ACT 4240A Chapter 15 Monitoring and Auditing AIS
Which of the statements below best defines an embedded audit module? -A test data technique that enables test data to be continually evaluated during the normal operation of a system. -A programmed module added to the system so that the auditors can monitor and collect data over online transactions. -A parallel simulation module that uses a set of input data to validate system integrity. -A module in which the auditors create fictitious situations and perform a wide variety of tests over the system.
-A programmed module added to the system so that the auditors can monitor and collect data over online transactions.
Regarding data transmission security of wireless networks, all access points should be configured with encryption to maintain confidentiality and data integrity. Select correct statements on data transmission security. (Select all that apply) -The wired equivalent privacy (WEP) algorithm should be used for maintaining confidentiality. -All access points should be configured with encryption to maintain confidentiality. -The wi-fi protected access (WPA) algorithm can provide effective authentication and encryption for data transmission. -A firm should take time to carefully evaluate necessary changes over the default configuration of all access points that have been deployed.
-All access points should be configured with encryption to maintain confidentiality. -The wi-fi protected access (WPA) algorithm can provide effective authentication and encryption for data transmission.
Management controls are security controls that focus on management of risk and information system security. Give examples of management controls in wireless networks. (Select all that apply) -Assigning roles and responsibilities of end users -Creating policies and procedures regarding security issues -Conducting risk assessment regarding security issues -Preventing and detecting physical security breaches
-Assigning roles and responsibilities of end users -Creating policies and procedures regarding security issues -Conducting risk assessment regarding security issues
What is the white-box approach in auditing systems? Select all statements that apply. -Auditors need to create test cases to verify specific logic and controls in a system. -The white-box approach is also called auditing around the computer. -It requires auditors to understand the internal logic of the system/application being tested.
-Auditors need to create test cases to verify specific logic and controls in a system. -It requires auditors to understand the internal logic of the system/application being tested.
Data governance is the convergence of which of the following items? (Select all that apply) -Business process management on data -Risk management on data -Data quality, data management, and data policies -Data accuracy of financial statements
-Business process management on data -Risk management on data -Data quality, data management, and data policies
What is continuous auditing? (Select all that apply) -Continuous auditing is to perform audit-related activities on a continuous basis. -Testing in continuous audits often consists of continuous controls monitoring and continuous data assurance. -Continuous auditing is to automate all audit-related activities.
-Continuous auditing is to perform audit-related activities on a continuous basis. -Testing in continuous audits often consists of continuous controls monitoring and continuous data assurance.
What is data mining used for? (Select all that apply) -Data mining is the process of searching and analyzing the data in a data warehouse for decision making. -Data mining is the process of searching for patterns in the data in a data warehouse. -Firms use data mining techniques to process daily transactions. -Data mining is used to identify patterns in making predictions.
-Data mining is the process of searching and analyzing the data in a data warehouse for decision making. -Data mining is the process of searching for patterns in the data in a data warehouse. -Data mining is used to identify patterns in making predictions. Reason: Firms use operational databases for daily operations such as processing transactions.
Match the term to its definition. -Data warehouse <-> -Operational database <-> -a centralized collection of firm-wide data for a relatively long period of time; data are nonvolatile -used for daily operations and usually includes data for the current fiscal year only; data are volatile
-Data warehouse <-> a centralized collection of firm-wide data for a relatively long period of time; data are nonvolatile -Operational database <-> used for daily operations and usually includes data for the current fiscal year only; data are volatile
Select correct statements regarding a virtual private network (VPN). (Check all that apply) -A VPN is designed to ensure security for transmitting data to trading partners only. -Encryption technology is required in designing a VPN. -VPNs are for LANs only. -It is commonly used for employees to have remote access to their firm's network.
-Encryption technology is required in designing a VPN. -It is commonly used for employees to have remote access to their firm's network.
Select the benefits of using wireless technology. (Select all that apply) -Secured data transmission using a wireless network -Freely setting up or removing wireless networks at different locations -Convenient online access without a physical network using cables for connections
-Freely setting up or removing wireless networks at different locations -Convenient online access without a physical network using cables for connections
One widely used tool in auditing a system is generalized audit software (GAS). GAS is frequently used to perform substantive tests and is used for testing of controls through transactional-data analysis. Select the best statement in describing GAS. -GAS refers to software that has the capability to directly read and access data from a couple of specific operating systems such as UNIX and Windows. -GAS provides auditors with an independent means to gain access to various types of data for analysis. -Popular software packages of GAS include Oracle and SAP.
-GAS provides auditors with an independent means to gain access to various types of data for analysis.
Which of the following frameworks/regulations is most relevant to data governance? -COBIT -COSO -ISO 27001 -GDPR
-GDPR Reason: General Data Protection Regulation is a global standard that provides a strategic vision of how organizations need to ensure data privacy.
