Exam 2 (Ch. 7 / 8)

Multiple Choice 6 Which of the following statements is TRUE? a. An internal environment consists of an organizational structure. b. Control activities are a component of COSO ERM. c. The Sarbanes-Oxley Act requires all public companies to have an audit committee. d. All of the above are true.

All of the above are true.

Multiple Choice 4 Which of the following is not a component of COSO-ERM? a. Event identification. b. External environment. c. Risk identification. d. b and c. e. All of the above are components of COSO.

External environment.

Multiple Choice 8 Why are threats to accounting information systems increasing? a. Many companies have invested significant resources to protect their assets. b. Many companies do not realize that data security is crucial to their survival. c. Many companies believe that protecting information is a vial strategic requirement. d. Computer control problems are often overestimated and overly emphasized by management.

Many companies do not realize that data security is crucial to their survival.

Multiple Choice 6 Which of the following is not a step in the security life cycle? a. Assess the information security-related threats that the organization faces and select an appropriate response. b. Develop information security policies and communicate them to all employees. c. Acquire and implement specific technological tools. d. Monitor performance to evaluate the effectiveness of the organization's information security program. e. None of the above; all are steps in the security life cycle.

None of the above; all are steps in the security life cycle.

Multiple Choice 7 The formula to evaluate if security procedures are effective is: a. P > D + R b. P > D - R c. P = D + R d. P < D - R

P > D + R

Multiple Choice 1 What type of internal controls finds the problem before it occurs? a. Detective controls. b. Preventive controls. c. General controls. d. Corrective controls.

Preventive controls.

Multiple Choice 1 The five principles of the Trust Services Framework that contribute to the overall objective of systems reliability include: a. Effectiveness. b. Processing integrity. c. Plan and organize. d. Reliability.

Processing integrity.

Multiple Choice 5 The fundamental principles related to systems reliability includes: a. Security, privacy and availability. b. Processing integrity, availability and prevention. c. Privacy, prevention and confidentiality. d. Security, processing integrity and limitation.

Security, privacy and availability.

Multiple Choice 7 What corporate objective is based on a company's mission statement? a. Strategic objectives. b. Operations objectives. c. Compliance objectives. d. Reporting objectives.

Strategic objectives.

Multiple Choice 10 Which of the following does not violate separation of duties? a. Approving purchase orders and receiving items ordered. b. Approving payment to vendors and completing the monthly bank reconciliation. c. Receiving checks in the mail and maintaining the cash receipts journal. d. Writing checks and receiving checks in the mail.

Writing checks and receiving checks in the mail.

Multiple Choice 27 A(n) ________ measures company progress by comparing actual performance to planned performance. a. boundary system b. diagnostic control system c. interactive control system d. belief system

b. diagnostic control system

Multiple Choice 30 Who bears the responsibility for information security in an organization? a. CIO. b. CFO. c. CISO. d. CEA.

c. CISO.

Multiple Choice 15 Identify the corrective control below. a. Reconciling the bank statement to the cash control account. b. Approving customer credit prior to approving a sales order. c. Maintaining frequent backup records to prevent loss of data. d. Counting inventory on hand and comparing counts to the perpetual inventory records.

c. Maintaining frequent backup records to prevent loss of data.

Multiple Choice 69 Which type of audits can detect fraud and errors? a. External audits. b. Internal audits. c. Network security audits. d. All of the above.

d. All of the above.

Multiple Choice 35 The process that uses automated tools to identify whether a system possesses any well-known security problems is known as a(n) a. intrusion detection system. b. log analysis. c. penetration test. d. vulnerability scan.

d. vulnerability scan.

Multiple Choice 34 Which of the following is not a component of the COSO Enterprise Risk Management Integrated Framework (ERM)? a. Monitoring. b. Ethical culture. c. Risk assessment. d. Control environment.

. Ethical culture.

Multiple Choice 2 The time-based model of information security is defined as: a. Time it takes an attacker to break through the various controls that protect the organization's information assets. b. Time it takes for the organization to detect an attack. c. Time it takes to respond to an attack. d. All of the above.

Time it takes an attacker to break through the various controls that protect the organization's information assets.

Multiple Choice 42 Melissa is a staff accountant for Quality Paper Company, which has strict corporate policies on appropriate use of corporate resources. The first week of March, Melissa saw Kent, the branch manager putting printer paper and toner into his briefcase on his way out the door. This situation best reflects a weakness in which aspect of internal environment, as discussed in the COSO Enterprise Risk Management Framework? a. Integrity and ethical values. b. Risk management philosophy. c. Restrict access to assets. d. Methods of assigning authority and responsibility.

a. Integrity and ethical values.

