AIS test 4

Ace your homework & exams now with Quizwiz!

28) A manufacturing firm identified that it would have difficulty sourcing raw materials locally, so it decided to relocate its production facilities. According to COSO, this decision represents which of the following response to the risk? A) Risk reduction. B) Prospect theory. C) Risk sharing. D) Risk acceptance.

A

32) The Public Company Accounting Oversight Board (PCAOB) is not responsible for standards related to: A) Accounting practice. B) Attestation. C) Auditing. D) Quality control over attestation and/or assurance.

A

34) According to COSO which of the following is not a component of internal control? A) Control risk. B) Control activities. C) Monitoring. D) Control environment.

A

39) Reconciliation of cash accounts may be referred to as what type of control? A) Detective. B) Preventive. C) Adjustive. D) Non-routine.

A

42) A customer intended to order 100 units of a product A, | but incorrectly ordered nonexistent product B. Which of the following controls most likely would detect this error? A) Validity check B) Record count C) Hash total D) Parity check

A

50) In a computerized environment, internal controls can be categorized into which of the following? A) General controls and application controls. B) Detective controls and protective controls. C) Network controls and transaction controls. D) Preventive controls and mandatory controls.

A

55) Which of the following statements is true regarding risk management and vulnerability management? A) They both have the objective of reducing the likelihood that detrimental events occur. B) Risk management is often conducted using an IT asset-based approach. C) Vulnerability management is more complex and strategic. D) Both approaches involve processes that typically take many months or years to complete.

A

In addition to focusing on controls, COBIT 5 expands its scope by incorporating which of the following broad perpsectives? A) How IT brings value to the firm. B) How IT can automate specific business processess. C) IT networking requirements. D) IT cost reductions.

A

The COSO ERM framework encourages a review of risks as they apply to achieving firms' objectives. Which of the following is not one of the listed categories of objectives to be considered? A) Environment. B) Operations. C) Strategic. D) Compliance.

A

Which of the following IT controls would best prevent a currency trader from concealing his/her trading errors? A) End user access to source code. B) Multifactor authentication. C) Symmetric encryption. D) Use of a private key.

A

Which of the following does not represent a viable data backup method? A) Disaster recovery plan. B) Redundant arrays of independent drives. C) Virtualization. D) Cloud computing.

A

Which of the following is a password security weakness? A) Users are assigned passwords when accounts are created, but do not change them. B) Users have accounts on several systems with different passwords. C) Users write down their passwords on a note paper, and carry it with them. D) Users select passwords that are not part of an online password dictionary.

A

Which of the following is not an example of vulnerability within the process of IT operations? A) Software not patched. B) Inappropriate data classification. C) Ineffective training. D) Poor firewall rules.

A

Which of the following represents a residual risk for a services company? A) Two employees are colluding to facilitate theft. B) All checks require two signatures. C) Bank accounts are reconciled weekly. D) A manager reviews all account reconciliations.

A

Which of the following represents an application control for a customer sale? A. The customer name must be populated B. Accounts are reconciled C. A manager reviews all return transactions D. Procedures are documented

A

Which of the following statements is most accurate with regard to business continuity management (BCM) and disaster recovery planning (DRP)? A) DRP is an important component of BCM. B) BCM and DRP should be considered independently of each other. C) BCM is an important component of DRP. D) DRP should be considered as optional, while BCM should be considered as necessary.

A

26) Which of the following statement is correct regarding internal control? A) A well-designed internal control environment ensures the achievement of an entity's control objectives. B) An inherent limitation to internal control is the fact that controls can be circumvented by management override. C) A well-designed and operated internal control environment should detect collusion perpetrated by two people. D) Internal control in a necessary business function and should be designed and operated to detect errors and fraud.

B

27) All of the following are the primary functions of internal controls except : A) Prevention. B) Reflection. C) Detection. D) Correction.

B

38) The internal control provisions of SOX apply to which companies in the United States? A) All companies. B) SEC registrants. C) All issuer (public) companies and nonissuer (nonpublic) companies with more than $100,000,000 of net worth. D) All nonissuer companies.

