4100 2

Lakukan tugas rumah & ujian kamu dengan baik sekarang menggunakan Quizwiz!

Restricting access of users to specific portions of the system as well as specific tasks, is an example of A) authentication. B) authorization. C) identification. D) threat monitoring.

A ________ determines if all required data items have been entered. A) completeness check B) field check C) limit check D) range check

A computer operator accidentally used the wrong master file when updating a transaction file. As a result, the master file data is now unreadable. Which control could best have prevented this from happening? A) Header record. B) Validity check. C) Trailer record. D) Parity check.

A control procedure designed so that the employee that records cash received from customers does not also have access to the cash itself is an example of a(n) A) preventive control. B) detective control. C) corrective control. D) authorization control.

A copy of a database, master file, or software that will be retained indefinitely as a historical record is known as a(n) A) archive. B) cloud computing. C) differential backup. D) incremental backup.

A customer forget to include her account number on her check, and the accounts receivable clerk credited her payment to a different customer with the same last name. Which control could have been used to most effectively to prevent this error? A) Closed-loop verification. B) Duplicate values check. C) Reasonableness test. D) Reconciliation of a batch control total.

A facility that is pre-wired for necessary telecommunications and computer equipment, but doesn't have equipment installed, is known as a A) cold site. B) hot site. C) remote site. D) subsidiary location.

A hash total is an example of which control below? A) Data entry control. B) Data transmission control. C) Processing control. D) Output control.

A payroll clerk accidentally entered an employee's hours worked for the week as 380 instead of 38. The data entry control that would best prevent this error would be A) a limit check. B) a check digit. C) batch total reconciliation. D) a field check.

A separate network located outside the organization's internal information system that permits controlled access from the Internet to selected resources is known as a(n) A) demilitarized zone. B) intrusion detection system. C) intrusion prevention system. D) firewall.

A store policy that allows retail clerks to process sales returns for $1,000 or less, with a receipt dated within the past 30 days, is an example of A) general authorization. B) specific authorization. C) special authorization. D) generic authorization.

A validity check is an example of A) a data entry control. B) an output control. C) a data transmission control. D) an input control.

A well-known hacker started her own computer security consulting business. Many companies pay her to attempt to gain unauthorized access to their network. If she is successful, she offers advice as to how to design and implement better controls. What is the name of the testing for which the hacker is being paid? A) Penetration test. B) Vulnerability scan. C) Deep packet inspection D) Buffer overflow test.

A(n) ________ helps employees act ethically. A) boundary system B) diagnostic control system C) interactive control system D) belief system

Which of the following is a key control regarding the minimization of system downtime? A) fault tolerance B) disaster recovery plans C) backup procedures D) all of the above

According to The Sarbanes-Oxley Act of 2002, the audit committee of the board of directors is directly responsible for A) hiring and firing the external auditors. B) performing tests of the company's internal control structure. C) certifying the accuracy of the company's financial reporting process. D) overseeing day-to-day operations of the internal audit department.

According to the COSO Enterprise Risk Management Framework, the risk assessment process incorporates all of the following components except A) reporting potential risks to auditors. B) identifying events that could impact the enterprise. C) evaluating the impact of potential events on achievement of objectives. D) establishing objectives for the enterprise.

According to the ERM model, ________ help the company address all applicable laws and regulations. A) compliance objectives B) operations objectives C) reporting objectives D) strategic objectives

According to the Trust Services Framework, the reliability principle of availability is achieved when the system produces data that A) is available for operation and use at times set forth by agreement. B) is protected against unauthorized physical and logical access. C) can be maintained as required without affecting system availability, security, and integrity. D) is complete, accurate, and valid.

All of the following are associated with asymmetric encryption except A) speed. B) private keys. C) public keys. D) no need for key exchange.

All of the following controls for online entry of a sales order would be useful except A) check digit verification on the dollar amount of the order. B) validity check on the inventory item numbers. C) field check on the customer ID and dollar amount of the order. D) concurrent update control.

An REA diagram must link every event to at least one ________ and two ________. A) resource; agents B) agent; resources C) transaction; entities D) resource; relationships

An entity-relationship diagram A) can represent the contents of any database. B) is only used in conjunction with REA models. C) can show a limited number of entities and relationships. D) is used only to design new databases.

At a movie theater box office, all tickets are sequentially prenumbered. At the end of each day, the beginning ticket number is subtracted from the ending number to calculate the number of tickets sold. Then, ticket stubs collected at the theater entrance are counted and compared with the number of tickets sold. Which of the following situations does this control detect? A) Some customers presented tickets purchased on a previous day when there wasn't a ticket taker at the theater entrance (so the tickets didn't get torn.) B) A group of kids snuck into the theater through a back door when customers left after a show. C) The box office cashier accidentally gives too much change to a customer. D) The ticket taker admits his friends without tickets.

Cancellation and storage of documents means A) documents are defaced and stored. B) documents are defaced before being shredded. C) cancellation data are copied from documents before they are stored. D) data are copied from a document and stored before it is being shredded.

Consider Helge's processes regarding the purchasing inventory and supplies, renting display space, and paying for purchased items. A well-designed REA diagram would A) include eight unique entities. B) include nine unique entities. C) include seven unique entities. D) include ten unique entities.

Consider Helge's processes regarding the purchasing inventory and supplies, renting display space, and paying for purchased items. A well-designed REA diagram would A) reflect minimum cardinalities of 1 for the relationship between Vendor and Cash Disbursement entities. B) reflect the same number of 0 and 1 minimum cardinalities. C) reflect more maximum cardinalities of M than of 1. D) reflect maximum cardinalities of M for the relationship between Inventory and Purchase entities.

Consider Helge's processes regarding the purchasing inventory and supplies, renting display space, and paying for purchased items. In a well-designed REA diagram, what entities would reflect economic duality? A) Purchases and Cash Disbursements B) Display Space Rental and Cash Disbursements C) Inventory and Purchases D) Cash and Cash Disbursements

Effective segregation of accounting duties is achieved when which of the following functions are separated? A) Authorization, recording, and custody. B) Recording, monitoring, and information system. C) Authorization, monitoring, and risk assessment. D) Recording, risk assessment, and control procedures.

Encryption is a necessary part of which information security approach? A) Defense in depth. B) Time based defense. C) Continuous monitoring. D) Synthetic based defense.

Error logs and review are an example of A) data entry controls. B) data transmission controls. C) output controls. D) processing controls.

Every citizen in the United States has one social security number, but no two citizens have the same social security number. Thus, the cardinality that exists between social security numbers and citizens is A) one-to-one. B) one-to-many. C) many-to-many. D) many-to-none.

Identify one weakness of encryption below. A) Encrypted packets cannot be examined by a firewall. B) Encryption provides for both authentication and non-repudiation. C) Encryption protects the privacy of information during transmission. D) Encryption protects the confidentiality of information while in storage.

Identify the detective control below. A) Reconciling the bank statement to the cash control account. B) Approving customer credit prior to approving a sales order. C) Maintaining frequent backup records to prevent loss of data. D) Ensuring that the employee who records cash received from customers does not also have access to the cash itself.

Identify the first step in protecting the confidentiality of intellectual property below. A) Identifying who has access to the intellectual property. B) Identifying the means necessary to protect the intellectual property. C) Identifying the weaknesses surrounding the creation of the intellectual property. D) Identifying what controls should be placed around the intellectual property.

Identify the item below that would be classified as a resource by the REA data model. A) An IOU from a customer. B) The customer. C) A customer sale. D) A loan from a vendor.

Identify the minimum cardinality of any REA diagram relationship. A) 0 or 1. B) 0 or N. C) 1 or N. D) none of the above.

Identify the primary means of protecting data stored in a cloud from unauthorized access. A) authentication B) authorization C) virtualization D) securitization

Identify the statement below that is not true of the 2013 COSO Internal Control updated framework. A) It more efficiently deals with control implementation and documentation issues. B) It more effectively deals with control implementation and documentation issues. C) It provides users with more precise guidance. D) It adds many new examples to clarify the framework concepts.

Identify the statement below which is true. A) Cloud computing is a control technique for system availability. B) Cloud computing eliminates the need for backup of applications and data. C) Cloud computing eliminates the need for companies to own their own software and servers. D) Cloud computing refers to the practice of storing application files and backup data on satellites "in the clouds."

Identify the type of information below that is least likely to be considered confidential by an organization. A) Audited financial statements. B) Legal documents. C) Top executives' salaries. D) New product development plans.

If an organization asks you to disclose your social security number, but decides to use it for a different purpose than the one stated in the organization's privacy policies, the organization has likely violated which of the Generally Accepted Privacy Principles? A) Collection. B) Access. C) Security. D) Quality.

If an organization asks you to disclose your social security number, but fails to establish a set of procedures and policies for protecting your privacy, the organization has likely violated which of the Generally Accepted Privacy Principles? A) Management. B) Notice. C) Choice and consent. D) Use and retention.

If invoices are processed in groups of fifty, which fields from the document shown below would not be used to create a hash control total? A) Amount. B) Item Number. C) Quantity Ordered. D) Sales Order number.

If the time an attacker takes to break through the organization's preventive controls is greater than the sum of the time required to detect the attack and the time required to respond to the attack, then security is A) effective. B) ineffective. C) overdone. D) undermanaged.

In the time-based model of information security, R represents A) the time it takes to respond to and stop the attack. B) the time it takes for the organization to detect that an attack is in progress. C) the time it takes an attacker to break through the various controls that protect the organization's information assets. D) the time it takes to assess threats and select risk response.

Independent checks on performance include all the following except A) data input validation checks. B) reconciling hash totals. C) preparing a trial balance report. D) supervisor review of journal entries and supporting documentation.

Information security procedures protect information integrity by A) preventing fictitious transactions. B) reducing the system cost. C) making the system more efficient. D) making it impossible for unauthorized users to access the system.

It was 8:03 A.M. when Jiao Jan, the Network Administrator for South Asian Technologies, was informed that the intrusion detection system had identified an ongoing attempt to breach network security. By the time that Jiao had identified and blocked the attack, the hacker had accessed and downloaded several files from the company's server. Using the notation for the time-based model of security, in this case A) D > P B) P > D C) P > C D) C > P

The best example of an effective payroll transaction file financial total would most likely be A) sum of net pay. B) total number of employees. C) sum of hours worked. D) total of employees' social security numbers.

