. 99 (SAS 99) an auditor should do all of the following during an audit except: a. Incorporate a technology focus. b. Identify, assess, and respond to risks. c. Acquire malpractice insurance in case the auditor does not detect an actual fraud during the audit. d. Document and communicate findings.
C
Confidentiality focuses on protecting A. Personal information collected from customers B. A company's annual report stored on its website C. Merger and acquisition plans D. All of the above
C
Data entry controls do NOT include a. field checks. b. sign checks. c. parity checks. d. range checks.
C
Disaster recovery and testing plans should be done: a. only when a disaster seems imminent. b. only immediately after disaster recovery is designed. c. at least annually. d. only if determined to be necessary.
C
One of the 10 Generally Accepted Privacy Principles (GAPP) concerns security. According to GAPP, what is the nature of the relationship between security and privacy? A. Privacy is a necessary, but not sufficient, precondition to effective security B. Privacy is both necessary and sufficient to effective security. C. Security is a necessary, but not sufficient, precondition to protect privacy. D. Security is both necessary and sufficient to protect privacy
C
The ERM model includes an element called Risk Response. According to that element, which of the following is an appropriate way to respond to risk? a. Implement a system to effectively monitor risk. b. Estimate material risk assessments. c. Share the risk with another. d. All of the above.
C
There are many threats to accounting information systems. Which of the following is an example of an intentional act? a. War and attack by terrorists b. Hardware or software failure c. Computer fraud d. Logic errors
C
What is an assumption underlying the valuation of internal controls? a. Costs are more difficult to quantify than revenues. b. The primary cost analyzed is overhead. c. The internal control should at least provide reasonable assurance that control problems do not develop. d. None of the above.
C
Which of the following actions are used to reduce a fraud loss after a fraud occurs? a. Implement a fraud hotline. b. Conduct periodic external and internal audits. c. Maintain adequate insurance. d. Develop a strong system of internal controls.
C
Which of the following controls checks the accuracy of input data by using it to retrieve and display other related information? a. Prompting b. Validity check c. Closed-loop verification d. All of the above.
C
Which of the following controls would prevent entry of a nonexistent customer number in a sales transaction? A. Field check B. Completeness check C. Validity check D. Batch total
C
Which of the following creates an environment where computer fraud is less likely to occur? a. Hire employees without adequate security and criminal checks. b. Assume that corporate security policies are understood by all employees. c. Increase the penalties for committing fraud. d. None of the above.
C
Which of the following is a control procedure relating to both the design and the use of documents and records? A. Locking blank checks in a drawer B. Reconciling the bank account C. Sequentially prenumbering sales invoices D. Comparing actual physical quantities with recorded amounts.
C
Which of the following is a detective control? A. Hardening endpoints B. Physical access controls C. Penetration testing D. Patch management
C
Which of the following is a fundamental control for protecting privacy? a. Information rights management (IRM) software b. Training c. Encryption d. None of the above
C
Which of the following is a major privacy-related concern? a. Spam b. Identity theft c. Both spam and identity theft d. Neither spam nor identity theft
C
Which of the following is considered a financial pressure (as opposed to emotional or lifestyle pressures) that can lead to employee fraud? a. Gambling habit. b. Greed. c. Poor credit ratings. d. Job dissatisfaction.
C
Which of the following is not an example of computer fraud? A. Theft of money by altering computer records B. Obtaining information illegally using a computer C. Failure to perform preventive maintenance on a computer D. Unauthorized modification of a software program
C
Which of the following is the most important, basic, and effective control to deter fraud? A. Enforced vacations B. Logical access control C. Segregation of duties D. Virus protection controls
C
Which of the following items are considered detective controls? a. Log analysis b. Intrusion detection systems c. Both log analysis and Intrusion Detection Systems d. None of the above
C
Which of the following represents an organization that issues documentation as to the validity and authenticity of the owner of a public key? a. Symmetric Key Infrastructure b. Digital Clearing House c. Certificate Authority d. Digital Signature Repository
C
Which of the following system(s) compares actual performance with planned performance? a. Boundary system b. Belief system c. Diagnostic control system d. Interactive control system e. None of the above.
