SU 15

As a result of technological developments facing businesses and CPAs, a. System boundaries are becoming less distinct. b. Computer programmers and operators have eliminated the need for accountants. c. Internet use has spread, and e-business control over user interaction has been simplified. d. Better controls have resulted in a reduction in threats.

a. System boundaries are becoming less distinct.

Using standard procedures developed by information center personnel, staff members download specific subsets of financial and operating data as they need it. The staff members analyze the data on their own personal computers and share results with each other. Over time, the staff members learn to modify the standard procedures to get subsets of financial and operating data that were not accessible through the original procedures. The greatest risk associated with this situation is that a. The data obtained might be incomplete or lack currency. b. The data definition might become outdated. c. The server data might be corrupted by staff members' updates. d. Repeated downloading might fill up storage space on staff members' personal computers.

a. The data obtained might be incomplete or lack currency.

Which of the following is not an element of the completeness and accuracy criterion the Assurance Services Executive Committee (ASEC) uses to define a set of data? a. The intended use of the data. b. The level of precision of the data. c. The margin of error of the data. d. The unit used to measure the data.

a. The intended use of the data.

When evaluating a cloud service provider's data security measures, a company would appropriately consider each of the following risk factors, except a. The provider's vertical scalability. b. The provider's third-party suppliers. c. The provider's multi-tenant architecture. d. The provider's cloud-of-cloud agreements.

a. The provider's vertical scalability.

Which of the following is a password security problem? a. Users are assigned passwords when accounts are created but do not change them. b. Users have accounts on several systems with different passwords. c. Users copy their passwords on note paper, which is kept in their wallets. d. Users select passwords that are not listed in any online dictionary.

a. Users are assigned passwords when accounts are created but do not change them.

Which of the following statements, if included as the description of a data attribute, describes the nature of the elements in the attribute? a. "The data is retrieved from the 20X0 government census report." b. "The size of the warehouse is the amount of type A inventory that may be stored." c. "Volume is measured in cubic meters." d. "Sales data include transactions occurring between 1/1/20X0 and 12/31/20X0."

b. "The size of the warehouse is the amount of type A inventory that may be stored."

A company's accounts payable clerk obtained the payroll supervisor's computer password. The clerk then used the password to obtain unauthorized access to the company's payroll files. Any of the following can be used to prevent such unauthorized access to the payroll files, except a. A smart card. b. A digital signature. c. Multifactor authentication. d. Multimodal authentication.

b. A digital signature.

Which of the following statements is true regarding internal control objectives of information systems? a. Primary responsibility of viable internal control rests with the internal audit division. b. A secure system may have inherent risks due to management's analysis of trade-offs identified by cost-benefit studies. c. Control objectives primarily emphasize output distribution issues. d. An entity's corporate culture is irrelevant to the objectives.

b. A secure system may have inherent risks due to management's analysis of trade-offs identified by cost-benefit studies.

All of the following are correct statements regarding a firewall except a. A network firewall regulates traffic to an entire network. b. An application firewall is an adequate substitute for a network firewall. c. A firewall alone is not an adequate defense against computer viruses. d. A firewall is a combination of hardware and software that separates an internal network from an external network (e.g., the Internet) and prevents passage of traffic deemed suspicious.

b. An application firewall is an adequate substitute for a network firewall.

Which of the following types of control plans is particular to a specific process or subsystem, rather than related to the timing of its occurrence? a. Detective. b. Application. c. Corrective. d. Preventive.

b. Application.

Which of the following CSF implementation steps and COBIT 2019 implementation phases are paired correctly? CSF Steps - COBIT 2019 phases a. Prioritize and Scope; Orient - Where are we now? b. Conduct a Risk Assessment; Create a Target Profile - Where do we want to be? c. Determine, Analyze, and Prioritize Gaps - How do we get there? d. Implement Action Plan - Did we get there?

b. Conduct a Risk Assessment; Create a Target Profile - Where do we want to be?