B

41) Tracing shipping documents to pre-numbered sales invoices provides evidence that: A) No duplicate shipments or billings occurred. B) Shipments to customers were properly invoiced. C) All goods ordered by customers were shipped. D) All pre-numbered sales invoices were accounted for.

B

46) Ethical principals are derived from all of the following except: A) Personal attitudes on issues of right and wrong. B) Cost benefit analysis. C) Cultural values. D) Societal traditions.

B

51) According to COSO ERM, which of the following is not one of the bases that should be used to analyze the risks of an identified event? A) Inherent risk. B) Organizational risk. C) Residual risk. D) Control risk.

B

53) Which of the following best illustrates the use of multifactor authentication? A) Requiring password changes every 30, 60, or 90 days. B) Requiring the use of a smart card and a password. C) Requiring the use of upper case, lower case, numeric, and special characters for a password. D) The use cess to a device.

B

56) Which of the following describes the recommended prerequisites for managing vulnerabilities? A) Implement the COSO ERM framework, and identify key vulnerabilities. B) Determine the main objective of vulnerability management, and assign roles and responsibilities. C) Identify the key vulnerabilities, and implement appropriate controls to minimize the vulnerabilities. D) Implement suitable controls, and assess those controls for potential vulnerabilities.

B

According to COSO 2013, which of the following components of the enterprise risk management addresses an entity's integrity and ethical values? A) Information and communication. B) Internal environment. C) Risk assessment. D) Control activities.

B

An information technology director collected the names and locations of key vendors, current hardware configuration, names of team members, and an alternative processing location. What is the director most likely preparing? A) Data restoration plan. B) Disaster recovery plan. C) System security policy. D) System hardware policy.

B

If a Chief Technology Officer wanted to ensure a new system had appropriate input controls which of the following would he/she require? A) Disposal of documents. B) Access control. C) Sequence checks. D) URL Class diagram.

B

In the event identification component of the COSO ERM framework, management must classify events into which of the following? A) Weaknesses and vulnerabilities. B) Risks and opportunities. C) Risks and rewards. Đ) Contrels and vumerabnies.

B

Review of the audit log is an example of which of the following types of security control? A) Governance. B) Detective. C) Preventive. D) Corrective.

B

Select a correct statement regarding a hashing process. A) It is reversible. B) The outcome is a message digest. C) It is not necessary to use a hashing process in creating a digital signature. D) It is used for authentication.

B

To prevent invalid data input, a bank added an extra number at the end of each account number and subjected the new number to an algorithm. This technique is known as: A) A validation check. B) check digit verification. C) A dependency check. D) A format check.

B

What is the primary objective of data security controls? A) To establish a framework for controlling the design, security, and use of computer programs throughout an organization. B) To ensure that data storage media are subject to authorization prior to access, change, or destruction. C) To formalize standard, rules, and procedures to ensure the organization's control are properly executed. D) To monitor the use of system software to prevent unauthorized access to system software and computer programs.

B

When computer programs or files can be accessed from terminals, users should be required to enter a(n): A) Parity check . B) Password as a personal identification code. C) Check digit. D) Echo check.

B

Which of the following IT controls would best prevent a developer from inappropriately accessing the system? A) Forced password changes. B) Secondary code review. C) Symmetric encryption. D) Lack of authentication.

B

Which of the following controls would most likely assure that a company can reconstruct its financial records? A) Security controls such as firewalls. B) Backup data are tested and stored safely. C) Personnel understand the data very well. D) Paper records.

B

Which of the following describes the primary goals of the CIA approach to information security management? A) Controls, Innovation, Analysis. B) Confidentiality, Integrity, Availability. C) Convenience, Integrity, Awareness. D) Confidentiality, Innovation, Availability.

B

Which of the following is considered an application input control? A) Run control total. B) Edit check. C) Reporting distribution log. D) Exception report

B

Which of the following is considered an application input control? A) Run control total. B) Edit check. C) Reporting distribution log. D)Pyrntiou renoT

B

Which of the following is not an example of a physical security vulnerability? A) Unescorted visitors on the premises. B) Poor choice of passwords. C) Lack of a smoke detector in the room housing servers. D) Lack of disaster recovery plan.

