AIS Exam 2 Ch 4, 7, 8
Using a file-oriented approach to data and information, data is maintained in a. many interconnected files. b. a decentralized database. c. many separate files. d. a centralized database.
c. many separate files.
Which of the following is an example of a detective control? a. Physical access controls. b. Encryption. c. Incident response teams. d. Continuous monitoring.
d. Continuous monitoring.
Duplicate checking of calculations and preparing bank reconciliations and monthly trial balances are examples of what type of control? a. Preventive control b. Corrective control c. Authorization control d. Detective control
d. Detective control
Identify one potential outcome of the update anomaly. a. unintentional loss of data b. None of these c. inability to add new data d. inconsistent data
d. inconsistent data
Which of the following combinations of credentials is an example of multifactor authentication? A. Voice recognition and a fingerprint reader B. A PIN and an ATM card C. A password and a user ID D. All of the above
A PIN and an ATM card
Which of the following is a corrective control designed to fix vulnerabilities? A. Virtualization B. Patch management C. Penetration testing D. Authorization
Patch management
A well-known hacker started her own computer security consulting business. Many companies pay her to attempt to gain unauthorized access to their network. If she is successful, she offers advice as to how to design and implement better controls. What is the name of the testing for which the hacker is being paid? A. Penetration test B. Vulnerability scan C. Deep packet inspection D. Buffer overflow test
Penetration test
The problem of changes being incorrectly recorded in a database is known as a. an update anomaly. b. an insert anomaly. c. a memory anomaly. d. a delete anomaly.
a. an update anomaly.
The use of a data warehouse in strategic decision making is often referred to as a. business intelligence. b. analytical modeling. c. data analysis. d. managerial accounting.
a. business intelligence.
The ________ is responsible for the database. a. database administrator b. data coordinator c. database master d. database manager
a. database administrator
In a well-structured relational database, a. every column in a row must be single valued. b. one table must be related to all other tables. c. foreign keys cannot be null. d. there must be at least two foreign keys.
a. every column in a row must be single valued.
File-oriented approaches create problems for organizations because of a. multiple master files. b. multiple transaction files. c. multiple users. d. a lack of sophisticated file maintenance software.
a. multiple master files.
The definition of the lines of authority and responsibility and the overall framework for planning, directing, and controlling is laid out by the a. organizational structure. b. internal environment. c. budget framework. d. control activities.
a. organizational structure.
Emma Kolb is a system analyst at a manufacturing company located in the Midwest. She has been asked to analyze the company's accounting information system and to recommend cost-effective improvements. After noting that the same production files have been saved and stored independently on several databases, she recommends that they be stored only once. Implementation of her recommendation would benefit the company by contributing to a. reduce data redundancy. b. data independence. c. data integration. d. increase data sharing.
a. reduce data redundancy.
The steps that criminals take to find known vulnerabilities and learn how to take advantage of those vulnerabilities are called a. research. b. social engineering. c. reconnaissance. d. scanning and mapping the target.
a. research.
As a result of an internal risk assessment, Berryhill Insurance decided it was no longer profitable to provide flood insurance in the southern states. Berryhill apparently chose to ________ the risk of paying flood claims in the southern states. A. reduce B. share C. avoid D. accept
avoid
Which of the following is false regarding a well-structured relational database? a. All nonkey attributes in a table must describe a characteristic of the object identified by the primary key. b. A foreign key cannot be null. c. A primary key cannot be null. d. Every column in a row must be single valued.
b. A foreign key cannot be null.
Effective segregation of accounting duties is achieved when which of the following functions are separated? a. Authorization, monitoring, and risk assessment. b. Authorization, recording, and custody. c. Recording, risk assessment, and control procedures. d. Recording, monitoring, and information system.
b. Authorization, recording, and custody.
The principle of holding individuals accountable for their internal control responsibilities in pursuit of objectives belongs to which of the COSO Internal Control Model's components? a. Control activities. b. Control environment. c. Risk assessment. d. Information and communication.
b. Control environment.
Mara Kay is a system analyst for a national department store. She was tasked to identify previously unknown relationships in the company's sales data that can be used in future promotions. What technique would Mara most likely use? a. Data exploring b. Data mining c. Customer resource management d. Customer auditing
b. Data mining
________ in a well-structured relational database. a. Every table must be related to all other tables b. Every table must be related to at least one other table c. One table must be related to all other tables d. One table must be related to at least one other table
b. Every table must be related to at least one other table
Which of the following is not one of the three fundamental information security concepts? a. The time-based model of security focuses on the relationship between preventive, detective and corrective controls. b. Information security is a technology issue based on prevention. c. The idea of defense-in-depth employs multiple layers of controls. d. Security is a management issue, not a technology issue.
b. Information security is a technology issue based on prevention.