Which of the following is not a criterion the Assurance Services Executive Committee (ASEC) identifies for defining a set of data and evaluating its integrity? a. Purpose. b. Consistent over time. c. Complete and accurate. d. Necessary for understanding the data.

b. Consistent over time.

Which of the following is a true statement about data democratization? a. Data democratization is the creation of a central platform accessible by all staff in a company. b. Data democratization aims at building a single source of reference for data searching. c. Data democratization is the delegation of data control to the different levels in an organization. d. Data democratization increases ease of access to data at the expense of data security.

b. Data democratization aims at building a single source of reference for data searching.

Review of the audit log is an example of which type of security control? a. Governance. b. Detective. c. Preventive. d. Corrective.

b. Detective.

The two broad groupings of information systems control activities are general controls and application controls. General controls include controls a. Relating to the correction and resubmission of faulty data. b. For developing, modifying, and maintaining computer programs. c. Designed to assure that only authorized users receive output from processing. d. Designed to ensure that all data submitted for processing have been properly authorized.

b. For developing, modifying, and maintaining computer programs.

Which of the following is a false statement about the COBIT 2019 framework? a. A governance framework should reflect relevant compliance standards. b. Governance and management activities and structures can be combined to support a holistic approach. c. The COBIT Performance Management model uses capability levels and maturity levels to measure performance. d. A governance system design may be unique to a particular organization.

b. Governance and management activities and structures can be combined to support a holistic approach.

Innovations in IT increase the importance of risk management because a. The objective of complete security is becoming more attainable. b. Information system security is continually subject to new threats. c. Closed private systems have proliferated. d. Privacy is a concern for only a very few users.

b. Information system security is continually subject to new threats.

Which of the following categories of enablers (or components) is classified as resources under COBIT? a. Culture, ethics, and behavior. b. Information. c. Organizational structures. d. Processes.

b. Information.

Which of the following is most likely a disadvantage for an entity that keeps data files prepared by personal computers rather than manually prepared files? a. Attention is focused on the accuracy of the programming process rather than errors in individual transactions. b. It is usually easier for unauthorized persons to access and alter the files. c. Random error associated with processing similar transactions in different ways is usually greater. d. It is usually more difficult to compare recorded accountability with physical count of assets.

b. It is usually easier for unauthorized persons to access and alter the files.

Which of the following classifications of security controls includes smoke detectors, generators, security guards, and ID badges? a. Technical. b. Physical. c. Administrative. d. Logical.

b. Physical.

All of the following are adequate controls for protection against unauthorized access to sensitive information except a. Automatic log-off. b. System access log. c. Device authorization table. d. Passwords and ID numbers.

b. System access log.

What should be examined to determine if an information system is operating according to prescribed procedures? a. System capacity. b. System control. c. System complexity. d. Accessibility to system information.

b. System control.

Authentication is the process by which the a. System verifies that the user is entitled to enter the transaction requested. b. System verifies the identity of the user. c. User identifies himself or herself to the system. d. User indicates to the system that the transaction was processed correctly.

b. System verifies the identity of the user.

Management is concerned that data uploaded from a personal computer to the company's server may be erroneous. Which of the following controls would best address this issue? a. Server data should be backed up on a regular basis. b. The data uploaded to the server should be subject to the same edits and validation routines that online data entry would require. c. Two persons should be present at the personal computer when it is uploading data. d. The users should be required to review a random sample of processed data.

b. The data uploaded to the server should be subject to the same edits and validation routines that online data entry would require.

A small client recently put its cash disbursements system on a server. About which of the following internal control features would an auditor most likely be concerned? a. Programming of the applications is in BASIC, although C++ is a more up-to-date, flexible programming language. b. The server is operated by employees who have cash custody responsibilities. c. Only one employee has the password to gain access to the cash disbursement system. d. There are restrictions on the amount of data that can be stored and on the length of time that data can be stored.

b. The server is operated by employees who have cash custody responsibilities.

What is the primary objective of data security controls? a. To establish a framework for controlling the design, security, and use of computer programs throughout an organization. b. To ensure that storage media are subject to authorization prior to access, change, or destruction. c. To formalize standards, rules, and procedures to ensure the organization's controls are properly executed. d. To monitor the use of system software to prevent unauthorized access to system software and computer programs.

b. To ensure that storage media are subject to authorization prior to access, change, or destruction.

