ACCT 3900 Chapter 15.1-4


Which of the following statements is correct regarding information technology (IT) governance?

A primary goal of IT governance is to balance risk versus return over IT and its processes.

The firewall system that limits access to a computer by routing users to replicated Web pages is

A proxy server.

Dora Jones, an auditor for Farmington Co., noted that the Acme employees were using computers connected to Acme's network by wireless technology. On her next visit to Acme, Jones brought one of Farmington's laptop computers with a wireless network card. When she started the laptop to begin work, Jones noticed that the laptop could view several computers on Acme's network and that she had access to Acme's network files. Which of the following statements is the most likely explanation?

Acme was not using security on the network.

Which of the following is not among the seven CSF implementation steps?

Action plan review.

Which of the following characteristics distinguishes computer processing from manual processing?

Computer processing virtually eliminates the occurrence of computational error normally associated with manual processing.

Which of the following CSF implementation steps and COBIT 2019 implementation phases are paired correctly?

Conduct a Risk Assessment; Create a Target Profile/Where do we want to be?

Innovations in IT increase the importance of risk management because

Information system security is continually subject to new threats.

Which of the following categories of enablers (or components) is classified as resources under COBIT?

Information.

Which of the following is most likely a disadvantage for an entity that keeps data files prepared by personal computers rather than manually prepared files?

It is usually easier for unauthorized persons to access and alter the files.

General controls in an information system include each of the following except

Logic tests.

Which of the following is a key difference in controls when changing from a manual system to a computer system?

Methodologies for implementing controls change.

Which of the following passwords would be most difficult to crack?

O?Ca!FlSi

After segregating the duties of system analysts and file librarians and imposing proper supervision, a company tests whether incidents deemed to be the result of incompatible job responsibilities continue to exist. Which COBIT governance system principle is this paired with?

Tailored to enterprise needs.

What is the primary objective of data security controls?

To ensure that storage media are subject to authorization prior to access, change, or destruction.

Which of the following is an advantage of a computer-based system for transaction processing over a manual system? A computer-based system

Will be more efficient at producing financial statements.

An auditor was examining a client's network and discovered that the users did not have any password protection. Which of the following would be the best example of the type of network password the users should have?

tR34ju78.

All of the following are adequate controls for protection against unauthorized access to sensitive information except

System access log.

As a result of technological developments facing businesses and CPAs,

System boundaries are becoming less distinct.

What should be examined to determine if an information system is operating according to prescribed procedures?

System control.

Which of the following statements, if included as the description of a data attribute, describes the nature of the elements in the attribute?

"The size of the warehouse is the amount of type A inventory that may be stored."

ISACA establishes a phased five-stage data management approach to guide the establishment or improvement of a data governance program. Arrange the following activities in the order defined by ISACA.
1. Establish and evolve data architecture
2. Define, execute, assure data quality, and clean polluted data
3. Establish a data governance foundation
4. Focus on data analytics
5. Realize data democratization

3, 1, 2, 5, 4

Authentication is the process by which the

System verifies the identity of the user.

Attacks on computer networks may take many forms. Which of the following uses the computers of innocent parties infected with Trojan horse programs?

A distributed denial-of-service attack.

A company wants to protect its IT system from unauthorized users accessing the system. Which of the following controls would best serve to mitigate this risk?

A biometric device.

One of the major problems in a computer system is that incompatible functions may be performed by the same individual. One compensating control is the use of

A computer log.

A company's web server has been overwhelmed with a sudden surge of false requests that caused the server to crash. The company has most likely been the target of

A denial of service attack.

An entity has many employees that access a database. The database contains sensitive information concerning the customers of the entity and has numerous access points. Access controls prevent employees from entry to those areas of the database for which they have no authorization. All salespersons have certain access permission to customer information. Which statement is true regarding the nature of the controls and risks?

A salesperson's access to customer information should extend only to what is necessary to perform his or her duties.

Which of the following statements is true regarding internal control objectives of information systems?

A secure system may have inherent risks due to management's analysis of trade-offs identified by cost-benefit studies.

