Information Accounting Systems, 7eTest Bank, Chapter 15 Chapter 15IT Controls Part I: Sarbanes-Oxley and IT GovernanceTRUE/FALSE1. Corporate management (including the CEO) must certify monthly and annually their organizations internal controls over financial reporting.ANS: F PTS: 12. Both the SEC and the PCAOB require management to use the COBIT framework for assessing internal control adequacy.ANS: F PTS: 13. Both the SEC and the PCAOB require management to use the COSO framework for assessing internal control adequacy.ANS: F PTS: 14. A qualified opinion on managements assessment of internal controls over the financial reporting system necessitates a qualified opinion on the financial statements?ANS: F PTS: 15. The same internal control objectives apply to manual and computer-based information systems. ANS: T PTS: 16. To fulfill the segregation of duties control objective, computer processing functions (like authorization of credit and billing) are separated.ANS: F PTS: 17. To ensure sound internal control, program coding and program processing should be separated. ANS: T PTS: 18. Some systems professionals have unrestricted access to the organization's programs and data. ANS: T PTS: 19. Application controls apply to a wide range of exposures that threaten the integrity of all programs processed within the computer environment.ANS: F PTS: 110. The database administrator should be separated from systems development.ANS: T PTS: 111. A disaster recovery plan is a comprehensive statement of all actions to be taken after a disaster. ANS: T PTS: 112. IT auditing is a small part of most external and internal audits.ANS: F PTS: 113. Assurance services is an emerging field that goes beyond the auditors traditional attestation function.ANS: T PTS: 114. An IT auditor expresses an opinion on the fairness of the financial statements.ANS: F PTS: 115. External auditing is an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization.ANS: F PTS: 116. External auditors can cooperate with and use evidence gathered by internal audit departments that are organizationally independent and that report to the Audit Committee of the Board of Directors.ANS: T PTS: 117. Tests of controls determine whether the database contents fairly reflect the organization's transactions.ANS: F PTS: 118. Audit risk is the probability that the auditor will render an unqualified opinion on financial statements that are materially misstated.ANS: T PTS: 119. A strong internal control system will reduce the amount of substantive testing that must be performed.ANS: T PTS: 120. Substantive testing techniques provide information about the accuracy and completeness of an application's processes.ANS: F PTS: 1

21. The most common access point for perpetrating computer fraud is at the data collection stage. ANS: T PTS: 122. Changing the Hours Worked field in an otherwise legitimate payroll transaction to increase the amount of the paycheck is an example of data collection fraud.ANS: T PTS: 123. Scavenging is a form of fraud in which the perpetrator uses a computer program to search for key terms in a database and then steal the data.ANS: F PTS: 124. Transaction cost economics (TCE) theory suggests that firms should outsource specific non core IT assetsANS: F PTS: 125. Commodity IT assets easily acquired in the marketplace and should be outsourced under the core competency theory.ANS: F PTS: 1 MULTIPLE CHOICE1. Which of the following is NOT an implication of section 302 of the Sarbanes-Oxley Act?a. Auditors must determine, whether changes in internal control has, or is likely to, materially affect internal control over financial reporting.b. Auditors must interview management regarding significant changes in the design or operation of internal control that occurred since the last audit.c. Corporate management (including the CEO) must certify monthly and annually their organizations internal controls over financial reporting. d. Management must disclose any material changes in the companys internal controls that have occurred during the most recent fiscal quarter.ANS: C PTS: 1 2. Which of the following is NOT a requirement in managements report on the effectiveness of internal controls over financial reporting?a. A statement of managements responsibility for establishing and maintaining adequate internal control user satisfaction.b. A statement that the organizations internal auditors has issued an attestation report on managements assessment of the companies internal controls.c. A statement identifying the framework used by management to conduct their assessment of internal controls.d. An explicit written conclusion as to the effectiveness of internal control over financial reporting.ANS: B PTS: 1 3. In a computer-based information system, which of the following duties needs to be separated?a. program coding from program operationsb. program operations from program maintenancec. program maintenance from program codingd. all of the above duties should be separatedANS: D PTS: 1 4.Supervision in a computerized environment is more complex than in a manual environment for all of the following reasons excepta. rapid turnover of systems professionals complicates management's task of assessing the competence and honesty of prospective employeesb. many systems professionals have direct and unrestricted access to the organization's programs and datac. rapid changes in technology make staffing the systems environment challengingd. systems professionals and their supervisors work at the same physical locationANS: D PTS: 1 5.Adequate backups will protect against all of the following except