B

Which of the following is not an example of a vulnerability within an Information System? A) Outdated intrusion detection/prevention system. B) Lack of a disaster recovery plan. C) Improper system configuration. D) Failure to audit and terminate unused accounts in a timely manner.

B

Which of the following provides the advantage of incorporating other widely accepted standards and frameworks? A) ITIL. B) COBIT 2019. C) COSO 2013. D) ISO 27000.

B

Which of the following represents an inherent risk for financial institution? A) Bank reconciliations are not performed on a timely basis. B) The economy goes into a recession. C) Customer credit check not performed. D) An error occurs in a loạn loss calculation.

B

Which of the following statements regarding authentication in conducting e-business incorrect? A) It is a process that establishes the origin of information or determines the identity of a user, process, or device. B) Only one key is used for encryption and decryption purposes in the authentication process. C) Successful authentication can prevent repudiation in electronic transactions. D) We need to use asymmetric-key encryption to authenticate the sender of a document or data set.

B

29) Each of the following types of controls is considered to be an entity-level control, except those: A) Relating to the control environment. B) Pertaining to the company's risk assessment process. C) Regarding the company's annual stockholder meeting. D) Addressing policies over significant risk management practices.

C

31) All of the following are examples of internal control procedures except A) Using pre-numbered documents B) Reconciling the bank statement C) Processing customer satisfaction surveys D) Insistence that employees take vacations

C

35) The overall attitude and awareness of a firm's top management and board of directors concerning the importance of internal control is often reflected in its: A) Computer-based controls. B) System of segregation of duties. C) Control environment. D) Safeguards over access to assets.

C

36) According to AS 5, control risk should be assessed in terms of A) Specific controls. B) Types of potential fraud. C) Financial statement assertions. D) Control environment factors.

C

40) Sound internal control dictates that immediately upon receiving checks from customers by mail, a responsible employee should A) Add the checks to the daily cash summary. B) Verify that each check is supported by a pre-numbered sales invoice. C) Prepare a summary listing of checks received. D) Record the checks in the cash receipts journal.

C

43) Which of the following is an example of a validity check? A) The computer ensures that a numerical amount in a record does not exceed some predetermined amount. B) As the computer corrects errors and data are successfully resubmitted to the system, the causes of the errors are printed out. C) The computer flags any transmission for which the control field value did not match that of an existing file record. D) After data for a transaction are entered, the compur sends certain data back to the terminal for comparison with data originally sent.

C

45) Which of the following is not a component of COSO ERM 2017? A) Information communication and reporting. B) Strategy and objective setting. C) Control activities. D) Review and revision.

C

47) Which of the following best describes why firms choose to create codes of ethics? A) Because most people will not behave ethically without a written set of guidelines. B) Codes of ethics protect firms against lawsuits that may be filed due to corporate fraud. C) They allow firms to create a formal set of expectations for employees who may have different sets of personal values. D) Companies must have a written code of ethics in order to conduct interstate commerce in the U.S.

C

49) The Sarbanes-Oxley Act (SOX) was passed as a response to which of the following events? A) The savings & loan scandals of the 1980s. B) The bust of dot-com bubble companies such as pets.com and Webvan. C) Corporate reporting scandals by companies such as WorldCom, Enron, and Tyco. D) Securities manipulation and insider trading in the 1930s.

C

49) Which of the following is not one of the common techniques for information security risks and attacks? A) Spam. B) Botnet. C) TraceRT. D) Social Engineering.

C

51) Asymmetric-key encryption uses which of the following techniques to allow users to communicate securely? A) A message digest. B) A 16-bit encryption key. C) A public key and a private key. D) A digital signature.

C

53) If a Chief Technology Officer wanted to ensure a new system had appropriate processing controls which of the following would he/she require? A) Disposal of excess documents. B) URL Class diagram. C) A record count. D) Password management.

C

60) A RAID array implemented in a data center is an example of which of the following? A) Virtualization. B) Uninterruptible power supply. C) Fault tolerance. D) SOC 3.