Controls in the information technology area are classified into the preventive, detective, and corrective categories. Which of the following is a preventive control?

Access control software.

All of the following are correct statements regarding a firewall except

An application firewall is an adequate substitute for a network firewall.

Which of the following is an important senior management responsibility with regard to information systems security?

Assessing exposures.

When a user enters a certain entity's system, a series of questions is asked of the user, including a name and mother's birth date. These questions are primarily intended to provide

Authentication of the user.

The headquarters' computer of a certain entity maintains a matrix of user names and the files/programs the user can access as well as what the user can do to/with the file or program. This matrix is primarily intended to provide

Authorization for processing.

Which of the following security controls may prevent unauthorized access to sensitive data via an unattended workstation connected to a server?

Automatic log-off of inactive users.

A company permits employees to work from home using company-owned laptops. Which of the following competitive advantages does the company most likely obtain as a result of this decision?

Availability.

Which of the following is not a criterion the Assurance Services Executive Committee (ASEC) identifies for defining a set of data and evaluating its integrity?

Consistent over time.

Some data processing controls relate to all computer processing activities (general controls) and some relate to specific tasks (application controls). General controls include

Controls for documenting and approving programs and changes to programs.

Which of the following statements most accurately describes the impact that automation has on the controls normally present in a manual system?

Controls must be more explicit in a computer-based system because many processing points that present opportunities for human judgment in a manual system are eliminated.

Which of the following is a true statement regarding security over an entity's IT?

Controls should exist to ensure that users have access to and can update only the data elements that they have been authorized to access.

A company began issuing handheld devices to key executives. Each of the following factors is a reason for requiring changes to the security policy except

Convenience of the device.

A company discovered incidents of unauthorized access to its internal system. Which of the following actions or practices is involved in implementation phase 5 of COBIT 2019?

Creating a list of authorized employees who should be assigned usernames and passwords.

Which of the following is a true statement about data democratization?

Data democratization aims at building a single source of reference for data searching.

Which of the following issues would be of most concern to an auditor relating to an organization's information security policy?

Data integrity.

Which of the following is a true statement regarding data owners and data stewards?

Data owners make decisions about the data, and data stewards ensure the data are used and adopted properly.

To manage its transactional data, Fort Company established the data stewardship structure in its data management program. Which of the following roles is responsible for authorizing access to transactional data?

Data steward.

A retail store uses batch processing to process sales transactions. The store has batch control total and other control checks embedded in the information processing system of the sales subsystem. While comparing reports, an employee notices that information sent to the subsystem was not fully processed. Which of the following types of controls is being exercised by the employee?

Detective.

Review of the audit log is an example of which type of security control?

Detective.

A client who recently installed a new accounts payable system assigned employees a user identification code (UIC) and a separate password. Each UIC is a person's name, and the individual's password is the same as the UIC. Users are not required to change their passwords at initial log-in, nor do passwords ever expire. Which of the following statements does not reflect a limitation of the client's computer-access control?

Employees are not required to take regular vacations.

Which of the following is the most effective user account management control in preventing the unauthorized use of a computer system?

Employees are required to renew their accounts semiannually.

The significance of hardware controls is that they

Ensure the proper execution of machine instructions.

Which of the following statements is inconsistent with the key principles of the COBIT 5 framework?

Enterprise governance and management are treated as the same activity.

Which of the following is a key area in the governance objectives under COBIT?

Evaluate, direct, and monitor.

Which of the following provides a valid example of data categorization under data taxonomy and data classification?

Financial/Internal.

Which of the following is an electronic device that separates or isolates a network segment from the main network while maintaining the connection between networks?

Firewall.

Which of the following risks can be minimized by requiring all employees accessing the information system to use passwords?

Firewall vulnerability.

Which of the following is a network security system that is used to control network traffic and to set up a boundary that prevents traffic from one segment from crossing over to another?

Firewall.

The two broad groupings of information systems control activities are general controls and application controls. General controls include controls

For developing, modifying, and maintaining computer programs.

Which of the following is a false statement about the COBIT 2019 framework?

Governance and management activities and structures can be combined to support a holistic approach.

Parity checks and echo checks are examples of

Hardware controls.