________ is the risk that exists before management takes any steps to mitigate it. a. Risk assessment b. Inherent risk c. Residual risk d. Risk appetite
b. Inherent risk
Why are threats to accounting information systems increasing? a. Many companies have invested significant resources to protect their assets. b. Many companies do not realize that data security is crucial to their survival. c. Computer control problems are often overestimated and overly emphasized by management. d. Many companies believe that protecting information is a vital strategic requirement.
b. Many companies do not realize that data security is crucial to their survival.
The COSO Enterprise Risk Management Integrated Framework stresses that a. risk management is the sole responsibility of top management. b. risk management activities are an inherent part of all business operations and should be considered during strategy setting. c. effective risk management is comprised of just three interrelated components: internal environment, risk assessment, and control activities. d. risk management policies, if enforced, guarantee achievement of corporate objectives.
b. risk management activities are an inherent part of all business operations and should be considered during strategy setting.
The steps that criminals take to trick an unsuspecting employee into granting them access are called a. scanning and mapping the target. b. social engineering. c. research. d. reconnaissance.
b. social engineering.
The purpose of the COSO Enterprise Risk Management framework is a. to improve the organization's internal audit process. b. to improve the organization's risk management process. c. to improve the organization's financial reporting process. d. to improve the organization's manufacturing process.
b. to improve the organization's risk management process.
Identify one potential outcome of the delete anomaly. a. inconsistent data b. unintentional loss of data c. None of these d. inability to add new data
b. unintentional loss of data
The process that uses automated tools to identify whether a system possesses any well-known security problems is known as a(n) a. penetration test. b. vulnerability scan. c. log analysis. d. intrusion detection system.
b. vulnerability scan.
Identify the statement below which is not a useful control procedure regarding access to system outputs. a. Restricting access to rooms with printers. b. Coding reports to reflect their importance. c. Allowing visitors to move through the building without supervision. d. Requiring employees to log out of applications when leaving their desk.
c. Allowing visitors to move through the building without supervision.
The principle of obtaining or generating relevant, high-quality information to support internal control belongs to which of the COSO Internal Control Model's components? a. Control activities. b. Risk assessment. c. Information and communication. d. Control environment.
c. Information and communication.
________ is not a risk response identified in the COSO Enterprise Risk Management Framework. a. Sharing b. Acceptance c. Monitoring d. Avoidance
c. Monitoring
________ is an authorized attempt by an internal audit team or an external security consultant to attempt to break into the organization's information system. a. Vulnerability test b. Intrusion test c. Penetration test d. Log analysis test
c. Penetration test
The principle of identifying and assessing changes that could significantly impact the system of internal control belongs to which of the COSO Internal Control Model's components? a. Control activities. b. Control environment. c. Risk assessment. d. Information and communication.
c. Risk assessment.
Upon acquiring a new computer operating system, management at Berryhill worried that a computer virus might cripple the company's operation. Despite the concern, management did not think that the risk was high enough to justify the purchase of anti-virus software. Berryhill chose to ________ the risk of being crippled by a computer virus. a. share b. avoid c. accept d. reduce
c. accept
How do users retrieve data stored in a database? a. by viewing the appropriate data tables b. by specifying the primary keys c. by executing a query d. by performing a search
c. by executing a query
What acts as an interface between the database and the various application programs? a. database system b. database administrator c. database management system d. data warehouse
c. database management system
An attribute in a table that serves as a unique identifier in another table and is used to link the two tables is a a. primary key. b. relational key. c. foreign key. d. linkage key.
c. foreign key.
According to The Sarbanes-Oxley Act of 2002, the audit committee of the board of directors is directly responsible for a. performing tests of the company's internal control structure. b. certifying the accuracy of the company's financial reporting process. c. hiring and firing the external auditors. d. overseeing day-to-day operations of the internal audit department.
c. hiring and firing the external auditors.
Inability to add new data to a database without violating the basic integrity of the database is referred to as the a. update anomaly. b. integrity anomaly. c. insert anomaly. d. delete anomaly.
c. insert anomaly.