a. natural disasters such as firesb. unauthorized accessc. data corruption caused by program errorsd. system crashesANS: B PTS: 1 6. Which is the most critical segregation of duties in the centralized computer services function?a. systems development from data processingb. data operations from data librarianc. data preparation from data controld. data control from data librarianANS: A PTS: 1 7. Systems development is separated from data processing activities because failure to do soa. weakens database access securityb. allows programmers access to make unauthorized changes to applications during executionc. results in inadequate documentationd. results in master files being inadvertently erasedANS: B PTS: 1 8. Which organizational structure is most likely to result in good documentation procedures?a. separate systems development from systems maintenanceb. separate systems analysis from application programmingc. separate systems development from data processingd. separate database administrator from data processing ANS: A PTS: 1 9. All of the following are control risks associated with the distributed data processing structure excepta. lack of separation of dutiesb. system incompatibilitiesc. system interdependencyd. lack of documentation standardsANS: C PTS: 1 10. Which of the following is not an essential feature of a disaster recovery plan?a. off-site storage of backupsb. computer services functionc. second site backupd. critical applications identifiedANS: B PTS: 1 11. A cold site backup approach is also known asa. internally provided backupb. recovery operations centerc. empty shelld. mutual aid pactANS: C PTS: 1 12. The major disadvantage of an empty shell solution as a second site backup is  a. the host site may be unwilling to disrupt its processing needs to process the critical applications of the disaster stricken companyb. intense competition for shell resources during a widespread disasterc. maintenance of excess hardware capacityd. the control of the shell site is an administrative drain on the companyANS: B PTS: 1

 13. An advantage of a recovery operations center is thata. this is an inexpensive solutionb. the initial recovery period is very quickc. the company has sole control over the administration of the centerd. none of the above are advantages of the recovery operations centerANS: B PTS: 1 14. For most companies, which of the following is the least critical application for disaster recovery purposes?a. month-end adjustmentsb. accounts receivablec. accounts payabled. order entry/billingANS: A PTS: 1 15.The least important item to store off-site in case of an emergency isa. backups of systems softwareb. backups of application softwarec. documentation and blank formsd. results of the latest test of the disaster recovery programANS: D PTS: 1 16. Some companies separate systems analysis from programming/program maintenance. All of the following are control weaknesses that may occur with this organizational structure excepta. systems documentation is inadequate because of pressures to begin coding a new program before documenting the current programb. illegal lines of code are hidden among legitimate code and a fraud is covered up for a long period of timec. a new systems analyst has difficulty in understanding the logic of the programd. inadequate systems documentation is prepared because this provides a sense of job security to the programmerANS: C PTS: 1 17. All of the following are recommended features of a fire protection system for a computer center excepta. clearly marked exitsb. an elaborate water sprinkler systemc. manual fire extinguishers in strategic locationsd. automatic and manual alarms in strategic locationsANS: B PTS: 1 18. Which concept is not an integral part of an audit?a. evaluating internal controlsb. preparing financial statementsc. expressing an opiniond. analyzing financial dataANS: B PTS: 1 19. Which statement is not true?a. Auditors must maintain independence.b. IT auditors attest to the integrity of the computer system.c. IT auditing is independent of the general financial audit.d. IT auditing can be performed by both external and internal auditors.ANS: C PTS: 1 

20. Typically, internal auditors perform all of the following tasks excepta. IT auditsb. evaluation of operational efficiencyc. review of compliance with legal obligationsd. internal auditors perform all of the above tasksANS: D PTS: 1 21. The fundamental difference between internal and external auditing is thata. internal auditors represent the interests of the organization and external auditors represent outsidersb. internal auditors perform IT audits and external auditors perform financial statement auditsc. internal auditors focus on financial statement audits and external auditors focus on operational audits and financial statement auditsd. external auditors assist internal auditors but internal auditors cannot assist external auditorsANS: A PTS: 1 22. Internal auditors assist external auditors with financial audits toa. reduce audit feesb. ensure independencec. represent the interests of managementd. the statement is not true; internal auditors are not permitted to assist external auditors with financial auditsANS: A PTS: 1 23. Which statement is not correct?a. Auditors gather evidence using tests of controls and substantive tests.b. The most important element in determining the level of materiality is the mathematical formula.c. Auditors express an opinion in their audit report.d. Auditors compare evidence to established criteria.ANS: B PTS: 1 24. All of the following are steps in an IT audit excepta. substantive testingb. tests of controlsc. post-audit testingd. audit planningANS: C PTS: 1 25. When planning the audit, information is gathered by all of the following methods excepta. completing questionnaires b. interviewing managementc. observing activitiesd. confirming accounts receivable ANS: D PTS: 1 26. Substantive tests includea. examining the safety deposit box for stock certificatesb. reviewing systems documentationc. completing questionnairesd. observationANS: A PTS: 1 27. Tests of controls includea. confirming accounts receivableb. counting inventoryc. completing questionnaires