Lauren Smith was relaxing after work with a colleague at a local bar. After a few drinks, she began expressing her feelings about her company's new control initiatives. It seems that as a result of controls put in place by the company, she now has to be more creative in solving problems and avoiding actions that might have a negative effect on her company's reputation. The level of control that the company is using in this case is a(n) A) boundary system. B) diagnostic control system. C) interactive control system. D) belief system.

Melissa is a staff accountant for Quality Paper Company, which has strict corporate policies on appropriate use of corporate resources. The first week of March, Melissa saw Kent, the branch manager putting printer paper and toner into his briefcase on his way out the door. This situation best reflects a weakness in which aspect of internal environment, as discussed in the COSO Enterprise Risk Management Framework? A) Integrity and ethical values. B) Risk management philosophy. C) Restrict access to assets. D) Methods of assigning authority and responsibility.

Modest Expectations Investment Services (MEIS) allows customers to manage their investments over the Internet. If customers attempt to sell more shares of a stock than they have in their account, an error message is displayed. This is an example of a A) reasonableness test. B) field check. C) validity check. D) limit check.

Modest Expectations Investment Services (MEIS) allows customers to manage their investments over the Internet. If customers attempt to spend more money than they have in their account, an error message is displayed. This is an example of a A) reasonableness test. B) field check. C) validity check. D) limit check.

Multi-factor authentication A) involves the use of two or more basic authentication methods. B) is a table specifying which portions of the systems users are permitted to access. C) provides weaker authentication than the use of effective passwords. D) requires the use of more than one effective password.

One way to circumvent the counterfeiting of public keys is by using A) a digital certificate. B) digital authority. C) encryption. D) cryptography.

REA models are usually depicted in which diagramming form? A) Entity-relationship diagrams. B) Economics-relationship diagrams. C) Entity-resource diagrams. D) Stock-flow diagrams.

Reducing management layers, creating self-directed work teams, and emphasizing continuous improvement are all related to which aspect of internal environment? A) Organizational structure. B) Methods of assigning authority and responsibility. C) Management philosophy and operating style. D) Commitment to competence.

ShareIt is a social networking site that boasts over a million registered users and a quarterly membership growth rate in the double digits. As a consequence, the size of the information technology department has been growing very rapidly, with many new hires. Each employee is provided with a name badge with a photo and embedded computer chip that is used to gain entry to the facility. This is an example of a(n) A) authentication control. B) biometric device. C) remote access control. D) authorization control.

The COSO Enterprise Risk Management Integrated Framework stresses that A) risk management activities are an inherent part of all business operations and should be considered during strategy setting. B) effective risk management is comprised of just three interrelated components; internal environment, risk assessment, and control activities. C) risk management is the sole responsibility of top management. D) risk management policies, if enforced, guarantee achievement of corporate objectives.

The REA data model approach facilitates efficient operations by all the following except A) standardizing source document format. B) identifying non-value added activities. C) storing financial and nonfinancial data in the same database. D) organizing data to simplify data retrieval and analysis.

The Trust Services Framework reliability principle that states access to the system and its data should be accessible to meet operational and contractual obligations to legitimate users is known as A) availability. B) security. C) privacy. D) integrity.

The Trust Services Framework reliability principle that states that users must be able to enter, update, and retrieve data during agreed-upon times is known as A) availability. B) security. C) maintainability. D) integrity.

The control that protects records from errors that occur when two or more users attempt to update the same record simultaneously is called A) concurrent update controls. B) cross-footing balance test. C) data conversion controls. D) recalculation of batch totals.

The data entry control that would best prevent entering an invoice received from a vendor who is not on an authorized supplier list is A) a validity check. B) an authorization check. C) a check digit. D) closed-loop verification.

The first step in developing an REA diagram for a specific transaction cycle begins with identifying A) relevant events. B) agents involved. C) resources affected. D) relationship cardinalities.

The largest differences between the COSO Integrated Control (IC) framework and the COSO Enterprise Risk Management (ERM) framework is A) IC is controls-based, while the ERM is risk-based. B) IC is risk-based, while ERM is controls-based. C) IC is required, while ERM is optional. D) IC is more applicable to international accounting standards, while ERM is more applicable to generally accepted accounting principles.

The maximum acceptable down time after a computer system failure is determined by a company's A) recovery time objective. B) recovery point objective. C) recovery objective. D) maximum time recovery objective.

The most important element of any preventive control is A) the people. B) the performance. C) the procedure(s). D) the penalty.

The organization chart for Renata Corporation includes a controller and an information processing manager, both of whom report to the vice president of finance. Which of the following would be a control weakness? A) Assigning the programming and operating of the computer system to an independent control group which reports to the controller B) Providing for maintenance of input data controls by an independent control group which reports to the controller C) Periodically rotating assignment of application processing among machine operators, who all report to the information processing manager D) Providing for review and distribution of system-generated reports by an independent control group which reports to the controller

The principle of holding individuals accountable for their internal control responsibilities in pursuit of objectives belongs to which of the COSO's Internal Control Model's component? A) Control environment. B) Risk assessment. C) Control activities. D) Information and communication.

The process of defining a database so that it faithfully represents all aspects of the organization including its interactions with the external environment is called A) data modeling. B) data designing. C) data development. D) data definition.

The process of maintaining a table listing all established connections between the organization's computers and the internet to determine whether an incoming packet is part of an ongoing communication initiated by an internal computer is known as A) packet filtering. B) deep packet inspection. C) access control list. D) access control matrix

The process that allows a firewall to be more effective by examining the data in the body of an IP packet, instead of just the header, is known as A) deep packet inspection. B) stateful packet filtering. C) static packet filtering. D) an intrusion prevention system.

The purpose of the COSO Enterprise Risk Management framework is A) to improve the organization's risk management process. B) to improve the organization's financial reporting process. C) to improve the organization's manufacturing process. D) to improve the organization's internal audit process.

The security technology that evaluates IP packet traffic patterns in order to identify attacks against a system is known as A) an intrusion prevention system. B) stateful packet filtering. C) static packet filtering. D) deep packet inspection.

The steps that criminals take to identify potential points of remote entry is called A) scanning and mapping the target. B) social engineering. C) research. D) reconnaissance.

This network access control determines which IP packets are allowed entry to a network and which are dropped. A) access control list B) deep packet inspection C) stateful packet filtering D) static packet filtering

To ensure compliance with copyrights and to protect itself from software piracy lawsuits, companies should ________. A) periodically conduct software audits B) update the operating system frequently C) buy software from legitimate suppliers D) adopt cloud operating platforms

Upon acquiring a new computer operating system, management at Berryhill worried that computer virus might cripple the company's operation. Management decided to install anti-virus software and to build a firewall for its operating system. Berryhill chose to ________ the risk of being crippled by computer virus.

Verifying the identity of the person or device attempting to access the system is an example of A) authentication. B) authorization. C) identification. D) threat monitoring.

Virtualization refers to the ability of A) running multiple systems simultaneously on one physical computer. B) eliminating the need for a physical computer. C) using the Internet to perform all needed system functions. D) using web-based security to protect an organization.

What is the minimum number of external agents that must participate in each REA event? A) 0 B) 2 C) 1 D) 3

What is the primary objective of ensuring systems and information are available for use whenever needed? A) To minimize system downtime. B) To minimize system expense. C) To maximize system processing speed. D) To maximize sales.

When a computer system's files are automatically duplicated on a second data storage system as they are changed, the process is referred to as A) real-time mirroring. B) batch updating. C) consistency control. D) double-secure storage.

Which COBIT5 management practice addresses the importance of locating and designing the data centers housing mission-critical servers and databases so as to minimize the risks associated with natural and human-caused disasters? A) DSS01.04 B) DSS04.07 C) DSS03.05 D) DSS04.04

Which component of the COSO Enterprise Risk Management Integrated Framework is concerned with understanding how transactions are initiated, data are captured and processed, and information is reported? A) Information and communication. B) Internal environment. C) Event identification. D) Objective setting.

Which is a true statement about the REA data model? A) The REA data model classifies entities into three distinct categories. B) The term REA is an acronym that stands for resources, entities, and agents. C) Using an REA data model is not helpful when creating an R-E diagram. D) The term REA is an acronym that stands for resources, entities, and activities.

Which of the below keeps a record of the network traffic permitted to pass through a firewall? A) Intrusion detection system. B) Vulnerability scan. C) Log analysis. D) Penetration test.

Which of the following data entry controls would not be useful if you are recording the checkout of library books by members? A) Sequence check. B) Prompting. C) Validity check. D) Concurrent update control.

Which of the following duties could be performed by the same individual without violating segregation of duties controls? A) Approving accounting software change requests and testing production scheduling software changes. B) Programming new code for accounting software and testing accounting software upgrades. C) Approving software changes and implementing the upgraded software. D) Managing accounts payable function and revising code for accounting software to more efficiently process discount due dates on vendor invoices.

Which of the following graphical symbols represents a minimum cardinality of zero and a maximum cardinality of one? A) O| B) || C) O< D) |<

Which of the following is a commonly used technique to identify potential events? A) Using data mining. B) Browsing news articles. C) Hiring a business process consultant. D) None of the above.

Which of the following is an example of a preventive control? A) The creation of a "security-aware" culture. B) The creation of a "Log user friendly" culture. C) The creation of a "continuous monitoring" culture. D) The creation of a chief information security officer position.

Which of the following is not a basic principle of the COSO ERM framework? A) Companies are formed to create value for society. B) Management must decide how much uncertainty it will accept to create value. C) Uncertainty results in risk. D) Uncertainty results in opportunity.

Which of the following is not a factor of internal environment according to the COSO Enterprise Risk Management Framework? A) Analyzing past financial performance and reporting. B) Providing sufficient resources to knowledgeable employees to carry out duties. C) Disciplining employees for violations of expected behavior. D) Setting realistic targets for long-term performance.