Multi-factor authentication a. requires the use of more than one effective password. b. provides weaker authentication than the use of effective passwords. c. involves the use of two or more basic authentication methods. d. is a table specifying which portions of the systems users are permitted to access.
c. involves the use of two or more basic authentication methods.
According to the Trust Services Framework, the reliability principle of availability is achieved when the system produces data that a. can be maintained as required without affecting system availability, security, and integrity. b. is protected against unauthorized physical and logical access. c. is available for operation and use at times set forth by agreement. d. is complete, accurate, and valid.
c. is available for operation and use at times set forth by agreement.
According to the Trust Services Framework, the reliability principle of integrity is achieved when the system produces data that a. is available for operation and use at times set forth by agreement. b. is protected against unauthorized physical and logical access. c. is complete, accurate, and valid. d. can be maintained as required without affecting system availability, security, and integrity.
c. is complete, accurate, and valid.
A control procedure designed so that the employee that records cash received from customers does not also have access to the cash itself is an example of a(n) a. corrective control. b. authorization control. c. preventive control. d. detective control.
c. preventive control.
The steps that criminals take to study their target's physical layout to learn about the controls it has in place are called a. research. b. scanning and mapping the target. c. reconnaissance. d. social engineering.
c. reconnaissance.
The steps that criminals take to identify potential points of remote entry are called a. social engineering. b. reconnaissance. c. scanning and mapping the target. d. research.
c. scanning and mapping the target.
Identify the aspect of a well-structured database that is incorrect. a. Redundancy is minimized and controlled. b. Data is consistent. c. The primary key of any row in a relation cannot be null. d. All data is stored in one table or relation.
d. All data is stored in one table or relation.
Which of the following is not a basic principle of the COSO ERM framework? a. Uncertainty results in risk. b. Management must decide how much uncertainty it will accept to create value. c. Uncertainty results in opportunity. d. Companies are formed to create value for society.
d. Companies are formed to create value for society.
The principle of selecting and developing controls that might help mitigate risks to an acceptable level belongs to which of the COSO Internal Control Model's components? a. Information and communication. b. Control environment. c. Risk assessment. d. Control activities
d. Control activities
Maintaining backup copies of files, correcting data entry errors, and resubmitting transactions for subsequent processing are examples of what type of control? a. Detective control b. Preventive control c. Authorization control d. Corrective control
d. Corrective control
Which of the following is an example of a corrective control? a. Encryption. b. Intrusion detection. c. Physical access controls. d. Incident response teams.
d. Incident response teams.
Verifying the identity of the person or device attempting to access the system is an example of a. authorization. b. threat monitoring. c. identification. d. authentication.
d. authentication.
The Trust Services Framework reliability principle that states that users must be able to enter, update, and retrieve data during agreed-upon times is known as a. integrity. b. security. c. maintainability. d. availability.
d. availability.
According to the ERM model, ________ help the company address all applicable laws and regulations. a. reporting objectives b. strategic objectives c. operations objectives d. compliance objectives
d. compliance objectives
According to the Trust Services Framework, the confidentiality principle of integrity is achieved when the system produces data that a. can be maintained as required without affecting system availability, security, and integrity. b. is available for operation and use at times set forth by agreement. c. is complete, accurate, and valid. d. is protected against unauthorized physical and logical access.
d. is protected against unauthorized physical and logical access.
The technique of using queries to investigate hypothesized relationships among data is called a. business intelligence. b. data mining. c. data analysis. d. online analytical processing.
d. online analytical processing.
According to the ERM model, ________ help to deal with the effectiveness and efficiency of company operations, such as performance and profitability goals. a. strategic objectives b. compliance objectives c. reporting objectives d. operations objectives
d. operations objectives
Information security procedures protect information integrity by a. making it impossible for unauthorized users to access the system. b. making the system more efficient. c. reducing the system cost. d. preventing fictitious transactions.
d. preventing fictitious transactions.
The problem of losing desired information from a database when an unwanted record is purged from the database is referred to as the ________ anomaly. A. purge B. erase C. delete D. integrity
delete
Emma Kolb is a system analyst at a manufacturing company located in the Midwest. She has been asked to analyze the company's accounting information system and to recommend cost-effective improvements. After noting that several key managers do not have access to the production and sales information, she recommends that it be uploaded to the company's internal network and be made available for search. Implementation of her recommendation would benefit the company by contributing to A. data independence. B. data integration. C. reduce data redundancy. D. increase data sharing.
increase data sharing.