Local area network (LAN) devices include hubs and switches. Match the correct descriptions for hubs and switches. -Hubs <-> -Switches <-> -containing multiple ports, broadcasting data packets -an intelligent device that provides a path for connections of hosts in a LAN, directs data packets based on media access control addresses
-Hubs <-> containing multiple ports, broadcasting data packets -Switches <-> an intelligent device that provides a path for connections of hosts in a LAN, directs data packets based on media access control addresses
What is the black-box approach in auditing systems? Select all statements that apply. -Auditors must gain detailed knowledge of the systems' internal logic. -It is adequate when automated systems applications are relatively simple. -It is to audit around the computer. -The advantage of this approach is that the systems will not be interrupted for auditing purposes.
-It is adequate when automated systems applications are relatively simple. -It is to audit around the computer. -The advantage of this approach is that the systems will not be interrupted for auditing purposes.
Select the correct statement regarding the black-box approach in auditing systems. -It is also called auditing around the computer. -The systems are often interrupted for auditing purposes. -Auditors must have detailed knowledge of the systems' internal logic.
-It is also called auditing around the computer.
Match the devices used in each type of network. -LAN <-> -VPN <-> -WAN <-> -access points -switches -firewalls
-LAN <-> switches -VPN <-> access points -WAN <-> firewalls
Select correct descriptions about local area networks (LANs) and wide area networks (WANs). -LANs <-> -WANs <-> -mainly use routers and firewalls -mainly use hubs and switches
-LANs <-> mainly use hubs and switches -WANs <-> mainly use routers and firewalls
Determine whether the following activities are audit related or management related in continuous auditing. -Related audit activity <-> -Related management activity <-> -Control monitoring -Control assurance
-Related audit activity <-> Control assurance -Related management activity <-> Control monitoring
Auditors can use computer-assisted audit techniques (CAATs) in which areas? -Test of details of transactions and balances -Compliance tests of IT general and application controls -Analytical review procedures -Predictive business analytics and forecasting
-Test of details of transactions and balances -Compliance tests of IT general and application controls -Analytical review procedures
The operating system (OS) must achieve fundamental control objectives to consistently and reliably perform its functions. Which of the following are the control objectives of the OS? (Select all that apply) -The OS must protect itself from users. -The OS must protect users from each other. -The OS must protect users from themselves. -The OS must be user friendly for end users. -The OS must be protected from itself.
-The OS must protect itself from users. -The OS must protect users from each other. -The OS must protect users from themselves. -The OS must be protected from itself.
Which of the following statements about CAATs is not correct? -The test data technique uses a set of hypothetical transactions to examine the programmed checks and program logic in programs. -The embedded audit module may require the auditor to have a good working knowledge of computer programming and a solid understanding of IT risks that may exist in a system. -Parallel simulation attempts to simulate or reproduce the firm's actual processing results. -The integrated test facility is a programmed module or segment that is inserted into an application program to monitor and collect data based on daily transactions.
-The integrated test facility is a programmed module or segment that is inserted into an application program to monitor and collect data based on daily transactions.
Identify the main purposes for a wide area network (WAN). (Check all that apply). -To provide corporate access to the Internet -To ensure secured access from each office in different cities -To provide remote access to employees or customers -To link various sites within the firm
-To provide corporate access to the Internet -To provide remote access to employees or customers -To link various sites within the firm
How can a business make a wide area network secure? (Check all that apply). -Use a virtual private network -Use dedicated leased lines -Use a local area network
-Use a virtual private network -Use dedicated leased lines
Select relevant technologies in performing continuous auditing. (Select all that apply) -XML and XBRL -Data analytics and/or data mining -CAATs -OS, LANs, and WANs
-XML and XBRL -Data analytics and/or data mining -CAATs
In our electronic world, all or most accounting records are stored in a database. A database is: -a centralized repository that collects data from the beginning of a company's operation until today -a file with big data collected from various sources inside and outside a company -a shared collection of logically related data that meets the information needs of a firm
-a shared collection of logically related data that meets the information needs of a firm
Technical controls of wireless networks are security controls that are primarily implemented and executed through mechanisms contained in computing-related equipment such as ______ ______ (AP) management and encryption setup.
-access -point
A wireless network is comprised of two fundamental architectural components: ______ points and ______.
-access -stations / station
The operating system performs the tasks that enable a computer to operate. It is comprised of system utilities and programs that: (Select all that apply) -allocate computer resources to users and applications. -it is the main function in managing a database. -control the flow of multiprogramming. -ensure the integrity of the system.
-allocate computer resources to users and applications. -control the flow of multiprogramming. -ensure the integrity of the system.