Multiple Choice 14 Identify the detective control below. a. Reconciling the bank statement to the cash control account. b. Approving customer credit prior to approving a sales order. c. Maintaining frequent backup records to prevent loss of data. d. Counting inventory on hand and comparing counts to the perpetual inventory records.

a. Reconciling the bank statement to the cash control account.

Multiple Choice 32 Identify the primary means of protecting data stored in a cloud from unauthorized access. a. authentication b. authorization c. virtualization d. securitization

a. authentication

Multiple Choice 12 Information security procedures protect information integrity by a. preventing fictitious transactions. b. reducing the system cost. c. making the system more efficient. d. making it impossible for unauthorized users to access the system.

a. preventing fictitious transactions.

Multiple Choice 33 Virtualization refers to the ability of a. running multiple systems simultaneously on one physical computer. b. eliminating the need for a physical computer. c. using the Internet to perform all needed system functions. d. using web-based security to protect an organization.

a. running multiple systems simultaneously on one physical computer.

Multiple Choice 17 The steps that criminals take to identify potential points of remote entry is called a. scanning and mapping the target. b. social engineering. c. research. d. reconnaissance.

a. scanning and mapping the target.

Multiple Choice 27 The most important element of any preventive control is a. the people. b. the performance. c. the procedure. d. the penalty.

a. the people.

Multiple Choice 40 The purpose of the COSO Enterprise Risk Management framework is a. to improve the organization's risk management process. b. to improve the organization's financial reporting process. c. to improve the organization's manufacturing process. d. to improve the organization's internal audit process.

a. to improve the organization's risk management process.

Multiple Choice 4 An example of preventive controls would include: a. Log analysis. b. Authorization controls. c. Encryption. d. a and b. e. b and c.

b and c.

Multiple Choice 34 A border router a. routes electronic communications within an organization. b. connects an organization's information system to the Internet. c. permits controlled access from the Internet to selected resources. d. serves as the main firewall.

b. connects an organization's information system to the Internet.

Multiple Choice 29 Which of the following is not a step in an organization's incident response process? a. Recognition. b. Recovery. c. Isolation. d. Containment.

c. Isolation.

Multiple Choice 31 Identify one aspect of systems reliability that is not a source of concern with regards to a public cloud. a. confidentiality b. privacy c. efficiency d. availability

c. efficiency

Multiple Choice 65 A ________ is created to guide and oversee systems development and acquisition. a. performance evaluation b. project development plan c. steering committee d. strategic master plan

c. steering committee

Multiple Choice 22 Which of the following preventive controls are necessary to provide adequate security for social engineering threats? a. Controlling physical access. b. Encryption. c. Profiling. d. Awareness training.

d. Awareness training.

Multiple Choice 15 Security: a. Is a technology issue but not a management issue. b. Is a management issue but not a technology issue. c. Is a technology issue and a management issue. d. None of the above.

Is a technology issue and a management issue.

Multiple Choice 10 Which of the following is not considered a detective control used to determine if an organization's information system is under attack? a. Limiting entry/access to the building. b. Examining logs to identify evidence of possible attacks. c. Continuous monitoring of employee compliance with an organization's security policies. d. Adequate intrusion detection systems.

Limiting entry/access to the building.

Multiple Choice 19 Verifying the identity of the person or device attempting to access the system is an example of a. authentication. b. authorization. c. identification. d. threat monitoring.

a. authentication.

Multiple Choice 30 A(n) ________________ helps employees act ethically. a. boundary system b. diagnostic control system c. interactive control system d. belief system

a. boundary system

Multiple Choice 32 Sue Room was relaxing after work with a colleague at a local bar. After a few drinks, she began expressing her feelings about her company's new control initiatives. It seems that as a result of controls put in place by the company, she now has to be more creative in solving problems and avoiding actions that might have a negative effect on her company's reputation. The level of control that the company is using in this case is a(n) a. boundary system. b. diagnostic control system. c. interactive control system. d. belief system.

a. boundary system.

Multiple Choice 49 According to the ERM model, ________ help the company address all applicable laws and regulations. a. compliance objectives b. operations objectives c. reporting objectives d. strategic objectives

a. compliance objectives

Multiple Choice 58 Independent checks on performance include all the following except a. data input validation checks. b. reconciling hash totals. c. preparing a trial balance report. d. supervisor review of journal entries and supporting documentation.

a. data input validation checks.