C

Bacchus, Inc. is a large multinational corporation with various business units around the world. After a fire destroyed the corporation headquarters and largest manufacturing site, plans for which of the following would help Bacchus ensure a timely recovery? A) Daily backup. B) Network security. C) Business continuity. D) Backup power.

C

COBIT framework takes the view that all IT processes should provide clear links between all of the following except: A) IT processes. B) IT controls. C) IT components. D) IT governance requirements.

C

The ISO 27000 Series of standards are designed to address which of the following? A) Corporate governance. B) Internal controls. C) Information security issues. D) IT value.

C

When client's accounts payable computer system was relocated, the administrator provided support through a dial-up connection to server. Subsequently, the administrator left the company. No changes were made to the accounts payable system at that time. Which of the following situations represents the greatest security risk? A) User passwords are not required to the in alpha-numeric format. B) Management procedures for user accounts are not documented. C) User accounts are not removed upon termination of employees. D) Security logs are not periodically reviewed for violations.

C

Which of the following is not a component of internal control as defined by COSO? A) Control environment. B) Control activities. C) Inherent risk. D) Monitoring.

C

Which of the following is not included in the remediation phase for vulnerability management? A) Risk Response Plan. B) Policy and procedures for remediation. C) Vulnerability Prioritization. D) Control Implementation.

C

Which of the following is not one of the key COBIT 5 principles for governance and amangement of enterprise IT? A) Enabling a holistic approach. B) Meeting stakeholder needs. C) Separating management from shareholders. D) Applying an integrated framework.

C

Which of the following is not one of the main components of vulnerability management and assessment? A) Identification. B) Remediation. C) Internalization. D) Maintenance,

C

Which of the following is not one of the responses to risk presented in COSO ERM? A. Share the risk B. Accept the risk C. Elimnate the risk D. Reduce the risk

C

Which of the following items is one of the eight components of COSO's enterprise risk management 2004 framework? A) Operations. B) Reporting. C) Monitoring. D) Compliance.

C

Why do Certificate Authority (CA) play an important role in a company's information security management? A) Using a CA is required by SOX in managing information security. B) A CA is responsible to generate session keys for encryption purposes. C) Most companies use CA to manage their employees public keys. D) CA creates and maintains both the public and private keys for a company's employees.

C

30) Controls in the information technology area are classified into preventive, detective, and corrective categories. Which of the following is preventive control? A) Contingency planning. B) Hash total. C) Echo check. D) Access control software.

D

32) Which of the following statements is incorrect? A) A fraud prevention program starts with a fraud risk assessment across the entire firm B) The audit committee typically has an oversight role in risk assessment process C) Communicating a firm's policy file to employees is one of the most important responsibilities of management D) A fraud prevention program should include an evaluation on the efficiency of business processes.

D

37) The framework to be used by management in its internal control assessment under requirements of SOX is the: A) COSO internal control framework. B) COSO enterprise risk management framework. C) COBIT framework. D) All of the choices are correct.

D

48) Which of the following best describes what is meant by corporate governance? A) The organizational structure and responsibilities of the executive team and board of directors of a corporation. B) Regulatory bodies, such as the SEC and PCAOB, that govern the behavior of corporations. C) The ability of a corporation's management team to meet earnings forecasts over an extended period of time. D) Management's processes, policies, and ethical approach to safeguarding stakeholder interests.

D

A Public Key Infrastructure (PKI) provides the ability to do which of the following? A) Encrypt messages using a private key. B) Enable debit and credit card transactions. C) Read plaintext. D) Issue, maintain, and revoke digital certificates.

D

An entity doing business on the internet most likely could use any of the following methods to prevent unauthorized intruders from accessing proprietary information except: A) Password management. B) Data encryption. C) Digital certificates. D) Batch processing.

D

Encryption is a control that changes plain text into which of the following? A) Cyberspace. В) Crуptext. C) Mnemonic code. D) Cyphertext.

D

For businesses considering a cloud computing solution, which of the following should they ask the cloud vendor to provide before entering into a contract for critical business operations? A) FASB 51 Report. B) Audit Report. C) SAS 3 Report. D) SOC 2 Report.