Which of the following is not one of the 10 internationally recognized best practices for protecting the privacy of customers' personal information? A) Provide free credit report monitoring for customers. B) Inform customers of the option to opt-out of data collection and use of their personal information. C) Allow customers' browsers to decline to accept cookies. D) Utilize controls to prevent unauthorized access to, and disclosure of, customers' information.

Which of the following is not one of the three fundamental information security concepts? A) Information security is a technology issue based on prevention. B) Security is a management issue, not a technology issue. C) The idea of defense-in-depth employs multiple layers of controls. D) The time-based model of security focuses on the relationship between preventive, detective and corrective controls.

________ are used to create digital signatures. A) Asymmetric encryption and hashing B) Hashing and packet filtering C) Packet filtering and encryption D) Symmetric encryption and hashing

Which of the following statements about REA modeling and REA diagrams is false? A) REA is an acronym for Resources, Entities, and Agents. B) REA data modeling does not include traditional accounting elements such as ledgers, chart of accounts, debits and credits. C) REA data modeling could be referred to as an events-based model. D) REA diagrams must include at least two activities, which together represent a give-get economic exchange.

Which of the following transactions is represented by the diagram below? A) A junkyard holds weekly sales where it sells its entire inventory. B) A shoe store sells products to consumers. C) A stay-at-home mom creates furniture for doll houses. When one piece is finished, she sells it on Amazon.com. D) Netflix sells movies to consumers through its online downloading service.

Which of the following transactions is represented by the diagram below? A) A lumber yard where customers may pay with cash for all purchases. B) A buy-here-pay-here auto dealer where a car buyer sends monthly cash payments to the dealer. C) A consulting firm that offers a variety of consulting services to other businesses. D) A department store that allows customers to carry a balance and to make installment payments, if they choose.

Which of the following transactions is represented by the diagram below? A) Each sale is associated with a single order, and there is a time lag between the time an order is taken and delivery of the product. B) Each sale can be comprised of multiple orders, and each order can be associated with multiple sales or no sales. C) Each sale can be comprised of multiple orders, and each order can be associated with one or more multiple sales. D) Each sale is associated with a single order and, there is no time lag between the time an order is taken and delivery of the product.

Which type of control is associated with making sure an organization's control environment is stable? A) general B) application C) detective D) preventive

Whitewater Rapids provides canoes to tourists eager to ride Whitewater river's rapids. Management has determined that there is one chance in a thousand of a customer being injured or killed. Settlement of resulting lawsuits has an average cost of $850,000. Insurance with a $100,000 deductible is available. It covers the costs of lawsuits, unless there is evidence of criminal negligence. What is the expected loss with insurance?

With regards to systems availability, deploying and using multiple components provides an AIS with A) fault tolerance. B) cost savings. C) enhanced processing speed. D) maximum sales.

You are assisting a manager from your company's headquarters in New York. The manager needs to interact online in real time with one of your company's affiliate overseas. The manager wants to make sure that her communications with the overseas affiliate won't be intercepted. What should you suggest to the manager? A) A virtual private network connection. B) A multifactor authentication network connection. C) A private cloud network connection. D) An asymmetric encryption system with digital signatures connection.

________ includes carefully monitoring system performance and user satisfaction to determine the need for making system enhancements and modifications. A) Operation and maintenance B) Conceptual design C) Physical design D) Implementation and conversion

________ is a data entry input control that requests each input data item and waits for an acceptable response, ensures that all necessary data are entered. A) Prompting B) Duplicate data check C) Closed-loop verification D) Check digit verification

________ is the risk that exists before management takes any steps to mitigate it. A) Inherent risk B) Residual risk C) Risk appetite D) Risk assessment

A ________ determines the correctness of the logical relationship between two data items. A) range check B) reasonableness test C) sign check D) size check

A ________ ensures input data will fit into the assigned field. A) limit check B) size check C) range check D) field check

A ________ shows how a project will be completed, including tasks and who will perform them as well as a timeline and cost estimates. A) performance evaluation B) project development plan C) steering committee D) strategic master plan

A ________ tests a numerical amount to ensure that it does not exceed a predetermined value. A) completeness check B) limit check C) range check D) sign check

A border router A) routes electronic communications within an organization. B) connects an organization's information system to the Internet. C) permits controlled access from the Internet to selected resources. D) serves as the main firewall.

A facility that contains all the computing equipment the organization needs to perform its essential business activities is known as a A) cold site. B) hot site. C) remote site. D) subsidiary location.

A major financial institution hired a renowned security firm to attempt to compromise its computer network. A few days later, the security firm reported that it had successfully entered the financial institution's computer system without being detected. The security firm presented an analysis of the vulnerabilities that had been found to the financial institution. This is an example of a A) preventive control. B) detective control. C) corrective control. D) security control.

A neural network is a software program that has A) the ability to read text. B) the ability to learn. C) the capability to extract information from an individual's brain. D) the capability to inject information into an individual's brain.

A system that creates logs of all network traffic that was permitted to pass the firewall and then analyzes those logs for signs of attempted or successful intrusions is called A) log analysis. B) intrusion detection systems. C) continuous monitoring. D) defense in depth.

A(n) ________ measures company progress by comparing actual performance to planned performance. A) boundary system B) diagnostic control system C) interactive control system D) belief system

Abbie Johnson is a programmer at Healtheast network. Abbie has recently developed a new computer program for Healtheast. As part of the testing process, Abbie needs to use realistic patients data to ensure that the system is working properly. To protect privacy, management at Healtheast uses a program that replaces private patient information with fake values before sending the data to Abbie for testing. The program that replaces patient information with fake values is called A) data encryptioning. B) data masking. C) data wiping. D) data redacting.

According to the ERM model, ________ help to deal with the effectiveness and efficiency of company operations, such as performance and profitability goals. A) compliance objectives B) operations objectives C) reporting objectives D) strategic objectives

According to the Trust Services Framework, the confidentiality principle of integrity is achieved when the system produces data that A) is available for operation and use at times set forth by agreement. B) is protected against unauthorized physical and logical access. C) can be maintained as required without affecting system availability, security, and integrity. D) is complete, accurate, and valid.

An accounting policy that requires a purchasing manager to sign off on all purchases over $10,000 is an example of A) general authorization. B) specific authorization. C) special authorization. D) generic authorization.

An electronic document that certifies the identity of the owner of a particular public key. A) Asymmetric encryption. B) Digital certificate. C) Digital signature. D) Public key.

As a result of an internal risk assessment, Berryhill Insurance decided it was no longer profitable to provide flood insurance in the southern states without a general rate increase. Berryhill apparently chose to ________ the risk of paying flood claims in the southern states by raising its insurance rate.

Assume that you are looking at a REA diagram that depicts only one event. Which of the following must be on the REA diagram? A) An external agent. B) An internal agent. C) both A and B D) neither A nor B

Checksums is an example of a(n) A) data entry control. B) data transmission control. C) output control. D) processing control.

Cindy Vindoolo logged on to her e-mail account to find that she had received 50 e-mails from a company called LifeCo that promised her extreme weight loss if she bought their diet pills. Cindy angrily deleted all 50 e-mails, realizing she was a victim of A) telemarketing. B) spam. C) direct mail. D) MLM.

Classification of confidential information is the responsibility of whom, according to COBIT5? A) External auditor. B) Information owner. C) IT security professionals. D) Management.

Data masking is also referred to as A) encryption. B) tokenization. C) captcha. D) cookies.

Duplicate checking of calculations and preparing bank reconciliations and monthly trial balances are examples of what type of control? A) Preventive control B) Detective control C) Corrective control D) Authorization control

Duplicate checking of calculations is an example of a ________ control, and procedures to resubmit rejected transactions are an example of a ________ control. A) corrective; detective B) detective; corrective C) preventive; corrective D) detective; preventive

Encryption has a remarkably long and varied history. The invention of writing was apparently soon followed by a desire to conceal messages. One of the methods, was the simple substitution of numbers for letters, for example A = 1, B = 2, etc. This is an example of A) a hashing algorithm. B) symmetric key encryption. C) asymmetric key encryption. D) a public key.

Every person in the world has a birthdate, but no person has more than one birthdate. Thus, the cardinality that exists between birthdate and people is A) one-to-one. B) one-to-many. C) many-to-many. D) many-to-none.

Helping employees understand entity goals and objectives and then holding them accountable for achieving them are all related to which aspect of internal environment? A) Organizational structure. B) Methods of assigning authority and responsibility. C) Management philosophy and operating style. D) Commitment to competence.

Hiring decisions at Maarja's Razors are made by Maimu Maarja, the Director of Human Resources. Pay rates are approved by the Vice President for Operations. At the end of each pay period, supervisors submit time cards to Kasheena, who prepares paycheck requisitions. Paychecks are then distributed through the company's mail room. This represents a(n) ________ segregation of duties. A) partial B) effective C) ineffective D) limited

How is expected loss calculated when performing risk assessment? A) Impact times expected loss. B) Impact times likelihood. C) Inherent risk times likelihood. D) Residual risk times likelihood.

Identify the item below that would be classified as an agent by the REA data model. A) An IOU from a customer. B) The customer. C) A customer sale. D) A loan from a vendor.

Identify the most correct statement with regards to an event. A) An event identified by management will occur. B) An event identified by management may or may not occur. C) An event identified by management may not trigger other events. D) It is easy to determine which events are most likely to occur.

Identify the most likely relationship where cardinalities have zero minimums and N maximums. A) Agent-event relationship. B) Resource-event relationship. C) Event-event relationship. D) Agent-agent relationship.

Identify the preventive control below. A) Reconciling the bank statement to the cash control account. B) Approving customer credit prior to approving a sales order. C) Maintaining frequent backup records to prevent loss of data. D) Counting inventory on hand and comparing counts to the perpetual inventory records.

If an organization asks you to disclose your date of birth and your address, but refuses to let you review or correct the information you provided, the organization has likely violated which of the Generally Accepted Privacy Principles? A) Collection. B) Access. C) Security. D) Choice and consent.

If an organization asks you to disclose your social security number, but fails to tell you about its privacy policies and practices, the organization has likely violated which of the Generally Accepted Privacy Principles? A) Management. B) Notice. C) Choice and consent. D) Use and retention.