d. counting cashANS: C PTS: 1 28. All of the following are components of audit risk excepta. control riskb. legal riskc. detection riskd. inherent riskANS: B PTS: 1 29. Control risk isa. the probability that the auditor will render an unqualified opinion on financial statements that are materially misstatedb. associated with the unique characteristics of the business or industry of the clientc. the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accountsd. the risk that auditors are willing to take that errors not detected or prevented by the controlstructure will also not be detected by the auditorANS: C PTS: 1 30. All of the following tests of controls will provide evidence about the physical security of the computer center excepta. review of fire marshal recordsb. review of the test of the backup power supplyc. verification of the second site backup locationd. observation of procedures surrounding visitor access to the computer centerANS: C PTS: 1 31. All of the following tests of controls will provide evidence about the adequacy of the disaster recovery plan excepta. inspection of the second site backupb. analysis of the fire detection system at the primary sitec. review of the critical applications listd. composition of the disaster recovery teamANS: B PTS: 1 32. Which of the following is true?a. In the CBIS environment, auditors gather evidence relating only to the contents of databases, not the reliability of the computer system.b. Conducting an audit is a systematic and logical process that applies to all forms of information systems.c. Substantive tests establish whether internal controls are functioning properly.d. IT auditors prepare the audit report if the system is computerized.ANS: B PTS: 1 33. Inherent riska. exists because all control structures are flawed in some ways.b. is the likelihood that material misstatements exist in the financial statements of the firm.c. is associated with the unique characteristics of the business or industry of the client.d. is the likelihood that the auditor will not find material misstatements.ANS: C PTS: 1 34. Attestation services require all of the following excepta. written assertions and a practitioners written report

b. the engagement is designed to conduct risk assessment of the clients systems to verify their degree of SOX compliancec. the formal establishment of measurements criteriad. the engagement is limited to examination, review, and application of agreed-upon proceduresANS: B PTS: 1 35. The financial statements of an organization reflect a set of management assertions about the financial health of the business. All of the following describe types of assertions excepta. that all of the assets and equities on the balance sheet existb. that all employees are properly trained to carry out their assigned dutiesc. that all transactions on the income statement actually occurredd. that all allocated amounts such as depreciation are calculated on a systematic and rational basis ANS: B 36. PTS: 1 All of the following are issues of computer security excepta. releasing incorrect data to authorized individualsb. permitting computer operators unlimited access to the computer roomc. permitting access to data by unauthorized individualsd. providing correct data to unauthorized individualsANS: B PTS: 1 37 . Operations fraud includesa. altering program logic to cause the application to process data incorrectlyb. misusing the firms computer resourcesc. destroying or corrupting a programs logic using a computer virusd. creating illegal programs that can access data files to alter, delete, or insert valuesANS: B  PTS: 1 38.Segregation of duties in the computer-based information system includesa. separating the programmer from the computer operatorb. preventing management overridec. separating the inventory process from the billing processd. performing independent verifications by the computer operatorANS: A PTS: 1 39.Computer fraud can take on many forms, including each of the following excepta. theft or illegal use of computer-readable informationb. theft, misuse, or misappropriation of computer equipmentc. theft, misuse, or misappropriation of assets by altering computer-readable records and filesd. theft, misuse, or misappropriation of printer suppliesANS: D 40. The following are examples of commodity assets excepta. network managementb. systems operationsc. systems developmentd. server maintenanceANS: C 41. The following are examples of specific assets excepta.b.c.d. application maintenance data warehousing highly skilled employees server maintenance

