B4 Flashcards

1
Q

A report that does not currently exist but that needs to be created on demand without having to get a software developer involved is known as a/an:

a. Ad hoc report.
b. Exception report.
c. Demand report.
d. Scheduled report.
A

An ad hoc report is a report that does not currently exist but that needs to be created on demand without having to get a software developer involved.
Choice “c” is incorrect. A demand report is a specific report that can be printed or viewed on demand.
Choice “b” is incorrect. An exception report is a report produced when a specific condition or “exception” occurs.
Choice “d” is incorrect. Scheduled reports are the more traditional reports that display information in a predefined format and that are made available on a regular basis.

2
Q

Avon Corporation has a management information system. From the management information system, several different reports are available, including reports that are monthly budget vs. actual reports, reports that highlight where sales representatives have not met their assigned sales quotas, account analysis reports that can be requested by accountants as needed as a part of the closing process, and reports that are created by end users to obtain information as needed at any time during the month. The 4 types of reports are best described as:

a. Scheduled reports, exception reports, demand reports, and ad hoc reports.
b. Demand reports, scheduled reports, exception reports, and ad hoc reports.
c. Scheduled reports, ad hoc reports, exception reports, and demand reports.
d. Exception reports, scheduled reports, demand reports, and ad hoc reports.
A

Scheduled reports, exception reports, demand reports, and ad hoc reports.
Choice “a” is correct. Monthly reports of budget vs. actual data are normally called scheduled reports that are produced without anybody having to request them. Reports that highlight sales representatives not having met their assigned sales quotas are normally called exception reports. Reports that analyze accounts, or that provide other specific and non-changeable information, but only on demand, are normally called demand reports. Reports that provide information as requested by the end user, and are available on demand, are normally called ad hoc reports.
Note that these names are generic names.

3
Q

In an accounting information system, which of the following types of computer files most likely would be a master file?

a. Payroll transactions.
b. Cash receipts.
c. Inventory subsidiary.
d. Cash disbursements.
A

Inventory subsidiary.
Choice “c” is correct. The question can be readily addressed by using the “odd man out” principle. Just look at the other three choices. Each of them is a transaction file of some type; one of them is even called a transaction file. The other two (cash disbursements and cash receipts) are both transactions in a non-computerized accounting system and are transaction files in a computerized accounting system.

4
Q

A distributed processing environment would be most beneficial in which of the following situations?

a. Large volumes of data are generated centrally and fast access is not required.
b. Small volumes of data are generated centrally, fast access is required, and summaries are needed monthly at many locations.
c. Small volumes of data are generated at many locations, fast access is required, and summaries of the data are needed promptly at a central site.
d. Large volumes of data are generated at many locations and fast access is required.
A

Large volumes of data are generated at many locations and fast access is required.
A distributed (or decentralized) processing environment would be the most beneficial when large volumes of data are generated at many (remote) locations and fast access to the data is required. In centralized processing, there is always some delay (however small these days) in transmitting large volumes of data or transactions to the central site to be processed and then to be able to access the processed information. Decentralized processing eliminates that particular problem (although it does present other problems). Note that there seems to be an implied assumption in this question that the (remote) locations need access only to their own local data and not to all of the data for all locations. This choice seems to be better than choice “c”.
Choice “a” is incorrect. If large volumes of data are generated centrally, centralized processing would probably be more beneficial, regardless of whether or not fast access to that data is required. This choice implies that little, if any, data or transactions are generated at the remote locations so there would be no real need for distributed processing.
Choice “c” is incorrect. If summaries of the data are needed “promptly” at the central site, centralized processing MIGHT be more beneficial. Since only small volumes of data are generated at the remote locations, there would probably not be much delay in transmitting that data to the central location and probably not much delay in accessing that data. Since only summaries of the data are needed at the central location, those summaries could probably be readily prepared at the remote locations. This choice is the next best, and a case could certainly be made that the choice is correct. The decision could readily come down to summaries of “what” data. Is it summaries of all of the data generated by all locations or summaries of only the data generated by the remote location? If the former is what is meant, centralized processing would be more beneficial. If the latter is what is meant, distributed processing would probably be more beneficial.

5
Q

What type of processing methods can you use for batch processing?

A

Sequential storage or random access storage device.

Magnetic tape and/or disks.