Using a file-oriented approach to data and information, data is maintained in A. a centralized database. B. many interconnected files. C. many separate files. D. a decentralized database.
many separate files.
The technique of using queries to investigate hypothesized relationships among data is called A. business intelligence. B. online analytical processing. C. data analysis. D. data mining.
online analytical processing
To ensure compliance with copyrights and to protect itself from software piracy lawsuits, companies should ________. A. periodically conduct software audits B. update the operating system frequently C. buy software from legitimate suppliers D. adopt cloud operating platforms
periodically conduct software audits
The purpose of the COSO Enterprise Risk Management framework is A. to improve the organization's risk management process. B. to improve the organization's financial reporting process. C. to improve the organization's manufacturing process. D. to improve the organization's internal audit process.
to improve the organization's risk management process.
The primary purpose of the Foreign Corrupt Practices Act of 1977 was A. to require corporations to maintain a good system of internal control. B. to prevent the bribery of foreign officials by American companies. C. to require the reporting of any material fraud by a business. D. All of the above are required by the act.
to prevent the bribery of foreign officials by American companies.
Which of the following attributes would most likely be a primary key? A. Supplier name B. Supplier number C. Supplier zip code D. Supplier account balance
Supplier number
The relational data model portrays data being stored in ____________ . A. Hierarchies B. Tables C. Objects D. Files
Tables
The amount of risk a company is willing to accept in order to achieve its goals and objectives is a. risk assessment. b. risk appetite. c. residual risk. d. inherent risk.
b. risk appetite.
The Trust Services Framework reliability principle that states access to the system and its data should be accessible to meet operational and contractual obligations to legitimate users is known as A. Availability B. Security C. Privacy D. Integrity
Availability
Which of the following is a preventive control? A. Training B. Log analysis C. CIRT D. Virtualization
Training
Compatibility tests utilize a(n) ________, which is a list of authorized users, programs, and data files the users are authorized to access or manipulate. A. Validity test B. Biometric matrix C. Logical control matrix D. Access control matrix
Access control matrix
The control procedure designed to restrict what portions of an information system an employee can access and what actions he or she can perform is called _____________ . A. Authentication B. Authorization C. Intrusion prevention D. Intrusion detection
Authorization
To achieve effective segregation of duties, certain functions must be separated. Which of the following is the correct listing of the accounting-related functions that must be segregated? A. Control, recording, and monitoring. B. Authorization, recording, and custody. C. Control, custody, and authorization. D. Monitoring, recording, and planning.
Authorization, recording, and custody.
The Trust Services Framework reliability principle that states sensitive information be protected from unauthorized disclosure is known as A. Availability B. Security C. Confidentiality D. Integrity
Confidentiality
A border router A. Routes electronic communications within an organization B. Connects an organization's information system to the Internet C. Permits controlled access from the Internet to selected resources D. Serves as the main firewall
Connects an organization's information system to the Internet
Which of the following attributes in the Cash Receipts table would most likely be a foreign key? A. Cash receipt number B. Customer check number C. Customer number D. Cash receipt date
Customer number
If the time an attacker takes to break through the organization's preventive controls is greater than the sum of the time required to detect the attack and the time required to respond to the attack, then security is A. Effective B. Ineffective C. Overdone D. Undermanaged
Effective
Identify one aspect of systems reliability that is not a source of concern with regards to a public cloud. A. Confidentiality B. Privacy C. Efficiency D. Availability
Efficiency
Which of the following elements link rows in one table to rows in another table? A. Primary keys B. Foreign keys C. Semantic keys D. Link keys
Foreign keys
Internal controls are often segregated into A. Detective controls and preventive controls. B. General controls and application controls. C. Process controls and general controls. D. System controls and application controls.
General controls and application controls.
The largest difference between the COSO Integrated Control (IC) framework and the COSO Enterprise Risk Management (ERM) framework is A. IC is controls-based, while the ERM is risk-based. B. IC is risk-based, while ERM is controls-based. C. IC is required, while ERM is optional. D. IC is more applicable to international accounting standards, while ERM is more applicable to generally accepted accounting principles.
IC is controls-based, while the ERM is risk-based.
Which component of the COSO Enterprise Risk Management Integrated Framework is concerned with understanding how transactions are initiated, data are captured and processed, and information is reported? A. Information and communication. B. Internal environment. C. Event identification. D. Objective setting.
Information and communication.