ANS: D 42. Which of the following is true?a. Core competency theory argues that an organization should outsource specific core assets.b. Core competency theory argues that an organization should focus exclusively on its core business competenciesc. Core competency theory argues that an organization should not outsource specific commodity assets.d. Core competency theory argues that an organization should retain certain specific non core assets in-house.ANS: B 43. Which of the following is not true? a. Large-scale IT outsourcing involves transferring specific assets to a vendorb. Specific assets, while valuable to the client, are of little value to the vendorc. Once an organization outsources its specific assets, it may not be able to return to its pre-outsource state.d. Specific assets are of value to vendors because, once acquired, vendors can achieve economies of scale by employing them with other clientsANS: D 44. Which of the following is not true?a. When management outsources their organizations IT functions, they also outsource responsibility for internal control.b. Once a client firm has outsourced specific IT assets, its performance becomes linked to the vendors performance.c. IT outsourcing may affect incongruence between a firms IT strategic planning and its business planning functions.d. The financial justification for IT outsourcing depends upon the vendor achieving economies of scale.ANS: A 45. Which of the following is not true?a. Management may outsource their organizations IT functions, but they cannot outsource their management responsibilities for internal control.b. section 404 requires the explicit testing of outsourced controls.c. The SAS 70 report, which is prepared by the outsourcers auditor, attests to the adequacy of the vendors internal controls.d. Auditors issue two types of SAS 70 reports: SAS 70 Type I report and SAS 70 Type II report.ANS: C

Chap5/6?? CISInformation Accounting Systems, 7eTest Bank, Chapter 17

Chapter 17IT Controls Part III: Systems Development, Program Changes, and Application Controls

TRUE/FALSE1. Programs in their compiled state are very susceptible to the threat of unauthorized modification. ANS: F 

2. Maintenance access to systems increases the risk that logic will be corrupted either by the accident or intent to defraud. ANS: T 

3. Source program library controls should prevent and detect unauthorized access to application programs. ANS: T 

4. A check digit is a method of detecting data coding errors. ANS: T 

5. Input controls are intended to detect errors in transaction data after processing. ANS: F 

6. The black box approach to testing computer applications allows the auditor to explicitly review program logic. ANS: F

7. The user test and acceptance procedure is the last point at which the user can determine the systems acceptability prior to it going into service. ANS: T 

8. A run-to-run control is an example of an output control. ANS: F 

9. Shredding computer printouts is an example of an output control. ANS: T 

10. In a computerized environment, all input controls are implemented after data is input. ANS: F 

11. Achieving batch control objectives requires grouping similar types of input transactions (such as sales orders) together in batches and then controlling the batches throughout data processing. ANS: T 

12. The white box tests of program controls are also known as auditing through the computer. ANS: T

13. The presence of a SPLMS effectively guarantees program integrity. ANS: F 

14. When using the test data method, the presence of multiple error messages indicates a flaw in the preparation of test transactions. ANS: F 

15. The base case system evaluation is a variation of the test data method. ANS: T 

16. Tracing is a method used to verify the logical operations executed by a computer application. ANS: T 

17. Generalized audit software packages are used to assist the auditor in performing substantive tests. ANS: T 

18. The results of a parallel simulation are compared to the results of a production run in order to judge the quality of the application processes and controls. ANS: T 

19. Firms with an independent internal audit staff may conduct tests of the system development life cycle on an ongoing basis. ANS: T 

20. The programmers authority table will specify the libraries a programmer may access. ANS: T 

21. Use of the integrated test facility poses no threat to organizational data files. ANS: F 

22. Spooling is a form of processing control. ANS: F 

23. A salami fraud affects a large number of victims, but the harm to each appears to be very small. ANS: T 

24. An input control that tests time card records to verify than no employee has worked more 50 hours in a pay period is an example of a range test. ANS: F 

25. The black box approach to testing computer program controls is also known as auditing around the computer. ANS: T 

MULTIPLE CHOICE1. Which statement is not correct? The audit trail in a computerized environmenta. consists of records that are stored sequentially in an audit fileb. traces transactions from their source to their final dispositionc. is a function of the quality and integrity of the application programsd. may take the form of pointers, indexes, and embedded keysANS: A 

2. Which control is not associated with new systems development activities?a. reconciling program version numbersb. program testingc. user involvementd. internal audit participationANS: A 

3. Routine maintenance activities require all of the following controls excepta. documentation updatesb. testingc. formal authorizationd. internal audit approval 2011ANS: D 

4. Which statement is correct?a. compiled programs are very susceptible to unauthorized modificationb. the source program library stores application programs in source code formc. modifications are made to programs in machine code languaged. the source program library management system increases operating efficiencyANS: B

5. Which control is not a part of the source program library management system?a. using passwords to limit access to application programsb. assigning a test name to all programs undergoing maintenancec. combining access to the development and maintenance test librariesd. assigning version numbers to programs to record program modificationsANS: C 