C
The Sarbanes-Oxley Act is the most important business-oriented legislation in the past 80 years. Which of the following are elements of the Sarbanes-Oxley Act? a. the establishment of the Public Company Accounting Oversight Board. b. the prohibition against auditors performing certain services for their audit clients such as bookkeeping and human resource functions. c. audit committee members must be independent of the audited company. d. All of the above. e. None of the above.
D
The time-based model of security does not include which factor to evaluate the effectiveness of an entity's security controls? a. The time it takes an attacker to break through the entity's preventive controls. b. The time it takes to determine that an attack is in progress. c. The time it takes to respond to an attack. d. The time it takes to evaluate the financial consequences from an attack.
D
Threats to system availability include: a. hardware and software failures. b. natural disasters. c. human error. d. All of the above.
D
What is (are) a principle(s) behind enterprise risk management (ERM)? a. Uncertainty can result in opportunity. b. The ERM framework can help management manage uncertainty. c. Uncertainty results in risk. d. All of the above. e. None of the above.
D
What is the first step in protecting the confidentiality of intellectual property and other sensitive business information? a. Encrypt the data. b. Install information rights management software. c. Employ deep packet inspection techniques on all incoming packets. d. Identify where confidential data resides and who has access to it.
D
Which functions should be segregated? a. Authorization and recording b. Authorization and custody c. Recording and custody d. All of the above. e. None of the above.
D
Which of the following statements is true? A. VPNs protect the confidentiality of information while it is in transit over the Internet B. Encryption limits firewalls' ability to filter traffic C. A digital certificate contains that entity's public key D. All of the above are true.
D
Which of the following are internal control functions? a. Preventive controls b. Detective controls. c. Corrective controls. d. All of the above are internal control functions.
D
Which of the following are internationally recognized best practices for protecting the privacy of customers' personal information? a. Organizations should explain the choices available and obtain customers' consent to the collection of their data prior to its collection. b. Use and retention of customer information as described by their privacy policy. c. Disclosure to third parties only according to their privacy policy. d. All of the above.
D
Which of the following backup procedures copies all changes made since the last full backup? a. Incremental backup b. Differential backup c. Archive backup d. None of the above.
D
Which of the following can organizations use to protect the privacy of a customer's personal information when giving programmers a realistic data set with which to test a new application? A. Digital signature B. Digital watermark C. Data loss prevention D. Data masking
D
Which of the following control procedures is most likely to deter lapping? A. Encryption B. Continual update of the access control matrix C. Background check on employees D. Periodic rotation of duties
D
Which of the following is (are) a component(s) of COSO's internal control model? a. Control activities b. Risk assessment c. Monitoring d. All of the above.
D
Which of the following is NOT a factor that can influence encryption strength? a. Encryption algorithm b. Key length c. Policies for managing cryptographic keys d. All of the above affect encryption strength
D
Which of the following is NOT an independent check? A. Bank reconciliation B. Periodic comparison of subsidiary ledger totals to control accounts C. Trial balance D. Re-adding the total of a batch of invoices and comparing it with your first total
D
Which of the following is a method of controlling remote access? a. Border Routers b. Firewalls c. Intrusion Prevention Systems d. All of the above e. None of the above
D
Which of the following is an example of a corrective control? a. Authentication controls b. Encryption c. Log analysis d. Patch management
D
Which of the following is not a principle applicable to project development and acquisition controls? a. Strategic master plan b. Project controls c. Steering committee d. Network management
D
Which of the following is not one of the responsibilities of auditors in detecting fraud according to SAS No. 99? A. Evaluating the results of their audit tests B. Incorporating a technology focus C. Discussing the risks of material fraudulent misstatements D. Catching the perpetrators in the act of committing the fraud
D
Which of the following is not part of the fraud triangle? a. Pressure b. Opportunity c. Rationalization d. All are part of the fraud triangle.