COSO identified five interrelated components of internal control. Which of the following is NOT one of those five? A. Risk Assessment. B. Internal Controls Policies. C. Monitoring. D. Information and Communication.
Internal Controls Policies.
Which statement is true regarding file systems? A. Transaction files are similar to ledgers in a manual AIS. B. Multiple master files create problems with data consistency. C. Transaction files are permanent. D. Individual records are never deleted in a master file.
Multiple master files create problems with data consistency.
All other things being equal, which of the following is true? A. Detective Controls are superior to preventive controls. B. Corrective controls are superior to preventive controls. C. Preventive controls are equivalent to detective controls. D. Preventive controls are superior to detective controls.
Preventive controls are superior to detective controls.
Identify the statement below that is false with regards to basic requirements of a relational database model. A. Primary keys can be null. B. Foreign keys, if not null, must have values that correspond to the value of a primary key in another table. C. All non-key attributes in a table should describe a characteristic about the object identified by the primary key. D. Every column in a row must be single-valued.
Primary keys can be null.
Which is probably the most immediate and significant effect of database technology on accounting? A. Replacement of the double entry-system. B. Change in the nature of financial reporting. C. Elimination of traditional records such as journals and ledgers. D. Quicker access to and greater use of accounting information in decision-making.
Quicker access to and greater use of accounting information in decision-making.
An accounting policy that requires a purchasing manager to sign off on all purchases over $10,000 is an example of A. General authorization. B. Specific authorization. C. Management authorization. D. Generic authorization.
Specific authorization.
Which of the following is not one of the essential criteria for successfully implementing each of the principles that contribute to systems reliability, as discussed in the Trust Services Framework? a. Effectively communicating policies to all outsiders. b. Developing and documenting policies. c. Designing and employing appropriate control procedures to implement policies. d. Monitoring the system and taking corrective action to maintain compliance with policies.
a. Effectively communicating policies to all outsiders.
Which of the following is not a component of the COSO Enterprise Risk Management Integrated Framework (ERM)? a. Ethical culture. b. Control environment. c. Risk assessment. d. Monitoring.
a. Ethical culture.
Congress passed this federal law for the purpose of preventing financial statement fraud, to make financial reports more transparent and to strengthen the internal control of public companies. a. The Securities Exchange Act of 1934 b. The Sarbanes-Oxley Act of 2002 c. Foreign Corrupt Practices Act of 1977 d. The Securities Exchange Act of 1933
b. The Sarbanes-Oxley Act of 2002
The Sarbanes-Oxley Act (SOX) applies to a. publicly traded companies with gross annual revenues exceeding $500 million. b. all publicly traded companies. c. all private and public companies incorporated in the United States. d. all companies with gross annual revenues exceeding $500 million.
b. all publicly traded companies.
Which type of control prevents, detects, and corrects transaction errors and fraud? a. general b. application c. detective d. preventive
b. application
Restricting access of users to specific portions of the system as well as specific tasks, is an example of a. threat monitoring. b. authorization. c. identification. d. authentication.
b. authorization.
New employees of Baker Technologies are assigned user names and appropriate permissions. Each of them was given a company-issued laptop that has an integrated fingerprint reader. In order to log in, the user's fingerprint must be recognized by the reader. This is an example of a(n) a. authorization control. b. biometric device. c. defense in depth. d. remote access control.
b. biometric device.
All of the following are benefits of the database approach except a. minimal data redundancy. b. decentralized management of data. c. data integration and sharing. d. cross-functional analysis and reporting.
b. decentralized management of data.
A special purpose hardware device or software running on a general purpose computer, which filters information that is allowed to enter and leave the organization's information system, is known as a(n) a. demilitarized zone. b. firewall. c. intrusion detection system. d. intrusion prevention system.
b. firewall.
Which type of control is associated with making sure an organization's control environment is stable? a. preventive b. general c. application d. detective
b. general
Emma Kolb is a system analyst at a manufacturing company located in the Midwest. She has been asked to analyze the company's accounting information system and to recommend cost-effective improvements. After noting that the production and sales departments use database systems that are entirely separated, she recommends that they be combined. Implementation of her recommendation would benefit the company by contributing to data a. qualifications. b. integration. c. independence. d. redundancy.
b. integration.
An access control matrix a. matches the user's authentication credentials to his authorization. b. is a table specifying which portions of the system users are permitted to access. c. is used to implement authentication controls. d. is the process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform.
b. is a table specifying which portions of the system users are permitted to access.