Multiple Choice 14 If the time an attacker takes to break through the organization's preventive controls is greater than the sum of the time required to detect the attack and the time required to respond to the attack, then security is a. effective. b. ineffective. c. overdone. d. undermanaged.

a. effective.

Multiple Choice 22 Which type of control is associated with making sure an organization's control environment is stable? a. general b. application c. detective d. preventive

a. general

Multiple Choice 60 Identify the statement below which is true. a. Requiring two signatures on checks over 20,000 is an example of segregation of duties. b. Although forensic specialists utilize computers, only people can accurately identify fraud. c. Internal auditors, rather than external auditors, can conduct evaluations of effectiveness of Enterprise Risk Management processes.

c. Internal auditors, rather than external auditors, can conduct evaluations of effectiveness of Enterprise Risk Management processes.

Multiple Choice 48 The amount of risk a company is willing to accept in order to achieve its goals and objectives is a. inherent risk. b. residual risk. c. risk appetite. d. risk assessment.

c. risk appetite.

Multiple Choice 35 The COSO Enterprise Risk Management Integrated Framework stresses that a. risk management activities are an inherent part of all business operations and should be considered during strategy setting. b. effective risk management is comprised of just three interrelated components; internal environment, risk assessment, and control activities. c. risk management is the sole responsibility of top management. d. risk management policies, if enforced, guarantee achievement of corporate objectives.

c. risk management activities are an inherent part of all business operations and should be considered during strategy setting.

Multiple Choice 33 Debbie Jones was relaxing after work with a colleague at a local bar. After a few drinks, she began expressing her feelings about her company's new control initiatives. It seems that as a result of controls put in place by the company, she now has to find ways to help her staff to better understand the company's vision and core values. The level of control that the company is using in this case is a(n) a. boundary system. b. diagnostic control system. c. interactive control system. d. belief system.

d. belief system.

Multiple Choice 11 Duplicate checking of calculations and preparing bank reconciliations and monthly trial balances are examples of what type of control? a. Preventive control b. Detective control c. Corrective control d. Authorization control

b. Detective control

Multiple Choice 36 How many principles are there is the 2013 updated COSO - Internal Control Framework? a. 21 b. 17 c. 5 d. 8

b. 17

Multiple Choice 20 ________ is/are an example of a preventive control. a. Emergency response teams b. Encryption c. Log analysis d. Intrusion detection

b. Encryption

Multiple Choice 55 How is expected loss calculated when performing risk assessment? a. Impact times expected loss. b. Impact times likelihood. c. Inherent risk times likelihood. d. Residual risk times likelihood.

b. Impact times likelihood.

Multiple Choice 16 According to The Sarbanes-Oxley Act of 2002, the audit committee of the board of directors is directly responsible for a. Performing tests of the company's internal control structure. b. Certifying the accuracy of the company's financial reporting process. c. Hiring and firing the external auditors. d. Overseeing day-to-day operations of the internal audit department.

c. Hiring and firing the external auditors. Mul

Multiple Choice 66 COSO requires that any internal deficiencies identified through monitoring be reported to whom? a. The external auditor. b. The company's management. c. The board of directors. d. The audit committee.

c. The board of directors.

Multiple Choice 21 Hiring qualified personnel is an example of a ________ control, and procedures to resubmit rejected transactions are an example of a ________ control. a. corrective; detective b. detective; corrective c. preventive; corrective d. detective; preventive

c. preventive; corrective

tiple Choice 17 Which of the following measures can protect a company from AIS threats? a. Take a proactive approach to eliminate threats. b. Detect threats that do occur. c. Correct and recover from threats that do occur. d. All of the above are proper measures for the accountant to take.

d. All of the above are proper measures for the accountant to take.

Multiple Choice 64 A document that shows all projects that must be completed and the related IT needs in order to achieve long-range company goals is known as a a. performance evaluation b. project development plan c. steering committee d. strategic master plan

d. strategic master plan

Multiple Choice 54 _______________ is the risk that exists before management takes any steps to mitigate it. a. Inherent risk. b. Residual risk. c. Risk appetite. d. Risk assessment.

a. Inherent risk.

Multiple Choice 13 The Trust Services Framework reliability principle that states access to the system and its data should be accessible to meet operational and contractual obligations to legitimate users is known as a. availability. b. security. c. privacy. d. integrity.

a. availability.