6
Q

What type of computerized data processing system would be most appropriate for a company that is opening a new retail location?

a. Sequential-file processing.
b. Batch processing.
c. Direct-access processing.
d. Real-time processing.
A

Real-time processing

Choice “d” is correct. In this question, a new “retail” location is being opened. Retail locations will normally have a large number of small transactions (think of a convenience store selling beer and chips), and that might make batch processing look to be most appropriate. However, it is important to know the current status of inventory so that inventory (what is and what is not selling) can be properly replenished (think of Walmart and its supply chain systems) and so that quick price reductions can be made for inventory that is not selling. This last factor makes real-time processing most appropriate.
Choice “b” is incorrect. There is nothing wrong with batch processing, but batch processing would probably not be used these days in the situation described in the question. In the past, batch processing was used to upload transaction data from individual stores to the retailer’s centralized processors (with the remainder of the processing being done centrally and possibly in batch); however, real time processing would be better (and more expensive). This kind of decision is almost always a cost/benefit decision. It would certainly be possible, in this situation, to have the retail store transactions uploaded after the close of business in batch, further processing of the transactions to be done centrally in batch, and new inventory figures transmitted back to the store in batch after the central processing is complete.
Choice “a” is incorrect. Sequential file processing is almost totally restricted to batch processing. Before direct access media were available at a reasonable cost, sequential file processing was used extensively. Tapes (which are commonly used for sequential files) are normally restricted to backups and storage for very large amounts of data that are too expensive to be stored on disk and for which there is no real need for relatively quick access.
Choice “c” is incorrect. Direct access processing is not a term used to describe a processing method. Direct access refers to the method of accessing data on a storage medium. Direct access means that you can go directly to a location on a storage device without reading through all of the data as would be necessary in sequential access.

7
Q

Which of the following tasks would be included in a document flowchart for processing cash receipts?

a. Compare control and remittance totals.
b. Record returns and allowances.
c. Authorize and generate a voucher.
d. Authorize and generate an invoice.
A

Compare control and remittance totals
Choice “a” is correct. A task (a box on a document or system flowchart) to compare control totals and remittance totals would be included in the processing of cash receipts. Note that this is a very general step that could appear on almost any document flowchart. All of the other choices in this question are specific to a particular type of processing.
Choice “b” is incorrect. Recording returns and allowances would not be included in the processing of cash receipts. Anything returned will not be received in cash. Returns and allowances would be included in the processing (and thus the document flowchart) of sales.
Choice “d” is incorrect. Authorizing and generating invoices would not be included in the processing of cash receipts. Invoices would be included in the processing of sales.
Choice “c” is incorrect. Authorizing and generating vouchers would not be included in the processing of cash receipts. Vouchers would be included in the processing of accounts payable and payments.

8
Q

Compared to online real-time processing, batch processing has which of the following disadvantages?

a. Additional computing resources are required.
b. Additional personnel are required.
c. Stored data are current only after the update process.
d. A greater level of control is necessary.
A

Stored data are current only after the update process
Choice “c” is correct. Batch processing means that transactions are processed in batches on a periodic basis. Because the transactions are processed on a periodic basis, the data that is being updated can only be considered current just after the update. At any other time, it is possible that a transaction has occurred that would affect the data.
Choice “d” is incorrect. There is no greater level of control necessary for batch processing versus online real-time (online) processing.
Choice “a” is incorrect. There is nothing that says that additional computing resources are required for batch processing versus online processing. In fact, online processing normally requires more computing resources, which is one reason why online processing has become popular once computing resources became cheaper and thus more available.

9
Q

Which of the following are components of a Business Information System (BIS)?

a. Hardware, software, network, people, and data.
b. Software, reports, data, and networks.
c. Queries, data, reports, and people.
d. Hardware, software, and reports.
A

Hardware, software, network, people, and data

10
Q

Business Information Systems (BIS) allow a business to perform the following functions on data:

a. Collect, process, store, transform, and distribute.
b. Process, report, and store.
c. Distribute, collect, report, and transform.
d. Initiate, process, distribute, transform, and store.
A

Collect, process, store, transform, and distribute.

11
Q

Which of the following is an open, royalty free standard that can be used to facilitate data aggregation, transfer, and connectivity between disparate or stand-alone systems?

a. XBRL.
b. HTTP.
c. Linux.
d. CAT5.
A

XBRL, the acronym for eXtensible Business Reporting Language, is derived from XML (eXtensible markup language). XBRL is an open, royalty-free, Internet-based information standard for business reporting of all kinds. XBRL labels data so that they are provided with context that remains with them and brings conformity to the names by which they are recognized by disparate software.