D
Which of the following statements is true? A. "Emergency" changes need to be documented once the problem is resolved. B. Changes should be tested in a system separate from the one used to process transactions C. Change controls are necessary to maintain adequate segregation of duties D. All of the above are true
D
All other things being equal, which of the following is true? A. Detective controls are superior to preventive controls B. Corrective controls are superior to preventive controls C. Preventive controls are equivalent to detective controls D. Preventive controls are superior to detective controls.
D (Prevention not reaction)
Your current system is deemed to be 90% reliable. A major threat has been identified with an impact of $3,000,000. Two control procedures exist to deal with the threat. Implementation of control A would cost $100,000 and reduce the likelihood to 6%. Implementation of control B would cost $140,000 and reduce the likelihood to 4%. Implementation of both controls would cost $220,000 and reduce the likelihood to 2%. Given the data, and based solely on an economic analysis of costs and benefits, what should you do? A. Implement control A only. B. Implement control B only. C. Implement both controls A and B. D. Implement neither control.
B
Which of the following is the correct order of the risk assessment steps discussed in this chapter? A. Identify threats, estimate risk and exposure, identify controls, and estimate costs and benefits B. Identify controls, estimate risk and exposure, identify threats, and estimate costs and benefits C. Estimate risk and exposure, identify controls, identify threats, and estimate costs and benefits D. Estimate costs and benefits, identify threats, identify controls, and estimate risk and exposure.
A
Which of the following maintains two copies of a database in two separate data centers at all times and updates both copies in real time as each transaction occurs? a. Real-time mirroring b. Full backups c. Incremental backups d. Archiving
A
Which of the following pressures are classified as Management Characteristics that can lead to financial statement fraud? a. High management and/or employee turnover b. Declining industry c. New regulatory requirements that impair financial stability or profitability d. Intense pressure to meet or exceed earnings expectations
A
According to the opportunity part of the fraud triangle, a person may do all of the following acts except: a. Convert the theft or misrepresentation for personal gain. b. Control the fraud. c. Commit the fraud. d. Conceal the fraud.
B
Modifying default configurations to turn off unnecessary programs and features to improve security is called A. User account management B. Defense-in-depth C. Vulnerability scanning D. Hardening
D
A facility that is not only pre-wired for telephone and Internet access but also contains all the computing and office equipment the organization needs to perform its essential business activities is called a: a. Archive b. Checkpoint c. Cold site d. Hot site
D
A scheme where the perpetrator steals the cash or check that customer A mails in to pay its accounts receivable, then later takes the funds from customer B to cover customer A's account, and so on with customer C, is called: a. Computer fraud b. Employee fraud c. Kiting d. Lapping
D
In order for an act to be legally considered fraud it must be all of the following except: a. A material fact. b. Justifiable reliance. c. A false statement. d. No intent to deceive. e. An injury or loss suffered by the victim.
D
Identity theft can be prevented by: a. monitoring credit reports regularly. b. sending personal information in encrypted form. c. immediately cancelling missing credit cards. d. shredding all personal documents after they are used. e. All of the above.
E
Online processing data entry controls include: a. prompting. b. closed loop verification. c. trailer record. d. echo check. e. Answers 1 and 2 only.
E
What criteria contribute to systems reliability? a. Developing and documenting policies b. Effectively communicating policies to all authorized users c. Designing appropriate control procedures d. Monitoring the system and taking corrective action e. All of the above f. None of the above.
E
Which of the following statements is true regarding authorization controls? a. Permits access to all aspects of an entity's operating system b. Permits the user to engage in all operating actions c. Permits the user unlimited ability to change information d. All of the above. e. None of the above.
E
General authorization is different from specific authorization. With general authorization an employee in the proper functional area can: a. authorize typical purchases of inventory items. b. approve purchases within normal customer credit limits. c. endorse checks for deposit. d. approve sales returns and allowances. e. approve vendor invoices for payment. f. All of the above.
F