6. Which control ensures that production files cannot be accessed without specific permission?a. Database Management Systemb. Recovery Operations Functionc. Source Program Library Management Systemd. Computer Services FunctionANS: C 

7. Program testinga. involves individual modules only, not the full systemb. requires creation of meaningful test datac. need not be repeated once the system is implementedd. is primarily concerned with usabilityANS: B 

8. The correct purchase order number,is123456. All of the following are transcription errors excepta. 1234567b. 12345c. 124356d. 123454ANS: C 

9. Which of the following is correct?a. check digits should be used for all data codesb. check digits are always placed at the end of a data codec. check digits do not affect processing efficiencyd. check digits are designed to detect transcription and transposition errorsANS: D 

10. Which statement is not correct? The goal of batch controls is to ensure that during processinga. transactions are not omittedb. transactions are not addedc. transactions are free from clerical errorsd. an audit trail is created

ANS: C 

11. An example of a hash total isa. total payroll checks$12,315b. total number of employees10c. sum of the social security numbers12,555,437,251d. none of the aboveANS: C 

12. Which statement is not true? A batch control recorda. contains a transaction codeb. records the record countc. contains a hash totald. control figures in the record may be adjusted during processinge. All the above are trueANS: E 

13. Which of the following is not an example of a processing control?a. hash total.b. record count.c. batch total.d. check digitANS: D 

14. Which of the following is an example of input control test?a. sequence checkb. zero value checkc. spooling checkd. range checkANS: D

15. Which input control check would detect a payment made to a nonexistent vendor?a. missing data checkb. numeric/alphabetic checkc. range checkd. validity checkANS: D 

16. Which input control check would detect a posting to the wrong customer account?a. missing data checkb. check digitc. reasonableness checkd. validity checkANS: B 

17. The employee entered "40" in the "hours worked per day" field. Which check would detect this unintentional error?a. numeric/alphabetic data checkb. sign checkc. limit checkd. missing data checkANS: C 

18. An inventory record indicates that 12 items of a specific product are on hand. A customer purchased two of the items, but when recording the order, the data entry clerk mistakenly entered 20 items sold. Which check could detect this error?a. numeric/alphabetic data checksb. limit checkc. range checkd. reasonableness checkANS: B 

19. Which check is not an input control?a. reasonableness checkb. validity check.c. spooling checkd. missing data checkANS: C 

20. A computer operator was in a hurry and accidentally used the wrong master file to process a transaction file. As a result, the accounts receivable master file was erased. Which control would prevent this from happening?a. header label checkb. expiration date checkc. version checkd. validity checkANS: A 

21. Run-to-run control totals can be used for all of the following excepta. to ensure that all data input is validatedb. to ensure that only transactions of a similar type are being processedc. to ensure the records are in sequence and are not missingd. to ensure that no transaction is omittedANS: A 

22. Methods used to maintain an audit trail in a computerized environment include all of the following excepta. transaction logsb. Transaction Listings.c. data encryptiond. log of automatic transactionsANS: C 

23. Risk exposures associated with creating an output file as an intermediate step in the printing process (spooling) include all of the following actions by a computer criminal excepta. gaining access to the output file and changing critical data valuesb. using a remote printer and incurring operating inefficienciesc. making a copy of the output file and using the copy to produce illegal output reportsd. printing an extra hardcopy of the output fileANS: B 

24. Which statement is not correct?a. only successful transactions are recorded on a transaction logb. unsuccessful transactions are recorded in an error filec. a transaction log is a temporary filed. a hardcopy transaction listing is provided to usersANS: C 

25. Input controls include all of the following excepta. check digitsb. Limit check.c. spooling check d. missing data checkANS: C 

26. Which of the following is an example of an input error correction technique?a. immediate correctionb. rejection of batchc. creation of error filed. all are examples of input error correction techniquesANS: D 

27. Which test of controls will provide evidence that the system as originally implemented was free from material errors and free from fraud? Review of the documentation indicates that

a. a cost-benefit analysis was conductedb. the detailed design was an appropriate solution to the user's problemc. tests were conducted at the individual module and total system levels prior to implementation d. problems detected during the conversion period were corrected in the maintenance phaseANS: C 

28. Which statement is not true?a. An audit objective for systems maintenance is to detect unauthorized access to application databases.b. An audit objective for systems maintenance is to ensure that applications are free from errors.c. An audit objective for systems maintenance is to verify that user requests for maintenance reconcile to program version numbers.d. An audit objective for systems maintenance is to ensure that the production libraries are protected from unauthorized access.ANS: A 