12
Q

Which of the following transaction processing modes provides the most accurate and complete information for decision making?

a. Batch.
b. Online, real-time.
c. Distributed.
d. Application.
A

Online, Real-Time (OLRT) Processing is an immediate processing method in which each transaction goes through all processing steps (data entry, data validation, and master file update) before the next transaction is processed. OLRT files are always current, and error detection is immediate.

13
Q

Compared to batch processing, real-time processing has which of the following advantages?

a. Timeliness of information.
b. Efficiency of processing.
c. Ease of implementation.
d. Ease of auditing.
A

Timeliness of information
Choice “a” is correct. Compared to batch processing, real-time processing has the advantage of timeliness of information because data is processed and records updated immediately when a transaction is entered.

14
Q

What statement best describes some of the general characteristics of Accounting Information Systems?

a. AIS systems can only handle large volumes of identical transactions.
b. AIS systems cannot handle nonrecurring transactions.
c. All AIS systems are uniform since all businesses must deal with the same issues.
d. AIS systems generally have similar capabilities; however, the applications implemented for a particular business are generally modified to meet the specific needs of that business.
A

Choice “d” is correct. An AIS is customized to the needs of a particular business or enterprise. The requirements of a manufacturer (including inventory and production) will be different from the requirements of a service firm that might not have any inventory.
Choice “c” is incorrect. AIS systems likely have similar capabilities, but the extent to which they are implemented will vary based on the requirements of the specific business.
Choice “a” is incorrect. An AIS can typically handle any transaction it is set up for. However, many AIS are set up to handle a large volume of transactions.
Choice “b” is incorrect. Nonrecurring transactions can be accommodated by an AIS. Typically, the initial organization of the business, debt issuance, capital outlay, etc., represent types of nonrecurring transactions that should be easily handled by an AIS.

15
Q

Security Federated Insurance Company numbers its insurance policies with a 10 character code that identifies the type of property or casualty insurance sold, the policy year, the customer type, and a customer number. Numbering of this character is an example of:

a. Sequential code.
b. Group code.
c. Block code.
d. Object code.
A

Group coding embeds intelligence into the identification numbers associated with a particular item. The identification of different features of an insurance policy with a specific numbering scheme is an example of group coding.

16
Q

Data processing methods are generally described as either batch or online real-time processing (OLRT). These data processing methods are distinguished by the timing of:

a. Data creation.
b. Data deletion.
c. Data reading.
d. Data updating.
A

Data updating.
Choice “d” is correct. Batch processing updates data periodically (when a batch is processed) while on-line real time processing updates data immediately when transactions are entered.

17
Q

Which of the following statements is not correct for segregation of duties in an IT environment?

a. The duties of system analysts and application programmers should never be combined.
b. Segregation of duties in an IT environment normally revolves around granting and/or restricting access to production data and/or production programs.
c. Segregation of duties in an IT environment is defined as dividing responsibilities for different portions of a transaction among several different people.
d. The IT department is a support group in that it normally does not initiate or authorize transactions.
A

Choice “a” is correct as it is the only incorrect statement. The duties of system analysts and application programmers can be, and often are, combined. The duties of system programmers and application programmers should not be combined.
Choice “d” is incorrect because the statement is true. The IT department is a support group that normally does not initiate or authorize transactions.
Choice “b” is incorrect because the statement is true. Segregation of duties normally revolves around granting and/or restricting access to production programs and/or production data.
Choice “c” is incorrect because the statement is true. Segregation of duties in an IT environment is defined as dividing responsibilities for different portions of a transaction among several different people.

18
Q

Which of the following areas of responsibility would normally be assigned to a systems programmer in a computer system environment?

a. Data communications hardware and software.
b. Systems analysis and applications programming.
c. Computer operations.
d. Operating systems and compilers.
A

Operating systems and compilers.

19
Q

What are the steps in the systems development life cycle? Mnemonic: A DITTO

A
systems Analysis
Design (conceptual and physical)
Implementation and conversion
Training
Testing
Operations and maintenance
20
Q

What does COBIT (Control Objectives for Information and Related Technology) do/stand for?

A

Provides managers, auditors and IT users with a set of measures, indicators, processes and best practices to maximize the benefit of IT.