Multiple Choice 23 Which type of control prevents, detects, and corrects transaction errors and fraud? a. general b. application c. detective d. preventive

b. application

Multiple Choice 3 An example of how criminals attack an organization include these steps: a. Attempt social engineering. b. Conduct reconnaissance. c. Cover tracks by creating a back door. d. All of the above. e. None of the above.

All of the above.

Multiple Choice 5 Which of the following is not considered the Internal Environment in COSO-ERM? a. External influences. b. Management's risk appetite. c. Ethical Values. d. Compliance with the SEC.

Compliance with the SEC.

Multiple Choice 9 A control procedure designed so that the employee that records cash received from customers does not also have access to the cash itself is an example of a/an a. Preventive control. b. Detective control. c. Corrective control. d. Authorization control.

Preventive control.

Multiple Choice 61 A store policy that allows retail clerks to process sales returns for 1,000 or less, with a receipt dated within the past 30 days, is an example of a. general authorization. b. specific authorization. c. special authorization. d. generic authorization.

a. general authorization.

Multiple Choice 68 To ensure compliance with copyrights and to protect itself from software piracy lawsuits, companies should ________. a. periodically conduct software audits b. update the operating system frequently c. buy software from legitimate suppliers d. adopt cloud operating platforms

a. periodically conduct software audits

Multiple Choice 26 All employees of the Petty Co. are required to pass through a gate and present their photo identification cards to the guard before they are admitted. Entry to secure areas, such as the Information Technology Department offices, requires further procedures. This is an example of a(n) a. physical access control. b. authorization control. c. authentication control. d. hardening procedure.

a. physical access control.

Multiple Choice 8 Steps criminals use to attack an organization's information system includes: a. Attempting to deceive an employee into granting access to the business' information system. b. Researching to find weaknesses in software programs to gain access. c. Using automated tools to figure out computers that can be remotely accessed. d. a. and b. e. a., b. and c.

a., b. and c.

Multiple Choice 9 Preventative controls to protect an organization's information include: a. Adequate security to limit entry to an organization's place of business. b. Antimalware and network access controls. c. Effective employee training. d. a. and b. e. a., b. and c.

a., b. and c.

Multiple Choice 2 As a result of an internal risk assessment, Berryhill Insurance decided it was no longer profitable to provide flood insurance in the southern states. Berryhill apparently chose to ________ the risk of paying flood claims in the southern states. a. reduce b. share c. avoid d. accept

avoid

Multiple Choice 52 Identify the most correct statement with regards to an event. a. An event identified by management will occur. b. An event identified by management may or may not occur. c. An event identified by management may not trigger other events. d. It is easy to determine which events are most likely to occur.

b. An event identified by management may or may not occur.

Multiple Choice 13 Identify the preventive control below. a. Reconciling the bank statement to the cash control account. b. Approving customer credit prior to approving a sales order. c. Maintaining frequent backup records to prevent loss of data. d. Counting inventory on hand and comparing counts to the perpetual inventory records.

b. Approving customer credit prior to approving a sales order.

Multiple Choice 67 Which of the following is not a key method of monitoring performance? a. Performing internal control evaluation. b. Implementing a benefit incentive plan. c. Implementing effective supervision. d. Implementing a whistleblower hotline.

b. Implementing a benefit incentive plan.

Multiple Choice 70 Which type of audit assesses employee compliance with management policies and procedures? a. External audit. b. Internal audit. c. Compliance audit. d. Operational audit.

b. Internal audit.

Multiple Choice 46 Helping employees understand entity goals and objectives and then holding them accountable for achieving them are all related to which aspect of internal environment? a. Organizational structure. b. Methods of assigning authority and responsibility. c. Management philosophy and operating style. d. Commitment to competence.

b. Methods of assigning authority and responsibility.

Multiple Choice 53 ________________ remains after management implements internal control(s) a. Inherent risk. b. Residual risk. c. Risk appetite. d. Risk assessment.

b. Residual risk.

Multiple Choice 41 The principle of identifying and assessing changes that could significantly impact the system of internal control belongs to which of the COSO's Internal Control Model's component? a. Control environment. b. Risk assessment. c. Control activities. d. Information and communication.

b. Risk assessment.

Multiple Choice 43 Melissa is a staff accountant for Quality Paper Company suspected that management might have used "creative accounting" to improve company performance. This situation best reflects a weakness in which aspect of internal environment, as discussed in the COSO Enterprise Risk Management Framework? a. Integrity and ethical values. b. Risk management philosophy. c. Restrict access to assets. d. Methods of assigning authority and responsibility.

b. Risk management philosophy.