Auditors often use CAATs for tests of details of transactions and balances, ______ ______ procedures, compliance tests of IT general and application controls, operating system and network vulnerability assessments, etc.
-analytical -review
When a firm considers whether or not to implement continuous auditing, it should first evaluate the overall ______ and ______ of having continuous auditing as part of the firm's overall governance, risk, and compliance (GRC) effort.
-benefit / benefits -cost / costs
General security objectives for both wired LANs and wireless LANs include: ______, ______, ______, and access controls.
-confidentiality -integrity -availability
Common security objectives for both wired and wireless networks include: confidentiality, integrity, availability, and access control. Select the correct explanation for each term. -confidentiality <-> -integrity <-> -availability <-> -access control <-> -Restrict the rights of devices or individuals to access a network or resources within a network. -Detect any intentional or unintentional changes to the data during transmission. -Communication cannot be read by unauthorized parties. -Devices and individuals can access a network and its resources whenever needed.
-confidentiality <-> Communication cannot be read by unauthorized parties. -integrity <-> Detect any intentional or unintentional changes to the data during transmission. -availability <-> Devices and individuals can access a network and its resources whenever needed. -access control <-> Restrict the rights of devices or individuals to access a network or resources within a network.
The ______ ______ module is a programmed audit module that is added to the system under review. Hence, the auditors can monitor and collect data over online transactions. The collected data are analyzed by auditors in evaluating control risks and effectiveness.
-embedded -audit
During the course of an audit, the IS auditor should obtain sufficient, reliable, and relevant ______ to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this ______.
-evidence -evidence
The ______ ______ ______ (GAS) refers to standard software that has the capability to directly read and access data from various database platforms. Auditors often use GAS to perform substantive tests and to test controls through transactional data analysis.
-generalized -audit -software
The ______ ______ ______ (ITF) approach is an automated technique that enables test data to be continually evaluated during the normal operation of a system. The auditor creates fictitious situations and performs a wide variety of tests over the system.
-integrated -test -facility
A ___ ___ ___ (LAN) is a group of computers, printers, and other devices connected to the same network and covers a limited geographic range such as a home, small office, or a campus building.
-local -area -network
Identify significant non-technical barriers and technical challenges that are encountered in implementing continuous auditing. -non-technical barrier <-> -technical challenge <-> -Defining the appropriate analytic that will effectively identify exceptions to controls -Readiness of the internal audit group to develop and adopt continuous auditing
-non-technical barrier <-> Readiness of the internal audit group to develop and adopt continuous auditing -technical challenge <-> Defining the appropriate analytic that will effectively identify exceptions to controls
Operational controls in wireless networks typically include -assigning roles and responsibilities of employees -protecting a firm's premises and facilities -preventing and detecting physical security breaches -providing security training to employees
-protecting a firm's premises and facilities -preventing and detecting physical security breaches -providing security training to employees
Local area network (LAN) devices include hubs and switches. From a security perspective, ______ provide a significant improvement over ______.
-switches -hubs
The ____ ____ technique uses a set of input data to validate system integrity in auditing a system. When creating the test data, auditors need to prepare both valid and invalid data to examine critical logics and controls of the system.
-test -data
Find proper definitions of techniques for white-box approach in auditing systems. -test data technique <-> -parallel simulation <-> -integrated test facility <-> -enables test data to be continually evaluated during the normal operation of a system -uses a set of input data to validate system integrity -attempts to simulate the firm's key features or processes
-test data technique <-> uses a set of input data to validate system integrity -parallel simulation <-> attempts to simulate the firm's key features or processes -integrated test facility <-> enables test data to be continually evaluated during the normal operation of a system
A ______ ______ ______ (VPN) securely connects a firm's WANs by sending/receiving encrypted packets via virtual connections over the public Internet to distant offices, salespeople, and business partners.
-virtual -private -network
A ____ ____ network (WAN) links different sites together; transmits information across geographically dispersed networks; and covers a broad geographic area such as a city, region, nation, or an international link.
-wide -area
True or false: A local area network is a group of computers, printers, and other devices connected to the same network and covers a large geographic range such as a city, a county, or a state.
False. Reason: A local area network (LAN) is a group of computers, printers, and other devices connected to the same network and covers a limited geographic range such as a home, small office, or a campus building.
True or false: Wide area network devices include hubs and routers.
False. Reason: Wide area network devices include firewalls and routers.