21
Q

Which of the following statements is/are correct with respect to segregation of duties in an IT environment?

a. The IT department is a support group and normally does not initiate or authorize transactions.
b. All of the statements are correct.
c. In general, segregation of duties is defined as dividing responsibilities for different portions of a transaction (authorization, recording, and custody) among several different people or departments.
d. Segregation of duties in an IT environment normally revolves around granting and/or restricting access to production programs and to production data.
A

All of the statements are correct.
The IT department is a support group and normally does not initiate or authorize transactions. When it does initiate or authorize transactions, those transactions normally are for such activities as leasing hardware, paying software license fees, and other IT-related activities.
In general, segregation of duties is defined as dividing responsibilities for different portions of a transaction (authorization, recording, and custody) among several different people or departments. This definition is true in an IT environment or with systems, but it is sometimes harder to accomplish in an IT environment since software may perform many of the functions.
Segregation of duties in an IT environment normally revolves around granting and/or restricting access to production programs and to production data.

22
Q

What are the 4 domains of COBIT that direct the delivery of solutions and services? PO AIDS ME

A

Plan and Organize
Acquire and Implement, Deliver and Support
Monitor and Evaluate

23
Q

To maintain effective segregation of duties within the information technology function, an application programmer should have which of the following responsibilities?

a. Modify and adapt operating system software.
b. Correct detected data entry errors for the cash disbursement system.
c. Maintain custody of the billing program code and its documentation.
d. Code approved changes to a payroll program.
A

Choice “d” is correct. An application programmer would have the responsibility to code approved changes to a payroll program. A payroll program is an application program. Note that the changes have been previously “approved.”
Choice “a” is incorrect. An application programmer should never be assigned the responsibility to modify or adapt operating system software. Few application programmers would have the knowledge and experience to deal with operating system software anyway, but that would be way too much responsibility in one person/position.
Choice “b” is incorrect. An application programmer should never be assigned the responsibility to correct data entry errors for the cash disbursement (or any other) system. Application programmers should not have access to data (other than for very controlled situations, such as data fixes).
Choice “c” is incorrect. An application programmer should not have custody of billing (or any other application system) program code. Custody should be with a librarian (either a person or a system), and application programmers should only have controlled access to the program code. Program documentation should probably also be secured, but it is nowhere near as important.

24
Q

Which one of the following terms best describes a Decision Support System (DSS)?

a. Formalized system.
b. Interactive system.
c. Structured system.
d. Management reporting system.
A

Interactive system.
Choice “b” is correct. Decision support systems are computer-based information systems that provide interactive support to managers or others during the decision-making process.
Choice “d” is incorrect. Management reporting systems provide managers with the information needed for day-to-day decision making.
Choice “a” is incorrect. A formalized system is a generic term used to describe any system operating in proper or regular form.
Choice “c” is incorrect. A structured system is a system in which each program within a system is independent of other programs within the system. This enables programming teams to work independently on different programs within the same system.

25
Q

A fast-growing service company is developing its information technology internally. What is the first step in the company’s systems development life cycle?

a. Design.
b. Testing.
c. Analysis.
d. Implementation.
A

Analysis.

26
Q

Which of the following is a person who enters data or uses the information processed by a system?

a. Hardware Technician.
b. Network Administrator.
c. User.
d. Software Developer.
A

Users are any workers who enter data into a system or who use the information processed by the system. Users could be secretaries, administrators, accountants, auditors, CEOs, and so on.

27
Q

Review of the audit log is an example of which of the following types of security control?

a. Detective.
b. Preventive.
c. Governance.
d. Corrective.
A

Choice “a” is correct. Audit logs are detective security controls. They are generally chronological records that provide documentary evidence of the sequence of activities that can be used to detect errors or irregularities.
Choice “c” is incorrect. Audit logs do not represent governance security controls. Governance controls typically involve strategic and organizational controls to enhance security.
Choice “b” is incorrect. Audit logs do not represent preventive security controls. The existence of a log does not prevent errors or irregularities; it provides the record necessary to detect errors or irregularities.
Choice “d” is incorrect. Audit logs do not represent corrective security controls. Corrective security controls represent procedures put in place to correct security weaknesses.

28
Q

Which of the seven distinct information criteria included within the Control Objectives for Information and Related Technology (COBIT) framework includes the idea that information will be delivered timely in a correct, consistent and useful manner?

a. Availability.
b. Integrity.
c. Effectiveness.
d. Reliability.
A

Choice “c” is correct. The effectiveness business requirement for information includes the criteria that information be relevant to a business process and delivered timely in a correct, consistent and usable manner.
Choice “b” is incorrect. The integrity business requirement for information includes the criteria that information be accurate, complete and valid.
Choice “a” is incorrect. The availability business requirement for information includes the criteria that information be available currently and in the future, and that resources be safeguarded.
Choice “d” is incorrect. The reliability business requirement for information includes the criteria that information be appropriate to operate the entity.