29. When the auditor reconciles the program version numbers, which audit objective is being tested?a. protect applications from unauthorized changesb. ensure applications are free from errorc. protect production libraries from unauthorized accessd. ensure incompatible functions have been identified and segregatedANS: A

30. When auditors do not rely on a detailed knowledge of the application's internal logic, they are performinga. black box tests of program controlsb. white box tests of program controlsc. substantive testingd. intuitive testingANS: A 

31. All of the following concepts are associated with the black box approach to auditing computer applications excepta. the application need not be removed from service and tested directlyb. auditors do not rely on a detailed knowledge of the application's internal logicc. the auditor reconciles previously produced output results with production input transactionsd. this approach is used for complex transactions that receive input from many sourcesANS: D 

32. Which test is not an example of a white box test?a. determining the fair value of inventoryb. ensuring that passwords are validc. verifying that all pay rates are within a specified ranged. reconciling control totalsANS: A 

33. When analyzing the results of the test data method, the auditor would spend the least amount of time reviewinga. the test transactionsb. error reportsc. updated master filesd. output reportsANS: A 

34. All of the following are advantages of the test data technique excepta. auditors need minimal computer expertise to use this methodb. this method causes minimal disruption to the firm's operationsc. the test data is easily compiledd. the auditor obtains explicit evidence concerning application functionsANS: C 

35. All of the following are disadvantages of the test data technique excepta. the test data technique requires extensive computer expertise on the part of the auditor

b. the auditor cannot be sure that the application being tested is a copy of the current application used by computer services personnelc. the auditor cannot be sure that the application being tested is the same application used throughout the entire yeard. preparation of the test data is time-consumingANS: A

36. All of the following statements are true about the integrated test facility (ITF) excepta. production reports are affected by ITF transactionsb. ITF databases contain "dummy" records integrated with legitimate recordsc. ITF permits ongoing application auditingd. ITF does not disrupt operations or require the intervention of computer services personnel ANS: A 

37. Which statement is not true? Embedded audit modulesa. can be turned on and off by the auditor.b. reduce operating efficiency.c. may lose their viability in an environment where programs are modified frequently.d. identify transactions to be analyzed using white box tests.ANS: D

38. Generalized audit software packages perform all of the following tasks excepta. recalculate data fieldsb. compare files and identify differencesc. stratify statistical samplesd. analyze results and form opinionsANS: D 

39. Which of the following is not an input control?a. Range checkb. Limit checkc. Spooling checkd. Validity checke. They are all input controlsANS: C 

40. Which of the following is an input control?a. Reasonableness checkb. Run-to-run checkc. Spooling checkd. Batch checke. None are input controlsANS: A

Chap 3/4?? CISInformation Accounting Systems, 7eTest Bank, Chapter 16

Chapter 16IT Controls Part II: Security and Access

TRUE/FALSE1. In a computerized environment, the audit trail log must be printed onto paper documents. ANS: F

2. Disguising message packets to look as if they came from another user and to gain access to the hosts network is called spooling. ANS: F 

3. A formal log-on procedure is the operating systems last line of defense against unauthorized access. ANS: F 

4. Computer viruses usually spread throughout the system before being detected. ANS: T

5. A worm is software program that replicates itself in areas of idle memory until the system fails. ANS: T 

6. Viruses rarely attach themselves to executable files. ANS: F 

7. Subschemas are used to authorize user access privileges to specific data elements. ANS: F 

8. A recovery module suspends all data processing while the system reconciles its journal files against the database. ANS: F

9. The database management system controls access to program files. ANS: F 

10. Operating system controls are of interest to system professionals but should not concern accountants and auditors. ANS: F 

11. The most frequent victims of program viruses are microcomputers. ANS: T 

12. Access controls protect databases against destruction, loss or misuse through unauthorized access. ANS: T 

13. Operating system integrity is not of concern to accountants because only hardware risks are involved. ANS: F 

14. Audit trails in computerized systems are comprised of two types of audit logs: detailed logs of individual keystrokes and event-oriented logs. ANS: T 

15. In a telecommunications environment, line errors can be detected by using an echo check. ANS: T

16. Firewalls are special materials used to insulate computer facilities ANS: F 

17. The message authentication code is calculated by the sender and the receiver of a data transmission. ANS: T 

18. The request-response technique should detect if a data communication transmission has been diverted. ANS: T 

19. Electronic data interchange translation software interfaces with the sending firm and the value added network. ANS: F 