In creating an entity-relationship diagram, ________ is anything about which an organization wants to collect and store information. A) a data model B) an entity C) a schema D) a tuple

In the time-based model of information security, D represents A) the time it takes to respond to and stop the attack. B) the time it takes for the organization to detect that an attack is in progress. C) the time it takes an attacker to break through the various controls that protect the organization's information assets. D) the time it takes to assess threats and select risk response.

Internal controls are often segregated into A) detective controls and preventive controls. B) general controls and application controls. C) process controls and general controls. D) system controls and application controls.

Melissa is a staff accountant for Quality Paper Company suspected that management might have used "creative accounting" to improve company performance. This situation best reflects a weakness in which aspect of internal environment, as discussed in the COSO Enterprise Risk Management Framework? A) Integrity and ethical values. B) Risk management philosophy. C) Restrict access to assets. D) Methods of assigning authority and responsibility.

New employees of Baker Technologies are assigned user names and appropriate permissions. Each of them were given a company's issued laptop that have an integrated fingerprint reader. In order to log in, the user's fingerprint must be recognized by the reader. This is an example of a(n) A) authorization control. B) biometric device. C) remote access control. D) defense in depth.

Personnel policies such as background checks, mandatory vacations, and rotation of duties tend to deter A) unintentional errors. B) employee fraud or embezzlement. C) fraud by outsiders. D) disgruntled employees.

Text that was transformed into unreadable gibberish using encryption is called A) plaintext. B) ciphertext. C) encryption text. D) private text.

The "get" event represents an activity which A) includes a promise to engage in future economic exchanges. B) increases the organization's stock of an economic resource. C) reduces the organization's stock of a resource that has economic value. D) increases the organization's liabilities.

The REA data model A) is used in many areas of business and science. B) was developed specifically for use in designing accounting information systems. C) classifies data into relationships, entities and accounts. D) is a graphical technique for portraying a database schema.

The Spontaneous Combustion Rocket Shoppe in downtown Fargo, North Dakota, generates three quarters of its revenue from orders taken over the Internet. The revenue clearing account is debited by the total of cash and credit receipts and credited by the total of storefront and Internet sales. This is an example of a A) data integrity test. B) zero-balance test. C) trial balance audit. D) cross-footing balance test.

The Trust Services Framework reliability principle that states access to the system and its data should be controlled and restricted to legitimate users is known as A) availability. B) security. C) privacy. D) integrity.

The batch processing data entry control that sums a field that contains dollar values is called A) record count. B) financial total. C) hash total. D) sequence check.

The best example of an effective payroll transaction file record count would most likely be A) sum of net pay. B) total number of employees. C) sum of FICA. D) total of employees' social security numbers.

The control that verifies accuracy by comparing two alternative ways of calculating the same total is called A) concurrent update controls. B) cross-footing balance test. C) data conversion controls. D) recalculation of batch totals.

The definition of the lines of authority and responsibility and the overall framework for planning, directing, and controlling is laid out by the A) control activities. B) organizational structure. C) budget framework. D) internal environment.

The examination of the relationships between different sets of data is called A) top-level reviews. B) analytical reviews. C) reconciliation of independently maintained records. D) comparison of actual quantities with recorded amounts.

The inventory tracking system shows that 12 laptop were on hand before a customer brings two laptops to the register for purchase. The cashier accidentally enters the quantity sold as 20 instead of 2. Which data entry control would most effectively prevent this error? A) Limit check. B) Sign check. C) Field check. D) Validity check.

The maximum amount of time between backups is determined by a company's A) recovery time objective. B) recovery point objective. C) recovery objective. D) maximum time recovery objective.

The maximum cardinality of any REA diagram relationship is A) zero or one. B) one or many. C) zero or many. D) many or none.

The primary purpose of the Foreign Corrupt Practices Act of 1977 was A) to require corporations to maintain a good system of internal control. B) to prevent the bribery of foreign officials by American companies. C) to require the reporting of any material fraud by a business. D) All of the above are required by the act.

The principle of identifying and assessing changes that could significantly impact the system of internal control belongs to which of the COSO's Internal Control Model's component? A) Control environment. B) Risk assessment. C) Control activities. D) Information and communication.

The process of turning off unnecessary features in the system is known as A) deep packet inspection. B) hardening. C) intrusion detection. D) modaling.

The steps that criminals take to trick an unsuspecting employee into granting them access is called A) scanning and mapping the target. B) social engineering. C) research. D) reconnaissance.

This protocol specifies the structure of packets sent over the internet and the route to get them to the proper destination. A) access control list B) Internet protocol C) packet switching protocol D) transmission control protocol

To minimize the risk of system downtime, Grizzly Corporation stores its data on multiple disk drives simultaneously. This practice is called A) downtime minimization plan. B) redundant arrays of independent drives. C) redundant arrays of independent backups. D) patch backup management.

Tools called ________ can be used to identify unused and, therefore, unnecessary programs that represent potential security threats. A) router scanners B) vulnerabilities scanners C) deep inspection scanners D) TCP scanners

What is the most effective way to ensure information system availability? A) High bandwidth. B) Maintain a hot site. C) Maintain a cold site. D) Frequent backups.

Which of the following graphical symbols represents a minimum cardinality of one and a maximum cardinality of one? A) O| B) || C) O< D) |<

Which of the following is a control related to design and use of documents and records? A) Locking blank checks in a drawer or safe. B) Sequentially prenumbering sales invoices. C) Reconciling the bank statement to the general ledger. D) Comparing physical inventory counts with perpetual inventory records.

Which of the following is an example of a turnaround document? A) A receipt a customer must use to return the goods purchased. B) A telephone bill the customer must return with payment. C) A paycheck stub that must be used in the employee's tax return. D) A customer loyalty card used every time a customer purchases goods or services.

Which of the following is an important control to prevent buffet overflow vulnerabilities? A) Limit check. B) Size check. C) Range check. D) Field check.

Which of the following is not a common design feature of housing mission-critical servers and databases? A) Adequate air-conditioning systems to reduce the likelihood of damage due to overheating. B) Overhead sprinklers to provide protection from fire. C) Cables with special plugs that cannot be easily removed. D) Surge-protection devices to provide protection against temporary power fluctuations.

Which of the following is not a component of the COSO Enterprise Risk Management Integrated Framework (ERM)? A) Monitoring. B) Ethical culture. C) Risk assessment. D) Control environment.

Which of the following is not a key method of monitoring performance? A) Performing internal control evaluation. B) Implementing a benefit incentive plan. C) Implementing effective supervision. D) Implementing a whistleblower hotline.

Which of the following is not a requirement of effective passwords? A) Passwords should be changed at regular intervals. B) Passwords should be no more than 8 characters in length. C) Passwords should contain a mixture of upper and lowercase letters, numbers and characters. D) Passwords should not be words found in dictionaries.

Which of the following is not an objective of a disaster recovery plan? A) Minimize the extent of the disruption, damage or loss. B) Establish a permanent alternative means of processing information. C) Resume normal operations as soon as possible. D) Train employees for emergency operations.

Which of the following is not one of the basic actions that an organization must take to preserve the confidentiality of sensitive information? A) Identification of information to be protected. B) Backing up the information. C) Controlling access to the information. D) Training.

Which of the following is not one of the essential criteria for successfully implementing each of the principles that contribute to systems reliability, as discussed in the Trust Services Framework? A) Developing and documenting policies. B) Effectively communicating policies to all outsiders. C) Designing and employing appropriate control procedures to implement policies. D) Monitoring the system and taking corrective action to maintain compliance with policies.

Identify the most important component of a disaster recovery plan below. A) Documentation. B) Operating instructions. C) Periodic testing. D) On-site and off-site storage.

Which of the following is the most effective way in uncovering fraud schemes that require ongoing perpetrator's attention? A) Hiring a forensic specialist. B) Requiring employees to take mandatory vacations. C) Installing security cameras to monitor employees activities. D) Implementing a fraud hotline.

Which of the following statements is true about the development of an REA model? A) Events that pertain to the entry of data are included in the REA model. B) The objective is to model basic value-chain activities. C) REA diagrams model individual transactions and data collections. D) Information retrieval events are modeled as events in the REA model.

Which of the following transactions is represented by the diagram below? A) Each sale is associated with a single order, and there is a time lag between the time an order is taken and delivery of the product. B) Each sale can be comprised of multiple orders, and each order can be associated with multiple sales or no sales. C) Each sale can be comprised of multiple orders, and each order can be associated with one or more sales. D) Each sale is associated with a single order, and there is no time lag between the time an order is taken and delivery of the product.

Which of the following transactions is represented by the diagram below? A) Vendors send a bill for each inventory item purchased which is payable on receipt. B) A single purchase of inventory is paid for with multiple payments. C) Inventory vendors send a monthly bill for merchandise delivered. The seller does not accept or allow installment payments. D) Some inventory purchases are paid for with multiple payments and some payments may apply to multiple purchases.

Which systems use the same key to encrypt communications and to decrypt communications? A) Asymmetric encryption. B) Symmetric encryption. C) Hashing encryption. D) Public key encryption

Which type of audit assesses employee compliance with management policies and procedures? A) External audit. B) Internal audit. C) Compliance audit. D) Operational audit.

Which type of control prevents, detects, and corrects transaction errors and fraud? A) general B) application C) detective D) preventive

Which type of software blocks outgoing messages containing key words or phrases associated with an organization's sensitive data? A) Anti-virus software. B) Data loss prevention software. C) A digital watermark. D) Information rights software.

Who bears the responsibility for information security in an organization? A) CIO. B) CISO. C) CFO. D) COO.

Whose responsibility is it to determine the amount of time an organization can afford to be without its information system? A) The board of directors. B) Senior management. C) External auditors. D) COBIT.

Why are threats to accounting information systems increasing? A) Many companies have invested significant resources to protect their assets. B) Many companies do not realize that data security is crucial to their survival. C) Many companies believe that protecting information is a vital strategic requirement. D) Computer control problems are often overestimated and overly emphasized by management.

With regards to the database design process, accountants may provide the greatest value to their organization by participating in A) implementation and conversion. B) data modeling. C) database operation and maintenance. D) system auditing.