General controls include
I. Physical controls.
II. Access controls.
III. Hardware controls.
IV. Environmental controls.
V. Logical controls.

I, II, III, IV, and V.

Which of the following risks are greater in computerized systems than in manual systems?
I. Erroneous data conversion
II. Erroneous source document preparation
III. Repetition of errors
IV. Concentration of data

I, III, and IV.

Spoofing is one type of malicious online activity. Spoofing is

Identity misrepresentation in cyberspace.

What approach is used to implement the CSF in the context of COBIT 2019?

Incremental approach.

Which of the following control activities should be taken to reduce the risk of incorrect processing in a newly installed computerized accounting system?

Independently verify the transactions.

Which of the following statements is true concerning the COBIT 5 framework?

Information and organizational structures are among the enablers identified in COBIT 5.

Matthews Corp. has changed from a system of recording time worked on clock cards to a computerized payroll system in which employees record time in and out with magnetic cards. The computer system automatically updates all payroll records. Because of this change,

Part of the audit trail is altered.

A client installed the sophisticated controls using the biometric attributes of employees to authenticate user access to the computer system. This technology most likely replaced which of the following controls?

Passwords.

Which of the following classifications of security controls includes smoke detectors, generators, security guards, and ID badges?

Physical.

An organization relied heavily on e-commerce for its transactions. Evidence of the organization's security awareness manual would be an example of which of the following types of controls?

Preventive.

Which of the following is the best policy for the protection of a company's vital information resources from computer viruses?

Prudent management procedures instituted in conjunction with technological safeguards.

Which of the following statements presents an example of a general control for a computerized system?

Restricting access to the computer center by use of biometric devices.

Which of the following activities would most likely detect computer-related fraud?

Reviewing the systems-access log.

All of the following are correct statements regarding general controls except

Segregation of duties is less important because IT facilitates the separation of functions (authorization, recording, and access to assets).

Which of the following statements best characterizes the function of a physical access control?

Separates unauthorized individuals from computer resources.

One of the data definition criteria identified by the Assurance Services Executive Committee (ASEC) is that the description identifies information that has not been included in the data set but is necessary for understanding the data. Which of the following is not an example of this criterion?

The analyst report from which the data are retrieved.

Using standard procedures developed by information center personnel, staff members download specific subsets of financial and operating data as they need it. The staff members analyze the data on their own personal computers and share results with each other. Over time, the staff members learn to modify the standard procedures to get subsets of financial and operating data that were not accessible through the original procedures. The greatest risk associated with this situation is that

The data obtained might be incomplete or lack currency.

Which of the following is not an element of the completeness and accuracy criterion the Assurance Services Executive Committee (ASEC) uses to define a set of data?

The intended use of the data.

When evaluating a cloud service provider's data security measures, a company would appropriately consider each of the following risk factors, except

The provider's vertical scalability.

A small client recently put its cash disbursements system on a server. About which of the following internal control features would an auditor most likely be concerned?

The server is operated by employees who have cash custody responsibilities.

Your firm has recently converted its purchasing cycle from a manual process to an online computer system. Which of the following is a probable result associated with conversion to the new automatic system?

Traditional duties are less segregated.

Which of the following is a computer program that appears to be legitimate but performs some illicit activity when it is run?

Trojan horse.

A network firewall is designed to provide adequate protection against which of the following?

Unauthenticated logins from outside users.

The description of a data attribute reads, "This forecast is prepared with the aid of a financial expert." To which of the following elements regarding the completeness and accuracy criterion provided by the Assurance Services Executive Committee (ASEC) to define a dataset does the above statement relate?

Uncertainty.

When a client's accounts payable computer system was relocated, the administrator provided support through a dial-up connection to a server. Subsequently, the administrator left the company. No changes were made to the accounts payable system at that time. Which of the following situations represents the greatest security risk?

User accounts are not removed upon termination of employees.

Which of the following is a password security problem?

Users are assigned passwords when accounts are created but do not change them.

Under the COBIT 2019 framework, which of the following statements is true?

Variant components for a governance system are designed for a specific context within a focus area.