20. A value added network can detect and reject transactions by unauthorized trading partners. ANS: T 

21. Electronic data interchange customers may be given access to the vendor's data files. ANS: T 

22. The audit trail for electronic data interchange transactions is stored on magnetic media. ANS: T 

23. A firewall is a hardware partition designed to protect networks from power surges. ANS: F 

24. To preserve audit trails in a computerized environment, transaction logs are permanent records of transactions. ANS: T 

25. Examining programmer authority tables for information about who has access to Data Definition Language commands will provide evidence about who is responsible for creating subschemas. ANS: T 

MULTIPLE CHOICE

1. The operating system performs all of the following tasks excepta. translates third-generation languages into machine languageb. assigns memory to applicationsc. authorizes user accessd. schedules job processing

ANS: C 

2. Which of the following is considered an unintentional threat to the integrity of the operating system?a. a hacker gaining access to the system because of a security flawb. a hardware flaw that causes the system to crashc. a virus that formats the hard drived. the systems programmer accessing individual user filesANS: B 

3. A software program that replicates itself in areas of idle memory until the system fails is called aa. Trojan horseb. wormc. logic bombd. none of the aboveANS: B 

4. A software program that allows access to a system without going through the normal logon procedures is called aa. logic bombb. Trojan horsec. wormd. back doorANS: D 

5. All of the following will reduce the exposure to computer viruses excepta. install antivirus softwareb. install factory-sealed application softwarec. assign and control user passwordsd. install public-domain software from reputable bulletin boardsANS: D 

6. Which backup technique is most appropriate for sequential batch systems?a. grandparent-parent-child approachb. staggered backup approachc. direct backupd. remote site, intermittent backupANS: A 

7. When creating and controlling backups for a sequential batch system,a. the number of backup versions retained depends on the amount of data in the fileb. off-site backups are not requiredc. backup files can never be used for scratch filesd. the more significant the data, the greater the number of backup versionsANS: D 

8. Hackers can disguise their message packets to look as if they came from an authorized user and gain access to the hosts network using a technique calleda. spoofing.b. spooling.c. dual-homed.d. screening.ANS: A 

9. In a direct access file systema. backups are created using the grandfather-father-son approachb. processing a transaction file against a maser file creates a backup filec. files are backed up immediately before an update run

d. if the master file is destroyed, it cannot be reconstructedANS: C 

10. Which of the following is not an access control in a database system?a. antivirus softwareb. database authorization tablec. passwordsd. voice printsANS: A 

11. Which is not a biometric device?a. passwordb. retina printsc. voice printsd. signature characteristicsANS: A 

12. Which of the following is not a basic database backup and recovery feature?a. checkpointb. backup databasec. transaction logd. database authority tableANS: D 

13. All of the following are objectives of operating system control excepta. protecting the OS from usersb. protesting users from each otherc. protecting users from themselvesd. protecting the environment from usersANS: D 

14. Passwords are secret codes that users enter to gain access to systems. Security can be compromised by all of the following excepta. failure to change passwords on a regular basisb. using obscure passwords unknown to othersc. recording passwords in obvious placesd. selecting passwords that can be easily detected by computer criminalsANS: B 

15. Audit trails cannot be used toa. detect unauthorized access to systemsb. facilitate reconstruction of eventsc. reduce the need for other forms of securityd. promote personal accountabilityANS: C 

16. Which control will not reduce the likelihood of data loss due to a line error?a. echo checkb. encryptionc. vertical parity bitd. horizontal parity bitANS: B 

17. Which method will render useless data captured by unauthorized receivers?a. echo checkb. parity bitc. public key encryption

d. message sequencingANS: C 

18. Which method is most likely to detect unauthorized access to the system?a. message transaction logb. data encryption standardc. vertical parity checkd. request-response techniqueANS: A 

19. All of the following techniques are used to validate electronic data interchange transactions excepta. value added networks can compare passwords to a valid customer file before message transmissionb. prior to converting the message, the translation software of the receiving company can compare the password against a validation file in the firm's databasec. the recipient's application software can validate the password prior to processingd. the recipient's application software can validate the password after the transaction has been processedANS: D 

20. In an electronic data interchange environment, customers routinely accessa. the vendor's price list fileb. the vendor's accounts payable filec. the vendor's open purchase order filed. none of the aboveANS: A 

21. All of the following tests of controls will provide evidence that adequate computer virus control techniques are in place and functioning excepta. verifying that only authorized software is used on company computersb. reviewing system maintenance recordsc. confirming that antivirus software is in used. examining the password policy including a review of the authority tableANS: B 