________ enables a system to continue functioning in the event that a particular component fails. A) An incremental backup procedure B) Fault tolerance C) Preventive maintenance D) A concurrent update control

________ is a plan that specifies how to resume not only IT operations but all business processes in the event of a major calamity. A) Disaster recovery plan B) Business continuity plan C) Real-time monitoring plan D) Business contingency plan

________ is/are an example of a preventive control. A) Continuous monitoring B) Encryption C) Emergency response teams D) Log analysis

________ is/are an example of a preventive control. A) Emergency response teams B) Encryption C) Log analysis D) Intrusion detection

________ remains after management implements internal control(s). A) Inherent risk B) Residual risk C) Risk appetite D) Risk assessment

How many principles are there in the 2013 updated COSO - Internal Control Framework? A) 5 B) 8 C) 17 D) 21

How many types of relationships are possible between entities? A) One. B) Two. C) Three. D) Four.

Identify a party below who was involved with developing the Trust Services Framework. A) FASB B) COSO C) AICPA D) PCAOB

Identify one aspect of systems reliability that is not a source of concern with regards to a public cloud. A) confidentiality B) privacy C) efficiency D) availability

Identify the notation below that is not used to represent cardinality information. A) UML. B) (Min, Max). C) DFD. D) Maximums only.

Identify one organization that quickly recovered from September 11th, 2001 due to its disaster recovery and business continuity plan. A) New York Stock Exchange B) NASDAQ C) New York Fire Department D) United Airlines

A ________ control ensures that the correct and most current files are being updated. A) cross-footing balance test B) data matching C) file labels D) write-protect mechanism

A ________ control entails verifying that the proper number of bits are set to the value 1 in each character received. A) echo check B) field check C) parity check D) trailer record

A ________ is created to guide and oversee systems development and acquisition. A) performance evaluation B) project development plan C) steering committee D) strategic master plan

A demilitarized zone A) routes electronic communications within an organization. B) connects an organization's information system to the Internet. C) permits controlled access from the Internet to selected resources. D) serves as the main firewall.

A disaster recovery plan typically does not include A) scheduled electronic vaulting of files. B) backup computer and telecommunication facilities. C) a system upgrade due to operating system software changes. D) uninterruptible power systems installed for key system components.

Identify the notation often used to represent cardinality information. A) Dotted lines. B) Greek characters. C) Crow's feet. D) Color coding.

A laptop computer belonging to the Novak group was stolen from the trunk of a sales manager's car while she was attending a conference. After reporting the theft, the manager considered the implications for the company's network security and concluded there was little to worry about because A) the computer was insured against theft. B) the computer was protected by a password. C) the data stored on the computer was encrypted. D) it was unlikely that the thief would know how to access the company data stored on the computer.

A process that takes plaintext of any length and transforms it into a short code is called A) asymmetric encryption. B) encryption. C) hashing. D) symmetric encryption.

A(n) ________ diagram graphically depicts a database's contents by showing entities and relationships. A) data flow B) flowchart C) entity-relationship D) REA

A(n) ________ helps top-level managers with high-level activities that demand frequent and regular attention. A) boundary system B) diagnostic control system C) interactive control system D) belief system

According to the ERM model, ________ help to ensure the accuracy, completeness and reliability of internal and external company reports. A) compliance objectives B) operations objectives C) reporting objectives D) strategic objectives

After the information that needs to be protected has been identified, what step should be completed next? A) The information needs to be placed in a secure, central area. B) The information needs to be encrypted. C) The information needs to be classified in terms of its value to the organization. D) The information needs to be depreciated.

All employees of E.C. Hoxy are required to pass through a gate and present their photo identification cards to the guard before they are admitted. Entry to secure areas, such as the Information Technology Department offices, requires further procedures. This is an example of a(n) A) authentication control. B) authorization control. C) physical access control. D) hardening procedure.

An entity-relationship diagram represents entities as ________ and the relationships between them as lines and ________. A) circles; squares B) squares; diamonds C) rectangles; diamonds D) rectangles; circles

As a result of an internal risk assessment, Berryhill Insurance decided it was no longer profitable to provide flood insurance in the southern states. Berryhill apparently chose to ________ the risk of paying flood claims in the southern states.

Identify the corrective control below. A) Reconciling the bank statement to the cash control account. B) Approving customer credit prior to approving a sales order. C) Maintaining frequent backup records to prevent loss of data. D) Counting inventory on hand and comparing counts to the perpetual inventory records.

At a movie theater box office, all tickets are sequentially prenumbered. At the end of each day, the beginning ticket number is subtracted from the ending number to calculate the number of tickets sold. Cash is counted and compared with the number of tickets sold. Which of the following situations does this control detect? A) Some customers presented tickets purchased on a previous day when there wasn't a ticket taker at the theater entrance (so the tickets didn't get torn.) B) A group of kids snuck into the theater through a back door when customers left after a show. C) The box office cashier accidentally gives too much change to a customer. D) The ticket taker admits his friends without tickets.

Best Friends, Incorporated is a publicly traded company where three BFF's (best friends forever) serve as its key officers. This situation A) violates the Sarbanes-Oxley Act. B) violates the Securities and Exchange Act. C) increases the risk associated with an audit. D) All of the above.

COBIT 5 management practice APO01.08 stresses the importance of ________ of both employee compliance with the organization's information security policies and overall performance of business processes. A) continuous improvement of B) continuous reviewing C) continuous monitoring D) continuous auditing

COSO requires that any internal deficiencies identified through monitoring be reported to whom? A) The external auditor. B) The company's management. C) The board of directors. D) The audit committee.

Cancellation and storage of documents is one example of a(n) A) output control. B) processing control. C) input control. D) data entry control.

Congress passed this federal law for the purpose of preventing financial statement fraud, to make financial reports more transparent and to strengthen the internal control of public companies. A) Foreign Corrupt Practices Act of 1977 B) The Securities Exchange Act of 1934 C) The Sarbanes-Oxley Act of 2002 D) The Securities Exchange Act of 1933

Data matching is an example of a(n) A) data entry control. B) data transmission control. C) processing control. D) input control.

Data modeling is an element of A) systems analysis. B) conceptual design. C) system analysis and conceptual design. D) system analysis and physical design.

Identify the item below that would be classified as an event by the REA data model. A) An IOU from a customer. B) The customer. C) A customer sale. D) A loan from a vendor.

Identify the last step in protecting the confidentiality of intellectual property below. A) Encrypt the information. B) Control access to the information. C) Train employees to properly handle the information. D) Identify and classify the information to be protected.

Encryption has a remarkably long and varied history. Spies have been using it to convey secret messages ever since there were secret messages to convey. One powerful method of encryption uses random digits. Two documents are prepared with the same random sequence of numbers. The spy is sent out with one and the spy master retains the other. The digits are used as follows. Suppose that the word to be encrypted is SPY and the random digits are 352. Then S becomes V (three letters after S), P becomes U (five letters after P), and Y becomes A (two letters after Y, restarting at A after Z). The spy would encrypt a message and then destroy the document used to encrypt it. This is an early example of A) a hashing algorithm. B) asymmetric key encryption. C) symmetric key encryption. D) public key encryption.

Every company can have more than one banking relationships, and each bank can have a business relationship with more than one company. Thus, the cardinality that exists between company and bank is A) one-to-one. B) one-to-many. C) many-to-many. D) many-to-none.

Every person in the world can have more than one friend, and each person in the world can be a friend to more than one person. Thus, the cardinality that exists between friends and people is A) one-to-one. B) one-to-many. C) many-to-many. D) many-to-none.

Form design is one example of a(n) A) output control. B) processing control. C) input control. D) data entry control.

Hiring qualified personnel is an example of a ________ control, and procedures to resubmit rejected transactions are an example of a ________ control. A) corrective; detective B) detective; corrective C) preventive; corrective D) detective; preventive

Identify the statement below which is not a useful control procedure regarding access to system outputs. A) Restricting access to rooms with printers. B) Coding reports to reflect their importance. C) Allowing visitors to move through the building without supervision. D) Requiring employees to log out of applications when leaving their desk.

Identify the statement below which is true. A) Requiring two signatures on checks over $20,000 is an example of segregation of duties. B) Although forensic specialists utilize computers, only people can accurately identify fraud. C) Internal auditors, rather than external auditors, can conduct evaluations of effectiveness of Enterprise Risk Management processes. D) Re-adding the total of a batch of invoices and comparing the total with the first total you calculated is an example of an independent check.

If an organization asks you to disclose your date of birth and your address, but fails to take any steps to protect your private information, the organization has likely violated which of the Generally Accepted Privacy Principles? A) Collection. B) Access. C) Security. D) Quality.

If an organization asks you to disclose your social security number, yet fails to permit you to opt-out before you provide the information, the organization has likely violated which of the Generally Accepted Privacy Principles? A) Management. B) Notice. C) Choice and consent. D) Use and retention.

In a private key system the sender and the receiver have ________, and in the public key system they have ________. A) different keys; the same key B) a decrypting algorithm; an encrypting algorithm C) the same key; two separate keys D) an encrypting algorithm; a decrypting algorithm

In the time-based model of information security, P represents A) the time it takes to respond to and stop the attack. B) the time it takes for the organization to detect that an attack is in progress. C) the time it takes an attacker to break through the various controls that protect the organization's information assets. D) the time it takes to assess threats and select risk response.

In which stage(s) of the database design process does data modeling occur? A) During the systems analysis stage. B) During the design stage. C) During both the systems analysis and design stages. D) After the design stage.

Information encrypted with the creator's private key that is used to authenticate the sender is called A) asymmetric encryption. B) digital certificate. C) digital signature. D) public key.

Information rights management software can do all of the following except A) limiting access to specific files. B) limit action privileges to a specific time period. C) authenticate individuals accessing information. D) specify the actions individuals granted access to information can perform.