Multiple Choice 56 At a movie theater box office, all tickets are sequentially prenumbered. At the end of each day, the beginning ticket number is subtracted from the ending number to calculate the number of tickets sold. Then, ticket stubs collected at the theater entrance are counted and compared with the number of tickets sold. Which of the following situations does this control detect? a. Some customers presented tickets purchased on a previous day when there wasn't a ticket taker at the theater entrance (so the tickets didn't get torn.) b. A group of kids snuck into the theater through a back door when customers left after a show. c. The box office cashier accidentally gives too much change to a customer. d. The ticket taker admits his friends without tickets.

b. Some customers presented tickets purchased on a previous day when there wasn't a ticket taker at the theater entrance (so the tickets didn't get torn.)

Multiple Choice 20 Duplicate checking of calculations is an example of a ________ control, and procedures to resubmit rejected transactions are an example of a ________ control. a. corrective; detective b. detective; corrective c. preventive; corrective d. detective; preventive

b. detective; corrective

Multiple Choice 47 Personnel policies such as background checks, mandatory vacations, and rotation of duties tend to deter a. unintentional errors. b. employee fraud or embezzlement. c. fraud by outsiders. d. disgruntled employees.

b. employee fraud or embezzlement.

Multiple Choice 19 Internal controls are often segregated into a. detective controls and preventive controls. b. general controls and application controls. c. process controls and general controls. d. system controls and application controls.

b. general controls and application controls.

Multiple Choice 28 A system that creates logs of all network traffic that was permitted to pass the firewall and then analyzes those logs for signs of attempted or successful intrusions is called a. log analysis. b. intrusion detection systems. c. continuous monitoring. d. defense in depth.

b. intrusion detection systems.

Multiple Choice 50 According to the ERM model, ________ help to deal with the effectiveness and efficiency of company operations, such as performance and profitability goals. a. compliance objectives b. operations objectives c. reporting objectives d. strategic objectives

b. operations objectives

Multiple Choice 45 The definition of the lines of authority and responsibility and the overall framework for planning, directing, and controlling is laid out by the a. control activities. b. organizational structure. c. budget framework. d. internal environment.

b. organizational structure.

Multiple Choice 63 A ________ shows how a project will be completed, including tasks and who will perform them as well as a timeline and cost estimates. a. performance evaluation b. project development plan c. steering committee d. strategic master plan

b. project development plan

Multiple Choice 62 An accounting policy that requires a purchasing manager to sign off on all purchases over 10,000 is an example of a. general authorization. b. specific authorization. c. special authorization. d. generic authorization.

b. specific authorization.

Multiple Choice 24 The primary purpose of the Foreign Corrupt Practices Act of 1977 was a. to require corporations to maintain a good system of internal control. b. to prevent the bribery of foreign officials by American companies. c. to require the reporting of any material fraud by a business. d. All of the above are required by the act.

b. to prevent the bribery of foreign officials by American companies.

Multiple Choice 18 Identify the statement below which is not a useful control procedure regarding access to system outputs. a. Restricting access to rooms with printers. b. Coding reports to reflect their importance. c. Allowing visitors to move through the building without supervision. d. Requiring employees to log out of applications when leaving their desk.

c. Allowing visitors to move through the building without supervision.

Multiple Choice 37 Why was the original 1992 COSO - Integrated Control framework updated in 2013? a. Congress required COSO to modernize. b. U.S. stock exchanges required more disclosure. c. As an effort to more effectively address technological advancements. d. None of the above.

c. As an effort to more effectively address technological advancements.

Multiple Choice 38 Which internal control framework is widely accepted as the authority on internal controls? a. COBIT. b. ISACA framework. c. COSO Integrated Control. d. Sarbanes-Oxley control framework.

c. COSO Integrated Control.