A network firewall is designed to provide adequate protection against which of the following? a. A computer virus. b. Unauthenticated logins from outside users. c. Insider leaking of confidential information. d. A Trojan horse application.

b. Unauthenticated logins from outside users.

ISACA establishes a phased five-stage data management approach to guide the establishment or improvement of a data governance program. Arrange the following activities in the order defined by ISACA. 1. Establish and evolve data architecture 2. Define, execute, assure data quality, and clean polluted data 3. Establish a data governance foundation 4. Focus on data analytics 5. Realize data democratization a. 3, 2, 1, 5, 4 b. 3, 2, 1, 4, 5 c. 3, 1, 2, 5, 4 d. 3, 1, 2, 4, 5

c. 3, 1, 2, 5, 4

A company wants to protect its IT system from unauthorized users accessing the system. Which of the following controls would best serve to mitigate this risk? a. A keystroke log. b. A transaction log. c. A biometric device. d. Public key encryption.

c. A biometric device.

The firewall system that limits access to a computer by routing users to replicated Web pages is a. A packet filtering system. b. Kerberos. c. A proxy server. d. An authentication system.

c. A proxy server.

An online data entry program is used for original entry of vendor invoices. A batch check-writing program occasionally prepares a check for a vendor not yet included in the vendor file. Checks for such vendors contain nonsense characters in the payee field. The most effective programmed control to prevent this kind of error is to perform a. A verification of vendors in the check-writing program. b. A batch control total check on vendor payments. c. A record lookup for vendors during data entry. d. A completeness test on fields in the check-writing program.

c. A record lookup for vendors during data entry.

When a user enters a certain entity's system, a series of questions is asked of the user, including a name and mother's birth date. These questions are primarily intended to provide a. Authorization for processing. b. Access control to computer hardware. c. Authentication of the user. d. Data integrity control.

c. Authentication of the user.

A company permits employees to work from home using company-owned laptops. Which of the following competitive advantages does the company most likely obtain as a result of this decision? a. Integrity. b. Reliability. c. Availability. d. Confidentiality.

c. Availability.

Which of the following IT controls would a company appropriately use to mitigate the risk of unauthorized access to its payroll data? a. Validity checks. b. A neural network. c. Biometric devices. d. Employee purchase cards.

c. Biometric devices.

A customer intended to order 100 units of product Z96014 but incorrectly ordered nonexistent product Z96015. Which of the following controls most likely would detect this error? a. Redundant data check. b. Hash total. c. Check digit verification. d. Record count.

c. Check digit verification.

An employee in the receiving department keyed in a shipment from a remote terminal and inadvertently omitted the purchase order number. The best systems control to detect this error is a a. Compatibility test. b. Sequence check. c. Completeness test. d. Reasonableness test.

c. Completeness test.

Some data processing controls relate to all computer processing activities (general controls) and some relate to specific tasks (application controls). General controls include a. Controls designed to ascertain that all data submitted to computer processing have been properly authorized. b. Controls that relate to the correction and resubmission of data that were initially incorrect. c. Controls for documenting and approving programs and changes to programs. d. Controls designed to assure the accuracy of the processing results.

c. Controls for documenting and approving programs and changes to programs.

Which of the following statements most accurately describes the impact that automation has on the controls normally present in a manual system? a. Transaction trails are more extensive in a computer-based system than in a manual system because a one-for-one correspondence always exists between data entry and output. b. Responsibility for custody of information assets is more concentrated in user departments in a computer-based system than it is in a manual system. c. Controls must be more explicit in a computer-based system because many processing points that present opportunities for human judgment in a manual system are eliminated. d. The quality of documentation becomes less critical in a computer-based system than it is in a manual system because data records are stored in machine-readable files.

c. Controls must be more explicit in a computer-based system because many processing points that present opportunities for human judgment in a manual system are eliminated.