Information technology managers are often in a bind when a new exploit is discovered in the wild. They can respond by updating the affected software or hardware with new code provided by the manufacturer, which runs the risk that a flaw in the update will break the system. Or they can wait until the new code has been extensively tested, but that runs the risk that they will be compromised by the exploit during the testing period. Dealing with these issues is referred to as A) change management. B) cloud computing. C) patch management. D) user account management

Internal control is often referred to as a(n) ________, because it permeates an organization's operating activities and is an integral part of management activities. A) event B) activity C) process D) system

Is it best practice for an organization to practice periodically restoring a system from its backup files? A) No, doing so might introduce errors into the system's data. B) No, doing so takes the system offline and prevents customers from being able to access the system. C) Yes, doing so verifies the procedure and backup media are working correctly. D) Yes, doing so improves the efficiency of the system.

Kuzman Jovan called a meeting of the top management at Jovan Capital Management. Number one on the agenda was computer system security. "The risk of security breach incidents has become unacceptable," he said, and turned to the Chief Information Officer. "What do you intend to do?" Which of the following is the best answer? A) Evaluate and modify the system using COBOL. B) Evaluate and modify the system using the CTC checklist. C) Evaluate and modify the system using the Trust Services framework D) Evaluate and modify the system using the COSO Internal Control Framework.

Maintaining backup copies of files, correcting data entry errors, and resubmitting transactions for subsequent processing are examples of what type of control? A) Preventive control B) Detective control C) Corrective control D) Authorization control

Perimeter defense is an example of which of the following preventive controls that are necessary to provide adequate security? A) Training. B) Controlling physical access. C) Controlling remote access. D) Host and application hardening.

Petty cash is disbursed by the Manuela Luisina in the Cashier's Office. Manuela also maintains records of disbursements, places requests to the Finance Department to replace expended funds, and periodically reconciles the petty cash balance. This represents a(n) ________ segregation of duties. A) ideal B) effective C) ineffective D) limited

Prompting is a control that helps ensure A) transaction data are not lost. B) transactions data are accurate. C) transactions data are complete. D) transaction data are valid.

Reconciliation procedures is an example of A) a data entry control. B) a data transmission control. C) an output control. D) a processing control.

Relationships that affect the quantity of a resource are sometimes referred to as ________ relationships. A) commitment B) exchange C) stockflow D) duality

Residents in Berryhill received an e-mail stating that there is an armed robber on the loose. The e-mail claimed to be from the Berryhill police department, but it wasn't. Computer forensic experts later determined that the e-mail was sent from a computer lab in the Berryhill's public library. The police were then able to uniquely identify the computer that was used by means of its network interface card's ________ address. Security cameras later help the police to reveal the identity of the individual responsible for the hoax. A) IDS B) TCP/IP C) MAC D) DMZ

The "give" event represents an activity which A) includes a promise to engage in future economic exchanges. B) increases the organization's stock of an economic resource. C) reduces the organization's stock of a resource that has economic value. D) reduces the organization's liabilities.

The Bear Corporation uses a tool that embeds a code into all of its digital documents. It then scours the internet, searching for codes that it has embedded into its files. When Bear finds an embedded code on the internet, it knows that confidential information has been leaked. Bear then begins identifying how the information was leaked and who was involved with the leak. Bear is using A) an information rights management software. B) a data loss prevention software. C) a digital watermark. D) a stop leak software.

The Director of Information Technology for the city of Tampa, Florida formed a company to sell computer supplies and software. All purchases made on behalf of the City were made from her company. She was later charged with fraud for overcharging the City, but was not convicted by a jury. The control issue in this case arose because the Director had both ________ and ________ duties. A) custody; authorization B) custody; recording C) recording; authorization D) management; custody

The SEC, PCAOB, and FASB are best described as external influences that directly affect an organization's A) hiring practices. B) philosophy and operating style. C) internal environment. D) methods of assigning authority.

The Trust Services Framework reliability principle that states personal information should be protected from unauthorized disclosure is known as A) availability. B) security. C) privacy. D) integrity.

The Trust Services Framework reliability principle that states sensitive information be protected from unauthorized disclosure is known as A) availability. B) security. C) confidentiality. D) integrity.

The ________ disseminates information about fraud, errors, breaches and other improper system uses and their consequences. A) chief information officer B) chief operations officer C) chief security officer D) computer emergency response team

The accounting department at Aglaya Telecom records an average of 8,000 transactions per hour and have a recovery time objective of 240 minutes. Aglaya recently suffered a hardware malfunction and it took the company 16 hours to recover their lost data. How many transactions did Aglaya recover? A) 52,000 transactions. B) 5,200 transactions. C) 32,000 transactions. D) 3,200 transactions.

The accounting department at Aglaya Telecom records an average of 8,000 transactions per hour. A cost-benefit analysis leads management to conclude that the maximum acceptable amount of data loss is 32,000 transactions. If the firm's recovery time objective is 240 minutes, then the worst case recovery time objective is A) 4 hours. B) 8 hours. C) 16 hours. D) 24 hours.

The amount of risk a company is willing to accept in order to achieve its goals and objectives is A) inherent risk. B) residual risk. C) risk appetite. D) risk assessment.

The audit committee of the board of directors A) is usually chaired by the CFO. B) conducts testing of controls on behalf of the external auditors. C) provides a check and balance on management. D) does all of the above.

The batch processing data entry control that sums a non-financial numeric field is called A) record count. B) financial total. C) hash total. D) sequence check.

The batch processing data entry control that sums the number of items in a batch is called A) financial total. B) hash total. C) record count. D) sequence check.

The difference in the control totals is 720,000. Which data entry control would best prevent similar data entry errors in the future? A) Batch check. B) Validity check. C) Check digit. D) Sequence check.

The first step of the risk assessment process is generally to A) identify controls to reduce all risk to zero. B) estimate the exposure from negative events. C) identify the threats that the company currently faces. D) estimate the risk probability of negative events occurring.

The most common input-related vulnerability is called the A) softening attack. B) hardening attack. C) cross-site scripting attack. D) buffering attack.

The most effective way to protect network resources that are exposed to the internet, yet reside outside of a network is A) a firewall. B) employee training. C) a demilitarized zone. D) stateful packet filtering.

The principle of selecting and developing controls that might help mitigate risks to an acceptable level belongs to which of the COSO's Internal Control Model's component? A) Control environment. B) Risk assessment. C) Control activities. D) Information and communication.

The steps that criminals take to find known vulnerabilities and learn how to take advantage of those vulnerabilities is called A) scanning and mapping the target. B) social engineering. C) research. D) reconnaissance.

Using a combination of symmetric and asymmetric key encryption, Sofia sent a report to her home office in Indiana. She received an e-mail acknowledgement that her report had been received, but a few minutes later she received a second e-mail that contained a different hash total than the one associated with her report. This most likely explanation for this result is that A) the public key had been compromised. B) the private key had been compromised. C) the symmetric encryption key had been compromised. D) the asymmetric encryption key had been compromised.

What control are zero balance tests an example of? A) Data entry controls. B) Output controls. C) Processing controls. D) Source data controls.

What is the minimum number of agents that must participate in each REA event? A) 0 B) 2 C) 1 D) 3

Which of the following descriptions is not associated with symmetric encryption? A) A shared secret key. B) Faster encryption. C) Lack of authentication. D) Separate keys for each communication party.

When opening an Excel file, Sonja received a message saying that the file is locked for editing. This is happening because A) the file is corrupted due to a computer virus. B) Sonja opened the file as read-only. C) concurrent update controls have locked the file. D) there is no problem. Sonja is editing the file, so it is locked.

When the staff accountant enters a correct customer number, the data entry screen displays the customer name and address. This is an example of A) prompting. B) preformatting. C) closed-loop verification. D) error checking.

Which attribute below is not an aspect of the COSO ERM Framework internal environment? A) Enforcing a written code of conduct. B) Holding employees accountable for achieving objectives. C) Restricting access to assets. D) Avoiding unrealistic expectations.

Which internal control framework is widely accepted as the authority on internal controls? A) COBIT. B) ISACA framework. C) COSO Integrated Control. D) Sarbanes-Oxley control framework.

Which of the following factors is not a reason forensic investigators are increasingly used in accounting? A) The Sarbanes-Oxley Act. B) New accounting rules. C) Audit fee increases. D) Pressure from boards of directors.

Which of the following graphical symbols represents a minimum cardinality of zero and a maximum cardinality of many? A) O| B) || C) O< D) |<

Which of the following is an example of a detective control? A) Physical access controls. B) Encryption. C) Continuous monitoring. D) Incident response teams.

Which of the following is an independent check on performance? A) The Purchasing Agent physically reviews the contents of shipments and compares them with the purchase orders he has placed. B) Production teams perform quality evaluations of the products that they produce. C) The General Manager compares budgeted amounts with expenditure records from all departments. D) Petty cash is disbursed by Fred Haynes. He also maintains records of disbursements, places requests to finance to replace expended funds, and periodically reconciles the petty cash balance.

Which of the following is commonly true of the default settings for most commercially available wireless access points? A) The security level is set at the factory and cannot be changed. B) Security is set to an adjustable level that changes depending on the wireless network the device is connected. C) Security is set to the lowest level that the device is capable of handling. D) Security is set to the highest level that the device is capable of handling.

Which of the following is incorrect with regards to a data archive? A) Archives can be a copy of a database. B) Archives should be stored in different locations. C) Archives are usually encrypted. D) Physical and logical controls are the primary means of protecting archive files.

Which of the following is not a principle related to information and communicating in the updated COSO Integrated Control framework? A) Communicate relevant internal control matters to external parties. B) Obtain or generate relevant, high-quality information to support internal control. C) Surround internal control processes with information technology that enables discrepancies to be identified. D) Internally communicate the information necessary to support the other components of internal control.

Which of the following is not a step in an organization's incident response process? A) Recognition. B) Recovery. C) Isolation. D) Containment.

Which of the following is not an example of something monitored by a responsibility accounting system? A) Budgets. B) Quotas. C) Vendor analysis. D) Quality standards

Which of the following is not true regarding virtual private networks (VPN)? A) VPNs provide the functionality of a privately owned network using the Internet. B) Using VPN software to encrypt information while it is in transit over the Internet in effect creates private communication channels, often referred to as tunnels, which are accessible only to those parties possessing the appropriate encryption and decryption keys. C) It is more expensive to reconfigure VPNs to include new sites than it is to add or remove the corresponding physical connections in a privately owned network. D) The cost of the VPN software is much less than the cost of leasing or buying the infrastructure (telephone lines, satellite links, communications equipment, etc.) needed to create a privately owned secure communications network.