Which of the following network components is set up to serve as a security measure that prevents unauthorized traffic between different segments of the network? -Switch -Firewall -Virtual local area networks (VLANs) -Router
Firewall
The vice president of human resources has requested an audit to identify payroll overpayments for the previous year. Which would be the best audit technique to use in this situation? -Generalized audit software -Test data -Integrated test facility -Embedded audit module
Generalized audit software
Which of the following audit techniques should an IS auditor use to detect duplicate invoice records within an invoice master file? -Embedded audit module -Generalized audit software -Integrated test facility -Test data
Generalized audit software
An organization is planning to replace its wired networks with wireless networks. Which of the following approaches provides the most secure wireless network? -Implement wi-fi protected access (WPA2). -Disable the network interface card (NIC). -Implement wired equivalent privacy (WEP) protocol. -Allow access to only authorized media access control (MAC) addresses.
Implement wi-fi protected access (WPA2).
Unauthorized alteration of records in a database system would impair which of the following components of the CIA (related to security)? -Integrity -Availability -Authorization -Confidentiality
Integrity
_______ controls in wireless networks typically include protecting a firm's premises and facilities; preventing and detecting physical security breaches; and providing security training to employees, contractors, or third-party users.
Operational / Operation / Operating
Compare and contrast data warehouses and operational databases. -The data in a data warehouse are volatile because it includes big data. -The data in a data warehouse are updated when transactions are processed. -Operational databases are updated as transactions are processed and data warehouses are not.
Operational databases are updated as transactions are processed and data warehouses are not.
Which of the following is not a task performed by an operating system? -Provide controlled access to data and process data -Translate high-level languages to machine-level language -Manage job scheduling and multiprogramming -Support applications and facilitate their access to specified resources
Translate high-level languages to machine-level language
True or false: Common benefits of using wireless technology include mobility, rapid deployment, and flexibility and scalability of a network.
True
True or false: Most threats with regard to wireless networks typically involve an attacker with access to the radio link between a station and an access point, or between two stations.
True
According to the Institute of Internal Auditors' (IIA) professional practice standard, internal auditors must consider the use of computer-______, technology-based audit tools and other data analysis techniques when conducting internal audits.
assisted
The term "computer-assisted audit techniques (CAATs)" refers to any ______ audit techniques that can be used by an auditor to perform audits or achieve audit objectives.
automated
A local area network (LAN) is best described as a(n): -electronic library containing millions of items of data that can be reviewed, retrieved, and analyzed. -system that allows computer users to meet and share ideas and information. -method to offer specialized software, hardware, and data-handling techniques that improve effectiveness and reduce costs. -computer system that connects computers of all sizes, workstations, terminals, and other devices within a limited proximity.
computer system that connects computers of all sizes, workstations, terminals, and other devices within a limited proximity.
With ______ auditing, theoretically, an audit report/opinion can be issued simultaneously with, or shortly after, the occurrence of the events under review.
continuous
In today's electronic world, most accounting records are stored in a ______.
database
Unauthorized alteration of records in a database system can be prevented by employing: -computer matching. -regular review of audit trails. -key verification. -database access controls.
database access controls.
In a type of attack called _____, the attacker passively monitors wireless networks for data, including authentication credentials.
eavesdropping
Computer-assisted audit techniques enable auditors to gather and analyze audit _______ to test the adequacy and reliability of financial information and internal controls in a computerized environment.
evidence
Management controls are security controls that focus on _______ risk and information system security.
management
Data ______ is the process of searching for patterns in the data and analyzing these patterns for decision making.
mining
A common security threat, ______, is that the attacker steals or makes unauthorized use of a service.
misappropriation
The _____ system is the most important system software because it performs the tasks that enable a computer to operate.
operating
Security controls for wireless networks can be categorized into three groups: management, _______, and technical controls.
operational
Under the ______ simulation approach, the auditors write a computer program to reprocess the firm's actual data for a past period to generate simulated results to audit the system.
parallel
In a continuous auditing environment, the focus to evaluate internal controls ranges from control-based financial controls to ______-based operational controls.
risk
In auditing information systems, auditors use parallel _______ to verify the firm's key features or processes. Under this approach, the auditors write a computer program to reprocess the firm's actual data for a past period to generate simulated results.
simulation / simulations
Security controls for wireless networks can be categorized into three groups: management, operational, and _______ controls.
technical
Managers at a consumer products company purchased personal computer software from only recognized vendors and prohibited employees from installing nonauthorized software on their personal computers by enforcing a new end-user computing policy. To minimize the likelihood of computer viruses infecting any of its systems, the company should also: -institute program change control procedures. -recompile infected programs from source code backups. -restore infected systems with authorized versions. -test all new software on a stand-alone personal computer.
test all new software on a stand-alone personal computer.
One important operating system control is to protect the OS from ______ applications, which must not be able to gain control of or damage the operating system.
user / users / user's
A data ______ is a centralized collection of firm-wide data for a relatively long period of time.
warehouse
The data in a data ______ are pulled periodically from each of the operational databases (ranging from a couple of times a day to once a year) and often maintained for 5 to 10 years.
warehouse