A company discovered incidents of unauthorized access to its internal system. Which of the following actions or practices is involved in implementation phase 5 of COBIT 2019? a. Identifying that the company lacks usernames and passwords for authorized employees. b. Developing an action plan to create usernames and passwords for employees. c. Creating a list of authorized employees who should be assigned usernames and passwords. d. Testing whether incidents of unauthorized access exist after implementing the plan.

c. Creating a list of authorized employees who should be assigned usernames and passwords.

Which of the following issues would be of most concern to an auditor relating to an organization's information security policy? a. Auditor documentation. b. System efficiency. c. Data integrity. d. Rejected and suspense item controls.

c. Data integrity.

To manage its transactional data, Fort Company established the data stewardship structure in its data management program. Which of the following roles is responsible for authorizing access to transactional data? a. Data owner. b. Data regulator. c. Data steward. d. Data custodian.

c. Data steward.

The purpose of check digit verification of an account number on an update transaction is to a. Verify that the account number corresponds to an existing account in the master file. b. Require the account number to have the correct logical relationship with other fields. c. Detect a transposition of an account number entered into the system. d. Ensure that supporting documentation exists for the update transaction.

c. Detect a transposition of an account number entered into the system.

A retail store uses batch processing to process sales transactions. The store has batch control total and other control checks embedded in the information processing system of the sales subsystem. While comparing reports, an employee notices that information sent to the subsystem was not fully processed. Which of the following types of controls is being exercised by the employee? a. Preventive. b. Corrective. c. Detective. d. Input.

c. Detective.

Able Co. uses an online sales order processing system to process its sales transactions. Able's sales data are electronically sorted and subjected to edit checks. A direct output of the edit checks most likely would be a a. List of all voided shipping documents. b. Report of all missing sales invoices. c. File of all rejected sales transactions. d. Printout of all user code numbers and passwords.

c. File of all rejected sales transactions.

Which of the following is a network security system that is used to control network traffic and to set up a boundary that prevents traffic from one segment from crossing over to another? a. Router. b. Gateway. c. Firewall. d. Heuristic.

c. Firewall.

In an automated payroll processing environment, a department manager substituted the time card for a terminated employee with a time card for a fictitious employee. The fictitious employee had the same pay rate and hours worked as the terminated employee. The best control to detect this action using employee identification numbers is a a. Reasonableness test. b. Record count. c. Hash total. d. Financial total.

c. Hash total.

Which of the following risks are greater in computerized systems than in manual systems? I. Erroneous data conversion II. Erroneous source document preparation III. Repetition of errors IV. Concentration of data a. I and II. b. II and III. c. I, III, and IV. d. I, II, III, and IV.

c. I, III, and IV.

A client installed sophisticated controls that use the biometric attributes of employees to authenticate user access to the computer system. This technology most likely replaced which of the following controls? a. Use of security specialists. b. Reasonableness tests. c. Passwords. d. Virus protection software.

c. Passwords.

Which of the following is the best policy for the protection of a company's vital information resources from computer viruses? a. Stringent corporate hiring policies for staff working with computerized functions. b. Existence of a software program for virus prevention. c. Prudent management procedures instituted in conjunction with technological safeguards. d. Physical protection devices in use for hardware, software, and library facilities.

c. Prudent management procedures instituted in conjunction with technological safeguards.

A systems engineer is developing the input routines for a payroll system. Which of the following methods validates the proper entry of hours worked for each employee? a. Sequence check. b. Check digit. c. Reasonableness check. d. Capacity check.

c. Reasonableness check.

All of the following are correct statements regarding general controls except a. General controls relate to the organization's IT environment and sustain the conditions under which application controls can function properly. b. Treating IT as a separate functional area of the organization involves the designation of a chief information officer (CIO) or chief technology officer (CTO) and the establishment of an information systems steering committee to set a coherent direction for the organization's systems and prioritize information technology projects. c. Segregation of duties is less important because IT facilitates the separation of functions (authorization, recording, and access to assets). d. Controls over software acquisition, change, and maintenance include controls over systems software and controls over application software.

c. Segregation of duties is less important because IT facilitates the separation of functions (authorization, recording, and access to assets).