Which of the following transactions is represented by the diagram below? A) Each sale is associated with a single order, and there is a time lag between the time an order is taken and delivery of the product. B) Each sale can be comprised of multiple orders, and each order can be associated with multiple sales or no sales. C) Each sale can be comprised of multiple orders, and each order can be associated with one or more sales. D) Each sale is associated with a single order, and there is no time lag between the time an order is taken and delivery of the product.

While this type of backup process takes longer than the alternative, restoration is easier and faster. A) archive B) cloud computing C) differential backup D) incremental backup

Why does COBIT5 DSS-05.06 stress the importance of restricting physical access to network printers? A) because hackers can use them to print out sensitive information B) because hackers often hide inside large network printers until night C) because document images are often stored on network printers D) because network printers are easier to hack into than computers

Why was the original 1992 COSO - Integrated Control framework updated in 2013? A) Congress required COSO to modernize. B) U.S. stock exchanges required more disclosure. C) As an effort to more effectively address technological advancements. D) As an effort to comply with the Information System Audit and Control Association requirements.

________ consists of translating the internal-level schema into the actual database structures that will be implemented in the new system. A) Systems analysis B) Conceptual design C) Physical design D) Implementation and conversion

________ copies all changes made since the last full backup. A) Archive B) Cloud computing C) Differential backup D) Incremental backup

________ is a data entry input control that involves checking the accuracy of input data by using it to retrieve and display other related information. A) Validity check B) Duplicate data check C) Closed-loop verification D) Check digit verification

________ is an authorized attempt by an internal audit team or an external security consultant to attempt to break into the organization's information system. A) Log analysis test B) Intrusion test C) Penetration test D) Vulnerability test

________ is not a risk response identified in the COSO Enterprise Risk Management Framework. A) Acceptance B) Avoidance C) Monitoring D) Sharing

Sequentially prenumbered forms are an example of a(n) A) data entry control. B) data transmission control. C) processing control. D) input control.

A ________ determines the correctness of the logical relationship between two data items. A) field check B) alpha-numeric check C) range check D) reasonableness test

A ________ determines whether the input data are of the proper type. A) limit check B) size check C) range check D) field check

A ________ is a data entry control that compares the ID number in transaction data to a master file to verify that the ID number exists. A) reasonableness test B) user review C) data matching D) validity check

A client approached Paxton Uffe and said, "Paxton, I need for my customers to make payments online using credit cards, but I want to make sure that the credit card data isn't intercepted. What do you suggest?" Paxton responded, "The most effective solution is to implement A) a data masking program." B) a virtual private network." C) a private cloud environment." D) an encryption system with digital signatures."

A completeness check is an example of a(n) A) data transmission control. B) output control. C) processing control. D) input control.

A document that shows all projects that must be completed and the related IT needs in order to achieve long-range company goals is known as a A) performance evaluation. B) project development plan. C) data processing schedule. D) strategic master plan.

A graphical depiction of a database's contents showing the various entities being modeled and the important relationships among them is called a(n) A) REA diagram. B) data diagram. C) ERP diagram. D) ER diagram.

A relationship is diagrammed below using the [Min, Max] notation. Which of the diagrams below represents the same relationship using the "crow's feet" notation? A) || |< B) |O O< C) |O |< D) || O<

A special purpose hardware device or software running on a general purpose computer, which filters information that is allowed to enter and leave the organization's information system, is known as a(n) A) demilitarized zone. B) intrusion detection system. C) intrusion prevention system. D) firewall.

A(n) ________ helps employees understand management's vision. It communicates company core values and inspires employees to live by those values. A) boundary system B) diagnostic control system C) interactive control system D) belief system

According to the ERM model, ________ help to align high level goals with the company's mission. A) compliance objectives B) operations objectives C) reporting objectives D) strategic objectives

According to the Trust Services Framework, the reliability principle of integrity is achieved when the system produces data that A) is available for operation and use at times set forth by agreement. B) is protected against unauthorized physical and logical access. C) can be maintained as required without affecting system availability, security, and integrity. D) is complete, accurate, and valid.

An access control matrix A) is the process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform. B) is used to implement authentication controls. C) matches the user's authentication credentials to his authorization. D) is a table specifying which portions of the system users are permitted to access.

Applying the COBIT5 framework, governance is the responsibility of A) internal audit. B) external audit. C) management. D) the board of directors.

Applying the COBIT5 framework, monitoring is the responsibility of A) the CEO. B) the CFO. C) the board of directors. D) all of the above

Applying the COBIT5 framework, planning is the responsibility of A) the CEO. B) the CFO. C) the board of directors. D) all of the above

Asymmetric key encryption combined with the information provided by a certificate authority allows unique identification of A) the user of encrypted data. B) the provider of encrypted data. C) both the user and the provider of encrypted data. D) either the user or the provider of encrypted data.

Compatibility tests utilize a(n) ________, which is a list of authorized users, programs, and data files the users are authorized to access or manipulate. A) validity test B) biometric matrix C) logical control matrix D) access control matrix

Each event in an REA model will in most cases have at least one ________ agent and one ________ agent involved with the event. A) internal; resource B) external; entity C) internal; employee D) internal; external

Identify the item below that is not a step you could take to prevent yourself from becoming a victim of identity theft. A) Shred all documents that contain your personal information. B) Only print your initial and last name on your personal checks. C) Monitor your credit reports regularly. D) Refuse to disclose your social security number to anyone or any organization.

Identify the item below which is not a piece of legislation passed to protect individuals against identity theft or to secure individuals' privacy. A) The Health Insurance Portability and Accountability Act (HIPAA). B) The Health Information Technology for Economic and Clinical Health Act (HITECH). C) The Gramm--Leach--Bliley Act. D) The Dodd-Frank Act.

Identify the statement below that is false with respect to cardinalities. A) Cardinalities describe the nature of the relationship between two entities. B) No universal standard exists for representing information about cardinalities in REA diagrams. C) The minimum cardinality can be zero or one. D) The maximum cardinality can be zero, one, or many.

If an organization asks you to disclose your date of birth and your address, but fails to establish any procedures for responding to customer complaints, the organization has likely violated which of the Generally Accepted Privacy Principles? A) Collection. B) Access. C) Security. D) Monitoring and enforcement.

If an organization asks you to disclose your social security number, yet fails to properly dispose of your private information once it has fulfilled its purpose, the organization has likely violated which of the Generally Accepted Privacy Principles? A) Management. B) Notice. C) Choice and consent. D) Use and retention.

In recent years, many of the attacks carried out by hackers have relied on this type of vulnerability in computer software. A) Code mastication. B) Boot sector corruption. C) URL injection. D) Buffer overflow.

In which stage(s) of the database design process is the completed data model used? A) only in the systems analysis stage B) only in the conceptual design stage C) in both the systems analysis and design stages D) neither the systems analysis nor the design stages

In which stage(s) of the database design process should accountants participate? A) the systems analysis stage B) the conceptual design stage C) the implementation and conversion stage D) in all of the stages above

It is industry standard to model attributes as ________ in entity-relationship diagrams. A) rectangles B) ovals C) diamonds D) There is no industry standard.

It is industry standard to model relationships as ________ in entity-relationship diagrams. A) rectangles B) ovals C) diamonds D) There is no industry standard.

Lauren Smith was relaxing after work with a colleague at a local bar. After a few drinks, she began expressing her feelings about her company's new control initiatives. It seems that as a result of controls put in place by the company, she now has to find ways to help her staff to better understand the company's vision and core values. The level of control that the company is using in this case is a(n) A) boundary system. B) diagnostic control system. C) interactive control system. D) belief system.

Loreen Tina is the chief lawyer for Tamara Incorporated. The CEO of Tamara Incorporated asks Loreen whether the company should periodically delete all company e-mail. If Loreen is well-versed in AIS best practices, she would mostly likely respond, A) Yes, if we are ever sued, the other attorney will not be able to comb through our e-mail for evidence. B) Yes, since e-mail requires a lot of storage space, deleting it periodically will reduce the amount of information we need to store. C) No, deleting an organization's e-mail is against the law. D) No, if we are ever sued we will not be able to draw upon our e-mail records to defend ourselves.

New employees of Baker Technologies are assigned user names and appropriate permissions. Their credentials are then entered into the company's information system's access control matrix. This is an example of a(n) A) authentication control. B) biometric device. C) remote access control. D) authorization control.

Nolwenn Limited has been diligent in ensuring that their operations meet modern control standards. Recently, they have extended their control compliance system by incorporating policies and procedures that require the specification of company objectives, uncertainties associated with objectives, and contingency plans. Nolwenn Limited is transitioning from a ________ to a ________ control framework. A) COSO-Integrated Framework; COBIT B) COBIT; COSO-Integrated Framework C) COBIT; COSO-ERM D) COSO-Integrated Framework; COSO-ERM E) COSO-ERM; COBIT

Of the following examples of fraud, which will be the most difficult to prevent and detect? Assume the company enforces adequate segregation of duties. A) A mail room employee steals a check received from a customer and destroys the documentation. B) The accounts receivable clerk does not record sales invoices for friends or family, so they can receive free goods. C) An employee puts inventory behind the dumpster while unloading a vendor's delivery truck, then picks up the inventory later in the day and puts it in her car. D) A credit manager issues credit cards to himself and a staff accountant in the accounting office, and when the credit card balances are just under $1,000, the staff accountant writes off the accounts as bad debt. The credit manager then issues new cards.

One of the key objectives of segregating duties is to A) ensure that no collusion will occur. B) achieve an optimal division of labor for efficient operations. C) make sure that different people handle different transactions. D) make sure that different people handle different parts of the same transaction.

Probably the most important change management control is A) monitoring user rights and privileges during the change process. B) testing all changes thoroughly prior to implementation on a stand-alone computer. C) updating all documentation to reflect changes made to the system. D) management's careful monitoring and review.

The COBIT5 framework primarily relates to A) best practices and effective governance and management of private companies. B) best practices and effective governance and management of public companies. C) best practices and effective governance and management of information technology. D) best practices and effective governance and management of organizational assets.

