SU 15
Which of the following statements is correct regarding information technology (IT) governance?
A primary goal of IT governance is to balance risk versus return over IT and its processes.
The firewall system that limits access to a computer by routing users to replicated Web pages is
A proxy server.
An online data entry program is used for original entry of vendor invoices. A batch check-writing program occasionally prepares a check for a vendor not yet included in the vendor file. Checks for such vendors contain nonsense characters in the payee field. The most effective programmed control to prevent this kind of error is to perform
A record lookup for vendors during data entry.
Dora Jones, an auditor for Farmington Co., noted that the Acme employees were using computers connected to Acme's network by wireless technology. On her next visit to Acme, Jones brought one of Farmington's laptop computers with a wireless network card. When she started the laptop to begin work, Jones noticed that the laptop could view several computers on Acme's network and that she had access to Acme's network files. Which of the following statements is the most likely explanation?
Acme was not using security on the network.
An employee in the receiving department keyed in a shipment from a remote terminal and inadvertently omitted the purchase order number. The best systems control to detect this error is
Completeness test.
Which of the following characteristics distinguishes computer processing from manual processing?
Computer processing virtually eliminates the occurrence of computational error normally associated with manual processing.
Innovations in IT increase the importance of risk management because
Information system security is continually subject to new threats.
Which of the following is most likely a disadvantage for an entity that keeps data files prepared by personal computers rather than manually prepared files?
It is usually easier for unauthorized persons to access and alter the files.
Which of the following internal control procedures would prevent an employee from being paid an inappropriate hourly wage?
Limiting access to employee master files to authorized employees in the personnel department.
General controls in an information system include each of the following except
Logic tests.
In a large multinational organization, which of the following job responsibilities should be assigned to the network administrator?
Managing remote access.
Which of the following is a key difference in controls when changing from a manual system to a computer system?
Methodologies for implementing controls change.
Which of the following passwords would be most difficult to crack?
O?Ca!FlSi
Which of the following areas of responsibility are normally assigned to a systems programmer in a computer system environment?
Operating systems and compilers.
Matthews Corp. has changed from a system of recording time worked on clock cards to a computerized payroll system in which employees record time in and out with magnetic cards. The computer system automatically updates all payroll records. Because of this change,
Part of the audit trail is altered.
For control purposes, which of the following should be organizationally segregated from the computer operations function?
Systems development.
What is the primary objective of data security controls?
To ensure that data storage media are subject to authorization prior to access, change, or destruction.
Which of the following is an advantage of a computer-based system for transaction processing over a manual system? A computer-based system
Will be more efficient at producing financial statements.
Which of the following controls is a processing control designed to ensure the reliability and accuracy of data processing? (Limit test / Validity check test)
Limit test: Yes. Validity check test: Yes.
An auditor was examining a client's network and discovered that the users did not have any password protection. Which of the following would be the best example of the type of network password the users should have?
tR34ju78.
All of the following are adequate controls for protection against unauthorized access to sensitive information except
System access log.
As a result of technological developments facing businesses and CPAs,
System boundaries are becoming less distinct.
Authentication is the process by which the
System verifies the identity of the user.
An entity has the following invoices in a batch:
Invoice Number   Product   Quantity   Unit Price
201              F10       150        $ 5.00
202              G15       200        $10.00
203              H20       250        $25.00
204              K35       300        $30.00
Which of the following numbers represents the record count?
4
An entity has the following sales orders in a batch:
Invoice #   Product   Quantity   Unit Price
101         K 10      50         $ 5.00
102         M 15      100        $10.00
103         P 20      150        $25.00
104         Q 25      200        $30.00
105         T 30      250        $35.00
Which of the following numbers represents the record count?
5
An entity has the following invoices in a batch:
Invoice Number   Product   Quantity   Unit Price
201              F10       150        $ 5.00
202              G15       200        $10.00
203              H20       250        $25.00
204              K35       300        $30.00
Which of the following most likely represents a hash total?
810
A company wants to protect its IT system from unauthorized users accessing the system. Which of the following controls would best serve to mitigate this risk?
A biometric device.
One of the major problems in a computer system is that incompatible functions may be performed by the same individual. One compensating control is the use of
A computer log.
A company's web server has been overwhelmed with a sudden surge of false requests that caused the server to crash. The company has most likely been the target of
A denial of service attack.
Attacks on computer networks may take many forms. Which of the following uses the computers of innocent parties infected with Trojan horse programs?
A distributed denial-of-service attack.
An entity has many employees that access a database. The database contains sensitive information concerning the customers of the entity and has numerous access points. Access controls prevent employees from entry to those areas of the database for which they have no authorization. All salespersons have certain access permission to customer information. Which statement is true regarding the nature of the controls and risks?
A salesperson's access to customer information should extend only to what is necessary to perform his or her duties.
Which of the following statements is true regarding internal control objectives of information systems?
A secure system may have inherent risks due to management's analysis of trade-offs identified by cost-benefit studies.
Which of the following errors most likely would be detected by batch financial totals?
A transposition error on one employee's paycheck on a weekly payroll run.
Controls in the information technology area are classified into the preventive, detective, and corrective categories. Which of the following is a preventive control?
Access control software.
All of the following are correct statements regarding a firewall except
An application firewall is an adequate substitute for a network firewall.
Which of the following types of control plans is particular to a specific process or subsystem, rather than related to the timing of its occurrence?
Application.
In the organization of the information systems function, the most important segregation of duties is
Assuring that those responsible for programming the system do not have access to data processing operations.
When a user enters a certain entity's system, a series of questions is asked of the user, including a name and mother's birth date. These questions are primarily intended to provide
Authentication of the user.
The headquarters' computer of a certain entity maintains a matrix of user names and the files/programs the user can access as well as what the user can do to/with the file or program. This matrix is primarily intended to provide
Authorization for processing.
Which of the following security controls may prevent unauthorized access to sensitive data via an unattended workstation connected to a server?
Automatic log-off of inactive users.
A company permits employees to work from home using company-owned laptops. Which of the following competitive advantages does the company most likely obtain as a result of this decision?
Availability.
Certain payroll transactions were posted to the payroll file but were not uploaded correctly to the general ledger file on the main server. The best control to detect this type of error would be
Balancing totals of critical fields.
Which of the following computerized control procedures is most effective in ensuring that files of data uploaded from personal computers to a server are complete and that no additional data are added?
Batch control totals, including control totals and hash totals.
A customer intended to order 100 units of product Z96014 but incorrectly ordered nonexistent product Z96015. Which of the following controls most likely would detect this error?
Check digit verification.
A customer notified a company that the customer's account did not reflect the most recent monthly payment. The company investigated the issue and determined that a clerk had mistakenly applied the customer's payments to a different customer's account. Which of the following controls would help to prevent such an error?
Closed-loop verification.
To maintain effective segregation of duties within the information technology function, an application programmer should have which of the following responsibilities?
Code approved changes to a payroll program.
A computer operator responsible for a particular job needed to know whether the job had already been run that day. The computer operator examined the
Console log.
Some data processing controls relate to all computer processing activities (general controls) and some relate to specific tasks (application controls). General controls include
Controls for documenting and approving programs and changes to programs.
Which of the following statements most accurately describes the impact that automation has on the controls normally present in a manual system?
Controls must be more explicit in a computer-based system because many processing points that present opportunities for human judgment in a manual system are eliminated.
Which of the following is a true statement regarding security over an entity's IT?
Controls should exist to ensure that users have access to and can update only the data elements that they have been authorized to access.
A company began issuing handheld devices to key executives. Each of the following factors is a reason for requiring changes to the security policy except
Convenience of the device.
Which of the following activities would most likely be performed in the computer processing department?
Conversion of information to machine-readable form.
Which of the following information technology (IT) departmental responsibilities should be delegated to separate individuals?
Data entry and application programming.
In a large firm, custody of an entity's data is most appropriately maintained by which of the following personnel?
Data librarian.
The increased use of database processing systems makes managing data and information a major information service function. Because the databases of an organization are used for many different applications, they are coordinated and controlled by a database administrator. The functions of a database administrator are
Database design, database operation, and database security.
If a control total were to be computed on each of the following data items, which would best be identified as a hash total for a payroll computer application?
Department numbers.
What is the role of the systems analyst in an IT environment?
Designing systems, preparing specifications for programmers, and serving as intermediary between users and programmers.
The purpose of check digit verification of an account number on an update transaction is to
Detect a transposition of an account number entered into the system.
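Added example, not part of the study unit: a weighted modulus-11 check digit routine of the kind the two check-digit questions above describe (the nonexistent product number and the transposed account number). The page does not say which check-digit algorithm the entities use, so the scheme, the digit weights and the sample account numbers below are assumptions chosen to illustrate the technique; the code is written for this page, not taken from any vendor's system.

```python
"""Weighted modulus-11 check digit for account and product numbers.

Added example (not from the study unit). A check digit is a digit appended
to an identifier and computed from its other digits, so the input program
can recompute it and reject a mis-keyed number before any master-file
lookup. With the weights used here, every single-digit error and every
transposition of two adjacent digits changes the weighted sum modulo 11,
so both are detected. The sample numbers below are constructed.
"""
from typing import Optional

MODULUS = 11
MAX_BASE_LENGTH = 9  # keeps every weight in 2..10, so none is a multiple of 11


def _weighted_sum(digits: str) -> int:
    # Position weights run (n+1), n, ..., 2 from left to right. Adjacent
    # positions never share a weight, so swapping digits a and b changes the
    # sum by (a - b), which is nonzero modulo 11 whenever a != b.
    weights = range(len(digits) + 1, 1, -1)
    return sum(int(d) * w for d, w in zip(digits, weights))


def assign_check_digit(base: str) -> Optional[str]:
    """Return the identifier with its check digit appended.

    Returns None when the required check value is 10, which cannot be
    written as one decimal digit (ISBN-10 writes 'X' for it); a purely
    numeric numbering scheme simply never issues those base numbers.
    """
    if not base.isdigit() or not 1 <= len(base) <= MAX_BASE_LENGTH:
        raise ValueError("base must be 1 to 9 decimal digits")
    check = (-_weighted_sum(base)) % MODULUS
    if check == 10:
        return None
    return base + str(check)


def verify_check_digit(number: str) -> bool:
    """True when the trailing digit agrees with the digits before it."""
    if not number.isdigit() or not 2 <= len(number) <= MAX_BASE_LENGTH + 1:
        return False
    base, check = number[:-1], int(number[-1])
    return (_weighted_sum(base) + check) % MODULUS == 0


def detects_all_adjacent_transpositions(number: str) -> bool:
    """Brute-force confirmation for one valid number: swapping any two
    different adjacent digits (the check digit included) fails verification."""
    if not verify_check_digit(number):
        raise ValueError("number must carry a correct check digit")
    for i in range(len(number) - 1):
        if number[i] == number[i + 1]:
            continue  # swapping equal digits changes nothing
        swapped = number[:i] + number[i + 1] + number[i] + number[i + 2:]
        if verify_check_digit(swapped):
            return False
    return True


if __name__ == "__main__":
    account = assign_check_digit("4528")              # constructed base number
    print(account)                                    # 45284
    print(verify_check_digit(account))                # True
    print(verify_check_digit("54284"))                # False: first two digits transposed
    print(verify_check_digit("45384"))                # False: one digit mis-keyed
    print(detects_all_adjacent_transpositions(account))  # True
```

The check digit is an input control, not a validity check: it rejects a number that cannot have been issued without consulting the master file, which is why the exam answer pairs it with transposition errors. It does not catch a correctly keyed number that belongs to the wrong account; that still needs the master-file lookup or closed-loop verification named elsewhere on this page.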
A retail store uses batch processing to process sales transactions. The store has batch control total and other control checks embedded in the information processing system of the sales subsystem. While comparing reports, an employee notices that information sent to the subsystem was not fully processed. Which of the following types of controls is being exercised by the employee?
Detective.
Review of the audit log is an example of which type of security control?
Detective.
Which of the following should not be the responsibility of a database administrator?
Develop applications to access the database.
Which of the following is considered an application input control?
Edit check.
A client who recently installed a new accounts payable system assigned employees a user identification code (UIC) and a separate password. Each UIC is a person's name, and the individual's password is the same as the UIC. Users are not required to change their passwords at initial log-in, nor do passwords ever expire. Which of the following statements does not reflect a limitation of the client's computer-access control?
Employees are not required to take regular vacations.
Which of the following is the most effective user account management control in preventing the unauthorized use of a computer system?
Employees are required to renew their accounts semiannually.
The significance of hardware controls is that they
Ensure the proper execution of machine instructions.
Which of the following statements is inconsistent with the key principles of the COBIT 5 framework?
Enterprise governance and management are treated as the same activity.
Able Co. uses an online sales order processing system to process its sales transactions. Able's sales data are electronically sorted and subjected to edit checks. A direct output of the edit checks most likely would be a
File of all rejected sales transactions.
Which of the following risks can be minimized by requiring all employees accessing the information system to use passwords?
Firewall vulnerability.
Which of the following is a network security system that is used to control network traffic and to set up a boundary that prevents traffic from one segment from crossing over to another?
Firewall.
Which of the following is an electronic device that separates or isolates a network segment from the main network while maintaining the connection between networks?
Firewall.
The two broad groupings of information systems control activities are general controls and application controls. General controls include controls
For developing, modifying, and maintaining computer programs.
Parity checks and echo checks are examples of
Hardware controls.
In an automated payroll processing environment, a department manager substituted the time card for a terminated employee with a time card for a fictitious employee. The fictitious employee had the same pay rate and hours worked as the terminated employee. The best control to detect this action using employee identification numbers is a
Hash total.
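Added example, not part of the study unit: the three batch control totals that the invoice-batch questions above ask for (record count and hash total), recomputed over the invoice data given on the page, plus a constructed payroll batch showing why only a hash total over employee identification numbers exposes the substituted time card in the question just above. The record layouts, the employee numbers and the "submitted versus processed" framing are assumptions made for the example.

```python
"""Batch control totals: record count, financial total and hash total.

Added example, not part of the study unit. It recomputes the totals for
the invoice batch quoted in the questions above (data taken from the page)
and then shows why only a hash total over employee identification numbers
catches the substituted time card in the payroll question: the fictitious
employee has the same hours and pay rate, so the record count and the
financial total are unchanged. The payroll batch is constructed.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, Iterable, List, Union

Total = Union[int, Decimal]


@dataclass(frozen=True)
class Invoice:
    number: int
    product: str
    quantity: int
    unit_price: Decimal


@dataclass(frozen=True)
class TimeCard:
    employee_id: int
    hours: Decimal
    rate: Decimal


# Invoice batch exactly as listed in the question above.
INVOICE_BATCH = [
    Invoice(201, "F10", 150, Decimal("5.00")),
    Invoice(202, "G15", 200, Decimal("10.00")),
    Invoice(203, "H20", 250, Decimal("25.00")),
    Invoice(204, "K35", 300, Decimal("30.00")),
]

# Constructed payroll batch. SUBMITTED_CARDS is what the batch header prepared
# from the personnel department's active-employee list covers; PROCESSED_CARDS
# is what reached the payroll run after a manager swapped terminated employee
# 1042 for fictitious employee 7731 at identical hours and rate.
SUBMITTED_CARDS = [
    TimeCard(1041, Decimal("40"), Decimal("20.00")),
    TimeCard(1042, Decimal("40"), Decimal("22.50")),
    TimeCard(1043, Decimal("32"), Decimal("18.00")),
]
PROCESSED_CARDS = [
    TimeCard(1041, Decimal("40"), Decimal("20.00")),
    TimeCard(7731, Decimal("40"), Decimal("22.50")),
    TimeCard(1043, Decimal("32"), Decimal("18.00")),
]


def record_count(batch: Iterable[object]) -> int:
    """Number of records; catches records lost or duplicated in transit."""
    return sum(1 for _ in batch)


def financial_total(amounts: Iterable[Decimal]) -> Decimal:
    """Sum of a field that means something in money terms (extended invoice
    amount, gross pay); catches altered or missing amounts."""
    return sum(amounts, Decimal("0"))


def hash_total(values: Iterable[int]) -> int:
    """Sum of a field whose total has no meaning in itself (invoice numbers,
    employee numbers); it exists only to be compared with the same sum taken
    at another point, and it changes whenever an identifier is replaced."""
    return sum(values)


def invoice_totals(batch: List[Invoice]) -> Dict[str, Total]:
    return {
        "records": record_count(batch),
        "financial": financial_total(inv.quantity * inv.unit_price for inv in batch),
        "hash_invoice_number": hash_total(inv.number for inv in batch),
    }


def payroll_totals(cards: List[TimeCard]) -> Dict[str, Total]:
    return {
        "records": record_count(cards),
        "financial": financial_total(card.hours * card.rate for card in cards),
        "hash_employee_id": hash_total(card.employee_id for card in cards),
    }


def mismatched_totals(expected: Dict[str, Total], actual: Dict[str, Total]) -> List[str]:
    """Names of the control totals that do not agree; an empty list means the
    batch balances and may be released for processing."""
    return [name for name, value in expected.items() if actual.get(name) != value]


def payroll_control_exceptions() -> List[str]:
    """Which totals expose the time-card substitution."""
    return mismatched_totals(payroll_totals(SUBMITTED_CARDS), payroll_totals(PROCESSED_CARDS))


if __name__ == "__main__":
    print(invoice_totals(INVOICE_BATCH))
    # {'records': 4, 'financial': Decimal('18000.00'), 'hash_invoice_number': 810}
    print(payroll_control_exceptions())  # ['hash_employee_id']
```

The same comparison serves the other batch questions on this page: a record count finds a dropped or duplicated record, a financial total finds an altered amount, and a hash total over an identifier field is the only one of the three that notices when a record with the right amounts but the wrong identity has been slipped in.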
General controls include
I. Physical controls.
II. Access controls.
III. Hardware controls.
IV. Environmental controls.
V. Logical controls.
I, II, III, IV, and V.
The risks created by rapid changes in IT have not affected which concepts of internal control?
I. Cost-benefit analysis
II. Control environment
III. Reasonable assurance
IV. Management's responsibility
I, II, III, and IV.
Which of the following risks are greater in computerized systems than in manual systems?
I. Erroneous data conversion
II. Erroneous source document preparation
III. Repetition of errors
IV. Concentration of data
I, III, and IV.
Spoofing is one type of malicious online activity. Spoofing is
Identity misrepresentation in cyberspace.
Which of the following control activities should be taken to reduce the risk of incorrect processing in a newly installed computerized accounting system?
Independently verify the transactions.
Which of the following statements is true concerning the COBIT 5 framework?
Information and organizational structures are among the enablers identified in COBIT 5.
A client installed sophisticated controls using the biometric attributes of employees to authenticate user access to the computer system. This technology most likely replaced which of the following controls?
Passwords.
Which of the following classifications of security controls includes smoke detectors, generators, security guards, and ID badges?
Physical.
An organization relied heavily on e-commerce for its transactions. Evidence of the organization's security awareness manual would be an example of which of the following types of controls?
Preventive.
The most critical aspect of separation of duties within information systems is between
Programmers and computer operators.
Which one of the following represents a lack of internal control in a computer-based system?
Programmers have access to change programs and data files when an error is detected.
Which of the following is the best policy for the protection of a company's vital information resources from computer viruses?
Prudent management procedures instituted in conjunction with technological safeguards.
A systems engineer is developing the input routines for a payroll system. Which of the following methods validates the proper entry of hours worked for each employee?
Reasonableness check.
An employee mistakenly enters April 31 in the date field. Which of the following programmed edit checks offers the best solution for detecting this error?
Reasonableness.
An important function of a database administrator is
Redefining and restructuring the database.
Which of the following statements presents an example of a general control for a computerized system?
Restricting access to the computer center by use of biometric devices.
Which of the following activities would most likely detect computer-related fraud?
Reviewing the systems-access log.
To ensure the completeness of update in an online system, separate totals are accumulated for all transactions processed throughout the day. The computer then agrees these totals to the total of items accepted for processing. This is an example of
Run-to-run totals.
Which of the following controls most likely could prevent computer personnel from modifying programs to bypass programmed controls?
Segregation of duties for computer programming and computer operations.
All of the following are correct statements regarding general controls except
Segregation of duties is less important because IT facilitates the separation of functions (authorization, recording, and access to assets).
Which of the following statements best characterizes the function of a physical access control?
Separates unauthorized individuals from computer resources.
Which one of the following input validation routines is not likely to be appropriate in a real-time operation?
Sequence check.
Which of the following is a validity check?
The computer flags any transmission for which the control field value did not match that of an existing file record.
Robert is the data administrator (DA) for Big Time Corporation. An example of Robert's responsibilities as the DA is to monitor
The database industry.
A small client recently put its cash disbursements system on a server. About which of the following internal control features would an auditor most likely be concerned?
The server is operated by employees who have cash custody responsibilities.
If a payroll system continues to pay employees who have been terminated, control weaknesses most likely exist because
There were inadequate manual controls maintained outside the computer system.
Your firm has recently converted its purchasing cycle from a manual process to an online computer system. Which of the following is a probable result associated with conversion to the new automatic system?
Traditional duties are less segregated.
An accounts payable clerk is accused of making unauthorized changes to previous payments to a vendor. Proof could be uncovered in which of the following places?
Transaction logs.
Which of the following is a computer program that appears to be legitimate but performs some illicit activity when it is run?
Trojan horse.
A network firewall is designed to provide adequate protection against which of the following?
Unauthenticated logins from outside users.
When a client's accounts payable computer system was relocated, the administrator provided support through a dial-up connection to a server. Subsequently, the administrator left the company. No changes were made to the accounts payable system at that time. Which of the following situations represents the greatest security risk?
User accounts are not removed upon termination of employees.
Which of the following is a password security problem?
Users are assigned passwords when accounts are created but do not change them.
A customer's order was never filled because an order entry clerk transposed the customer identification number while entering the sales transaction into the system. Which of the following controls would most likely have detected the transposition?
Validity check.
Which of the following input controls would prevent an incorrect state abbreviation from being accepted as legitimate data?
Validity check.
An accounts payable program posted a payable to a vendor not included in the online vendor master file. A control that would prevent this error is a
Validity check.
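Added example, not part of the study unit: one online data-entry edit routine that applies the input controls named across several questions above, namely a completeness test (the omitted purchase order number), a validity check against a master file (the unknown vendor, the transposed customer number), a reasonableness or limit test, and a calendar-date check that rejects April 31. Records that fail are written to a rejection file with the reason, which is the direct output of the edit checks. The record layout, the vendor master file, the field names and the sample transactions are all constructed for this example; the page does not describe any particular entity's program.

```python
"""Programmed edit checks in an online data-entry program.

Added example, not from the study unit. One edit routine applies the input
controls that several questions above name: a completeness test (required
field present), a validity check (value must exist on a master file), a
reasonableness or limit test (value inside an expected range) and a
calendar-date check that rejects impossible dates such as April 31.
Records that fail go to a rejection file together with the reason. The
record layout, the vendor master file and the transactions are constructed.
"""
from datetime import date
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Optional

# Constructed vendor master file; a validity check is a lookup against it.
VENDOR_MASTER = {20154: "Acme Supply", 30877: "Farmington Freight", 41020: "Ridge Tools"}
REQUIRED_FIELDS = ("vendor_number", "purchase_order", "invoice_date", "amount")
AMOUNT_LOW, AMOUNT_HIGH = Decimal("0.01"), Decimal("50000.00")  # reasonableness band


def completeness_test(record: Dict[str, object], field: str) -> Optional[str]:
    """Reject a record whose required field is absent or blank."""
    value = record.get(field)
    if value is None or str(value).strip() == "":
        return f"{field}: missing"
    return None


def validity_check(value: object, master: Dict[int, str], field: str) -> Optional[str]:
    """Reject a key that does not exist on the master file. This is what stops
    a transposed customer number or an unknown vendor from being posted."""
    return None if value in master else f"{field}: {value!r} not on master file"


def reasonableness_test(value: Decimal, low: Decimal, high: Decimal, field: str) -> Optional[str]:
    """Reject a value outside the range the business expects for the field."""
    return None if low <= value <= high else f"{field}: {value} outside {low}..{high}"


def date_check(text: object, field: str) -> Optional[str]:
    """Reject text that is not a real calendar date (2024-04-31 is not one)."""
    try:
        date.fromisoformat(str(text))
    except ValueError:
        return f"{field}: {text!r} is not a valid calendar date"
    return None


def edit_record(record: Dict[str, object]) -> List[str]:
    """All edit-check failures for one record; an empty list means accepted."""
    errors: List[Optional[str]] = [completeness_test(record, f) for f in REQUIRED_FIELDS]
    # Field-level checks only run on fields that are actually present.
    if completeness_test(record, "vendor_number") is None:
        errors.append(validity_check(record["vendor_number"], VENDOR_MASTER, "vendor_number"))
    if completeness_test(record, "invoice_date") is None:
        errors.append(date_check(record["invoice_date"], "invoice_date"))
    if completeness_test(record, "amount") is None:
        try:
            amount = Decimal(str(record["amount"]))
        except InvalidOperation:
            errors.append("amount: not numeric")
        else:
            errors.append(reasonableness_test(amount, AMOUNT_LOW, AMOUNT_HIGH, "amount"))
    return [e for e in errors if e is not None]


def run_edit_program(transactions):
    """Split a batch into accepted records and a rejection file with reasons."""
    accepted, rejected = [], []
    for record in transactions:
        errors = edit_record(record)
        if errors:
            rejected.append({"record": record, "errors": errors})
        else:
            accepted.append(record)
    return accepted, rejected


# Constructed day's entries: one clean, one missing its purchase order, one
# with the vendor number keyed as 20145 instead of 20154, and one dated
# April 31 with an amount far above the reasonableness ceiling.
SAMPLE_TRANSACTIONS = [
    {"vendor_number": 20154, "purchase_order": "PO-88120", "invoice_date": "2024-04-30", "amount": "1250.00"},
    {"vendor_number": 30877, "purchase_order": "", "invoice_date": "2024-04-30", "amount": "310.40"},
    {"vendor_number": 20145, "purchase_order": "PO-88121", "invoice_date": "2024-04-29", "amount": "980.00"},
    {"vendor_number": 41020, "purchase_order": "PO-88122", "invoice_date": "2024-04-31", "amount": "925000.00"},
]


def rejection_reasons() -> List[List[str]]:
    """Error lists in the rejection file for the constructed batch."""
    _, rejected = run_edit_program(SAMPLE_TRANSACTIONS)
    return [entry["errors"] for entry in rejected]


if __name__ == "__main__":
    for reasons in rejection_reasons():
        print(reasons)
```

The rejection file is what the exam calls the direct output of the edit checks: it keeps the bad record and the reason together so the originating department can correct and resubmit, and so a detective control (review of rejections that never come back) still applies. A sequence check is deliberately absent; as the page notes, it is not appropriate for real-time entry, where transactions arrive in no fixed order.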