Which of the following statements best characterizes the function of a physical access control? a. Protects systems from the transmission of Trojan horses. b. Provides authentication of users attempting to log into the system. c. Separates unauthorized individuals from computer resources. d. Minimizes the risk of incurring a power or hardware failure.

c. Separates unauthorized individuals from computer resources.

After segregating the duties of system analysts and file librarians and imposing proper supervision, a company tests whether incidents deemed to be the result of incompatible job responsibilities continue to exist. Which COBIT governance system principle is this paired with? a. Dynamic governance system. b. Governance distinct from management. c. Tailored to enterprise needs. d. End-to-end governance system.

c. Tailored to enterprise needs.

Which of the following is a computer program that appears to be legitimate but performs some illicit activity when it is run? a. Hoax virus. b. Web crawler. c. Trojan horse. d. Killer application.

c. Trojan horse.

When a client's accounts payable computer system was relocated, the administrator provided support through a dial-up connection to a server. Subsequently, the administrator left the company. No changes were made to the accounts payable system at that time. Which of the following situations represents the greatest security risk? a. User passwords are not required to be in alpha-numeric format. b. Management procedures for user accounts are not documented. c. User accounts are not removed upon termination of employees. d. Security logs are not periodically reviewed for violations.

c. User accounts are not removed upon termination of employees.

Which of the following is an advantage of a computer-based system for transaction processing over a manual system? A computer-based system a. Does not require as stringent a set of internal controls. b. Will produce a more accurate set of financial statements. c. Will be more efficient at producing financial statements. d. Eliminates the need to reconcile control accounts and subsidiary ledgers.

c. Will be more efficient at producing financial statements.

Which of the following provides a valid example of data categorization under data taxonomy and data classification? Data taxonomy; data classification a. public; confidential b. product; manufacturing c. financial; internal d. sensitive; manufacturing

c. financial; internal

Which of the following is the most effective user account management control in preventing the unauthorized use of a computer system? a. Management encourages employees to save passwords on their desktops to prevent them from forgetting or entering the wrong passwords. b. An account manager is responsible for authorizing and issuing new accounts. c. The passwords and usernames of failed log-in attempts are logged and documented in order to cite attempted infiltration of the system. d. Employees are required to renew their accounts semiannually.

d. Employees are required to renew their accounts semiannually.

Which of the following is a key area in the governance objectives under COBIT? a. Align, plan, and organize. b. Build, acquire, and implement. c. Deliver, service, and support. d. Evaluate, direct, and monitor.

d. Evaluate, direct, and monitor.

Which of the following risks can be minimized by requiring all employees accessing the information system to use passwords? a. Collusion. b. Data entry errors. c. Failure of server duplicating function. d. Firewall vulnerability.

d. Firewall vulnerability.

General controls include I. Physical controls. II. Access controls. III. Hardware controls. IV. Environmental controls. V. Logical controls. a. I and IV. b. II, III, and IV. c. I, II, and III. d. I, II, III, IV, and V.

d. I, II, III, IV, and V.

Spoofing is one type of malicious online activity. Spoofing is a. Trying large numbers of letter and number combinations to access a network. b. Eavesdropping on information sent by a user to the host computer of a website. c. Accessing packets flowing through a network. d. Identity misrepresentation in cyberspace.

d. Identity misrepresentation in cyberspace.

What approach is used to implement the CSF in the context of COBIT 2019? a. Rapid approach. b. Inclusive approach. c. Radical approach. d. Incremental approach.

d. Incremental approach.

Which of the following control activities should be taken to reduce the risk of incorrect processing in a newly installed computerized accounting system? a. Segregation of duties. b. Ensure proper authorization of transactions. c. Adequately safeguard assets. d. Independently verify the transactions.

d. Independently verify the transactions.