22. Audit objectives for the database management system include all of the following excepta. verifying that the security group monitors and reports on fault tolerance violationsb. confirming that backup procedures are adequatec. ensuring that authorized users access only those files they need to perform their dutiesd. verifying that unauthorized users cannot access data filesANS: A 

23. All of the following tests of controls will provide evidence that access to the data files is limited excepta. inspecting biometric controlsb. reconciling program version numbersc. comparing job descriptions with access privileges stored in the authority tabled. attempting to retrieve unauthorized data via inference queriesANS: B 

24. Audit objectives for communications controls include all of the following excepta. detection and correction of message loss due to equipment failureb. prevention and detection of illegal access to communication channelsc. procedures that render intercepted messages uselessd. all of the aboveANS: D 

25. When auditors examine and test the call-back feature, they are testing which audit objective?a. incompatible functions have been segregatedb. application programs are protected from unauthorized access

c. physical security measures are adequate to protect the organization from natural disasterd. illegal access to the system is prevented and detectedANS: D 

26. In an electronic data interchange (EDI) environment, when the auditor compares the terms of the trading partner agreement against the access privileges stated in the database authority table, the auditor is testing which audit objective?a. all EDI transactions are authorizedb. unauthorized trading partners cannot gain access to database recordsc. authorized trading partners have access only to approved datad. a complete audit trail is maintainedANS: C 

27. Audit objectives in the electronic data interchange (EDI) environment include all of the following excepta. all EDI transactions are authorizedb. unauthorized trading partners cannot gain access to database recordsc. a complete audit trail of EDI transactions is maintainedd. backup procedures are in place and functioning properlyANS: D 

28. In determining whether a system is adequately protected from attacks by computer viruses, all of the following policies are relevant excepta. the policy on the purchase of software only from reputable vendorsb. the policy that all software upgrades are checked for viruses before they are implementedc. the policy that current versions of antivirus software should be available to all usersd. the policy that permits users to take files home to work on themANS: D 

29. Which of the following is not a test of access controls?a. biometric controlsb. encryption controlsc. backup controlsd. inference controlsANS: C 

30. In an electronic data interchange environment, customers routinelya. access the vendor's accounts receivable file with read/write authorityb. access the vendor's price list file with read/write authorityc. access the vendor's inventory file with read-only authorityd. access the vendor's open purchase order file with read-only authorityANS: C 

31. In an electronic data interchange environment, the audit traila. is a printout of all incoming and outgoing transactionsb. is an electronic log of all transactions received, translated, and processed by the systemc. is a computer resource authority tabled. consists of pointers and indexes within the databaseANS: B 

32. All of the following are designed to control exposures from subversive threats excepta. firewallsb. one-time passwordsc. field interrogationd. data encryptionANS: C 

33. Many techniques exist to reduce the likelihood and effects of data communication hardware failure. One

of these isa. hardware access proceduresb. antivirus softwarec. parity checksd. data encryptionANS: C 

34. Which of the following deal with transaction legitimacy?a. transaction authorization and validationb. access controlsc. EDI audit traild. all of the aboveANS: D 

35. Firewalls area. special materials used to insulate computer facilitiesb. a system that enforces access control between two networksc. special software used to screen Internet accessd. none of the aboveANS: B 

36. The database attributes that individual users have permission to access are defined ina. operating system.b. user manual.c. database schema.d. user view.e. application listing.ANS: D 

37. An integrated group of programs that supports the applications and facilitates their access to specified resources is called a (an)a. operating system.b. database management system.c. utility systemd. facility system.e. object system.ANS: A 

38. Transmitting numerous SYN packets to a targeted receiver, but NOT responding to an ACK, isa. a smurf attack.b. IP Spoofing.c. an ACK echo attackd. a ping attack.e. none of the aboveANS: E 

39. Which of the following is true?a. Deep Packet Inspection uses a variety of analytical and statistical techniques to evaluate the contents of message packets.b. An Intrusion prevention system works in parallel with a firewall at the perimeter of the network to act as a filer that removes malicious packets from the flow before they can affect servers and networks.c. A distributed denial of service attack is so named because it is capable of attacking many victims simultaneously who are distributed across the internet.d. None of the above are true statements.ANS: A 

40. Advance encryption standard (AES) is

a. a 64 -bit private key encryption techniqueb. a 128-bit private key encryption techniquec. a 128-bit public key encryption techniqued. a 256-bit public encryption technique that has become a U.S. government standardANS: B