D

In general, the goal of information security management is to protect all of the following except: A) Confidentiality. B) Integrity. C) Availability. D) Redundancy.

D

Select a correct statement regarding encryption methods? A) To use symmetric-key encryption, each user needs two different keys. B) Most companies prefer using symmetric-key encryption than asymmetric-key encryption method. C) Both symmetric-key and asymmetric-key encryption methods require the involvement of a certificate authority. D) When conducting e-business, most companies use both symmetric-key and asymmetric-key encryption methods.

D

The IT Infrastructure Libarary (ITIL) is considered a de facto standard in which of the following regions? A) Asia and Australia. B) North America. C) The UK. D) Europe.

D

What could result from the failure to audit and terminate unused accounts in a timely manner? A) A disgruntled employee may send out phishing emails. B) A SOC I report will be generated. C) Computer hardware may be taken off premises. D) A disgruntled employee may tamper with company applications.

D

Which of the following control activities should be taken to reduce the risk of incorrect processing in a newly installed computerized accounting system? A) Segregation of duties. B) Ensure proper authorization of transactions. C) Adequately safeguard assets. D) Independently verify the transactions.

D

Which of the following is the best way to compensate for the lack of adequate segregation of duties in a small organization? A) Disclosing lack of segregation of duties to external auditors during the annual review. B) Replacing personnel every three or four years. C) Requiring accountants to pass a yearly background check. D) Providing greater management oversight of incompatible activities.

D

Which of the following represents a control risk for a retail business? A) Bank reconciliations are not performed on a timely basis. B) Two employees are colluding to facilitate theft. C) There are many competitors in the region. D) A bank reconciliation is not performed correctly.

D

Which of the following statements about asymmetric- key encryption is correct? A) When using asymmetric-key encryption method, a total of two keys are necessary in electronic communication between two parties. B) Employees in the same company share the same public key. C) Most companies would like to manage the private keys for their employees. D) Most companies would like to use a Certificate Authority to manage the public keys of their employees. E) Two of the above are correct.

D

Which of the following statements is incorrect about digital signatures? A) A digital signature can ensure data integrity. B) A digital signature also authenticates the document creator. C) A digital signature is an encrypted message digest. D) A digital signature is a message digest encrypted using the document creator's public key.

D

Why would companies want to use digital signatures when conducting e-business? A) They are cheap. B) They are always the same so it can be verified easily. C) They are more convenient than requiring a real signature. D) They can authenticate the document sender and maintain data integrity.

D

publically available Discovering and accounts, publishing metadata, and identity documents like otherwise email anonymous accounts, as Internet well as user by hacking, by tracing their online and stalking harassing

Doxing

44) Which of the following is a component of COSO ERM 2017? A) Governance and culture. B) Strategy and objective setting. C) Performance. D) Review and revision. E) All of the choices are correct.

E

A hacker whose goals are social or political. Examples range from reporting online anonymouly from whose CEO has issued a country objectionable that attacks free speech statements. Not to be to confased launching a with DDeS slacktivism, campaign which against refers a to company push-bumon activism in which a supporter a of a social or political campaign's goals does nothing but register their support online, for instance by "laing" Eacchook page.

Hacktivist

A vinas secreted into a system that triggers a malicious action when certain conditions are met. The most common version is the time bomb

Logic bomb:

Tricking someone into giving you their personal information, including login information and passwords, often credit done card via numbers, fake emails and so or on links by to imitating fraudulent legitimate websites. companies, organizationms, or people online. Phishing's

Phishing:

: Spear-phishing that the upper management of for-profit companies, presumably in the hope that their higher net worth will result targets in either more profit, if the cracker is after financial gain, or that their higher profike will ensure the gray hat hacker more exposure for his or her cause.

Whaling:

is a previoudy unknown vulnerability in a system. A zero dav atack is the first such use of the exploit by a cracker.

Zero day


Related study sets

Ap Euro Scientific Revolution Answers

View Set

U4 - Ready for CAE unit 4 (Vocabulary Gap Fills)

View Set

Money, Banking and Financial Markets

View Set