Which of the following statements is true concerning the COBIT 5 framework? a. Governance and management are synonyms for the activities of upper management. b. Information technology controls are most effectively designed and executed in isolation from other business processes. c. Minimization of risk and resource use are among the major goals of COBIT 5. d. Information and organizational structures are among the enablers identified in COBIT 5.

d. Information and organizational structures are among the enablers identified in COBIT 5.

Which of the following is a key difference in controls when changing from a manual system to a computer system? a. Internal control principles change. b. Internal control objectives differ. c. Control objectives are more difficult to achieve. d. Methodologies for implementing controls change.

d. Methodologies for implementing controls change.

Which of the following statements presents an example of a general control for a computerized system? a. Limiting entry of sales transactions to only valid credit customers. b. Creating hash totals from Social Security numbers for the weekly payroll. c. Restricting entry of accounts payable transactions to only authorized users. d. Restricting access to the computer center by use of biometric devices.

d. Restricting access to the computer center by use of biometric devices.

Which of the following activities would most likely detect computer-related fraud? a. Using data encryption. b. Performing validity checks. c. Conducting fraud-awareness training. d. Reviewing the systems-access log.

d. Reviewing the systems-access log.

One of the data definition criteria identified by the Assurance Services Executive Committee (ASEC) is that the description identifies information that has not been included in the data set but is necessary for understanding the data. Which of the following is not an example of this criterion? a. A description of the grading scale used by a gemstone company. b. The formula used to convert a measurement to different scales. c. The regression model used when only the independent variable is presented. d. The analyst report from which the data are retrieved.

d. The analyst report from which the data are retrieved.

A company has in place an authentication system that requires users to enter a logon name and password. In an effort to strengthen this method of authentication, the company's chief information officer (CIO) asked the technology steering committee to recommend a biometric control for the authentication process. Which of the following committee recommendations best meets the requirement of the CIO? a. The use of a number-generating token that generates a different seven-digit number every 30 seconds to allow system entry. b. The use of a voice-to-text converter on user workstations that allows users to speak their user name and password. c. The use of a picture selection screen in which a user must choose a matching photo to one that was selected when the system was first implemented. d. The installation of fingerprint scanners on all workstations.

d. The installation of fingerprint scanners on all workstations.

A company's purchasing department creates purchase orders based on electronic requests sent by operations. These requests are approved by operations, and no further approvals are required to place a purchase order. Purchasing clerks key the order information, including vendor names and prices, into the purchasing system based on the electronic requests. Which of the following is the best control to ensure that orders are entered accurately? a. Clerks use preformatted screens, which show the clerks the type of information expected, but do not restrict input. b. Approvals from management in operations are sent to clerks along with the order requests, which are then filled. c. A hash total of the total quantity of all items entered by purchasing clerks each day is compared to the total quantity of all the items originated by operations personnel. d. The purchasing system compares vendor information and prices entered by the clerks to master vendor and pricing data and rejects variances.

d. The purchasing system compares vendor information and prices entered by the clerks to master vendor and pricing data and rejects variances.

Your firm has recently converted its purchasing cycle from a manual process to an online computer system. Which of the following is a probable result associated with conversion to the new automatic system? a. Processing errors are increased. b. The firm's risk exposures are reduced. c. Processing time is increased. d. Traditional duties are less segregated.

d. Traditional duties are less segregated.

The description of a data attribute reads, "This forecast is prepared with the aid of a financial expert." To which of the following elements regarding the completeness and accuracy criterion provided by the Assurance Services Executive Committee (ASEC) to define a dataset does the above statement relate? a. Nature of the data element. b. Source of data. c. Accuracy, correctness, or precision. d. Uncertainty.

d. Uncertainty.

Under the COBIT 2019 framework, which of the following statements is true? a. A focus area includes the threat landscape, technology adoption strategy, and enterprise strategy and goals. b. Providing stakeholder value is a governance framework principle. c. A governance system should focus on covering the IT function end to end. d. Variant components for a governance system are designed for a specific context within a focus area.

d. Variant components for a governance system are designed for a specific context within a focus area.