The Sarbanes-Oxley Act (SOX) applies to A) all companies with gross annual revenues exceeding $500 million. B) publicly traded companies with gross annual revenues exceeding $500 million. C) all private and public companies incorporated in the United States. D) all publicly traded companies.

The accounting department at Aglaya Telecom records an average of 5,000 transactions per hour and have a recovery time objective of 120 minutes. Aglaya recently suffered a hardware malfunction and it took the company 20 hours to recover their lost data. How many transactions did Aglaya recover? A) 20,000 transactions. B) 30,000 transactions. C) 40,000 transactions. D) 50,000 transactions.

The accounting department at Synergy Hydroelectric records an average of 12,500 transactions per hour. By cost-benefit analysis, managers have concluded that the maximum acceptable loss of data in the event of a system failure is 50,000 transactions. If the firm's recovery time objective is 120 minutes, then the worst case recovery time objective is A) 2 hours. B) 4 hours. C) 6 hours. D) 8 hours.

The best example of an effective payroll transaction file hash total would most likely be A) sum of net pay. B) total number of employees. C) sum of hours worked. D) total of employees' social security numbers.

The first steps in protecting the privacy of personal information is to identify A) what sensitive information is possessed by the organization. B) where sensitive information is stored. C) who has access to sensitive information. D) All of the above are first steps in protecting privacy.

The most effective method for protecting an organization from social engineering attacks is providing A) a firewall. B) stateful packet filtering. C) a demilitarized zone. D) employee awareness training.

The principle of obtaining or generating relevant, high-quality information to support internal control belongs to which of the COSO's Internal Control Model's component? A) Control environment. B) Risk assessment. C) Control activities. D) Information and communication.

The process that screens individual IP packets based solely on the contents of the source and/or destination fields in the packet header is known as A) access control list. B) deep packet inspection. C) intrusion filtering. D) packet filtering.

The process that uses automated tools to identify whether a system possesses any well-known security problems is known as a(n) A) intrusion detection system. B) log analysis. C) penetration test. D) vulnerability scan.

The second step of the risk assessment process is generally to A) identify controls to reduce all risk to zero. B) estimate the exposure from negative events. C) identify the threats that the company currently faces. D) estimate the risk probability of negative events occurring.

The steps that criminals take to study their target's physical layout to learn about the controls it has in place is called A) scanning and mapping the target. B) social engineering. C) research. D) reconnaissance.

The system and processes used to issue and manage asymmetric keys and digital certificates are known as A) asymmetric encryption. B) certificate authority. C) digital signature. D) public key infrastructure.

The total overtime hours is 806. Which data entry control would best prevent similar data entry errors in the future? A) Sequence check. B) Validity check. C) Check digit. D) Reasonableness test.

There are "white hat" hackers and "black hat" hackers. Cowboy451 was one of the "black hat" hackers. He had researched an exploit and determined that he could penetrate the target system, download a file containing valuable data, and cover his tracks in eight minutes. Six minutes into the attack he was locked out of the system. Using the notation of the time-based model of security, which of the following must be true? A) P < 6 B) D = 6 C) P = 6 D) P > 6

This protocol specifies the procedures for dividing files and documents into packets to be sent over the Internet. A) access control list B) Internet protocol C) packet switching protocol D) transmission control protocol

To protect against malware, it is important that antivirus software automatically examine ________ introduced into a system. A) CDs B) e-mail C) flash drives D) all of the above

Turnaround documents are an example of a(n) A) data entry control. B) output control. C) processing control. D) input control.

Under CAN-SPAM legislation, an organization that receives an opt-out request from an individual has ________ days to implement steps to ensure they do not send out any additional unsolicited e-mail to the individual again. A) 2 B) 5 C) 7 D) 10

Upon acquiring a new computer operating system, management at Berryhill worried that computer virus might cripple the company's operation. Despite the concern, management did not think that the risk was high enough to justify the purchase of an anti-virus software. Berryhill chose to ________ the risk of being crippled by computer virus.

What confidentiality and security risk does using VoIP present to organizations? A) Internet e-mail communications can be intercepted. B) Internet photographs can be intercepted. C) Internet video can be intercepted. D) Internet voice conversations can be intercepted.

What is the standard cardinality pattern for a relationship between an event and an agent? A) 1:1. B) 0:1. C) 0:N. D) 1:N.

Which of the following graphical symbols represents a minimum cardinality of one and a maximum cardinality of many? A) O| B) || C) O< D) |<

Which of the following is an example of a corrective control? A) Physical access controls. B) Encryption. C) Intrusion detection. D) Incident response teams.

Which of the following is not a risk associated with the data input process? A) Data is invalid. B) Data is incomplete. C) Data is inaccurate. D) Data is corrupted.

Which of the following is not a violation of the Sarbanes-Oxley Act (SOX)? The management at Lasalle Investment group A) asked their auditors to make recommendations for the redesign of their information technology system and to aid in the implementation process. B) did not mention to auditors that the company had experienced material weaknesses in the company's internal control systems during the past year. C) selected the company's CEO to chair the audit committee. D) hired the manager from the external audit team as company CFO twelve months after the manager had worked on the audit.

Which of the following is not one of the five principles of COBIT5? A) meeting stakeholder needs B) covering the enterprise end-to-end C) enabling a holistic approach D) improving organization efficiency

Which of the following is not one of the rules in creating an REA data model? A) Each event is linked to at least one resource that it affects. B) Each event is linked to at least one other event. C) Each event is linked to at least two participating agents. D) All of the above are important rules.

Which of the following is not one of the three important factors determining the strength of any encryption system? A) Key length. B) Policies for managing cryptographic keys. C) Encryption algorithm. D) Storage of digital signatures.

Which of the following measures can protect a company from AIS threats? A) Take a proactive approach to eliminate threats. B) Detect threats that do occur. C) Correct and recover from threats that do occur. D) All of the above are proper measures for the accountant to take.

Which of the following preventive controls are necessary to provide adequate security for social engineering threats? A) Controlling physical access. B) Encryption. C) Profiling. D) Awareness training.

Which of the following statements is false regarding REA diagrams? A) Each organization will have its own unique REA diagram. B) An REA diagram for a given organization will change over time. C) Data modeling and REA diagram development involve complex and repetitive processes. D) Redrawing an REA diagram several times during development is uncommon.

Which of the following statements is true with regards to system availability? A) Human error does not threaten system availability. B) Threats to system availability can be completely eliminated. C) Proper controls can maximize the risk of threats causing significant system downtime. D) Threats to system availability include hardware and software failures as well as natural and man-made disasters.

Which of the following transactions is represented by the diagram below? A) Each sale is associated with a single order, and there is a time lag between the time an order is taken and delivery of the product. B) Each sale can be comprised of multiple orders, and each order can be associated with multiple sales or no sales. C) Each sale can be comprised of multiple orders, and each order can be associated with one or more sales. D) Each sale is associated with a single order, and there is no time lag between the time an order is taken and delivery of the product.

Which of the following was not an important change introduced by the Sarbanes-Oxley Act of 2002? A) New roles for audit committees B) New rules for auditors and management C) New rules for internal control requirements D) New rules for information systems development

Which type of audits can detect fraud and errors? A) External audits. B) Internal audits. C) Network security audits. D) all of the above

Which type of software provides an additional layer of protection to sensitive information that is stored in digital format, offering the capability not only to limit access to specific files or documents but also to specify the actions that individuals who are granted access to that resource can perform? A) Anti-virus software. B) Data loss prevention software. C) A digital watermark. D) Information rights software.

Whitewater Rapids provides canoes to tourists eager to ride Whitewater River's rapids. Management has determined that there is one chance in a thousand of a customer being injured or killed. Settlement of resulting lawsuits has an average cost of $850,000. Insurance with a $100,000 deductible is available. It covers the costs of lawsuits, unless there is evidence of criminal negligence. What is the impact of this risk without insurance? A) $10 B) $850 C) $100,000 D) $850,000

With a limited work force and a desire to maintain strong internal control, which combination of duties would result in the lowest risk exposure? A) Updating the inventory subsidiary ledgers and recording purchases in the purchases journal. B) Approving a sales return on a customer's account and depositing customers' checks in the bank. C) Updating the general ledger and working in the inventory warehouse. D) Entering payments to vendors in the cash disbursements journal and entering cash received from customers in the cash receipts journal.

________ includes all the activities associated with transferring data from existing systems to the new database AIS, testing the new system, and training employees how to use it. A) Systems analysis B) Conceptual design C) Physical design D) Implementation and conversion

________ involves copying only the data items that have changed since the last partial backup. A) Archive B) Cloud computing C) Differential backup D) Incremental backup

________ is a data entry input control that involves summing the first four digits of a customer number to calculate the value of the fifth digit, then comparing the calculated number to the number entered during data entry. A) Validity check B) Duplicate data check C) Closed-loop verification D) Check digit verification

________ is/are an example of a detective control. A) Physical access controls B) Encryption C) Emergency response teams D) Log analysis

________ tests a numerical amount to ensure that it does not exceed a predetermined value nor fall below another predetermined value. A) Completeness check B) Field check C) Limit check D) Range check

Lihat semua set pelajaran

4100 2

Set pelajaran terkait

Math(5169) #2

Neurological Conditions

Quiz 4 (Ch 9-10): Address Resolution and Basic Router Configuration CRC Fa22 CISN 304

Saunders-Pharm (GI)

OSU Geo 102

Test1 AUTOCAD 2

Chapter 3: Toxic Effects of Drugs

Chapter 5 Profit-Sharing Plans

2020 370Z COUPE CERTIFICATION

Sociology Chapter 12

POLS 1101E Chapt 6: Congress

DCSI 3210 Exam 3 (CH 11, 12, 14-16)

CHAPTER 6 WORKBOOK AND BLUE/RED MOD

PSYCH 221 (Ch.11 Stereotyping, Prejudice, and Discrimination)

GSWS 101 Mid Term Vocab

Marketing 255 Chapters 6-8

Oxytocin (Pitocin)

Chapter 8 test WHAP

Wehrs Test Questions

Kin 365 Exam 3