ISC Chapter 2


Which of the following terms best describes a payroll system? A. Transaction processing system (TPS). B. Decision support system (DSS). C. Enterprise resource planning (ERP) system. D. Database management system (DBMS).

Choice "A" is correct. A payroll system is a transaction processing system. It may use a database management system to store its data, but it is not a database management system. Choice "B" is incorrect. A decision support system is a program that provides interactive support during the decision-making process. A payroll application is not a decision support system, although it is possible that a payroll system might have some decision support capabilities relevant to payroll. Choice "C" is incorrect. An enterprise resource planning system is a cross-functional enterprise program that integrates and automates the many business processes that must work together, such as manufacturing, logistics, distribution, accounting, finance, and human resources. The payroll function might be a component of the human resources module of an ERP system, but it is not an ERP system in itself. Choice "D" is incorrect. A database management system is a program used by other systems to store and manage data, not an application system itself. All of these other systems more than likely use a DBMS as a repository of the data. A database management system is a tool.

General controls in an information system include each of the following, except: A. Logic tests. B. Security management. C. Software acquisition. D. Information technology infrastructure.

Choice "A" is correct. General controls ensure that an organization's control environment is well-managed and stable. Logic tests are not one of the components of general controls. Choice "B" is incorrect. Security management controls fall under the category of general controls. Choice "C" is incorrect. Software acquisition, as well as development, operations, and maintenance controls, all fall under general controls. Choice "D" is incorrect. The IT infrastructure is certainly a key component of general controls.

Which of the following is best described as a very large data repository that is centralized and used for reporting and analysis rather than for transactional purposes? A. Data mart B. Operational data store (ODS) C. Data warehouse D. Data lake

Choice "C" is correct. A data warehouse is best described as a very large data repository that is centralized and used for reporting and analysis rather than for transactional purposes. A data warehouse pulls data either directly from enterprise systems with transactional data or from an ODS. Choice "A" is incorrect. A data mart is more focused on a specific purpose, such as marketing or logistics, than a data warehouse. A data mart is often a subset of a data warehouse. Choice "B" is incorrect. An operational data store (ODS) is a repository of transactional data from multiple sources and is often an interim area between a data source and data warehouses. Choice "D" is incorrect. A data lake is a repository similar to a data warehouse, but it contains both structured and unstructured data, with data mostly being in its raw format. Given that a data lake contains both structured and unstructured data, it is generally not suitable for reporting and analysis until further standardization or syntheses are performed.

Savestone Solutions is a national business and individual tax software provider that pushes out annual updates to its web-based tax platforms so users can file returns for their clients based on the most updated tax laws. When significant tax legislation is released, the tax and development team at Savestone follow a very mechanized process to complete an updated release for applicable products, which includes the following steps: Define high-priority customer requirements using a product backlog. Assess whether changes are needed to the original product backlog at specific milestones spread across the duration of the project. Meet twice per day: in the morning to determine goals and in the afternoon to assess progress. Perform testing of new features once per week for the duration of the project. Which of the following system change approaches does Savestone most likely follow? A. Critical path method B. Waterfa

Choice "C" is correct. The Agile method is a change management methodology that was created to address shortfalls of the Waterfall method, another methodology used to implement change. The Agile method has a more flexible approach that is distinguished by its use of cross-functional teams that are dedicated to different functions and improvement initiatives that are tied to a list of the end customer's prioritized needs. The steps listed in Savestone Solutions' mechanized process for completing updates align with the core Agile principles, which include satisfying customers early with continuous delivery of high-priority features, welcoming change, meeting frequently to make adjustments, and completing only work requested by the customer. Choice "A" is incorrect. The critical path method is a project management approach that identifies the longest sequence of dependent events in a project to determine the earliest point at which a project can be completed. While Savestone could likely apply this approach, the critical path method is not defined by the mechanized steps that Savestone implements. Choice "B" is incorrect. With the Waterfall method, there is no customer input and change can be difficult to manage, which conflicts with the first two steps of Savestone's mechanized process. In addition, meetings and testing under the Waterfall method are not as frequent as described in the last two steps of the process. Choice "D" is incorrect. Kaizen originated in Japan and is an approach adopted by the auto manufacturer Toyota. It focuses more on continuous improvement through small improvements over time rather than short sprints that have a finite life.

In an effort to recognize improvement opportunities, a company is reviewing its in-house systems. The best reason for the company to consider switching to cloud computing as a solution is that it: A. Provides better program modification options. B. Is the best way to secure sensitive corporate information. C. Is accessible only from within the company on its Intranet. D. Usually has lower upfront costs for equipment and maintenance.

Choice "D" is correct. Cloud computing involves virtual servers available over the Internet. Upfront and maintenance costs are usually much cheaper than a particular software solution installed in-house. Cloud computing is a cost-efficient method to use, maintain, and upgrade. Choice "A" is incorrect. With cloud computing, program modification would depend on the service provider, which may be less responsive and flexible than in-house resources. Choice "B" is incorrect. Although cloud computing has a high level of security for customer data, a disadvantage of cloud computing is that a company's sensitive information has to be given to a third-party cloud service provider. Choice "C" is incorrect. Cloud computing is accessible over the Internet, not an Intranet system.

Savestone Solutions is a national business and individual tax software provider that pushes out annual updates to its web-based tax platforms so users can file returns for their clients based on the most updated tax laws. When significant tax legislation is released, the tax and development team at Savestone follow a very mechanized process to complete an updated release for applicable products, which includes the following steps: Define high-priority customer requirements using a product backlog. Assess whether changes are needed to the original product backlog at specific milestones spread across the duration of the project. Meet twice per day: in the morning to determine goals and in the afternoon to assess progress. Perform testing of new features once per week for the duration of the project. Which of the following system change approaches does Savestone most likely follow? A. Critical path method B. Waterfa

Choice "D" is correct. The Agile method is a change management methodology that was created to address shortfalls of the Waterfall method, another methodology used to implement change. The Agile method has a more flexible approach that is distinguished by its use of cross-functional teams that are dedicated to different functions and improvement initiatives that are tied to a list of the end customer's prioritized needs. The steps listed in Savestone Solutions' mechanized process for completing updates align with the core Agile principles, which include satisfying customers early with continuous delivery of high-priority features, welcoming change, meeting frequently to make adjustments, and completing only work requested by the customer. Choice "A" is incorrect. The critical path method is a project management approach that identifies the longest sequence of dependent events in a project to determine the earliest point at which a project can be completed. While Savestone could likely apply this approach, the critical path method is not defined by the mechanized steps that Savestone implements. Choice "B" is incorrect. With the Waterfall method, there is no customer input and change can be difficult to manage, which conflicts with the first two steps of Savestone's mechanized process. In addition, meetings and testing under the Waterfall method are not as frequent as described in the last two steps of the process. Choice "C" is incorrect. Kaizen originated in Japan and is an approach adopted by the auto manufacturer Toyota. It focuses more on continuous improvement through small improvements over time rather than short sprints that have a finite life.

A company's credit manager inadvertently processed an $800 credit memo to refund an item for which the customer had paid $300. Which of the following automated controls would assist the company in preventing such a data entry error? A. Reasonableness tests B. Field check tests C. Check digit tests D. Size check tests

Choice "A" is correct. A reasonableness test will likely prompt an error message when the offset transaction total exceeds the original transaction. Choice "B" is incorrect. A field check compares the field values in a transaction form to the field requirements (i.e., mandatory) and format restrictions (i.e., text, numeric, dates, etc.). Choice "C" is incorrect. Check digit tests determine whether an ID number entered is a valid entry (i.e., a bank number should have nine digits). Choice "D" is incorrect. A size check test compares the transaction with a predetermined threshold on a standalone basis. As such, this test will not be effective in preventing issuing a credit larger than the original transaction amount.

A cloud service provider's vision is to provide reliable and consistent network connectivity for all customers. Part of its corporate strategy for achieving that is heavily reliant on all of the following except: A. Utilizing a community cloud deployment model. B. Having all IT personnel on the company payroll. C. Owning the underlying physical IT infrastructure. D. Full autonomy over disaster recovery processes.

Choice "A" is correct. Aligning an organization's corporate strategy with its IT strategy promotes the effective implementation of IT governance, which is critical for cloud service providers (CSPs). The cloud computing deployment model utilized by CSPs will result in different levels of risk and can be public, private, hybrid, or community-based. Each model type has a unique risk profile because some environments may be fully shared with other companies, partially shared, or completely private. Utilizing a community cloud deployment model for the company's own infrastructure would not be ideal for a cloud service provider because it would remove several layers of control that it otherwise would have if it managed this function fully on site with a private cloud model. Although hosting a private network requires more maintenance, it allows a company to develop the network according to its own unique needs, using its own highly skilled IT staff. This sort of heightened control can also allow an organization to fine-tune disaster recovery speeds, offering flexibility that assigns faster recovery speeds to high-priority applications and lower speeds to others. Choice "B" is incorrect. Providing consistent connectivity for customers would require IT staff to be on payroll so they could respond immediately to any outages as well as provide ongoing maintenance to prevent network downtime. Relying on third-party IT staff could result in response time lags because the third-party provider may prioritize other clients first. Choice "C" is incorrect. Because the cloud service provider's vision is to provide clients connectivity that does not fail regularly, it would be most appropriate to have its own physical network, rather than share part or all of it. Networks that are on-premise, and fully maintained by the CSP, ensure more

Savestone Inc. is working with its outsourced IT provider to create documented strategies for dealing with short- and long-term system outages. Together, they created a plan. The plan aligns resources to enable a quick return to operations without harm to resources. This plan addresses which of the following concepts related to system availability? A. Business resiliency B. Change management C. Business continuity D. Disaster recovery

Choice "A" is correct. An organization's system availability is preserved by shoring up business resiliency practices, establishing a business continuity plan, and creating and testing a disaster recovery plan. Business resiliency refers to continuous operation or the ability to quickly return to operations after an event, whereas business continuity is more operations-focused in that it concentrates on continuing product and service delivery. Disaster recovery efforts are strategic plans an organization executes after the destruction of data, IT equipment, applications, and other corporate resources. This plan illustrates business resiliency because the focus is on the speed at which a company can return to operations. Choice "B" is incorrect. The scope of the plan covers business resiliency, which focuses on the speed at which a company can return to operations. Change management is not one of the three core components of system availability. Choice "C" is incorrect. This plan does not describe business continuity, which concentrates on being able to return to delivering products and services. This plan focuses on the speed at which a company can return to operations, which better aligns with business resiliency. Choice "D" is incorrect. This plan does not illustrate disaster recovery. Disaster recovery plans are about restoration after the destruction of resources due to a disaster rather than continuous operation or the ability to quickly return to operations after an event.

Which of the following identifies a potential threat posed by the use of blockchain? A. The resulting decentralization could lead to a decreased level of accountability. B. The shared ledger could promote a weaker control environment. C. The mutability of the transactions could make them subject to an increased risk of transactional fraud. D. Transaction processing could require greater human intervention.

Choice "A" is correct. Blockchain technology was developed to prevent Bitcoin from being replicated and to limit its initial creation so that there is only a finite number of Bitcoins. The value of blockchain is its resistance to alteration, multiparty transaction validation, and decentralized nature. Alteration is difficult because each block adds to all prior blocks, enabling everyone to view all blocks in the chain from the beginning of the entire chain. Given blockchain has no centralized management overseeing its activity, no particular entity can be held accountable or responsible if things go wrong. Choice "B" is incorrect. Transactions processed on blockchain's ledger should meet the processing integrity standards required by COSO's control environment. The immutability of blockchain can promote processing integrity which in turn contributes to commitment to competence, a principle of control environment. Choice "C" is incorrect. Blockchain is resistant to alteration and allows multiparty transaction validation as each 'block' adds to all prior blocks, enabling everyone to view all blocks since creation. The blockchain's immutability quality decreases the risk of transactional fraud. Choice "D" is incorrect. Blockchain transactions require limited human intervention through automation and the elimination of intermediaries.

Which of the following best describes a benefit of using a cloud service provider (CSP)? A. Redundancy and the ability to recover from a disaster is improved. B. Data processing is more efficient due to CSPs having purely decentralized virtual locations. C. Fixed pricing for usage that comes with CSPs makes budgeting more predictable. D. On-site hardware support is eliminated.

Choice "A" is correct. CSPs offer many benefits to their clients, including flexible pricing that varies based on resource consumption, a reduction in on-site hardware support by shifting to virtual resources, and processing data more efficiently by accessing advanced computing power not normally accessible due to significant up-front investment. CSPs also make organizations more resilient by enhancing their disaster recovery capabilities and making them more immune to system failures. CSPs provide clients the duplication of critical infrastructure so that if systems fail on-site or even at a CSP's premises, there are backups in place that create redundancy. In the event of a cyberattack or a natural disaster, these fail-safe practices help organizations recover faster. Choice "B" is incorrect. Data processing efficiency improvement is mainly driven by the scalability feature of a CSP, not by the decentralized virtual locations of the CSP. Choice "C" is incorrect. Pricing with CSPs is generally based on the usage of resources over a period of time. Those resources may be measured in metrics such as the time of computing resources used, the amount of storage consumed, or the number of licenses purchased. They are not usually fixed. Choice "D" is incorrect. Some on-site support at every organization will still be required for local IT equipment or networking devices that are not outsourced to the cloud. Examples include laptops or desktops for employees, and local routers and switches for connectivity.

The following depicts which type of cloud computing model? Uptime (managed by: org) - Data center (managed by: CSP) - App design (managed by: org) A. IAAS B. SAAS C. PAAS D. On-premises

Choice "A" is correct. Cloud computing deployment models vary in the resources and IT services offered to customers and include IaaS (Infrastructure-as-a-Service) providers, PaaS (Platform-as-a-Service) providers, SaaS (Software-as-a-Service) providers, and BPaaS (Business Process-as-a-Service) providers. IaaS providers offer customers access to virtual infrastructure, whereas the other deployment models add differing degrees of supplemental IT services to the infrastructure. An IaaS provides subscribers with a virtual data center complete with servers, storage, and networking and may offer operating systems and access to firewalls. It does not offer application design, tools, or data. It also does not support environment runtime or virtual management of that environment. Choice "B" is incorrect. A SaaS provider only gives the user the ability to use the application, not the capability to design it. The SaaS provider also is responsible for the uptime and data center operations. Choice "C" is incorrect. PaaS cloud providers are responsible for environment uptime, not the organization. Choice "D" is incorrect. On-premises models assume that an organization is entirely responsible for providing and supporting its own infrastructure on-site as well as the environment uptime and applications that run on that infrastructure.

When evaluating a cloud service provider's data security measures, a company would appropriately consider each of the following risk factors, except: A. The provider's vertical scalability. B. The provider's third-party suppliers. C. The provider's cloud-of-cloud agreements. D. The provider's multi-tenant architecture.

Choice "A" is correct. Cloud computing involves using virtual servers over the Internet rather than housing data on-site. In assessing data security for a cloud service provider, its third-party suppliers, architecture to support users, and cloud-of-cloud agreements are all critical aspects of data security evaluation. Vertical scalability, also known as "scaling up," refers to adding more memory, computing power, and resources to the cloud. Although vertical scalability is important, it does not relate to data security. Choice "B" is incorrect. The risk is that third-party suppliers will be able to access company data, so this is a critical risk factor to evaluate when choosing a cloud service provider. Choice "C" is incorrect. A cloud-of-cloud agreement should contain information on data security measures in place to protect data. Choice "D" is incorrect. Tenants are user groups and applications that share access to the cloud. Multiple tenants present more risk for data security, so this is a critical risk factor for evaluating a cloud service provider.

Which of the following procedures would most likely be triggered in a disaster recovery plan? A. How to perform restoration using backup copies of critical files off-site. B. Translate data for storage purposes with a cryptography. C. Purchase an uninterrupted power supply (UPS) when an event occurs. D. Maintain a listing of all passwords with the network administrator in an encrypted database.

Choice "A" is correct. Disaster recovery (DR) requires significant planning to create policies and align resources so that operations can be restored in the event of a system failure. The steps in a DR plan include assessing risks, identifying critical data and programs, developing a plan for handling those programs and data, assigning personnel, and testing the plan. Performing a system restoration from backup copies of critical data is a fundamental part of any disaster recovery plan. System backups may vary in the way organizations execute them, but they typically are either full, incremental, or differential backups. Disaster recovery plans would then be tailored to the type of restoration required by the organization's unique backup structure. Choice "B" is incorrect. Using data encryption to store data would be an action taken prior to an event to prevent unauthorized use of information if access controls failed. It would not be an action to take after a disaster. Choice "C" is incorrect. An uninterruptible power supply (UPS) is a part of system availability controls and would already be in place prior to an event happening. This purchase would not be triggered by executing a disaster recovery plan. Choice "D" is incorrect. Password lists should not be maintained by one person even if they are kept in an encrypted repository. Moreover, this is not a task that would occur as a result of a disaster.

Precision Business Advisors is meeting with senior management on ways to manage its exposure to different IT risks in its business operations by adhering to the COSO framework, Enterprise Risk Management—Integrating with Strategy and Performance. Precision should follow the guidance on defining risk outlined in which of the framework's following components? A. Strategy and Objective-Setting B. Governance and Culture C. Review and Revisions D. Performance

Choice "A" is correct. Enterprise Risk Management—Integrating with Strategy and Performance is a framework applicable to cloud computing governance that groups risk management methods into five components and 20 supporting principles. The five components are 1) Governance and Culture, 2) Strategy and Objective-Setting, 3) Performance, 4) Review and Revision, and 5) Information, Communication, and Reporting. Defining risk appetite is one of the four principles within the Strategy and Objective-Setting component. A company's risk appetite will influence the type of cloud computing model it adopts: organizations with a lower risk appetite opt for an infrastructure-as-a-service (IaaS) model that allows for more control, while those with a higher tolerance choose either a platform-as-a-service (PaaS) or software-as-a-service (SaaS) model, which offer less customization and control than IaaS or an on-premises solution. Choice "B" is incorrect. The Governance and Culture component sets the tone for enterprise risk management by establishing board oversight and a culture aligned with the organization's target behaviors, but it is not the component in which risk is defined. Choice "C" is incorrect. The Review and Revision component assists organizations in assessing substantial change, reviewing risk and performance, and pursuing improvement initiatives in risk management. It is not the component that helps define risk. Choice "D" is incorrect. The Performance component helps organizations prioritize risk based on an already-defined risk appetite. This is not the component used for assessing risk appetite.

Jane has just started at Collins Publishing. Her manager has asked her to identify risks and potential control deficiencies at the organization. Which documentation technique would be the most effective for completing this task? A. Flowchart B. Data flow diagram C. System interface diagram D. Process narrative

Choice "A" is correct. Flowcharts are visual representations of how documents and information flow through a process from both a logical and physical standpoint. This allows designers and users to evaluate where risks exist and what, if any, controls are in place or should be put in place. Choice "B" is incorrect. Data flow diagrams visually depict the logical flow of data for business processes but do not incorporate the physical aspects and, as a result, may not allow for all risks to be identified. Choice "C" is incorrect. System interface diagrams focus on the interfacing of clients and systems and do not depict how the information flows or where risks could reside beyond the interface and user interactions. Choice "D" is incorrect. Narratives are written documents with no pictorial representations. This makes it difficult to follow how information flows through the process and thus to determine where risks exist.

Having an exit strategy for a cloud service provider (CSP) is a response to which of the following risks? A. Lack of application portability (vendor lock-in) B. Favorable regulation changes C. CSP violation of service level agreement D. Unfavorable operational budget variances

Choice "A" is correct. Having a proper exit strategy allows organizations to cut ties with a CSP in the event an unforeseen incident occurs, a business changes its model or its needs change, or another CSP becomes available that has more favorable offerings. Robust exit strategies allow companies to have more control over their data, applications, and cost structure. They also minimize the risk of service disruptions to customers and employees. Vendor lock-in is the risk that an organization is unable to move its CSP-centered operations to another provider. This form of lock-in may be the result of the structure of contractual agreements, excessive investment that would require additional expense to move, or a high degree of customization that would require significant effort to switch to a new provider. Having exit strategies in place that prevent these exit barriers from arising in the first place helps reduce this risk. Choice "B" is incorrect. Unfavorable regulatory changes may impact the company negatively and change the requirements that affect the way a CSP collects, stores, or processes sensitive data. Favorable changes, on the other hand, would assume no changes to these practices, and thus would not be a reason to have an exit strategy. Choice "C" is incorrect. A service level agreement (SLA) in itself should provide an organization the option to exit a relationship with a CSP. An SLA outlines performance expectations and other requirements for both parties. A CSP violating an SLA is a risk, but not a risk tied to the need for an exit strategy because the exit is implicit in the contract. Choice "D" is incorrect. While unfavorable budget variances that result from poor operating performance may cause an organization to look for ways to leave a CSP, that is unrelated to the ris

Which of the following tasks do programmers perform in a development computing environment? A. Create source code and prototypes. B. Test functionality immediately before deployment. C. Debug and test code for errors. D. Deploy the final application to end users.

Choice "A" is correct. IT changes should be managed and implemented in segregated environments within an organization. The most common environments include development, testing, staging, production, and disaster recovery. In a development computing environment, programmers write code to create application prototypes. This environment may also be used for debugging and modifying existing code and for using automation tools with preconfigured code to streamline production. Choice "B" is incorrect. This describes a staging environment in which personnel test application functionality prior to releasing the software in the production environment, not a development environment. Choice "C" is incorrect. While a development environment is often used to debug and test code for errors, its primary use is for initial software product creation. A testing environment is solely for debugging and testing code for errors, which may be kept separate from a development environment to focus on error reduction rather than initial prototypes. Choice "D" is incorrect. Deploying completed software products to end users is done in a production environment, which is a live environment in which employees perform core job functions and should only be deployed after testing is complete.

During the risk assessment process of a business impact analysis (BIA), resources are categorized by the impact to the day-to-day operations of an organization. If the organization could work around the loss of an information resource for days or perhaps a week, but eventual restoration of the resource must occur, this would imply that the information resource should be categorized as: A. Medium impact (M). B. High impact (H). C. Low impact (L). D. No impact

Choice "A" is correct. In a business impact analysis, organizations identify and assess risks as well as assign resources to one of the following three categories: 1) high-impact (H); 2) moderate- or medium-impact (M); or 3) low-impact (L). An information resource should be categorized as an M-impact if there is a work-around for its loss in the short term, but recovery is necessary for long-term operations. There may also be some form of cost recovery and it is possible that the organization fails to meet its objectives or maintain its reputation. Choice "B" is incorrect. An information resource would be categorized as high impact if the organization cannot operate without the information resource for even a short period of time. Choice "C" is incorrect. An information resource would be categorized as low impact if the organization could operate without the information resource for an extended period of time. Choice "D" is incorrect. "No impact" is not a categorization used in this risk assessment process.

Eric is reviewing the network infrastructure layout for one of his clients in a SOC 2® engagement. He identifies an appliance (Device A) that reads the source and destination fields of a data packet and then efficiently routes those packets to another appliance (Device B) that connects to a broader group of devices such as servers, printers, and end-user machines in the network. Devices A and B are likely which of the following? A. Device A = router, Device B = switch B. Device A = modem, Device B = router C. Device A = switch, Device B = gateway D. Device A = modem, Device B = gateway

Choice "A" is correct. Key components of an organization's IT architecture include network assets such as routers, modems, switches, servers, and firewalls. Part of that architecture is also the way in which these devices are connected, with differing topologies available for interconnectivity, as well as the human capital required to operate this equipment. Device A describes a more sophisticated piece of equipment that can interpret data packets and route them according to how they are encoded, which describes the functionality of a router. Device B requires less sophistication. It simply needs to connect the router to other machines on the network without providing any advanced routing capabilities, which closely aligns with the functionality of a switch. Choice "B" is incorrect. A modem converts analog signals into digital signals rather than reading packet headers and footers in a data packet to route it most efficiently. As such, Device A is not a modem. Routers can execute actions that are more advanced than just relaying a signal to other devices, and therefore it is not Device B. Choice "C" is incorrect. A switch is not equipped to read source and destination fields within a data packet to route the data packet efficiently. As such, Device A requires more advanced hardware than a switch. Conversely, Device B needs less sophisticated capabilities. It only needs to relay a signal, and therefore Device B is not a gateway. Choice "D" is incorrect. A modem connects a client's network to an internet service provider's (ISP) network. It receives analog signals from the ISP and translates them into digital signals. Therefore, Device A is not a modem. A gateway does connect devices in a network, but it provides the more advanced feature of translating protocols. Since this level of sophistication is not required, Devic

Devices that have a primary function of enabling other machines in a network to share an IP address so that identities may be hidden are referred to as: A. Network address translation firewalls. B. Application-level gateways. C. Circuit-level gateways. D. Software-defined wide-area network (SD-WAN) devices.

Choice "A" is correct. Network infrastructure refers to the hardware, software, physical layout, and functionality of a company's internal IT ecosystem. The hardware used includes gateways, which connect networks that use different protocols; physical or software-defined wide-area networks, used for organizational connectivity; and firewalls, which are critical for ensuring that user activity, as well as traffic that passes across a network, is authorized. A network address translation firewall allows machines on a private network to share a single public address, masking their true private addresses. While the other devices listed may include ancillary functionality that allows them to be combined with firewall features that perform this same task, it is not their primary function. Choice "B" is incorrect. Application-level gateways are resource-intensive devices that inspect packets but do not assign IP addresses to other devices on the same network as their primary function. Choice "C" is incorrect. A circuit-level gateway is a form of firewall that verifies the source of data packets that traverse its network, but its primary purpose is not to share IP addresses with other machines. Choice "D" is incorrect. Software-defined wide-area networks (SD-WAN) are networks that are optimized using software integrated into the hardware, rather than relying solely on physical connections. Their primary function is not to allow multiple devices to share a network address.

In integration testing within a testing or development computing environment, companies perform which of the following tasks? A. Evaluate whether separate components will function together when combined. B. Verify that combined modules work as designed in totality. C. Test program modules or units at the smallest increment of an application. D. Confirm the application meets end-user requirements.

Choice "A" is correct. Organizations generally have separate computing environments that segregate development from testing and live environments. The five most common environments include development, testing, staging, production, and disaster recovery. It is during integration testing that organizations test different components or modules in an application to determine whether they will work once combined. This kind of testing also helps with future system maintenance and updates by exposing security vulnerabilities that could lead to future patches. Choice "B" is incorrect. The form of testing described is system testing, which focuses on whether the system will work as a whole. Integration testing is narrower in scope than system testing. Choice "C" is incorrect. Testing software at the smallest increment level refers to unit testing, a process that can be broken down by function so programmers can evaluate units of code rather than considering the broader system as a whole. Choice "D" is incorrect. This task describes acceptance testing, which determines whether a developed product meets defined end-user requirements. It is not performed in integration testing.

An IT department is considering the replacement of discontinued software with new software. In order to ensure the completeness and accuracy of data processing within the new software, the department would appropriately designate which of the following installation processes as the safest option? A. Parallel B. Phased C. Pilot D. Direct

Choice "A" is correct. Organizations have multiple options when converting their computer systems, such as software, hardware, and data, from one information system to another. The choice will vary for each company depending on its own unique needs. Common conversion methods include direct, parallel, pilot, phased, and hybrid. The parallel method is considered the safest option because the new system is implemented while the old system remains in active use for an extended period. This method allows the organization to compare the new system's operating results against those of the old system and make any modifications to the new system, as necessary. Choice "B" is incorrect. The phased method gradually adds volume to the new system while operating the old system concurrently. Because the volume on the new system is initially small, system flaws might not be identified until the volume ramps up. Choice "C" is incorrect. The pilot method performs a conversion on a small scale within a test environment while continuing to use the older system. However, because the test is conducted in a test environment instead of the live production environment, it is less safe than the parallel method. Choice "D" is incorrect. The direct method involves the organization ceasing use of the old system as soon as the new system is up and running. If the new system does not work as expected, the organization's operations could be severely hindered.

A company's network administrator discovered that critical software updates have not been installed on the network in a timely manner. Which of the following is a control that would directly address this situation? A. Creating and implementing a patch management policy. B. Initiating penetration testing on the network. C. Ensuring that the hard drive containing the update is encrypted. D. Performing a log analysis to ensure that the software is functioning properly.

Choice "A" is correct. Patch management is an important part of minimizing security threats and works in conjunction with vulnerability management solutions. As bugs are discovered in applications, software vendors release updates, called patches, so that customers can correct those vulnerabilities. To ensure future critical software updates are installed timely, creating and implementing a patch management policy will directly address the deficiency. Choice "B" is incorrect. Penetration testing can help expose vulnerabilities of the network. However, it would not ensure patches are analyzed and installed timely to remediate vulnerabilities. Choice "C" is incorrect. Encrypting the hard drive containing the update can prevent unauthorized access to the updates. However, it would not ensure patches are analyzed and installed timely to remediate vulnerabilities. Choice "D" is incorrect. Log analysis can help detect anomalies, but it cannot ensure patches are analyzed and installed timely to remediate vulnerabilities.

Which of the following components of an effective patch management program should be performed after testing and deployment, which should then be followed by monitoring so that any system issues can be identified and resolved after deployment? A. Verifying patches deployed B. Using a vulnerability tool C. Approving and deploying patches D. Evaluating new patch releases

Choice "A" is correct. Patch management is the process of identifying specific software bugs and vulnerabilities so that they can be mitigated by implementing patches in between new software releases. Applying patches improves system functionality, and it minimizes the attack surface that a fraudster can exploit. The verification of successful patching should be performed after testing and deployment and subsequently be monitored to resolve any identified issues after deployment. Choice "B" is incorrect. The use of a vulnerability tool helps organizations track security controls and identify weaknesses on their own so that management may identify patches needed. Verifying patches deployed would most likely be performed after testing and deployment. Choice "C" is incorrect. Approval and deployment of patches occurs after IT administrators have successfully reviewed and tested patches. Verifying patches deployed would most likely be performed after testing and deployment. Choice "D" is incorrect. As new patches are released by vendors and vulnerabilities are discovered, IT managers must evaluate those patches and determine how they will impact the organization. This occurs prior to the implementation of patches.

In a database containing a Customers table and a SalesOrder table, you are interested in retrieving only customer data for customers who have corresponding sales orders. Which SQL join type would you use in this scenario to achieve your goal? A. INNER JOIN B. FULL JOIN C. RIGHT JOIN D. LEFT JOIN

Choice "A" is correct. Structured query language (SQL) is a computer language to interact with data (tables, records, and attributes) in a relational database. Through SQL statements, records and entire tables can be created, updated, deleted, and viewed (and ultimately extracted). INNER JOIN will retrieve only the data for which there is a match in both tables, ensuring that you get customer data for those customers who have corresponding sales orders. Choice "B" is incorrect. A FULL JOIN would return all rows from both tables, whether or not there are matching records. Choice "C" is incorrect. A RIGHT JOIN would return all sales order data, including those without corresponding customers. Choice "D" is incorrect. A LEFT JOIN would return all customer data, including those without corresponding sales orders.

The layer within the OSI (Open Systems Interconnection) model that is responsible for formatting data packets for transmission across specific hardware within a network so that they reach the correct device is known as which of the following? A. Data Link Layer (Layer 2) B. Transport Layer (Layer 4) C. Session Layer (Layer 3) D. Physical Layer (Layer 1)

Choice "A" is correct. The core components of a company's IT architecture include its servers, operating systems, end-user applications and devices, and networking hardware and software. Within the networking domain of its architecture are various applications and equipment that correspond with the seven layers of the OSI (Open Systems Interconnection) model: Layer 1 (Physical), Layer 2 (Data Link), Layer 3 (Network), Layer 4 (Transport), Layer 5 (Session), Layer 6 (Presentation), and Layer 7 (Application). In the Data Link Layer (Layer 2), data packets are formatted for transmission and given identifiers (MAC addresses), and then continue through to the next OSI layer, either the Physical Layer (Layer 1) or the Network Layer (Layer 3), depending on whether a packet is being sent or received. When a data packet is initially created, it starts at the application level (Layer 7) and flows down to the Physical Layer (Layer 1) to be transmitted to its destination. This signal is received at Layer 1 and flows up through to Layer 7 on the receiving end. Choice "B" is incorrect. The Transport Layer supports communication between devices by setting the rules for how each device is referenced and the amount of data that can be transmitted, and by validating the data's integrity. It does not format data for transmission across different types of hardware. Choice "C" is incorrect. The Session Layer allows devices to communicate with each other by establishing, holding, and terminating sessions. It does not format packets for transmission across hardware. Choice "D" is incorrect. The Physical Layer is the layer in which a message is converted into bits from the Data Link Layer or converted from bits into a format that the Data Link Layer can interpret. The Physical Layer does not format packets to be transmitted across specific types of

What is the primary purpose of the ETL (extract, transform, and load) method? A. Managing existing data for analysis. B. Collecting data through surveys. C. Tracking web usage via cookies. D. Capturing new data sources.

Choice "A" is correct. The data life cycle describes the sequential steps all business data must go through from creation, through its use, storage, and final disposal. The process can be summarized in eight steps: definition, capture, preparation, synthesis, analytics and usage, publication, archival, and purging. ETL is a method for managing existing data by extracting it from various sources, transforming it into a usable format, and loading it for analysis. Choice "B" is incorrect. Collecting data through surveys is a form of active data collection, which is separate from the ETL process. Choice "C" is incorrect. Tracking web usage via cookies is a form of passive data collection, which is separate from the ETL process. Choice "D" is incorrect. Creating new data sources may involve activities such as data collection, data creation, or data generation, but these activities are different from the ETL process.

Which of the following represents key considerations when obtaining data from external sources? A. Data integrity, data safety, and copyrights B. Data archival, data purging, and data preparation C. Data synthesis, data analytics, and data publication D. Data completeness, data accuracy, and data integration

Choice "A" is correct. The data life cycle describes the sequential steps all business data must go through from creation, through its use, storage, and final disposal. The process can be summarized in eight steps: definition, capture, preparation, synthesis, analytics and usage, publication, archival, and purging. When data is obtained from an external source, there is added complexity, such as integrity, safety, and copyrights. These complexities primarily relate to data security, data confidentiality, and data encryption, which are key considerations when dealing with external data sources. Choice "B" is incorrect. Data archival, data purging, and data preparation are steps in the data life cycle but are not directly related to obtaining data from external sources. Choice "C" is incorrect. Data synthesis, data analytics, and data publication are steps in the data life cycle but are not directly related to obtaining data from external sources. Choice "D" is incorrect. Data completeness and data accuracy are important but are not the primary focus and key considerations when obtaining data from external sources.

Bill is looking to obtain a list of all orders along with corresponding customer names for a customer behavior analysis. There are two relevant tables in the SQL database with the following schema: 'Orders' table: order_id (integer), customer_id (integer), product_sku (variable character string) 'Customers' table: customer_id (integer), customer_name (variable character string) Which of the following SQL queries will correctly provide Bill with what he needs? A. SELECT Orders.order_id, Customers.customer_name, Orders.product_sku FROM Orders JOIN Customers ON Orders.customer_id = Customers.customer_id; B. SELECT Orders.order_id, Customers.customer_name, Orders.product_sku FROM Orders LEFT JOIN Customers ON Orders.order_id = Customers.customer_id; C. SELECT Orders.order_id, Customers.customer_name, Orders.product_sku FROM Orders JOIN Customers D. SELECT Orders.order_id, Customers.customer_name, Orders.product_s

Choice "A" is correct. This query would offer Bill the list of orders with corresponding customer names. Using the JOIN and ON clauses, the query correctly links the customer_id attribute (foreign key) in the 'Orders' table to the customer_id attribute (primary key) in the 'Customers' table. JOIN should point to the main table where the vast majority of the attributes can be found, whereas ON should point to the second table to pull in additional attributes by linking the foreign key in the main table to the primary key in the second table. Choice "B" is incorrect. This query incorrectly links the order_id in the 'Orders' table to the customer_id in the 'Customers' table. Choice "C" is incorrect. This query is missing the key information needed to link the foreign key in the 'Orders' table to the primary key in the 'Customers' table. Choice "D" is incorrect. The WHERE clause is used to filter results from the main table, not to retrieve data from the second table.

Which of the following is the system conversion method for a new software program that performs a changeover on a small scale before implementing a new system as a whole later? A. A pilot conversion B. A phased conversion C. A parallel conversion D. A direct conversion

Choice "A" is correct. When converting to a new system within a business unit or on a company-wide scale, organizations can follow implementation approaches that are tailored to their unique needs. Five common system conversion approaches include the direct approach, parallel approach, pilot approach, phased approach, or some form of hybrid. Each of these approaches adopts the new system and discontinues the legacy system at different increments, allowing organizations to assume varying levels of risk during a conversion. A pilot conversion approach is when an organization tests a new system on a small scale in a non-production environment to establish feasibility. If the test is successful, the organization implements the new system to the rest of the organization. Choice "B" is incorrect. A phased approach follows a schedule that gradually or incrementally implements a new system. The new system could be phased in by location or introduced partially by module if that is congruent with company operations. This approach does not launch a test on a small scale in a non-production environment. Choice "C" is incorrect. A parallel conversion approach involves implementing a new system while continuing to operate the existing system, allowing both systems to be used simultaneously. This approach does not test the new system on a small scale but instead implements it in full in a production environment. Choice "D" is incorrect. A direct conversion approach is when a business completely stops using a legacy system and immediately cuts over to the new system. A direct changeover does not assume any testing on a large or small scale in non-production or production environments.

Which of the following is a common document found in the production cycle? A. Sales invoice B. Bill of materials C. Bill of lading D. Receiving report

Choice "B" is correct. A bill of materials is a detailed document specifying all of the components and quantities required to manufacture a product. This document is part of the production cycle. Choice "A" is incorrect. A sales invoice is part of the revenue cycle. Choice "C" is incorrect. A bill of lading is part of the revenue cycle. Choice "D" is incorrect. A receiving report is part of the purchasing and disbursement cycle.

Financial Horizon Co. is performing a business impact analysis and is at the stage in which it is defining disruption impacts and estimating losses. Management identifies an event that, if it occurred, would still allow the company to partially function for a few days, but it is possible that the organization's objectives might not be met. The category of this event and the metric used to estimate the loss expressed as a percentage of the asset's value refers to which of the following, respectively? A. Medium-impact (M); Single loss expectancy (SLE) B. Medium-impact (M); Exposure factor (EF) C. Low-impact (L); Single loss expectancy (SLE) D. Low-impact (L); Exposure factor (EF)

Choice "B" is correct. A business impact analysis is an assessment that helps organizations identify and assess risk across business units, and it helps determine how quickly operations can be restored after a disaster. Part of a business impact analysis involves categorizing the intensity of the impact and estimating losses using various metrics. Disruption impacts may be high-impact (H), moderate- or medium-impact (M), or low-impact (L). Losses can be estimated using the annualized rate of occurrence (ARO), exposure factor (EF), single loss expectancy (SLE), and annualized loss expectancy (ALE). A system outage that would allow an organization to partially function temporarily for days or a week but still potentially reach its objectives describes an M category. The loss estimation metric that is measured in dollars but expressed as a percentage of an asset's total value is the EF. Choice "A" is incorrect. The SLE is the cost of an individual loss expressed as a dollar amount, not as a percentage of the asset's value. Choice "C" is incorrect. An L-category impact would allow a company to continue operating well beyond a few days and still meet its objectives. An SLE is the cost of a single loss measured in dollars, not a percentage of an asset's value. Choice "D" is incorrect. An L-category impact would still allow an organization to operate for an extended period of time and would not cause a company to fail to meet its objectives.

What is the primary disadvantage of using a cold site as a disaster recovery site? A. Cold site compilers may not have adequate processing capacity. B. Delivery of equipment and software may be delayed. C. Frequent upgrades to equipment and software increase costs. D. Existing equipment or software at the site may not be compatible.

Choice "B" is correct. A cold site is a facility with adequate space and infrastructure, such as power and telecommunication connections, but it does not contain IT equipment. As such, when a disaster happens, a cold site requires IT equipment to be delivered to the site. Choice "A" is incorrect. A cold site does not contain IT equipment and, therefore, does not have processing capacity. Choice "C" is incorrect. A cold site does not contain IT equipment. Choice "D" is incorrect. A cold site contains only basic infrastructure (i.e., power, telecommunication connections) and, therefore, does not have compatibility issues with existing IT equipment.

Dr. Hennig has created a business concerning implementation of responsibility accounting systems for clients. He started small but has grown tremendously. He assigns each customer a unique customer ID. When he established his forms, he put a control in place to make sure the ID number was always five digits in length. In doing this, he could ensure that no one can enter an ID more than five digits in length. Which input edit check has Dr. Hennig employed? A. Field check B. Validity check C. Completeness check D. Sign check

Choice "B" is correct. A validity check verifies data against predefined rules or reference data. Given that the control enforces five digits (a predefined rule) for the customer ID, this would be considered a type of validity check. Choice "A" is incorrect as field checks designate the type—not the number of characters—input into a field. Choice "C" is incorrect as a completeness check verifies that the required data has been entered into a field but does not limit the number of characters. Choice "D" is incorrect as a sign check is an input edit check that limits whether a numeric input can be positive or negative and does not limit the number of characters input into a field.

Erwin, McEntyre, and Associates is an audit and consulting firm specializing in SOC 2® engagements. During an interview with general counsel in one of its audits, an Erwin associate learned about a legal settlement paid to one of its former clients. To confirm that this payment was properly reported based on applicable accounting standards, the associate most likely accessed which of the following accounting information system (AIS) modules? A. Transaction processing system (TPS) B. Financial reporting system (FRS) C. Management reporting system (MRS) D. Enterprise resource planning (ERP) system

Choice "B" is correct. An AIS is a system used by accountants, financial managers, and nonfinancial managers that records transaction data and compiles that data using accounting rules to generate reports so the organization can make decisions. An AIS is generally comprised of three main subsystems, or modules, known as the transaction processing system (TPS), financial reporting system (FRS), and management reporting system (MRS). The FRS module is an AIS subsystem that combines daily data from the TPS and other sources as well as data on infrequent events such as legal settlements, mergers, acquisitions, or natural disasters. While the TPS module would be the system in which the journal entry for a legal settlement is recorded, the FRS module generates the reports and would be the most appropriate to confirm it was reported correctly according to applicable accounting standards. Choice "A" is incorrect. The TPS module is the system in which the auditor should check to review the journal entry of the legal settlement. However, this is not the module that generates the reports and, therefore, would not be used to validate the way the settlement was reported. Choice "C" is incorrect. The MRS subsystem provides internal financial information to managers so they can make daily business decisions related to activities such as budgeting and variance analysis. While an MRS may be used to evaluate a legal settlement's impact on operations, it is not the module an auditor would use to ensure the legal settlement was recorded appropriately based on the applicable accounting standards. Choice "D" is incorrect. An ERP is a comprehensive cross-functional system that is more than a module, or subsystem, of an AIS. An AIS would be integrated within an ERP rather than an ERP within an AIS.

An organization is conducting a Beta test with its top customer. The developer will not be present during the test, and the customer gets to test the software at its own site. What type of test is this? A. Integration test B. Acceptance test C. Validation test D. Unit test

Choice "B" is correct. An acceptance test ensures that the software works correctly for the intended user in his or her normal work environment. Choice "A" is incorrect. Integration tests exercise an entire subsystem and ensure that a set of components operates smoothly together. Choice "C" is incorrect. Validation tests focus on visible user actions and user-recognizable outputs from the system. These tests answer the question, "Did we build the right thing?" Choice "D" is incorrect. Unit tests are used to validate the smallest components of a system, ensuring that they handle known input and output correctly.

An internal auditor is tasked with conducting an analysis of the company's payment processing network architecture. To examine the efficiency and distribution of the organization's payment network, the internal auditor would most likely see if the organization uses which of the following hardware components to decentralize its computing power? A. Switching hardware B. Edge-enabled devices C. Routers D. Gateways

Choice "B" is correct. An organization's IT architecture typically includes several hardware components, including routers, switches, servers, gateways, and edge-enabled devices, for information to successfully transmit across its network. Together, these devices direct traffic, convert protocols when required, and protect data from origin to destination. Edge-enabled devices work differently than traditional network structures. In a traditional network, a command is transmitted from a user's device to a server. That server then executes a specific command and sends a response back to the user. Edge-enabled devices perform the function of the server in a traditional network by shifting most or all of the computational power to the edge-enabled device where the initial request originated. An internal auditor looking for decentralization of computing power would therefore look for edge-enabled devices. Choice "A" is incorrect. A switch, or switching hardware, connects devices so that data can flow across a network, but it does not compute or execute functions on the device. Choice "C" is incorrect. Routers examine the source and destination of a packet and route it using the most efficient path across a network. They typically do not compute most or all of the functions as a server would. Choice "D" is incorrect. Gateways serve as access points between networks, converting the format of the data so that it can be transmitted across networks using different protocols. Their primary function is not to decentralize computing power.

Savestone Inc. is working with its outsourced IT provider to create documented strategies for dealing with short- and long-term system outages. Together, they created a plan. This plan addresses long-term outages related to the destruction of resources. This plan addresses which of the following concepts related to system availability? A. Business continuity B. Disaster recovery C. Business resiliency D. Change management

Choice "B" is correct. An organization's system availability is preserved by shoring up business resiliency practices, establishing a business continuity plan, and creating and testing a disaster recovery plan. Business resiliency refers to continuous operation or the ability to quickly return to operations after an event, whereas business continuity is more operations-focused in that it concentrates on continuing product and service delivery. Disaster recovery efforts are strategic plans an organization executes after the destruction of data, IT equipment, applications, and other corporate resources. This plan describes the scope of disaster recovery, which is the destruction of resources after a disaster. Choice "A" is incorrect. This plan does not describe business continuity. Business continuity is related to maintaining or returning to a state in which the company can deliver products and services. Disaster recovery plans are about restoration after the destruction of resources due to a disaster, not continuing to deliver products and services. Choice "C" is incorrect. The scope of business resiliency is not solely on long-term outages due to the destruction of resources and, therefore, does not align with this plan. Choice "D" is incorrect. This plan illustrates the concept of business continuity, which continues the delivery of products and services. Change management is not one of the three concepts related to system availability.

During a SOC 2® engagement, a service auditor who is evaluating a service organization's business continuity plan should determine whether the company performs all of the following except: A. Focus only on components that can impair the company significantly. B. Evaluate hiring practices for all positions annually. C. Periodically revise the plan based on test results. D. Consider only relevant and likely scenarios.

Choice "B" is correct. Business continuity plans are strategic policies and procedures designed to help a company restore operations after a system disruption, from both an IT and a non-IT perspective, in the most efficient manner possible. These plans are generally more comprehensive than disaster recovery plans. They contain procedures for all business processes, including those that involve human resources, relationships with customers and suppliers, and relocating facilities. In a SOC 2® engagement in which an auditor is evaluating a service organization's business continuity plan, the auditor would validate that the plan is periodically revised, that it considers only scenarios likely to occur, and that it addresses only issues that could significantly impair the company's ability to continue delivering products and services after an outage. Evaluating the hiring practices for all positions is a standard business practice that occurs on an as-needed basis; it would not be a priority in a business continuity plan because it is not directly related to re-establishing the company's ability to deliver services or products. Choice "A" is incorrect. Company resources are limited, and it would not be practical to attempt to protect the organization from every possible risk that could result in a negative outcome. As such, business continuity plans should focus only on components whose failure could cause significant impairment. Choice "C" is incorrect. Just as a company's operations change, so too should its business continuity plan. Outdated restoration plans may delay the ability to continue product or service delivery. Choice "D" is incorrect. During the period after a system disruption, when the sole focus is to continue delivering products and services, continuity plans should include only the critical steps needed to achieve that and nothing

Timbercan Inc. is a large conglomerate with a portfolio of businesses within the health care industry that has primarily grown through acquisitions. It recently acquired nine new hospitals to add to its existing inventory of 50 hospitals. In an effort to allow health records to flow freely between each hospital chain, Timbercan immediately invested $20 million in a new platform that was intended to connect to each hospital's existing electronic health records (EHR) system. After beginning implementation, Timbercan started reviewing existing processes and learned that additional custom programming costing $10 million would be needed so that the platform could connect to each chain's unique application programming interfaces (APIs). Timbercan also learned that it could have built its own custom application for $25 million after it thoroughly reviewed how the existing EHR used by the newly acquired hospitals worked. Wha

Choice "B" is correct. Business process automation involves the use of computer applications and robotic devices to perform repetitive tasks so that humans can assume more skilled roles. Automation also involves modifications to processes that are nontechnical in nature, such as management reviewing all processes to understand what to alter, evaluating new and existing processes to identify waste, or simply reordering the sequence of a process so that it better accommodates human interaction. These are subjective, nontechnical adjustments that require human judgment. Therefore, to improve a process using automation, an organization should first examine the existing process to understand the information that is exchanged, how each transaction or event works, and the knowledge required to complete each task. Process discovery should occur before any new solution is implemented. Timbercan started implementing the new platform before it understood what the current processes entailed. This resulted in $5 million in avoidable cost: the $20 million platform plus $10 million of custom programming came to $30 million, whereas a custom application built after a thorough review would have cost $25 million. Choice "A" is incorrect. Governance policies for automation could be useful, but the problem in this example is not that the automation itself needed improvement. The failure was the way in which the platform was implemented. Choice "C" is incorrect. Modifying the company's approach to evaluating acquisition targets would not have saved Timbercan money or effort in the implementation of a new system. The approach to implementation was the problem. Choice "D" is incorrect. Diversification of service offerings allows organizations to minimize risk related to fluctuations in revenue across health procedures and services. While revenue associated wit

Which of the following statements about a data warehouse is correct? A. It is contained within an operational database. B. It must be continuously updated to remain relevant. C. It provides data to operational databases. D. It is created from a data mart for a special purpose.

Choice "B" is correct. Data warehouses are very large, centralized data repositories used for reporting and analysis rather than transactional purposes. Transaction data from enterprise systems or an operational data store are frequently pushed to a data warehouse to combine into a single repository that can be used to create data marts or for a variety of other purposes. Given data warehouses are frequently the source of reporting and analytics, they must be continuously updated to remain relevant. Choice "A" is incorrect. A data warehouse can be considered the downstream repository of operational databases. Data is pushed from various operational data stores and stored in a data warehouse, which is a single repository. It is not contained within an operational database. Choice "C" is incorrect. Operational databases supply data to a data warehouse rather than a data warehouse supplying data to an operational database. Choice "D" is incorrect. A data mart is a subset of a data warehouse rather than a data warehouse being a subset of a data mart.

A service auditor in a SOC 2® engagement is testing the claim made by management that only certain personnel have access to client files. To test this claim, the auditor samples three client folders on a shared drive to track the service organization's employee access to those shared folders. In which of the following logs could he or she most likely look to find this information? A. Network logs B. Event logs C. Firewall logs D. Proxy logs

Choice "B" is correct. Logging is the process of recording system events in logs so that companies can track and analyze different activities at a certain point in time and across time. Commonly used log types include application logs, change logs, event logs, firewall logs, network logs, and proxy logs. Event logs are a form of logging that catalogs various types of events that occur on a system, such as activity at the device level recorded in endpoint logs; access to files, which is documented in security logs; and authenticating users, which is tracked in directory logs. Security event logs would tell the auditor which users accessed shared files, and that could then be cross-referenced with a list of authorized personnel to test the service organization's claim. Choice "A" is incorrect. Network logs record data related to a company's perimeter, such as activity on its access points, routers, and servers. This type of log would not typically record access to specific directories or folders. Choice "C" is incorrect. Firewall logs record user traffic, but they focus on details such as whether the flow of that traffic across a company's network was authorized or restricted, the actions that the firewall took, and the protocols used. Records of access to specific folders or files would be obtained from another log type. Choice "D" is incorrect. Proxy logs record data generated by a proxy server, which is used to access the internet. While it is possible that records related to users who accessed virtually shared files could be found in proxy logs, the more conventional type of data found in this log is the URL being accessed, the related IP addresses, and the network ports being used.
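The test described above, carried out in code as an added example that is not part of the original page: the records below are constructed JSON exports of Windows Security event log entries (the 4663 "an attempt was made to access an object" event, which is what file and folder access auditing produces), the folder paths and account names are assumptions, and the function compares the users seen touching each sampled folder against management's authorized list.

```python
"""Audit test: who actually accessed three sampled client folders, compared with
the list management says is authorized. All events, paths and names are constructed."""
import json
from collections import defaultdict

# Constructed sample of Security event log records exported as JSON. The field
# names follow the usual 4663 layout (assumption for this example); 4624 is a
# logon event and is included to show that non-object-access events are ignored.
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserName": "jsmith",     "ObjectName": r"E:\Clients\Acme\contract.pdf", "AccessMask": "0x1"},
    {"EventID": 4663, "SubjectUserName": "svc-backup", "ObjectName": r"E:\Clients\Acme\contract.pdf", "AccessMask": "0x1"},
    {"EventID": 4663, "SubjectUserName": "tnguyen",    "ObjectName": r"E:\Clients\Beta\ledger.xlsx",  "AccessMask": "0x2"},
    {"EventID": 4624, "SubjectUserName": "tnguyen",    "ObjectName": "",                               "AccessMask": ""},
    {"EventID": 4663, "SubjectUserName": "intern01",   "ObjectName": r"E:\Clients\Gamma\notes.txt",   "AccessMask": "0x1"},
]

# The three folders the auditor sampled (assumed paths).
SAMPLED_FOLDERS = [r"E:\Clients\Acme", r"E:\Clients\Beta", r"E:\Clients\Gamma"]

# Management's claim: only these accounts may access each sampled folder.
AUTHORIZED = {
    r"E:\Clients\Acme":  {"jsmith", "svc-backup"},
    r"E:\Clients\Beta":  {"tnguyen"},
    r"E:\Clients\Gamma": {"jsmith"},
}


def folder_of(object_name):
    """Return the sampled folder that contains object_name, or None."""
    for folder in SAMPLED_FOLDERS:
        if object_name.lower().startswith(folder.lower() + "\\"):
            return folder
    return None


def access_by_folder(events):
    """Map each sampled folder to the set of accounts seen accessing it (4663 events only)."""
    seen = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 4663:
            continue
        folder = folder_of(ev.get("ObjectName", ""))
        if folder:
            seen[folder].add(ev["SubjectUserName"])
    return dict(seen)


def exceptions(events, authorized):
    """The auditor's exception list: {folder: sorted accounts not on the authorized list}."""
    seen = access_by_folder(events)
    result = {}
    for folder in SAMPLED_FOLDERS:
        unauthorized = seen.get(folder, set()) - authorized.get(folder, set())
        if unauthorized:
            result[folder] = sorted(unauthorized)
    return result


if __name__ == "__main__":
    print(json.dumps(exceptions(SAMPLE_EVENTS, AUTHORIZED), indent=2))
```

One caveat a practitioner would add to the working papers: 4663 events are only written for objects that carry an audit entry (SACL) and only when object access auditing is enabled on the file server. An empty exception list is evidence of compliance only after the auditor has confirmed that auditing was actually turned on for the sampled folders during the period; otherwise the log is silent rather than clean.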

A device that transforms data from one protocol to another and acts as an intermediary between networks is a: A. Switch. B. Gateway. C. Server. D. Router.

Choice "B" is correct. Most modern organizations have a complex IT architecture with multiple interconnected components, such as on-premises and virtual servers, cabled switching equipment, routers, wireless access points, and gateways. To manage this infrastructure, organizations must hire or outsource personnel with networking expertise to support these devices as well as the applications running on them. A gateway is a device that connects different networks by acting as an intermediary and transforming data from one protocol to another. A common transformation is from a company's private IP address on its local network to a public IP address for external communication on the internet. Choice "A" is incorrect. Switches connect components within a network, but they do not translate one protocol into another. Choice "C" is incorrect. Servers are physical or virtual machines that execute functions in response to requests from a device or user, typically in a client/server model. They act as computing nodes within a network, not as intermediaries between networks. Choice "D" is incorrect. Routers forward packets between networks and subnets based on destination address, but they do not perform protocol translation.

The finance division of an EV (electric vehicle) manufacturer works directly with customers in the last phase of the buying process to set up their car loans. This process includes checking the customer's credit and approving or denying a loan based on their credit history. In which of the following transaction cycles would this occur? A. Treasury cycles B. Sales and cash collection cycles C. Production and fixed asset cycles D. Purchasing and disbursement cycles

Choice "B" is correct. The accounting function within an organization is comprised of multiple transaction cycles including the revenue cycle, treasury cycle, purchasing and disbursement cycle, and the sales and collection cycle. In each of these cycles, economic events are recorded in an accounting information system (AIS). The finance department of an EV maker working with a customer to finance a vehicle involves collecting cash, even though those collections are spread over time. This example also involves verifying the customer's credit history to potentially approve a loan. Both of these activities fall within the sales and cash collection cycle. Choice "A" is incorrect. The treasury cycle does deal with cash management, which is related to collections. However, the treasury cycle does not involve validating someone's credit history to approve or deny a loan. Choice "C" is incorrect. Production and fixed asset cycles correspond with the phase in which a vehicle is being manufactured, not the phase in which it is sold and the organization is collecting payment. Choice "D" is incorrect. This would not fall in the purchasing cycle because the purchase is from the perspective of the EV maker's finance division, not the customer. Only if the manufacturer is procuring products or services for itself would the purchase fall within the purchasing and disbursement cycle.

Which of the following best describes what an analyst does when formatting all zip codes to ensure each data point contains five digits? A. Ensuring completeness of the data. B. Cleaning data. C. Encrypting data. D. Integrating data sources.

Choice "B" is correct. The data life cycle describes the sequential steps all business data must go through from creation, through its use, storage, and final disposal. The process can be summarized in eight steps: definition, capture, preparation, synthesis, analytics and usage, publication, archival, and purging. Formatting zip codes to have a consistent length of five digits is a data-cleaning task. Data cleaning involves tasks like correcting inconsistencies, standardizing formats, and ensuring data quality. Choice "A" is incorrect. Ensuring completeness refers to tasks related to verifying that data is not missing or that it contains all the expected data. Formatting zip codes is more about data standardization and consistency rather than completeness. Choice "C" is incorrect. Encrypting data involves encoding it to protect it from unauthorized access. It is not relevant to the action of formatting zip codes to ensure they contain five digits. Data encryption is focused on security, whereas this task is more about data quality and consistency. Choice "D" is incorrect. Data integration involves combining data from multiple sources into a unified format, whereas formatting zip codes is about standardizing data within a single dataset.
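An added example, not from the original page, of the distinction the answer draws between cleaning and completeness: the rows are a constructed dataset with the defects an analyst typically meets (a leading zero stripped by a spreadsheet, a ZIP+4 value, stray whitespace, an empty cell, a non-numeric value, a numeric type). clean_zip standardizes each value to five digits or rejects it; completeness_report separately lists rows where the value is absent altogether.

```python
"""Standardize ZIP codes to five digits (data cleaning) while reporting missing
values separately (completeness). The sample rows are constructed for this example."""
import re

SAMPLE_ROWS = [
    {"id": 1, "zip": "02134"},       # already clean
    {"id": 2, "zip": "2134"},        # leading zero lost when stored as a number
    {"id": 3, "zip": "30301-1234"},  # ZIP+4; keep the five-digit prefix
    {"id": 4, "zip": " 98101 "},     # surrounding whitespace
    {"id": 5, "zip": ""},            # missing entirely: a completeness problem
    {"id": 6, "zip": "ABCDE"},       # not a ZIP code: cannot be cleaned
    {"id": 7, "zip": 60614},         # numeric type rather than text
]

ZIP_PATTERN = re.compile(r"(\d{1,5})(?:-\d{4})?")


def clean_zip(value):
    """Return a five-digit string, or None when no five-digit ZIP can be recovered.

    Padding with leading zeros assumes the source dropped them (common when the
    column was stored as a number); do not pad if that assumption does not hold
    for the dataset being cleaned."""
    if value is None:
        return None
    text = str(value).strip()
    if not text:
        return None
    match = ZIP_PATTERN.fullmatch(text)
    if not match:
        return None
    return match.group(1).zfill(5)


def completeness_report(rows, field="zip"):
    """Completeness check: ids of rows where the field has no value at all."""
    return [row["id"] for row in rows if row.get(field) in (None, "")]


def clean_dataset(rows):
    """Apply clean_zip to every row; return (cleaned rows, ids that could not be cleaned)."""
    cleaned, rejected = [], []
    for row in rows:
        zip_code = clean_zip(row.get("zip"))
        if zip_code is None:
            rejected.append(row["id"])
        else:
            cleaned.append({**row, "zip": zip_code})
    return cleaned, rejected


if __name__ == "__main__":
    print("missing:", completeness_report(SAMPLE_ROWS))
    rows, bad = clean_dataset(SAMPLE_ROWS)
    print("cleaned:", [r["zip"] for r in rows], "rejected:", bad)
```

Rejected rows are reported rather than silently dropped or guessed, so the cleaning step changes format only and never invents a value; that is what keeps it a data-quality operation rather than a data-loss one.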

Which of the following programming languages would most likely be used to run queries to retrieve specific subsets within a data set during data extraction? A. C B. SQL C. C++ D. JavaScript

Choice "B" is correct. The extraction phase of an extract, transform, and load (ETL) process involves pulling data and getting it into a usable format. It is common to use some variation of structured query language (SQL) to select the tables and rows needed as input to an analytical model. SQL is a declarative language that uses clauses such as SELECT, FROM, and WHERE to query a database. Although there are various dialects of SQL, most adhere to a very similar structure. General-purpose languages such as C++, C, and JavaScript can be used to pull data, and they typically do so by embedding SQL statements or calling a database driver from their native code, but some form of SQL is the language most commonly used for ETL extraction. Choice "A" is incorrect. C can perform similar functions, but SQL is the language most likely being used to pull records from a database. Choice "C" is incorrect. C++ can execute SQL queries, but it is a broad general-purpose language. SQL is narrowly focused on data retrieval and is the most likely choice. Choice "D" is incorrect. JavaScript is focused on web programming and a host of other applications. SQL is the most likely choice for extracting data from a database.
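An added example (not from the original page) of the SELECT/FROM/WHERE extraction the answer describes, run through Python's standard sqlite3 driver so that it works offline: the orders table and its rows are constructed sample data, and the extraction function binds the analyst's filter values as parameters. A second function builds the same query by string concatenation, included only to show why extraction code that takes filter values from users or upstream systems must not do that.

```python
"""ETL extraction: pull a subset of rows with a parameterized SQL query.
The table and rows are constructed sample data."""
import sqlite3


def build_sample_db():
    """In-memory database holding constructed order records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders ("
        " order_id INTEGER PRIMARY KEY, customer TEXT, region TEXT,"
        " amount REAL, order_date TEXT)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?)", [
        (1, "Acme",  "EMEA", 120.0, "2024-01-05"),
        (2, "Beta",  "APAC",  80.0, "2024-01-20"),
        (3, "Acme",  "EMEA", 300.0, "2024-02-02"),
        (4, "Gamma", "EMEA",  45.5, "2024-02-15"),
    ])
    conn.commit()
    return conn


def extract_orders(conn, region, since):
    """Extraction step: SELECT the columns the model needs, FROM the source table,
    WHERE the rows match the filter. The filter values are bound as parameters,
    so the database treats them as data, never as part of the SQL."""
    sql = (
        "SELECT order_id, customer, amount FROM orders"
        " WHERE region = ? AND order_date >= ? ORDER BY order_id"
    )
    return conn.execute(sql, (region, since)).fetchall()


def extract_orders_unsafe(conn, region, since):
    """Same query built by string formatting. Shown for contrast only: a filter
    value such as  ' OR 1=1 --  rewrites the WHERE clause and returns every row."""
    sql = (
        f"SELECT order_id, customer, amount FROM orders"
        f" WHERE region = '{region}' AND order_date >= '{since}' ORDER BY order_id"
    )
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print("EMEA since Feb:", extract_orders(db, "EMEA", "2024-02-01"))
    print("hostile filter, parameterized:", extract_orders(db, "' OR 1=1 --", "2024-02-01"))
    print("hostile filter, concatenated:", extract_orders_unsafe(db, "' OR 1=1 --", "2024-02-01"))
```

Column and table names cannot be bound as parameters in any SQL dialect; when an extraction job needs those to vary, restrict them to an allow-list of known identifiers rather than interpolating whatever the caller supplies.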

Management is evaluating a newly installed system by applying metrics that examine how easily the system can scale volume up or down, the speed at which it can process transactions, and the amount of uptime over a given period. If the system meets predetermined standards in each of these categories, then implementation will be considered complete. This sort of change control testing is an example of: A. Reviewing logging. B. Establishing acceptance criteria. C. Using continuous adoption. D. Using continuous monitoring.

Choice "B" is correct. The procedures and protocols for testing change management controls can be selected from an array of options that are unique to the program, configuration, or infrastructure being implemented during a transition. Such practices may involve reviewing logs, performing tests, using monitoring techniques, testing under continuous adoption, or using acceptance criteria to evaluate the effectiveness of a change. Acceptance criteria can be qualitative or quantitative and may measure categories such as performance, functionality, scalability, and compliance. In this scenario, management is using scalability as one criterion, by assessing how transaction volume scales up or down, and performance as another, by measuring transaction speed and the amount of uptime. Meeting predetermined standards in these categories is what lets the organization judge whether the implementation was successful. Choice "A" is incorrect. Analyzing logs involves reviewing events or instances of change in a system and may include evaluating application logs, change logs, event logs, firewall logs, network logs, or proxy logs. It does not require predetermined standards that an implementation must meet. Choice "C" is incorrect. Continuous adoption refers to developing and testing software on a continuous basis rather than at predetermined, fixed intervals. It does not require the use of metrics or standards to validate a successful implementation. Choice "D" is incorrect. Continuous monitoring is the continual review of change, the identification and resolution of problems, and the holding of stakeholders accountable. While monitoring may use metrics to judge implementation success, that is not its defining feature.

Duggan Industries is working to find areas for improvements with its vendor interactions. They want to have a visual representation of the logical relationships between the servers and the vendors to demonstrate how they logically interact with one another and what physical connections exist. Duggan Industries should employ which type of documentation technique? A. Flowchart B. Process narrative C. System interface diagram D. Data flow diagram

Choice "C" is correct as system interface diagrams essentially demonstrate how users and functions, both internal and external to an organization, interface with the organization's systems. This can include diagramming simple, logical relationships between functional areas, such as servers and offices, to actual networks and employees, vendors, and customers. These diagrams show how all the parties logically interact with one another and assist in the development and monitoring of physical connections. Choice "A" is incorrect. Flowcharts are visual representations of how documents and information flow through a process from both a logical and physical standpoint; however, it is focused on these flows and not the logical and physical interactions of the system and its users. Choice "B" is incorrect as narratives are written documents with no pictorial representations. This makes it difficult to follow how information flows through the process and how users interact with the systems themselves. Choice "D" is incorrect as data flow diagrams visually depict the logical flow of data for business processes but do not incorporate the physical aspects and, as a result, may not allow for an understanding of how the system and users interact.

Doug, an IT administrator for a mini-nuclear reactor plant, is tasked by the CIO with determining the financial and operational impact of a system failure for the software application that controls the cooling of the reactor cores. Critical resources and affected departments must be identified, as well as the time it takes to return to full operation. Which of the following is the document in which these findings would be reported? A. Crisis management plan B. Cybersecurity assessment report C. Business impact analysis report D. Business continuity plan

Choice "C" is correct. A business impact analysis (BIA) is an assessment of an organization's processes, departments, and business units that are vital to the organization's survival. A BIA also determines the impact to the company if those processes or business units fail and how long it takes to return to normal operations after a system disruption. A BIA report outlining findings is the end product of performing this kind of analysis. The BIA process first starts with establishing the proper methodology to use, followed by identifying critical resources, defining disruption impacts, estimating losses, and establishing recovery priorities, and then the BIA report is produced. Choice "A" is incorrect. A crisis management plan is a policy that is intended to lessen the impact of a crisis by outlining the steps an organization should take in such a case. It does not analyze the affected departments and report the time it takes to return to full operations. Choice "B" is incorrect. Cybersecurity assessments are engagements in which an auditor or a team of cybersecurity experts evaluate an organization's vulnerabilities and risks related to areas such as network security, access controls, and the handling of sensitive data. It does not consider the impact of an incident or the amount of time it takes to return to normal operations. Choice "D" is incorrect. A business continuity plan is a set of contingency and mitigation procedures that organizations follow to continue operations in the event of a disaster. It does not analyze and report on the time it takes to return to normal operations, but it outlines the steps to return to partial and/or full operations.

Suzie, the Senior Accounting Director for her organization, is working with the IT department on a business impact analysis (BIA). They are determining the optimal maximum tolerable downtime (MTD) and the mean time to repair (MTTR) for the company's general ledger software should an outage occur. In which of the following BIA steps would this occur? A. Identify critical resources. B. Define disruption impacts. C. Establish recovery priorities. D. Estimate losses.

Choice "C" is correct. A business impact analysis (BIA) is critical in establishing an effective business resiliency program that ensures a company's survival in the event of a system failure or disruption. BIAs generally have the following steps: 1) establish the BIA approach, 2) identify critical resources, 3) define disruption impacts, 4) estimate losses, 5) establish recovery priorities, 6) create the BIA report, and 7) implement BIA recommendations. Determining the optimal MTD and MTTR that a specific resource can tolerate would occur in step 5, which focuses on establishing recovery priorities. It is in this stage that management must develop metrics such as the MTD and MTTR to prioritize recovery strategies and decide how long different systems or applications can be down without causing catastrophic damage to the organization. Choice "A" is incorrect. The second step, identifying critical resources, involves an organization recognizing its critical functions and determining which IT resources are needed to perform them. This step requires interviews and creating documentation, but it does not encompass calculating the MTD and MTTR. Choice "B" is incorrect. Defining the impact of disruption is step three in a BIA and involves identifying and evaluating the impact of a service disruption in specific applications or processes. Establishing the MTD and MTTR for a company's general ledger system would not fall within this step. Choice "D" is incorrect. Estimating losses would be the fourth step in which management outlines a comprehensive list of risks and assigns those risks a probability. Calculating the MTD and MTTR would occur in a later step (fifth step).

A pick ticket, the list provided to the warehouse or inventory function detailing the items and quantities that should be picked and packaged and sent to the shipping department for an order, is a common document found in which transaction cycle? A. Disbursement cycle B. Human resources and payroll cycles C. Revenue cycle D. Purchasing cycle

Choice "C" is correct. A pick ticket is a list provided to the warehouse or inventory function detailing the items and quantities that should be picked and packaged and sent to the shipping department for an order. This is a part of the shipping step in the revenue cycle.

A transaction processing system would appropriately include each of the following activities for an online bookseller, except: A. Receiving internet orders. B. Shipping. C. Monitoring competitor price changes. D. Processing payroll.

Choice "C" is correct. A transaction processing system (TPS) converts economic events into financial transactions and distributes information to support daily operations and functions. Of the choices given, shipping, payroll processing, and receiving internet orders are all transaction activities. Monitoring competitor price changes is an activity that organizations regularly perform, but it is not a "transaction" that would be captured in a TPS. Choice "A" is incorrect. Receiving and processing internet orders from customers represent transaction activities that would be captured in a TPS. Choice "B" is incorrect. Shipping activities are economic events that would be converted into transactions and captured in a TPS. Choice "D" is incorrect. The withdrawal of cash from company bank accounts and deposits into employee accounts for salaries and wages are payroll transactions that would be recorded in a TPS.

Doter Labs develops medical devices and heavily relies on advanced CAD (computer-aided design) software for product development. The company set a target of six hours as the maximum amount of time for restoring IT operations and regaining access to all CAD applications. This is an example of which of the following system availability metrics? A. Maximum Tolerable Downtime (MTD) B. Mean Time to Repair (MTTR) C. Recovery Time Objective (RTO) D. Recovery Point Objective (RPO)

Choice "C" is correct. An organization's system performance and downtime can be evaluated using various availability metrics. These are often written into contracts with third-party service organizations as well as used for internal IT system targets and disaster recovery plans. Common metrics include Maximum Tolerable Downtime (MTD), Recovery Point Objective (RPO), Recovery Time Objective (RTO), Mean Time to Repair (MTTR), Recovery Time Actual (RTA), and Recovery Point Actual (RPA). The RTO is the target maximum amount of time it should take to restore IT operations after a system failure. In this scenario, Doter Labs established a six-hour RTO for its CAD software. Choice "A" is incorrect. The MTD is the longest outage the business can endure without long-term damage; it is a business constraint derived from the business impact analysis, and the RTO must be set at or below it. It is not the restoration target the IT organization is trying to hit. Choice "B" is incorrect. The MTTR is the average time it has taken to repair a damaged device or restore IT operations after failures, measured across multiple incidents over time. It is an observed figure, not a target the company sets. Choice "D" is incorrect. The RPO is the maximum amount of data loss the company will accept, expressed as the age of the last usable backup or replica at the moment of failure (for example, no more than 15 minutes of transactions). It constrains data loss, not the time needed to restore operations.
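An added example, not from the original page, that computes the metrics the answer lists from incident records: the six-hour RTO is the figure from the question, while the MTD and RPO values, the two incident records, and the reporting period are assumptions constructed for the example. Each incident yields its RTA and RPA, which are then compared with the targets; MTTR and an uptime percentage of the kind an acceptance criterion or SLA quotes are derived across all incidents.

```python
"""Availability metrics from constructed incident records: RTA and RPA per
incident against RTO, MTD and RPO targets, plus MTTR and uptime over a period."""
from datetime import datetime, timedelta

# Targets. The six-hour RTO comes from the question; MTD and RPO are assumed.
RTO = timedelta(hours=6)
MTD = timedelta(hours=8)
RPO = timedelta(minutes=30)

# Constructed incidents: when the failure began, when service was restored, and
# the timestamp of the last usable backup or replica at the moment of failure.
INCIDENTS = [
    {"failed": "2024-03-01T09:00", "restored": "2024-03-01T13:30", "last_backup": "2024-03-01T08:45"},
    {"failed": "2024-05-12T22:10", "restored": "2024-05-13T05:40", "last_backup": "2024-05-12T21:00"},
]


def _t(stamp):
    return datetime.fromisoformat(stamp)


def evaluate_incident(incident):
    """RTA (time to restore) and RPA (data lost, as time since last backup), with target checks."""
    rta = _t(incident["restored"]) - _t(incident["failed"])
    rpa = _t(incident["failed"]) - _t(incident["last_backup"])
    return {
        "rta": rta,
        "rpa": rpa,
        "rto_met": rta <= RTO,      # restored within the target?
        "within_mtd": rta <= MTD,   # even if the target was missed, did the business survive it?
        "rpo_met": rpa <= RPO,      # was data loss within the accepted window?
    }


def mttr(incidents):
    """Mean time to repair: average RTA across the observed incidents."""
    total = sum((evaluate_incident(i)["rta"] for i in incidents), timedelta())
    return total / len(incidents)


def availability(incidents, period_start, period_end):
    """Uptime as a fraction of the period, counting each incident's RTA as downtime."""
    period = _t(period_end) - _t(period_start)
    down = sum((evaluate_incident(i)["rta"] for i in incidents), timedelta())
    return 1 - down / period


def targets_consistent():
    """An RTO longer than the MTD promises a recovery the business cannot survive."""
    return RTO <= MTD


if __name__ == "__main__":
    for inc in INCIDENTS:
        print(inc["failed"], evaluate_incident(inc))
    print("MTTR:", mttr(INCIDENTS))
    print("availability H1 2024: %.4f%%" % (100 * availability(INCIDENTS, "2024-01-01T00:00", "2024-07-01T00:00")))
    print("RTO <= MTD:", targets_consistent())
```

The second constructed incident shows why RTA and MTD are reported separately from the RTO: the 7.5-hour restoration missed the six-hour target but stayed inside the eight-hour MTD, while the 70 minutes of lost data breached the 30-minute RPO even though the time metrics looked survivable.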

Mishinor Manufacturing is a supplier of smartphone components specializing in touch screens. Since labor costs for product engineers and prices for raw materials have surged, senior management made the decision to outsource a portion of these product inputs to remain profitable. For outsourced labor and materials, the company put the following process in place: requirements for engineering certifications and degrees for outsourced product engineers located in foreign countries. This process helps minimize which of the following risks related to outsourcing? A. Staff turnover B. Security risk C. Risk due to outsourcer qualifications D. Language skills

Choice "C" is correct. Business process improvements that can be achieved by adopting IT-driven solutions include robotic process automation, natural language processing software, neural networks, shared services, offshore operations, and outsourcing. Outsourcing comes with the following risks: a potential decrease in product quality, service quality, productivity, language skills, security, and missing or insufficient qualifications of those being outsourced. Requiring certifications with industry-wide standards or degrees from accredited universities will help reduce any risk of poor performance due to a lack of qualifications of those being outsourced. Choice "A" is incorrect. Engineering certifications and degrees would only address the risk of insufficient qualifications related to outsourced individuals. This would not address the risk of staff turnover, as retention policies would need to be established. Choice "B" is incorrect. Security risk would not be addressed by any of the controls because Mishinor would still be required to share proprietary data with the company to which Mishinor outsourced. Thus, this risk would still exist. Choice "D" is incorrect. The risk of language skills will still exist regardless of whether requirements exist related to degrees for outsourced product engineers. The certifications or degrees may be in other languages. The requirement for engineering certifications and degrees for outsourced product engineers better relates to the risk of missing or insufficient qualifications.

Which of the following types of cloud computing deployment models can have at least some of its infrastructure on the organization's premises? A. Hybrid and public B. Community and private C. Private and hybrid D. Public and community

Choice "C" is correct. Cloud computing is a technology service delivery model in which a cloud service provider (CSP) sells a mixture of storage, processing power, manpower, and software. The three main types of cloud computing models are software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), and platform-as-a-service (PaaS). Those models have varying forms of shared environments with other clients including public, private, hybrid, or community. In a private cloud model, the cloud (inclusive of hardware, software, and networks) is used and owned by a single organization and is managed by its own employees, the CSP, a third party, or a combination of these parties on the premises. In contrast, community and public cloud infrastructures are shared by multiple organizations that are on the CSP's premises. Choice "A" is incorrect. Public cloud deployment models share computing resources with other clients that are housed at the CSP's site, not on a client's premises. Choice "B" is incorrect. The infrastructure in a community cloud is shared with multiple organizations that support a common interest. These are housed on a CSP's premises, not at one of the subscribing organization's locations. Choice "D" is incorrect. Both public and community cloud deployment models involve shared resources with other companies, and those resources are housed on a CSP's premises, not the client's premises.

Which of the following steps in the data life cycle involves extract, transform, and load (ETL); active data collection; or passive data collection? A. Synthesis B. Purge C. Capture D. Publication

Choice "C" is correct. Creating or capturing data is the first step in the data life cycle once the data has been defined, and data can be collected through a variety of methods. Three such methods are (1) extract, transform, and load (ETL); (2) active data collection; and (3) passive data collection. Choice "A" is incorrect. The synthesis step is a bridge between preparation and usage. Once you have determined how you intend to use the captured data, you can create calculated fields to prepare that data for quicker usage and analysis. Choice "B" is incorrect. The purge step occurs at the end of the data life cycle, when the data is completely removed (purged) from the company's storage systems. Choice "D" is incorrect. The publication step is related to making data available for wider distribution, sharing, or communication. This step involves creating reports, charts, or dashboards or sharing insights, rather than capturing or collecting data.

Which of the following models would the database administrator require the details of when needing to fine-tune performance issues related to a foreign key and column data type? A. Logical data model B. Conceptual data model C. Physical data model D. Abstract data model

Choice "C" is correct. Data models describe the design of data structures in an information system at increasing levels of detail. They are created in stages, starting with the conceptual model (least detailed), moving through the logical model, and ending with the physical model (most detailed). The physical data model is where tables, column data types, primary and foreign keys, and indexes are specified for a particular database product, so it is the model the administrator needs in order to tune a foreign key and a column data type. Choice "A" is incorrect. A logical data model is a more detailed representation of the data structures than the conceptual model, describing entities, attributes, and relationships at the level of the data itself, but it is independent of any database product, so the administrator could not view the column data types there. Choice "B" is incorrect. A conceptual data model is a high-level, big-picture representation of the data structures in an information system. The administrator could not see the foreign key and column data types. Choice "D" is incorrect. An abstract data model is not a term commonly used in the context of database administration. It typically refers to a high-level, conceptual representation of data structures and relationships, similar to a conceptual data model.

Which of the following best describes a repository of transactional data from multiple sources and is often an interim area between a data source and data warehouse? A. Strategic data store B. Data lake C. Operational data store (ODS) D. Data mart

Choice "C" is correct. Data storage is a type of technology specifically designed for the retention of information and to help with accessibility for authorized users to perform business activities effectively and efficiently. Common types of data storage include operational data store (ODS), data warehouse, data mart, and data lake. An ODS is a repository of transactional data from multiple sources and is often an interim area between a data source and data warehouses. ODS data sets are smaller and are frequently overwritten as transactions are modified, processed, and reported. Choice "A" is incorrect. A strategic data store is not a standard term used in the context of data architecture and data storage. Choice "B" is incorrect. A data lake is a repository similar to a data warehouse, but it contains both structured and unstructured data, with data mostly being in its natural or raw format. Choice "D" is incorrect. A data mart is a subset of a data warehouse and is more focused on a specific purpose such as marketing or logistics.

Pearlin Corp., a global IT services organization, has operations in three different countries and is creating its disaster recovery plan. Prior to identifying applications that are critical to its mission, Pearlin should perform which of the following activities? A. Assign responsibilities to key personnel in each country. B. Test the global disaster recovery plan. C. Assess risks at all facilities in each country. D. Develop a plan for handling mission-critical applications.

Choice "C" is correct. Disaster recovery plans are the procedures a company has in place for restoring IT operations in the event of a system failure after a disaster. The sequential steps in a disaster recovery plan include assessing organizational risks, identifying applications and data that are critical, developing a plan to handle those applications, designating personnel responsible during a disaster, and testing the disaster recovery plan. Assessing risks must occur before all other steps so that the organization can define the scope of the applications and resources that need to be included in the disaster recovery plan. Without this, a disaster recovery plan may have too broad of a focus, or it may place an inordinate amount of attention on areas in the business that do not pose significant risks to its mission. Choice "A" is incorrect. Assigning personnel would only occur after identifying applications that are mission-critical so that the organization does not assign employees to systems that are out of scope. Only after the scope is defined would Pearlin begin to allocate personnel in each country. Choice "B" is incorrect. Testing the disaster recovery plan would be the last step, occurring only after a plan has been formulated and implemented. Once all prior steps have occurred, Pearlin could coordinate a global test of its plan. Choice "D" is incorrect. Developing a plan for applications that are critical to the mission would occur after first identifying which applications are critical. Once the scope of mission-critical applications is defined, a plan could be developed.

Fergus Company has a centralized processing system housed in its corporate headquarters. Which of the following statements is/are correct? I. Centralized processing means that all processing is performed at some central location. II. A disadvantage of centralized processing is the transmission cost of the data to be processed to the central location. III. Fergus is assured of using the same application programs to process the data on each of the distributed computer systems because it has procedures that dictate that on-site personnel at the remote locations update the programs all at the same time. A. III only is correct. B. I only is correct. C. I and II only are correct. D. II and III only are correct.

Choice "C" is correct. In this question, the examiners want to know which of a series of statements is/are correct. Statement I says that centralized processing means that all processing is performed at some central location. While there are combinations of centralized and decentralized processing, and while it might be better to say that all "significant" processing is performed at some central location, in theory, centralized processing does mean all processing is performed at a central location. Statement I is correct. Statement II says that a disadvantage of centralized processing is the transmission cost of the data to be processed to the central location. While transmission cost has decreased significantly in recent years, Statement II is correct. Statement III says Fergus is assured of using the same application programs to process the data on each of the distributed computer systems because it has procedures that dictate that on-site personnel at the remote locations update the programs all at the same time. It would be nice if this statement were true, but dictated procedures do not ensure anything. Procedures may or may not be followed and may or may not be performed properly. Statement III is incorrect.

The protective software and/or hardware that allows users to access the internet without exposing the organization's IT assets to unauthorized users is called a(n): A. Router. B. Switch. C. Firewall. D. Server.

Choice "C" is correct. Networking devices provide connectivity and security by routing traffic, acting as an intermediary, and providing a safe means to transmit data. These devices can be stand-alone, or a single piece of equipment or software can provide several of these functions. The protective device or program that protects an organization's IT resources by filtering network traffic according to a set of security rules is a firewall. This prevents unauthorized access from outside as well as preventing employees from downloading malicious content. Choice "A" is incorrect. A router, like a switch, connects devices in a company's network, but it performs higher-level functions such as forwarding packets between networks and, commonly, assigning IP addresses (DHCP). Protecting a company's IT assets through security measures is not one of its core functions, even though many routers bundle a basic firewall. Choice "B" is incorrect. A switch connects devices within a company's network, but it does not protect a company's IT resources by filtering traffic the way a firewall does. Choice "D" is incorrect. A server is a machine that coordinates computers and applications within a network and executes commands in response to requests from those devices. It may have a firewall as a feature, but that is not its core function.

Which of the following are intermediary devices on a computer network that transform data into different protocols? A. Switches B. Routers C. Gateways D. Servers

Choice "C" is correct. Networking equipment provides connectivity for computer networks using a combination of hardware and software. Common devices in an organization's network include routers, switches, gateways, servers, and firewalls. These devices can be deployed locally using LANs that provide a limited geographic scope, or they can span larger areas using WANs and internet connectivity to connect cities or countries. Gateways are intermediary devices on a computer network that transform data into different protocols so that data can flow between networks. Choice "A" is incorrect. Like routers, switches also connect a company's network devices, but they do not have as much functionality. Choice "B" is incorrect. Routers are hardware devices that manage network traffic by reading source and destination fields within information packets to determine the proper path for a data packet to flow. Routers also act as a link between modems, the internet, and switches to provide network connectivity. Choice "D" is incorrect. Servers are machines or software that provide services or share data with other machines on a network, known as clients.

An analyst for Rathway Inc. is designing a database for an e-commerce website. The analyst has a table called Product_Details with the following attributes: ProductID, ProductName, SupplierID, Category, and UnitPrice. Each product has a unique ProductID. To adhere to the principles of database normalization, which of the following actions should the analyst take to meet the requirements of the Second Normal Form (2NF)? A. Ensure that each product has a unique ProductName. B. Allow multiple suppliers to provide products with the same ProductID. C. Make sure that Category depends on the entire primary key. D. Set the UnitPrice for each product to be the same.

Choice "C" is correct. Normalization is a database design technique that reduces data redundancy and eliminates undesirable characteristics like insertion, update, and deletion anomalies. Normalization rules divide larger tables into smaller tables and link them using relationships. The purpose is to eliminate redundant (repetitive) data and reasonably assure that data is stored logically. In the context of 2NF, every non-key attribute (such as Category in this case) must depend on the entire primary key (ProductID); this eliminates partial dependencies. Note that a partial dependency can only arise when the primary key is composite: Product_Details has a single-column key, so once it satisfies 1NF it satisfies 2NF automatically, and the rule does real work in a table keyed on, say, (OrderID, ProductID). Choice "A" is incorrect. In the context of 2NF, the focus is on how data is structured and how attributes relate to the primary key, not on the uniqueness of individual attributes like ProductName. Choice "B" is incorrect. Since ProductID is the primary key of the table, each record must be uniquely identified by it to comply with First Normal Form (1NF). Using the same primary key for different suppliers in the Product_Details table violates 1NF and in turn violates 2NF. Choice "D" is incorrect. In the context of 2NF, setting the UnitPrice to be the same for all products has no effect on how attributes relate to the primary key or on eliminating partial dependencies.

The importance of a customer web application is the immediacy of restoring functionality because extended downtime results in lost retail sales. Which of the following system backup methods is most appropriate given the company's business needs? A. Incremental B. No backup C. Full D. Differential

Choice "C" is correct. One component of an organization's plan for business resiliency, disaster recovery, and business continuity is its strategy for system backups. Backing up data and the systems in which it flows improves redundancy and availability, protecting the company in the event of a system failure. The three main types of system backups include a full backup, incremental backup, and differential backup. The time it takes to create backup files and restore a system after an outage varies with each backup type, which means companies must align their IT system objectives with these variables. The web application requires the quickest restoration time of the potential options, with restoration immediacy being its priority. Therefore, a full system backup should be implemented. Choice "A" is incorrect. The web app should not use an incremental backup since it would take the longest time to restore. Choice "B" is incorrect. The web application requires the quickest restoration time of the potential options, with restoration immediacy being its priority. Therefore, a full system backup should be implemented. Not having a backup would put the web application at risk. Choice "D" is incorrect. Since the requirement is for the quickest restoration time of the potential options, differential backups would take longer to restore the application than a full backup would.

The chief information officer (CIO) of a growing nationwide clothing retailer is looking to implement a system backup strategy that is moderately quick to restore and affordable yet current in that it captures newly generated data each day. To accomplish this, she is considering combining two forms of backup since the company pays an outside firm an hourly rate based on the amount of time it takes to perform each backup. What kind of backup strategy is the CIO likely to move forward with? A. Daily full and daily differential backup B. Weekly differential and daily full backup C. Daily incremental and weekly full backup D. Daily incremental and daily differential backup

Choice "C" is correct. Organizations most often implement three types of system backups: full, incremental, and differential. Companies must align their budgeting and resiliency strategy when selecting one or more of these procedures because cost, time to copy, and time to restore vary greatly across the three. An incremental backup takes the least time each day because it captures only the data changed since the most recent backup of any type, so it records new data at the lowest daily cost. A full backup is the most time-consuming and expensive to perform, but it is the quickest to restore from. Combining a weekly full backup with daily incremental backups therefore achieves the CIO's goals of affordability, recency of data capture, and a moderately fast restoration time: a restore needs the last full backup plus every incremental taken since it. Choice "A" is incorrect. Daily full backups would provide the most recent data and be the quickest to restore. However, they are more resource-intensive, making them too costly in this scenario. Also, performing both a differential and a full backup each day would duplicate effort and incur unneeded cost. Choice "B" is incorrect. Daily full backups would accomplish the goal of including the most current data and provide a quick restoration time. However, they would not be as affordable, since full backups are time-consuming, especially when performed daily. Moreover, it would be costly to perform both a daily full backup and a weekly differential backup, which would be duplicative in this case. Choice "D" is incorrect. Daily incremental and differential backups are both partial forms of backup. Applying both approaches each day would be duplicative, as it is not necessary for capturing the most recent data. Also, this would be costly, an

Jimmy works for S.F. Industries. He is responsible for placing orders for inventory. Jimmy is part of which business process? A. Revenue process B. Manufacturing process C. Expenditure process D. Human resources and payroll process

Choice "C" is correct. Placing an order for goods is the first step in the expenditure process. Choice "A" is incorrect as order placement applies to the expenditure process, not the revenue process. Choice "B" is incorrect as order placement applies to the expenditure process, not the manufacturing process. Choice "D" is incorrect as order placement applies to the expenditure process, not the human resources and payroll process.

The finance department of a large multinational organization has receiving offices in seven different countries that each receive invoices through the mail and process those payments in the country of origin. This has proven to be costly due to duplication of staff and the manual act of physically going through mail. To become more efficient and lower costs, the company stops accepting paper payments in all countries except for one and shifts to electronic payments only. Any paper payments that are received will be processed through an invoice recognition program that extracts key data using optical character recognition (OCR) technology. That data is then gathered by the finance team to process mass payments in batches. This business process improvement solution combines which of the following principles? A. Automation and outsourcing B. Natural language processing (NLP) and large language models (LLMs) C. Rob

Choice "C" is correct. Process improvement is often realized through the use of accounting information systems and new technology like robotic process automation (RPA), neural networks, natural language processing (NLP) applications, and large language models (LLMs). Improvements in business processes can also be achieved by outsourcing a specific function to an external entity, which may involve using a foreign organization, referred to as offshoring. The invoice recognition program that extracts data from paper payments is an example of robotic process automation because it takes a low-skill, repetitive task and automates it with a software application. Consolidating the receipt of paper payments into a single country illustrates the concept of shared services, which is based on the idea that redundant services in an organization are sought out and combined. Choice "A" is incorrect. While the company is automating the repetitive task of going through the mail, it is unclear whether this function is being outsourced or performed in-house. Choice "B" is incorrect. Natural language processing technology is used to interpret human language so that an application can perform a task rather than a human. Large language models understand and generate human language and can perform complex tasks like translation, writing code, and creating content. Neither of these concepts is described in this example. Choice "D" is incorrect. Neural network technology is modeled after the way neurons in a human brain work, which is a more complex form of technology than is needed for a basic task such as invoice recognition. Offshoring could apply since the organization is global and the receiving function is in another country. However, neither the domestic nor the foreign locations are mentioned. Also, whet

Each of the following projects would fall under the scrutiny of an entity's change management policy, except: A. Fixing a software bug after the platform release. B. Updating a version of the entity's existing software system. C. Purging data from a financial application's data cache. D. Installing a new module to an existing enterprise resource planning system already in place.

Choice "C" is correct. Purging data from a cache (temporary storage for quick access) is a routine operational task and does not change the system. Choice "A" is incorrect. Bug fixes require code changes and, therefore, are subject to the change management policy. Choice "B" is incorrect. Updating the software version constitutes a change to the software (i.e., new patches, bug fixes, etc.), which would fall under the scrutiny of the entity's change management policy. Choice "D" is incorrect. Installing a new module changes the composition of the enterprise resource planning system. As such, the change is subject to the change management policy.

Physical controls designed to protect a facility against overheating or flooding and to improve system availability should have which of the following effects on availability performance metrics? A. Increase the recovery time actual (RTA). B. Increase the maximum tolerable downtime (MTD). C. Decrease the mean time to repair (MTTR). D. Decrease the recovery point objective (RPO).

Choice "C" is correct. System availability can be enhanced by physical controls such as biometric access control, physical barriers, strategic placement of equipment to minimize hazards, fire suppression systems, and heating, ventilation, and air conditioning (HVAC) systems. Implementing any of these controls affects availability metrics directly or indirectly. A direct effect is that the recovery time actual (RTA) shortens when a control limits the damage an event can do; an indirect effect is that management may lower goal-based metrics as realistic expectations for downtime improve. Controls that keep a facility from overheating or flooding reduce the extent of damage when an event does occur, so individual repairs complete sooner and the mean time to repair (MTTR) falls; because such controls also prevent some outages altogether, the mean time between failures (MTBF) rises at the same time. Choice "A" is incorrect. The recovery time actual (RTA) can only decrease as a result of the controls, if it changes at all. It may not decrease for every individual event, but new physical controls should not make it go up. Choice "B" is incorrect. The maximum tolerable downtime (MTD) may influence the decision to implement physical controls so that availability improves, but it will not change as a result of having those controls. The MTD is at least in part a subjective metric set by management. Choice "D" is incorrect. The recovery point objective (RPO) is a target set by management, typically based on a tolerable threshold of lost data, lost money, or system inoperability; installing physical controls does not change it.

An organization has decided to implement a backup system that involves copying only the data items that have changed since the last backup. What type of backup is this system called? A. Intermittent backup B. Full backup C. Incremental backup D. Differential backup

Choice "C" is correct. System availability controls are mechanisms that prevent system downtime and loss of data that may result from routine service disruptions or natural disasters. These controls include physical controls for IT infrastructure, logical controls, sources of uninterrupted power, tools that offer redundancy, and system backups. There are three main types of backup: incremental, differential, and full. An incremental backup involves copying only the data that have changed since the last backup. This produces a set of incremental backup files, each containing the results of one day's transactions. Choice "A" is incorrect. Intermittent is not a type of backup. Choice "B" is incorrect. A full backup is an exact copy of the entire database. These are usually created less frequently, with either a differential or incremental backup created in between full backups. Choice "D" is incorrect. A differential backup copies all changes made since the last full backup. Thus, each new differential backup file contains the cumulative effects of all activity since the last full backup.
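The restore-time and backup-cost trade-offs in the three backup questions above (the customer web application needing the fastest restore, the CIO combining weekly full with daily incremental backups, and the incremental definition here) can be made concrete with a simulation. The following is an added example, not part of the original flashcards: it assumes a constructed seven-day list of changed files and counts, for each strategy, how many file copies are written over the cycle and how many backup files a restore as of the last day must read.

```python
"""Simulate full, differential and incremental backup chains.

Added example, not part of the original flashcards. The day-by-day change
sets are constructed sample data; the functions show which backup files a
restore must read (the restore-time question) and how many file copies each
strategy writes (the backup-cost question).
"""
from dataclasses import dataclass, field

# Constructed sample: the set of files modified on each of seven days.
# Day 0 is the initial state, so every file counts as "changed".
CHANGES = [
    {"db.dat", "app.bin", "config.yml", "logs.txt"},
    {"logs.txt"},
    {"db.dat", "logs.txt"},
    {"logs.txt"},
    {"db.dat"},
    {"config.yml", "logs.txt"},
    {"logs.txt"},
]


@dataclass
class Backup:
    day: int
    kind: str                                # "full", "differential" or "incremental"
    files: set = field(default_factory=set)  # files written into this backup


def plan(changes, strategy, full_every=7):
    """Backups produced over len(changes) days under a strategy.

    "full": a full backup every day.
    "differential": a full backup every `full_every` days; on other days,
        everything changed since the last full backup.
    "incremental": a full backup every `full_every` days; on other days,
        only what changed since the previous backup of any kind.
    """
    backups, all_files, since_full = [], set(), set()
    for day, changed in enumerate(changes):
        all_files |= changed
        if strategy == "full" or day % full_every == 0:
            backups.append(Backup(day, "full", set(all_files)))
            since_full = set()
        elif strategy == "differential":
            since_full |= changed
            backups.append(Backup(day, "differential", set(since_full)))
        elif strategy == "incremental":
            backups.append(Backup(day, "incremental", set(changed)))
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
    return backups


def restore_chain(backups, day):
    """Backups that must be read, in order, to rebuild the system as of `day`."""
    upto = [b for b in backups if b.day <= day]
    last_full = max(i for i, b in enumerate(upto) if b.kind == "full")
    chain = [upto[last_full]]
    for b in upto[last_full + 1:]:
        if b.kind == "differential":
            chain = [upto[last_full], b]    # only the newest differential is needed
        else:
            chain.append(b)                 # every incremental since the full is needed
    return chain


def restore_cost(backups, day):
    """(backup files to read, file copies to read) for a restore as of `day`."""
    chain = restore_chain(backups, day)
    return len(chain), sum(len(b.files) for b in chain)


def backup_work(backups):
    """Total file copies written over the cycle: a proxy for the hourly
    backup cost in the CIO question."""
    return sum(len(b.files) for b in backups)


def compare(changes=CHANGES, day=None):
    """Backup work and restore cost of each strategy as of the last day."""
    day = len(changes) - 1 if day is None else day
    return {s: (backup_work(plan(changes, s)), restore_cost(plan(changes, s), day))
            for s in ("full", "differential", "incremental")}


if __name__ == "__main__":
    for strategy, (work, (files, copies)) in compare().items():
        print(f"{strategy:12s} writes {work:2d} copies; restore reads {files} backups / {copies} copies")
```

On the constructed data, daily full backups write the most copies but a restore reads a single backup; incrementals write the fewest copies but a restore has to replay the full backup plus every incremental since it; differentials sit in between, since only the last differential is needed on top of the full backup.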

A CPA is working closely with a client's IT administrator to understand all the accounting applications that need to be supported so that the company will have either uninterrupted operations or a quick return to operations after a system incident. The IT administrator's focus on the ability to quickly rebound best describes which of the following concepts? A. Crisis management B. Availability controls C. Business resiliency D. Incident response

Choice "C" is correct. Keeping systems available depends on an organization's strategic ability to recover from an incident. This is accomplished by having plans in place to support business resiliency, business continuity, system availability controls, crisis management, and disaster recovery. The business resiliency component focuses on continuous operations and the ability to return to operations quickly. This requires organizations to identify the activities necessary to their core operations and the threats to those operations so that management can build a robust business resiliency program that mitigates those threats. Choice "A" is incorrect. Crisis management focuses on the overall response to an adverse event and is broader than the ability to rebound quickly. Crisis management also implies an event that has escalated to the point of being a crisis, which is its primary focus rather than a speedy recovery. Choice "B" is incorrect. System availability controls are designed to prevent system disruptions as opposed to rebounding from a disruption after it has occurred. Availability controls include mechanisms that provide system redundancy, continuous monitoring using availability metrics, and frequent updates so that IT infrastructure is not outdated. Choice "D" is incorrect. Incident response generally focuses on specific recovery actions after an incident has occurred rather than on broader recovery functions. Specific responses may be geared toward recovering from a cyberattack, power outage, or natural disaster.

Regarding the availability of an organization's IT systems, which of the following describes the difference between mirroring and replication? A. Mirroring creates an exact copy of data at a point in time for version control, whereas replication copies a database and transfers it to a different location. B. Mirroring copies data to a different machine at the same site, but replication copies data to the same machine but to a different database at the same site. C. Replication copies data to another database at a different geographical location, whereas mirroring creates an exact copy of the data on another device. D. Replication copies data to another database on a different machine at the same site, whereas mirroring copies data to databases across geographically dispersed locations.

Choice "C" is correct. System availability risks may occur as a result of the failure of IT infrastructure, insufficient capacity and resources, or a lack of business resiliency. There are various IT safeguards and processes that can be used to mitigate these risks, including both mirroring and replication, which involve backing up data. Replication is the copying and transferring of data to a different database that is located in a geographically different location. Similarly, mirroring copies data and transfers it to a different database on another machine but not in a different location. Choice "A" is incorrect. Mirroring does not provide version control. It creates the exact copy of the data for redundancy purposes. Choice "B" is incorrect. Replication copies data to a different database but not on the same machine. The site at which the copy is maintained is also different. Choice "D" is incorrect. Replication does involve copying data to another database, but not at the same site. Mirroring copies data but does not store copies across geographically dispersed locations.

Which of the following steps in the development of a business continuity plan should a company initiate first? A. Prepare recovery procedures. B. Develop an emergency contact list. C. Conduct a business-impact analysis. D. Identify critical personnel.

Choice "C" is correct. The appropriate order for developing a business continuity plan for disaster recovery is as follows: Assess the key risks, identify mission-critical applications and data, develop a plan for handling these applications, determine responsibilities for parties involved in disaster recovery, and test the recovery plan. Of the choices given above, the business-impact analysis has to happen before identifying critical and emergency personnel and preparing recovery procedures themselves. Choice "A" is incorrect. The recovery procedures are based on the business-impact analysis. Choice "B" is incorrect. The emergency contact list will be developed after the impact analysis is performed. Choice "D" is incorrect. Critical personnel will be identified after the business-impact analysis is performed.

Which of the following best describes an example of active data collection as a method of collecting data? A. Taking existing user data from a master database, cleaning the unnecessary data, and loading the transformed data into an analysis tool. B. Tracking web usage of users by pulling data from cookies. C. Interviewing users directly to gather information on user addresses. D. Obtaining information about customers based on time stamps when they interact with a website.

Choice "C" is correct. The collection of data through direct interviews with users is an example of the active data collection method of collecting data. Directly asking a party for data is considered active collection, whether in person, through a survey, or other means. Choice "A" is incorrect. The method of taking existing data, transforming it, and loading it describes the ETL data collection method rather than the active data collection method. Choice "B" is incorrect. Tracking web usage by pulling data from cookies is considered an example of passive data collection since it can be done without direct permission or communication with the respective users. Choice "D" is incorrect. Tracking user information through time stamps tied to website interactions would be considered passive data collection rather than active data collection since the data is collected without permission or direct communication.

Gregory is a CPA who is in the process of normalizing data within his tax client's database to reduce redundant data and reasonably assure that data is logically stored. As part of the process of normalization, which of the following should be the first step taken by Gregory to normalize his tax-client data? A. Conform the data, which involves requiring all non-key attributes in the table to depend on the entire primary key. B. Ascertain whether each column in the table describes only the primary key, establishing that none of the non-key attributes depend on other non-key attributes. C. Determine whether each field in the table contains only one piece of information and whether each record is uniquely identifiable through the use of a primary key. D. Conform the data by requiring all non-key attributes in the table to depend on another non-key attribute.

Choice "C" is correct. The first step in normalizing data is to determine whether the data conforms to the first normal form (1NF), which makes sorting and filtering data easier. Each field must contain only one piece of information, and each record in every table must be uniquely identified by a primary key. Choice "A" is incorrect. Conforming the data by requiring all non-key attributes in the table to depend on the entire primary key best describes the second step in the normalization process, which brings the data to the second normal form (2NF). The first step is to determine whether the data conforms to 1NF. Choice "B" is incorrect. Ascertaining whether each column in the table describes only the primary key, establishing that none of the non-key attributes depend on other non-key attributes, best describes the third step of the normalization process (3NF). This should be performed after 1NF and 2NF. Choice "D" is incorrect. Requiring all non-key attributes in the table to depend on another non-key attribute is not one of the three steps in normalization. None of the non-key attributes should depend on other non-key attributes, per the third step (3NF).
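The three normalization steps described here, and the 2NF partial-dependency rule from the Rathway Product_Details question above, can be checked mechanically against the data. The following is an added example, not part of the original flashcards: the order-line rows and column names are constructed so that the table contains exactly one partial dependency on the composite key (product attributes depend on product_id alone) and one transitive dependency between non-key columns (supplier_city depends on supplier_id), and `normalize()` relies on that shape when it splits the table.

```python
"""Check 1NF, detect 2NF and 3NF violations, and decompose a small table.

Added example, not part of the original flashcards. The order-line rows and
column names are constructed so that the data contains exactly one partial
dependency on the composite key and one transitive dependency between
non-key columns; normalize() relies on that shape.
"""
from itertools import combinations

# Constructed sample: one row per product on an order. Key = (order_id, product_id).
ORDER_LINES = [
    {"order_id": 1, "product_id": "P1", "product_name": "Widget",    "supplier_id": "S1", "supplier_city": "Boston", "qty": 2},
    {"order_id": 1, "product_id": "P2", "product_name": "Gadget",    "supplier_id": "S2", "supplier_city": "Denver", "qty": 1},
    {"order_id": 2, "product_id": "P1", "product_name": "Widget",    "supplier_id": "S1", "supplier_city": "Boston", "qty": 5},
    {"order_id": 2, "product_id": "P3", "product_name": "Gizmo",     "supplier_id": "S1", "supplier_city": "Boston", "qty": 1},
    {"order_id": 3, "product_id": "P2", "product_name": "Gadget",    "supplier_id": "S2", "supplier_city": "Denver", "qty": 2},
    {"order_id": 3, "product_id": "P4", "product_name": "Doohickey", "supplier_id": "S3", "supplier_city": "Boston", "qty": 3},
]
KEY = ("order_id", "product_id")
NON_KEY = ("product_name", "supplier_id", "supplier_city", "qty")


def fd_holds(rows, lhs, rhs):
    """True if lhs -> rhs holds in the data: each lhs value maps to a single rhs value."""
    seen = {}
    for r in rows:
        k, v = tuple(r[c] for c in lhs), tuple(r[c] for c in rhs)
        if seen.setdefault(k, v) != v:
            return False
    return True


def is_1nf(rows, key):
    """Step 1 (1NF): every field holds one atomic value and the key identifies each row."""
    atomic = all(not isinstance(v, (list, tuple, set, dict)) for r in rows for v in r.values())
    unique = len({tuple(r[c] for c in key) for r in rows}) == len(rows)
    return atomic and unique


def partial_dependencies(rows, key, attrs):
    """Step 2 (2NF) violations: non-key attributes determined by a proper subset of the key.
    A single-column key has no proper subsets, so nothing can be reported for it."""
    subsets = [s for n in range(1, len(key)) for s in combinations(key, n)]
    found = []
    for a in attrs:
        culprit = next((s for s in subsets if fd_holds(rows, s, (a,))), None)
        if culprit:
            found.append((culprit, a))
    return found


def transitive_dependencies(rows, key, attrs):
    """Step 3 (3NF) violations: a non-key attribute determined by another non-key
    attribute that is not itself an alternate key."""
    found = []
    for b in attrs:
        if fd_holds(rows, (b,), key):
            continue                       # b identifies rows on its own: an alternate key
        found.extend((b, a) for a in attrs if a != b and fd_holds(rows, (b,), (a,)))
    return found


def project(rows, cols):
    """Distinct projection onto cols: the smaller table a decomposition step produces."""
    out, seen = [], set()
    for r in rows:
        t = tuple(r[c] for c in cols)
        if t not in seen:
            seen.add(t)
            out.append(dict(zip(cols, t)))
    return out


def natural_join(a, b):
    """Join two tables on their shared column names."""
    common = [c for c in a[0] if c in b[0]]
    return [{**x, **y} for x in a for y in b if all(x[c] == y[c] for c in common)]


def normalize(rows=ORDER_LINES, key=KEY, attrs=NON_KEY):
    """Carry the table to 3NF, driven by the dependencies found in the data."""
    if not is_1nf(rows, key):
        raise ValueError("fix 1NF first: atomic fields and a unique key")
    partial = partial_dependencies(rows, key, attrs)              # 2NF
    sub_key, moved = partial[0][0], tuple(a for _, a in partial)
    lines = project(rows, key + tuple(a for a in attrs if a not in moved))
    products = project(rows, sub_key + moved)
    [(b, a)] = transitive_dependencies(products, sub_key, moved)  # 3NF
    suppliers = project(products, (b, a))
    products = project(products, tuple(c for c in products[0] if c != a))
    return {"order_lines": lines, "products": products, "suppliers": suppliers}


def lossless(rows, tables):
    """Joining the pieces back together must reproduce exactly the original rows."""
    joined = natural_join(natural_join(tables["order_lines"], tables["products"]), tables["suppliers"])
    rowset = lambda rs: {frozenset(r.items()) for r in rs}
    return len(joined) == len(rows) and rowset(joined) == rowset(rows)
```

`fd_holds` only tests the dependencies the data happens to exhibit, so on a tiny sample it can report coincidences as dependencies; in a real design the dependencies come from the business rules and the data is used to confirm them, not the other way round. The `lossless` check is the one worth keeping: a decomposition that cannot be joined back into the original rows has lost information, whatever normal form it reaches.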

Each of the following would be considered a complexity when obtaining data from an external source except: A. Safety. B. Integrity. C. Format. D. Copyrights.

Choice "C" is correct. The format of data is not considered a complexity when obtaining data from an external source. Data can come in different formats, but through the preparation and synthesis stages of the data life cycle, the data may be cleaned up for appropriate use by the organization. Integrity, safety, and copyrights are three complexities to consider when obtaining data from an external source. Choice "A" is incorrect. Integrity, safety, and copyrights are three complexities to consider when obtaining data from an external source. Choice "B" is incorrect. Integrity, safety, and copyrights are some of the complexities to consider when obtaining data from an external source. The integrity of data may be compromised when obtaining it from an external source. Choice "D" is incorrect. Copyrights would be a complexity to consider when obtaining data from an external source, as certain information may not be usable unless a contract or agreement stating the terms of use is signed with the external party.

Lauren is a system administrator for a biotech company's cloud enterprise resource planning system (ERP). She was informed by the ERP vendor that there was a bug in a recent patch release. The bug allows sales order forms to be processed without selecting a valid customer ID on the sales order form. In fact, the bug would set the customer_id field to a dummy system-generated value. To quantify the magnitude of the impact of this bug, Lauren uses SQL queries to query the two tables in the ERP database with the following schema: 'Orders' table: order_id (integer), customer_id (integer), product_sku (variable character string); 'Customers' table: customer_id (integer), customer_name (variable character string). Which of the following queries would most likely help Lauren identify the number of sales orders that do not have a valid customer name? A. SELECT COUNT(Orders.order_id) FROM Orders JOIN Customers ON Orders.order_i

Choice "C" is correct. This query uses LEFT JOIN to join the 'Orders' and 'Customers' tables on the customer_id field, then filters and counts the rows in which the customer_name field is not valid (i.e., NULL), given that the dummy ID would not be present in the 'Customers' table. The LEFT JOIN clause will provide a list of sales orders that don't have a corresponding customer_name in the 'Customers' table. Choice "A" is incorrect. This query incorrectly links the order_id on the 'Orders' table to the customer_id in the 'Customers' table. Choice "B" is incorrect. The INNER JOIN clause will yield only the list of orders that contain a valid customer name. It will not return the count of sales orders that do not have a valid customer name. Choice "D" is incorrect. Given that the bug will automatically set the customer_id to a system-generated dummy ID, this query will yield no results, because every sales order contains a customer ID, but not every customer ID is valid.

Each of the following is an advantage of using a cloud services provider (CSP), except: A. Customers only rent as much computing power as they need. B. The CSP offers distributed redundancy for data processing. C. Customers are not responsible for maintenance and tech support on hardware. D. The CSP only buys as much infrastructure as it needs each month.

Choice "D" is correct. A CSP is an organization that provides virtual services such as hosting, application delivery, providing an online platform for service or product delivery, and storage. The CSP performs all maintenance on the physical equipment, and depending on the type of cloud deployment model, the CSP may also maintain the application, environment runtime, firewalls, and operating systems. Some advantages of using a CSP include renting only the computing power or storage needed, not being responsible for maintaining or repairing equipment, and obtaining distributed redundancy by having multiple locations for off-site servers and processing power so that if one location fails, the others are used as a failover. However, it is not the CSP that benefits from buying only as much infrastructure as needed; rather, it is the CSP's customer that benefits from renting only what is required. Choice "A" is incorrect. Renting only what is needed, as opposed to buying equipment that sits idle for long periods of time, is one of the primary advantages of using a CSP. Choice "B" is incorrect. Distributed redundancy refers to the strategy of having multiple locations for virtual equipment so that in the event one site fails, another can assume computing operations. This is an advantage of using a CSP. Choice "C" is incorrect. Not being responsible for maintenance or tech support is a cost-saving benefit for CSP clients because they avoid making capital investments in equipment and the human capital costs of hiring employees to manage that infrastructure.

Gibbs Energy Inc. is a power producer and distribution network operator that runs a power grid which generates, transmits, and distributes power to customers. These core business functions require a large amount of computing power to run highly customized software applications. These applications often require modifications to the operating system. Since the usage of energy and computing power varies, Gibbs rents servers, storage, and firewalls from a cloud service provider (CSP). What type of CSP does Gibbs most likely use? A. Software-as-a-Service B. Platform-as-a-Service C. Business-Process-as-a-Service D. Infrastructure-as-a-Service

Choice "D" is correct. A cloud service provider gives its clients the ability to scale their usage of virtual resources up or down, depending on the demand for computing power at any given time. This is a particularly good value proposition for companies that have cyclical demand, such as energy companies that use more power when the weather changes. Since Gibbs is only looking to rent infrastructure and run the rest of the environment itself, including application design and uptime, the company would likely use an IaaS provider. This type of CSP does not provide support beyond virtual infrastructure but maintains the flexibility of scaling usage up or down. Choice "A" is incorrect. Software-as-a-Service providers manage much more of the environment than other cloud service providers, making SaaS deployment models a poor fit for Gibbs. Choice "B" is incorrect. Platform-as-a-Service solutions allow users to develop and maintain their own applications, but generally not operating systems. Since Gibbs has its own customized applications that require frequent modifications to the operating system, this CSP model would not be a good fit. Choice "C" is incorrect. A Business Process-as-a-Service model would not be a good fit for Gibbs because it only needs virtual infrastructure, not any additional processes or core business functions.

It may be challenging to apply the COSO control environment component from the internal control framework to blockchain applications because: A. Blockchain ledgers are transparent and viewable by anyone. B. Most blockchains are costly to implement and maintain. C. Not all trust services criteria apply to blockchains. D. Blockchains are decentralized by design.

Choice "D" is correct. Applying the COSO internal control framework can help implement controls to evaluate and mitigate some of the risks associated with blockchain technology. This is because each of the five components has implications for blockchain in some way. However, due to blockchain's decentralized nature and general lack of control by a single person or group, blockchain technology does not have an environment that can be controlled like a conventional organization. The control environment principles within the internal control framework focus on exercising oversight, establishing structure and responsibility, and demonstrating a commitment to competence. These are difficult to apply to blockchains that are truly decentralized because there is no main entity that is held accountable. Rather, different facets of the blockchain, such as voting and mining, could be held by the same or different individuals. Choice "A" is incorrect. The fact that blockchains are transparent and all transactions can be viewed by anyone would make applying a COSO component easier, not more challenging. Choice "B" is incorrect. Some blockchains can be costly and difficult to implement, but that does not address the challenges that may be associated with applying the control environment component. Even if a blockchain is inexpensive to deploy, there are other inherent structural characteristics that make it difficult to have a robust control environment with strong oversight and accountability. Choice "C" is incorrect. All five trust services criteria, as well as all five COSO internal control components, apply to blockchains. The five trust services criteria include security, availability, processing integrity, confidentiality, and privacy. Each of these has relevance to one or more aspects of a blockchain.

Morrin Corp. provides Physician Practices Plus (PPP) with complete revenue cycle management services which helps PPP collect on its receivables, provide a payment portal for clients, issue refunds, and manage all other billing functions. This is referred to as what type of model? A. Payment processing network B. Infrastructure-as-a-Service C. Platform-as-a-Service D. Business processes-as-a-Service

Choice "D" is correct. Cloud computing deployment models range from only offering outsourced computing power to providing that in addition to maintaining runtime, managing the virtual environment, providing cybersecurity, and designing the application. An IaaS (Infrastructure-as-a-Service) provides the basic infrastructure, while a PaaS (Platform-as-a-Service) provides everything but application design and usage, and a SaaS (Software-as-a-Service) covers everything except the application usage. A BPaaS (Business Process-as-a-Service) provider delivers business process outsourcing services to a user, such as managing the revenue cycle for a company. Since Morrin's services combine cloud service with a component as crucial to PPP's operations as revenue collection, the arrangement meets the definition of a BPaaS model. Choice "A" is incorrect. A payment processing network is a third party that settles payments for its clients, but that is generally its only function. A cloud service provider, coupled with consulting or management services, would be required to execute the other functions performed by Morrin. Choice "B" is incorrect. Morrin is not an IaaS provider because, in addition to providing virtual computing resources such as servers, storage, and networking, it also provides a critical business function. IaaS providers only offer the virtual resources. Choice "C" is incorrect. While a PaaS (Platform-as-a-Service) provider offers more than just virtual computing resources like servers, storage, and networking, it does not provide the critical business function of revenue cycle management that Morrin offers.

Which of the following are benefits of using a cloud service provider (CSP)? A. Ensure the application is running on the latest version of the operating system. B. Virtual machines can be stored off site or on a company's premises. C. Flexibility to perform any maintenance needed on the underlying infrastructure. D. Processing and storage can be rented in units of time, scaling up during peak usage times.

Choice "D" is correct. Cloud service providers (CSP) are organizations that provide some level of outsourced computing to their clients, ranging from virtual data centers and servers to environment management and application design. The type of CSP chosen will vary based on the individual needs of an organization. Infrastructure-as-a-Service (IaaS) CSPs provide basic virtual resources, whereas a Software-as-a-Service (SaaS) CSP operates everything except the use of the application. Platform-as-a-Service CSPs provide options between an IaaS and a SaaS. The consumption of processing power and storage can be rented in units of time across all types of CSPs. It can also be rented based on the amount of storage space used, access to different types of software, or the number of licenses. Virtual machines are stored off-site, not on a company's premises. CSP customers also do not have the ability to perform maintenance on the underlying infrastructure. Choice "A" is incorrect. Although PaaS and SaaS CSPs are responsible for keeping the operating system up to date, it is the user's responsibility to ensure the operating systems are up to date when dealing with IaaS CSPs. Choice "B" is incorrect. Virtual machines are stored off-site, not on a company's premises. Choice "C" is incorrect. Maintenance on the underlying infrastructure supporting that virtual environment is the CSP's responsibility and is not accessible by the user.

Which of the following is a key factor that enables companies to gather information without direct user permission (passive data collection)? A. User-provided data B. Social media surveys C. Secure data encryption D. Artificial intelligence algorithms

Choice "D" is correct. Creating or capturing data is the first step in the data life cycle, and data can be collected through a variety of methods, including extract, transform, and load (ETL); active data collection; and passive data collection. Companies gather information without direct permission from users through tracking web usage via cookies, gathering time stamps of user interactions, and using the Internet of Things and artificial intelligence. This implies that artificial intelligence algorithms play a role in passive data collection without requiring direct user permission. Choice "A" is incorrect. Passive data collection methods involve collecting data without direct user input or permission. Users do not actively provide this data; it is gathered through mechanisms like tracking web usage and time stamps without explicit user consent. Choice "B" is incorrect. Social media surveys are an active data collection method where users actively participate by providing survey responses. This is not passive data collection. Choice "C" is incorrect. Secure data encryption is a security measure that protects data from unauthorized access. While encryption is important for safeguarding data, it is not a method for gathering data.

You are designing a database for a retail business, and data quality is a top priority. You need to create a system that uniquely identifies each product in your inventory. Which type of attribute should you use for this purpose? A. Product ID - SKU (Stock Keeping Unit) B. Composite Primary Key - ManufacturerID + ProductCode C. Foreign Key - StoreLocation D. Primary Key - Inventory ID

Choice "D" is correct. Database keys help to uniquely identify each record in a table (and thus, uniquely identify each field at a cross-section of attribute and record) and facilitate the relationships between related tables. This option is correct because it aligns with the attribute type asked about in the question, which is the primary key. A primary key is an attribute used to ensure that each record in a table is unique. It is the fundamental attribute for uniquely identifying records in a database table. Choice "A" is incorrect. The SKU is an attribute often used to uniquely identify products in inventory. However, the question is asking about the type of attribute, in which case the primary key best describes the type of attribute that ensures the uniqueness of each record in the table. Choice "B" is incorrect. This is an example of a composite primary key, where two attributes are combined to uniquely identify a product. A composite primary key can be used to uniquely identify records when a single attribute is insufficient; however, the question is asking about the type of attribute, in which case the primary key best describes the type of attribute that ensures the uniqueness of each record in the table. Choice "C" is incorrect. Foreign keys are attributes used to establish relationships between tables, particularly when one table needs to reference another.

A company switches all processing to an alternative site, and staff members report to the alternative site to verify that they are able to connect to all major systems and perform all core business processes from the alternative site. Which of the following best identifies the activities performed by the staff? A. Authentication validation. B. Segregation control testing. C. Closed loop verification. D. Disaster recovery planning.

Choice "D" is correct. Disaster recovery planning involves a company ensuring that it is able to restore and continue its operations in the event that its computing systems are shut down or destroyed. Staff members verifying the effectiveness of an alternative site established to allow business to continue in the event its systems are shut down is an example of disaster recovery planning. Choice "A" is incorrect. Authentication validation involves establishing the identity of a system or user and verifying that it is valid. Choice "B" is incorrect. Segregation control testing ensures that any controls that have been established to ensure that specific responsibilities are segregated amongst different employees are working as intended. Choice "C" is incorrect. Closed loop verification involves one party verifying the identity of another party.

Which of the following controls would most likely ensure that an entity can reconstruct its financial records? A. Personnel independent of data entry performing manual audit logs of financial records. B. System flowcharts with documentation of financial data input and output. C. Firmware controls installed by a computer manufacturer. D. Cloud-based backup copies of financial records.

Choice "D" is correct. Having the capability to reconstruct financial records in the event of a disruption would be part of a disaster recovery (DR) and business continuity plan. DR plans enable companies to recover from losses of services in less time than would otherwise be possible, restoring core operations first, followed by those systems that are not as critical. Having backup copies, be it in the cloud or on premises, would sufficiently serve as a means by which financial records could be restored. In a cloud-based solution, an organization uses virtual computing power to store backup copies of data as opposed to a physical machine stored on a company's property. Choice "A" is incorrect. Employees performing audit logs of financial records is a needed control but not one that would restore corrupted or lost data. Choice "B" is incorrect. System and data flowcharts are useful for understanding how a system functions but are not a substitute for actual copies of financial records. Choice "C" is incorrect. Firmware is software that typically comes with hardware and directs that specific piece of hardware how to operate. This would not allow a company to reconstruct financial records.

Service organizations have contracts with their clients with terms outlining standards for system availability, such as an agreed service time (AST), a minimal amount of downtime (DT), and the mean time to repair (MTTR) a damaged device. This is referred to as a: A. Business continuity plan. B. Business impact analysis. C. Crisis management plan. D. Service level agreement.

Choice "D" is correct. Organizations often use performance metrics as benchmarks for measuring a system's availability. These metrics may include an agreed service time (AST), minimal amount of downtime (DT), recovery time objective (RTO), and the mean time to repair (MTTR). Each of these performance indicators measures a different aspect of availability and resiliency that can be used to manage IT operations. Service level agreements (SLAs) are agreements between a service organization and its clients in which performance expectations are specified. These documents list specific terms that the service organization must meet as a part of its contractual agreement to serve the client. SLAs are often tied to a client's business model or to promises it makes to its customers. Choice "A" is incorrect. A business continuity plan is a set of procedures that an organization creates to follow in the event of a disaster so that it can continue to be operational. It is not an agreement with a client or external party. Choice "B" is incorrect. A business impact analysis is an assessment of an organization's critical functions or departments and the impact if they fail. It is not a contractual agreement with an external party on system performance metrics. Choice "C" is incorrect. A crisis management plan is a policy that organizations create that is implemented when a large-scale incident occurs that has an adverse effect on its operations and stakeholders. It is not an agreement with a client that specifies system performance.

Which of the following terms best describes a set of instructions that tell the database engine how to organize data to be in compliance with the data models and specify how the data will be stored and accessed? A. Snowflake schema B. Star schema C. Data model D. Database schema

Choice "D" is correct. Relational databases must be designed with normalization in mind, and databases are supported by data models and database schemas. Data models are conceptual representations of the data structures in an information system and are not restricted to relational databases only. A database schema is a set of instructions to tell the database engine how to organize data to be in compliance with the data models. It defines the actual structure of the database, including the tables, columns, and relationships between the data entities. A database schema specifies how the data will be stored and, ultimately, accessed in the database. Choice "A" is incorrect. A snowflake schema is similar to a star schema, but with the dimension tables further normalized. Choice "B" is incorrect. The star schema is the most common schema for dimensional modeling, and it is also the simplest schema for dimensional modeling. Choice "C" is incorrect. Data models describe the high-level design of data structures in an information system. Even though a data model and a database schema may be related, they are not the same thing. A data model is a high-level design of the data structures in an information system, whereas a database schema is the actual implementation and execution of that design in a specific relational database.

A database table, tblProducts, has the following fields: ProductID, ProductName, SupplierID, CategoryID, UnitPrice. Which SQL statement would result in a list of all records in which the product prices are greater than $50, and the results are listed from the highest price to the lowest price? A. SELECT * FROM (tblProducts) WHERE (UnitPrice > 50) ORDER BY (UnitPrice) B. SELECT (UnitPrice) FROM (tblProducts) WHERE (UnitPrice>50) ORDER BY (UnitPrice) DESC C. SELECT * FROM (tblProducts) WHERE (UnitPrice) IS GREATER THAN 50 ORDER BY (UnitPrice) DESC D. SELECT * FROM (tblProducts) WHERE (UnitPrice > 50) ORDER BY (UnitPrice) DESC

Choice "D" is correct. Structured query language (SQL) is a computer language used to interact with data (tables, records, and attributes) in a relational database. Through SQL statements, records and entire tables can be created, updated, deleted, and viewed (and extracted). The SQL clauses correctly use the wildcard (*) after the SELECT command to include all attributes in the tblProducts table. The clauses also correctly filter the data set using WHERE to pass the condition of 'UnitPrice' being greater than 50. The ORDER BY and DESC commands sort the data set by 'UnitPrice' in descending order. The query results will list all records in which the product prices are greater than $50, from the highest price to the lowest price. Choice "A" is incorrect. This query did not include the DESC command to sort the results from the highest price to the lowest price. Choice "B" is incorrect. The clauses incorrectly SELECT only the 'UnitPrice' attribute. This query will return a list of UnitPrice values greater than $50, sorted from highest to lowest, with no other product attributes. Choice "C" is incorrect. 'IS GREATER THAN' is not a valid command. The operator ">" is required to pass the condition to the WHERE command.

In addressing IT system availability risks, replication is different from mirroring in that it: A. Allows operations to resume quickly at the same site. B. Cannot be combined with mirroring. C. Is used for database redundancy. D. Copies and transfers data to a different physical site.

Choice "D" is correct. System availability risk is the possibility that a system could become unavailable for a temporary or prolonged period due to software or hardware failures, network connectivity disruptions, capacity or load-balancing issues, cyberattacks, or natural and manmade disasters. Mirroring and replication address system availability risks by ensuring that data loss is prevented. This is achieved by making copies of databases that can be used to restore a primary database that has failed. Mirroring is a process that applies to data storage and backup and entails copying a database onto a different machine for the purpose of data redundancy in the event the primary database fails. Replication involves copying and transferring data between different databases located in different sites, such as a geographically different data center or the cloud. Replication allows operations to resume quickly using data in the secondary site after a system failure. Choice "A" is incorrect. Mirroring allows operations to resume at the same site rather than a secondary site. This provides for a quick recovery from any data loss or system disruption. Choice "B" is incorrect. Mirroring can be combined with replication. This is a common technique that is applied to boost system redundancy beyond that which is achieved using either of these methods alone. Choice "C" is incorrect. Both mirroring and replication are used for database redundancy, but the manner in which they serve that purpose is different. Replication transfers data to a different site, and mirroring transfers data to a different machine.

The COSO Enterprise Risk Management for Cloud Computing publication provides guidance for organizations trying to decide whether to avoid, reduce, accept, or share risk in which of the following components? A. Control Activities B. Risk Assessment C. Event Identification D. Risk Response

Choice "D" is correct. The COSO Enterprise Risk Management for Cloud Computing publication is a resource that gives organizations specific guidance on how to apply its Enterprise Risk Management (ERM) framework to a cloud computing environment. The components within this framework that can be applied include Internal Environment, Objective-Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, and Monitoring. The Risk Response component prompts an organization to respond to risk by either avoiding it, reducing its likelihood, sharing it with another entity such as an insurance company, or accepting the risk in full. This is a strategic decision made by management that will vary according to the industry in which a company operates and the cost of each option. Choice "A" is incorrect. The Control Activities component guides entities that are considering a cloud computing environment by outlining how to modify traditional controls and entity-level controls for the cloud computing environment, not whether to avoid, reduce, accept, or share risk. Choice "B" is incorrect. The Risk Assessment component helps management understand the risk that different cloud strategies might pose to an organization, not whether that risk should be accepted, reduced, shared, or avoided altogether. Choice "C" is incorrect. Event Identification is the component in which management must consider how adopting a cloud services provider could affect its risk; it focuses on how risk is created or eliminated, not how it is managed.

Which of the following COSO components and principles would help a company focus on preventative controls due to the volume and speed of transactions that occur on a blockchain? A. Component: risk assessment; principle: identifies and analyzes significant change B. Component: control environment; principle: demonstrates commitment to integrity and ethical values C. Component: control activities; principle: deploys control activities through policies and procedures D. Component: monitoring activities; principle: conducts ongoing and/or separate evaluations

Choice "D" is correct. The Committee of Sponsoring Organizations (COSO) created a five-point framework, known as the Internal Control—Integrated Framework, that has 17 principles that can be applied to a blockchain to help evaluate risks. The five components include the control environment, risk assessment, control activities, information and communication, and monitoring activities. Principle 16, "conducts ongoing and/or separate evaluations", within the monitoring activities component emphasizes the importance of preventative controls through the application of continuous monitoring. This focus is derived from the volume and speed of transactions being processed on a blockchain, making it practical to prevent an unwanted event from occurring through continual monitoring, which would be in addition to detecting or remediating it after the event occurs. Choice "A" is incorrect. The ninth principle, titled "identifies and analyzes significant change", in the risk assessment component recommends using strong change-control processes when deploying or modifying a blockchain. The focus of this principle is on establishing change-control processes to help manage deploying or amending a blockchain, not preventing an unwanted event through preventative controls. Choice "B" is incorrect. Principle one, called "demonstrates commitment to integrity and ethical values", is geared toward board-oriented governing, not controls related to the volume or speed of transactions. Choice "C" is incorrect. Principle 12, "deploys control activities through policies and procedures", recommends that policy changes be made to address certain internal controls, risks, and accounting for a blockchain. These policy and procedure recommendations do not focus on addressing controls related to the volume and speed of transactions.

A SOC 2® auditor is assessing the governing authority of a blockchain, attempting to determine whether it is centralized or decentralized. Which COSO component and associated principle would help evaluate this? A. Component: risk assessment; principle: specifies suitable objectives B. Component: control environment; principle: demonstrates commitment to competence C. Component: control activities; principle: selects and develops general controls over technology D. Component: control environment; principle: enforces accountability

Choice "D" is correct. The Committee of Sponsoring Organizations (COSO) created an internal control framework with five control components that have 17 principles that can be applied to blockchain to evaluate risks. The five components include the control environment, risk assessment, control activities, information and communication, and monitoring activities. The fifth principle, titled "enforces accountability", within the control environment component involves identifying who is responsible and has authority within a blockchain. Decentralized blockchains have distributed governance across multiple participants, whereas centralized blockchains have concentrated governance with a smaller group responsible for authorization and accountability. Applying the fifth COSO principle when evaluating a blockchain model would help assess governing authority. Choice "A" is incorrect. The fifth principle, "specifies suitable objectives", recommends that objectives be established so that the implementation of a blockchain supports reliable financial data. This principle focuses more on the reliability of the data rather than on who governs it. Choice "B" is incorrect. The principle of "demonstrating commitment to competence" helps to reevaluate competencies by continuously monitoring the ecosystem in which the blockchain operates to understand new developments. It does not assist in understanding governing authority. Choice "C" is incorrect. The 11th principle, "deploys control activities through policies and procedures", provides considerations for policies regarding internal controls, managing risk, and accounting for blockchain applications. This principle has more of an administrative focus than one on governance.

A business analyst is attempting to diagnose why encrypted data is getting corrupted during transmission, causing decryption to fail. At what layer in the Open Systems Interconnection (OSI) model is the issue most likely occurring? A. Network layer B. Application layer C. Session layer D. Presentation layer

Choice "D" is correct. The Open Systems Interconnection (OSI) model is a construct used to explain how different protocols work in a network by breaking network functions into seven layers. Data travels down through these layers using a process called encapsulation, starting with the Application layer, layer 7, and ending with the Physical layer, layer 1, from which it is transmitted to the receiving device. The Presentation layer, layer 6, converts data received from the Application layer into a form that other devices can interpret, such as a JPEG (Joint Photographic Experts Group) image or ASCII (American Standard Code for Information Interchange) text. Encryption and decryption are also placed at this layer, making layer 6 the most likely place where the corruption is occurring in this example. (In practice, protocols such as TLS do not map neatly onto a single OSI layer, but the OSI model, and exam questions based on it, assign encryption, compression and character-set conversion to layer 6.) Choice "A" is incorrect. The Network layer, layer 3, is the point at which routing and addressing headers are added to the packet so that it reaches the correct destination, but encryption does not occur at this layer. Choice "B" is incorrect. The Application layer, layer 7, is the point in the OSI model at which the user application interfaces with the network protocol required to transmit a message. Encryption occurs in a subsequent layer. Choice "C" is incorrect. In layer 5, the Session layer, communication is established and maintained so that dialogue between devices can occur. Encryption occurs in a previous layer.
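A worked illustration of why corrupted ciphertext makes decryption "fail", added here as an example that is not part of the study set. It uses a toy keystream built from SHA-256 (a demonstration, not a real cipher) so it runs with only the Python standard library; the 32-byte key, 16-byte nonce and the payroll record are constructed inputs. The practitioner's point it shows is that a bare cipher silently returns garbage when a byte is corrupted in transit, whereas an encrypt-then-MAC construction detects the corruption and refuses to decrypt, which is the behaviour a diagnosis like the one in the question should be looking for.

```python
"""Added example (not from the study set): corrupted ciphertext should fail loudly.

Toy encrypt-then-MAC built only from hashlib/hmac so it runs offline.
The keystream (SHA-256 in counter mode) is a stand-in for a real cipher;
the integrity check (HMAC-SHA256 over nonce || ciphertext) is the point.
Assumptions: a 32-byte shared key and a 16-byte per-message nonce.
"""
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output size


def _split_keys(key: bytes) -> tuple:
    # Derive independent encryption and MAC keys from the shared secret.
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream: SHA-256(key || nonce || counter), one block at a time.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Encrypt, then append a MAC over nonce || ciphertext (encrypt-then-MAC).
    enc_key, mac_key = _split_keys(key)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def decrypt_unauthenticated(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    # What a bare cipher does: no integrity check, so any input "decrypts".
    enc_key, _ = _split_keys(key)
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def decrypt_authenticated(key: bytes, nonce: bytes, blob: bytes) -> bytes:
    # Verify the tag in constant time BEFORE touching the ciphertext.
    if len(blob) < TAG_LEN:
        raise ValueError("message too short to carry a tag")
    ciphertext, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    _, mac_key = _split_keys(key)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: ciphertext corrupted or tampered")
    return decrypt_unauthenticated(key, nonce, ciphertext)


def flip_byte(data: bytes, index: int) -> bytes:
    # Simulate a single byte corrupted in transit by flipping its low bit.
    b = bytearray(data)
    b[index] ^= 0x01
    return bytes(b)


def demo() -> dict:
    # Constructed inputs; a real system draws the nonce fresh per message.
    key = hashlib.sha256(b"constructed demo key, not a real secret").digest()
    nonce = bytes(range(16))
    plaintext = b"PAYROLL,2024-06-30,EMP001,5000.00"
    blob = encrypt(key, nonce, plaintext)
    damaged = flip_byte(blob, 8)  # corrupt one ciphertext byte

    result = {"round_trip_ok": decrypt_authenticated(key, nonce, blob) == plaintext}
    # Bare cipher: corruption is silent; the caller gets plaintext with one wrong byte.
    garbage = decrypt_unauthenticated(key, nonce, damaged[:-TAG_LEN])
    result["silent_garbage"] = garbage != plaintext
    result["garbage_differs_by_one_byte"] = sum(a != b for a, b in zip(garbage, plaintext)) == 1
    # Authenticated: the corruption is caught before any plaintext is returned.
    try:
        decrypt_authenticated(key, nonce, damaged)
        result["corruption_detected"] = False
    except ValueError:
        result["corruption_detected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

A production system would use an AEAD mode such as AES-GCM or ChaCha20-Poly1305 instead of this toy, but the observable behaviour is the same: the tag check fails first, so "decryption fails" is an explicit integrity error rather than silently corrupted output passed on to the application.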

A controller is developing a disaster recovery plan for a corporation's computer systems. In the event of a disaster that makes the company's facilities unusable, the controller has arranged for the use of an alternate location and the delivery of duplicate computer hardware to this alternate location. Which of the following recovery plans would best describe this arrangement? A. Back-up site procedures. B. Hot site. C. Hot spare site agreement. D. Cold site.

Choice "D" is correct. The arrangement the controller has made is a cold site. An alternate location is reserved, but the computer hardware is not installed there in advance; duplicate hardware must be delivered and set up after the disaster occurs, which is what distinguishes a cold site from a hot site and lengthens recovery time. Choice "A" is incorrect. There should certainly be written procedures for using the back-up site, but "back-up site procedures" is not the name of the arrangement, and the question says nothing about whether such procedures exist. Choice "B" is incorrect. With a hot site, the hardware would already be on the floor at the alternate location and available for use. Nothing would have to be delivered, unless the organization had some company-specific hardware that was not included in the disaster recovery contract; if so, only that hardware would have to be delivered to the alternate location. Choice "C" is incorrect. "Hot spare site agreement" is not a commonly used term to describe disaster recovery facilities.

Which of the following would describe an example of data synthesis? A. Copying data from one spreadsheet to another. B. Extracting data from a database to perform keyword analysis. C. Creating a chart to visualize monthly website traffic. D. Calculating key anniversary dates based on each employee's hiring date.

Choice "D" is correct. The data life cycle describes the sequential steps all business data must go through from creation, through its use, storage, and final disposal. The process can be summarized in eight steps: definition, capture, preparation, synthesis, analytics and usage, publication, archival, and purging. The synthesis step is a bridge between preparation and usage; once the intended use of the captured data has been determined, calculated fields can be created to prepare that data for quicker usage and analysis. Calculating key anniversary dates based on individual hire dates is an example of data synthesis to derive new meaningful insights from existing data. Choice "A" is incorrect. Copying data between spreadsheets is a data transfer or consolidation task rather than the creation of new data or calculated fields. Choice "B" is incorrect. This refers to data extraction and analysis, where extracting data is the initial step, and keyword analysis is a form of data analysis, not data synthesis. Choice "C" is incorrect. Creating a chart for visualization is more about data presentation, not synthesis.

A piece of hardware that connects devices within a network by reading and converting protocols so that traffic can be transmitted across those devices is most likely which of the following networking components? A. Firewall B. Switch C. Router D. Gateway

Choice "D" is correct. Various devices are used so that a network can function properly, including switches, routers, and gateways. Each plays a distinct role in connecting the network and helping information flow securely from origin to destination. As data packets move between networks, a different data format or protocol may be required in each network for the packet to be transmitted. A gateway is a device that serves as an access point between networks and converts the protocols being used so that data can flow between those networks. Choice "A" is incorrect. A firewall is a hardware or software solution that protects an organization's network by filtering traffic and analyzing it for potential threats. It does not convert protocols so that traffic can be transmitted across networks. Choice "B" is incorrect. A switch is a piece of hardware that connects devices within a network and forwards each frame to the port where the destination device is attached. It does not convert protocols during this process. Choice "C" is incorrect. A router is a device that directs traffic between networks along the most efficient path, but it does not convert protocols so that data can be transferred.