An auditor was examining a client's network and discovered that the users did not have any password protection. Which of the following would be the best example of the type of network password the users should have? a. trjunpqs. b. 34787761. c. tr34ju78. d. tR34ju78.

d. tR34ju78.

Each of the following would help prevent incorrect postings to the general ledger in a computerized accounting system, except a. Establishing a unique transaction number for each general ledger posting. b. Performing a range check on the general ledger account in the transaction. c. Validating the posting date of the transaction. d. Restricting the ability to post directly to accounts with subsidiary ledgers.

a. Establishing a unique transaction number for each general ledger posting.

Parity checks and echo checks are examples of a. Hardware controls. b. Access controls. c. Logical controls. d. Environmental controls.

a. Hardware controls.

Which of the following passwords would be most difficult to crack? a. O?Ca!FlSi b. language c. 12 HOUSE 24 d. pass56word

a. O?Ca!FlSi

An organization relied heavily on e-commerce for its transactions. Evidence of the organization's security awareness manual would be an example of which of the following types of controls? a. Preventive. b. Detective. c. Corrective. d. Compliance.

a. Preventive.

Which of the following is a true statement regarding data owners and data stewards? a. Data owners make decisions about the data, and data stewards ensure the data are used and adopted properly. b. Data owners make decisions about the data, and data stewards ensure the safeguards for the data. c. Data owners ensure that data assets are used and adopted properly, and data stewards ensure the IT controls for the data. d. Data owners ensure the safeguards for the data assets, and data stewards ensure that the data are used and adopted properly.

a. Data owners make decisions about the data, and data stewards ensure the data are used and adopted properly.

An employee mistakenly enters April 31 in the date field. Which of the following programmed edit checks offers the best solution for detecting this error? a. Reasonableness. b. Mathematical accuracy. c. Preformatted screen. d. Online prompting.

a. Reasonableness.

The significance of hardware controls is that they a. Ensure the proper execution of machine instructions. b. Reduce the incidence of user input errors in online systems. c. Ensure accurate programming of operating system functions. d. Ensure that run-to-run totals in application systems are consistent.

a. Ensure the proper execution of machine instructions.

Which of the following statements is inconsistent with the key principles of the COBIT 5 framework? a. Enterprise governance and management are treated as the same activity. b. The needs of stakeholders are the focus of all organizational activities. c. Information technology controls are considered to be intertwined with those of the organization's everyday operations. d. COBIT 5 can be applied even when other IT-related standards have been adopted.

a. Enterprise governance and management are treated as the same activity.

Attacks on computer networks may take many forms. Which of the following uses the computers of innocent parties infected with Trojan horse programs? a. A distributed denial-of-service attack. b. A man-in-the-middle attack. c. A brute-force attack. d. A password-cracking attack.

a. A distributed denial-of-service attack.

Which of the following statements is correct regarding information technology (IT) governance? a. A primary goal of IT governance is to balance risk versus return over IT and its processes. b. IT governance is an appropriate issue for organizations at the level of the board of directors only. c. IT goals should be independent of strategic goals. d. IT governance requires that the Control Objectives for Information and related Technology (COBIT) framework be adopted and implemented.

a. A primary goal of IT governance is to balance risk versus return over IT and its processes.

The headquarters' computer of a certain entity maintains a matrix of user names and the files/programs the user can access as well as what the user can do to/with the file or program. This matrix is primarily intended to provide a. Authorization for processing. b. Access control to computer hardware. c. Authentication of the user. d. Data integrity control.

a. Authorization for processing.

Which of the following computerized control procedures is most effective in ensuring that files of data uploaded from personal computers to a server are complete and that no additional data are added? a. Batch control totals, including control totals and hash totals. b. Passwords that effectively limit access to only those authorized to upload the data to the server. c. Self-checking digits to ensure that only authorized part numbers are added to the database. d. Field-level edit controls that test each field for alphanumerical integrity.

a. Batch control totals, including control totals and hash totals.

A customer notified a company that the customer's account did not reflect the most recent monthly payment. The company investigated the issue and determined that a clerk had mistakenly applied the customer's payments to a different customer's account. Which of the following controls would help to prevent such an error? a. Closed-loop verification. b. Field check. c. Completeness test. d. Checksum.

a. Closed-loop verification.