Multiple Choice 12 Maintaining backup copies of files, correcting data entry errors, and resubmitting transactions for subsequent processing are examples of what type of control? a. Preventive control b. Detective control c. Corrective control d. Authorization control

c. Corrective control

Multiple Choice 11 Sue Wideman called a meeting of the top management at Room Management. Number one on the agenda was computer system security. "The risk of security breach incidents has become unacceptable," she said, and turned to the Chief Information Officer. "What do you intend to do?" Which of the following is the best answer? a. Evaluate and modify the system using COBOL. b. Evaluate and modify the system using the CTC checklist. c. Evaluate and modify the system using the Trust Services framework d. Evaluate and modify the system using the COSO Internal Control Framework.

c. Evaluate and modify the system using the Trust Services framework

Multiple Choice 21 ________ is/are an example of a detective control. a. Emergency response teams b. Encryption c. Log analysis d. Physical access controls.

c. Log analysis

Multiple Choice 23 ________ is an authorized attempt by an internal audit team or an external security consultant to attempt to break into the organization's information system. a. Log analysis test b. Intrusion test c. Penetration test d. Vulnerability test

c. Penetration test

Multiple Choice 25 Congress passed this federal law for the purpose of preventing financial statement fraud, to make financial reports more transparent and to strengthen the internal control of public companies. a. Foreign Corrupt Practices Act of 1977 b. The Securities Exchange Act of 1934 c. The Sarbanes-Oxley Act of 2002 d. The Securities Exchange Act of 1933

c. The Sarbanes-Oxley Act of 2002

Multiple Choice 57 At a movie theater box office, all tickets are sequentially prenumbered. At the end of each day, the beginning ticket number is subtracted from the ending number to calculate the number of tickets sold. Cash is counted and compared with the number of tickets sold. Which of the following situations does this control detect? a. Some customers presented tickets purchased on a previous day when there wasn't a ticket taker at the theater entrance (so the tickets didn't get torn.) b. A group of kids snuck into the theater through a back door when customers left after a show. c. The box office cashier accidentally gives too much change to a customer. d. The ticket taker admits his friends without tickets.

c. The box office cashier accidentally gives too much change to a customer.

Multiple Choice 24 The ________ disseminates information about fraud, errors, breaches and other improper system uses and their consequences. a. chief information officer b. chief operations officer c. chief security officer d. computer emergency response team

c. chief security officer

Multiple Choice 28 A(n) ________ helps top-level managers with high-level activities that demand frequent and regular attention. a. boundary system b. diagnostic control system c. interactive control system d. belief system

c. interactive control system

Multiple Choice 18 Internal control is often referred to as a(n) ________, because it permeates an organization's operating activities and is an integral part of management activities. a. event b. activity c. process d. system

c. process

Multiple Choice 44 The audit committee of the board of directors a. is usually chaired by the CFO. b. conducts testing of controls on behalf of the external auditors. c. provides a check and balance on management. d. all of the above.

c. provides a check and balance on management.

Multiple Choice 51 According to the ERM model, ________ help to ensure the accuracy, completeness and reliability of internal and external company reports. a. compliance objectives b. operations objectives c. reporting objectives d. strategic objectives

c. reporting objectives

Multiple Choice 26 Which of the following was not an important change introduced by the Sarbanes-Oxley Act of 2002? a. New roles for audit committees b. New rules for auditors and management c. New rules for internal control requirements d. New rules for information systems development

d. New rules for information systems development

500 million. c. all private and public companies incorporated in the United States. d. all publicly traded companies.

d. all publicly traded companies.

Multiple Choice 25 New employees of Baker Technologies are assigned user names and appropriate permissions. Their credentials are then entered into the company's information system's access control matrix. This is an example of a(n) a. authentication control. b. biometric device. c. remote access control. d. authorization control.

d. authorization control.

Multiple Choice 29 A(n) ________ helps employees understand management's vision. It communicates company core values and inspires employees to live by those values. a. boundary system b. diagnostic control system c. interactive control system d. belief system

d. belief system

Multiple Choice 39 The COBIT5 framework primarily relates to a. best practices and effective governance and management of private companies. b. best practices and effective governance and management of public companies. c. best practices and effective governance and management of information technology. d. best practices and effective governance and management of organizational assets.

d. best practices and effective governance and management of organizational assets.

Multiple Choice 59 One of the key objectives of segregating duties is to a. ensure that no collusion will occur. b. achieve an optimal division of labor for efficient operations. c. make sure that different people handle different transactions. d. make sure that different people handle different parts of the same transaction.

d. make sure that different people handle different parts of the same transaction.

Multiple Choice 16 The steps that criminals take to study their target's physical layout to learn about the controls it has in place is called a. scanning and mapping the target. b. social engineering. c. research. d. reconnaissance.

d. reconnaissance.

Multiple Choice 3 Upon acquiring a new computer operating system, management at Fox Co. worried that computer virus might cripple the company's operation. Management decided to install anti-virus software and to build a firewall for its operating system. Fox Co. chose to ______________ the risk of being crippled by computer virus. a. share b. reduce c. avoid d. accept

e. reduce