Which of the following characteristics distinguishes computer processing from manual processing? a. Computer processing virtually eliminates the occurrence of computational error normally associated with manual processing. b. Errors or fraud in computer processing will be detected soon after their occurrence. c. The potential for systematic error is ordinarily greater in manual processing than in computerized processing. d. Most computer systems are designed so that transaction trails useful for audit purposes do not exist.

a. Computer processing virtually eliminates the occurrence of computational error normally associated with manual processing.

Which of the following is a true statement regarding security over an entity's IT? a. Controls should exist to ensure that users have access to and can update only the data elements that they have been authorized to access. b. Controls over data sharing by diverse users within an entity should be the same for every user. c. The employee who manages the computer hardware should also develop and debug the computer programs. d. Controls can provide assurance that all processed transactions are authorized but cannot verify that all authorized transactions are processed.

a. Controls should exist to ensure that users have access to and can update only the data elements that they have been authorized to access.

One of the major problems in a computer system is that incompatible functions may be performed by the same individual. One compensating control is the use of a. Echo checks. b. A check digit system. c. Computer-generated hash totals. d. A computer log.

d. A computer log.

A company's web server has been overwhelmed with a sudden surge of false requests that caused the server to crash. The company has most likely been the target of a. Spoofing. b. Piggybacking. c. An eavesdropping attack. d. A denial of service attack.

d. A denial of service attack.

An entity has many employees that access a database. The database contains sensitive information concerning the customers of the entity and has numerous access points. Access controls prevent employees from entry to those areas of the database for which they have no authorization. All salespersons have certain access permission to customer information. Which statement is true regarding the nature of the controls and risks? a. Because there is no segregation of duties among the salespersons, risk of collusion is increased. b. Only one salesperson should be allowed access permission. c. Sales department personnel should not have access to any part of the database. d. A salesperson's access to customer information should extend only to what is necessary to perform his or her duties.

d. A salesperson's access to customer information should extend only to what is necessary to perform his or her duties.

Controls in the information technology area are classified into the preventive, detective, and corrective categories. Which of the following is a preventive control? a. Contingency planning. b. Hash total. c. Echo check. d. Access control software.

d. Access control software.

Dora Jones, an auditor for Farmington Co., noted that the Acme employees were using computers connected to Acme's network by wireless technology. On her next visit to Acme, Jones brought one of Farmington's laptop computers with a wireless network card. When she started the laptop to begin work, Jones noticed that the laptop could view several computers on Acme's network and that she had access to Acme's network files. Which of the following statements is the most likely explanation? a. Acme's router was improperly configured. b. Farmington's computer had the same administrator password as the server. c. Jones had been given root account access on Acme's computer. d. Acme was not using security on the network.

d. Acme was not using security on the network.

Which of the following is not among the seven CSF implementation steps? a. Orientation. b. Risk assessment. c. Gap prioritization. d. Action plan review.

d. Action plan review.

Which of the following security controls may prevent unauthorized access to sensitive data via an unattended workstation connected to a server? a. Use of a screen saver. b. Use of passwords to identify users. c. Encryption of data files. d. Automatic log-off of inactive users.

d. Automatic log-off of inactive users.

A company began issuing handheld devices to key executives. Each of the following factors is a reason for requiring changes to the security policy except a. Storage of sensitive data. b. Portability of the device. c. Vulnerability of the device. d. Convenience of the device.

d. Convenience of the device.

A client who recently installed a new accounts payable system assigned employees a user identification code (UIC) and a separate password. Each UIC is a person's name, and the individual's password is the same as the UIC. Users are not required to change their passwords at initial log-in, nor do passwords ever expire. Which of the following statements does not reflect a limitation of the client's computer-access control? a. Employees can easily guess fellow employees' passwords. b. Employees are not required to change passwords. c. Employees can circumvent procedures to segregate duties. d. Employees are not required to take regular vacations.

d. Employees are not required to take regular vacations.