29
Q

Which of the seven distinct information criteria included within the Control Objectives for Information and Related Technology (COBIT) framework includes the idea that information must be accurate and complete?

a. Effectiveness.
b. Reliability.
c. Integrity.
d. Efficiency.
A

Choice “c” is correct. The integrity business requirement for information includes the criteria that information be accurate, complete and valid.
Choice “a” is incorrect. The effectiveness business requirement for information includes the criteria that information be relevant to a business process and delivered timely in a correct, consistent and usable manner.
Choice “d” is incorrect. Efficiency within the context of business requirements for information concerns delivery of information through the optimal use of resources (e.g., low cost without compromising effectiveness).
Choice “b” is incorrect. The reliability business requirement for information includes the criteria that information be appropriate to operate the entity.

30
Q

COBIT defines the enterprise architecture for IT as a:

a. Programming structure that integrates applications.
b. Networking and hardware configuration unique to each installation.
c. Combination of IT resources and defined processes.
d. Combination of hardware, networking and system software.
A

Choice “c” is correct. IT resources (applications, information, infrastructure and people) along with well-defined processes are referred to as the enterprise architecture for IT.
Choice “a” is incorrect. A programming structure that integrates applications is not defined within COBIT.
Choice “b” is incorrect. Networking and hardware configurations are a part of IT infrastructure.
Choice “d” is incorrect. Hardware, networking and system software are part of IT infrastructure.

31
Q

What is a major disadvantage to using symmetric encryption to encrypt data?

a. The private key is used by the sender for encryption but not by the receiver for decryption.
b. The private key cannot be broken into fragments and distributed to the receiver.
c. Both sender and receiver must have the private key before this encryption method will work.
d. The private key is used by the receiver for decryption but not by the sender for encryption.
A

Choice “c” is correct. With symmetric encryption, both parties use the same key to encrypt and decrypt the message so that the key must be shared. This would require a unique private key for each entity with which one wanted to share encrypted data. In asymmetric encryption, the private key is not shared and the public key provides the other half necessary to encrypt/decrypt.

32
Q

Which of the following is the step where the intended recipient converts the cipher text into plain text?

a. Encryption.
b. Digital certificates.
c. PKI.
d. Decryption or decipherment.
A

Decryption or decipherment is the step where the intended recipient converts the cipher text into plain text.
Choice “a” is incorrect. Encryption involves using a password or a digital key to scramble a readable (plain text) message into an unreadable (cipher text) message.
Choice “b” is incorrect. Digital certificates are yet another form of data security. They behave in the online world the same way driver’s licenses, passports, and other trusted documents behave outside the online world.
Choice “c” is incorrect. The term public key infrastructure (PKI) refers to the system and processes used to issue and manage asymmetric keys and digital certificates.

33
Q

If Friday’s file is destroyed, a new Friday file can be reproduced by using the Friday transaction file (which is stored separately) and Thursday’s file. The backup concept that serves as the foundation for this process is often called:

a. Backups of Systems That Do Not Shut Down.
b. Disk Only Backup.
c. Critical Application Backup.
d. Son-Father-Grandfather Concept.
A

Choice “d” is correct. The Son-Father-Grandfather concept describes this backup file system. The most recent file is called the son, the second most recent file is called the father, and the preceding file is called the grandfather. The process includes reading the previous file, recording transactions being processed, and then creating a new updated master file.

34
Q

Which of the following is true regarding Public Key Infrastructure (PKI)?

a. PKI is intended for e-business use and is typically available through commercial certificate authorities.
b. PKI includes a "tree of trust" that's checked each time a certificate is presented as proof of one's identity.
c. PKI assumes asymmetric encryption to create legally-binding electronic documents.
d. PKI refers to the system and processes used to issue and manage asymmetric keys and digital certificates.
A

Choice “d” is correct. Public key infrastructure represents the mechanisms used to issue keys and digital certificates.
Choice “a” is incorrect. Digital certificates are available through commercial certificate authorities, not public key infrastructure.
Choice “b” is incorrect. CAs (Certificate Authorities) include a “tree of trust” to verify identities by checking certificates, not public key infrastructure.
Choice “c” is incorrect. Digital signatures facilitate the creation of legally binding electronic documents, not public key infrastructure.

35
Q

Transactions between businesses are frequently handled through electronic media. Business to business transactions, often called B2B transactions, typically happen:

a. E-mail verified by certified postal delivery.
b. Only through pre-established Electronic Data Interchange (EDI) protocols.
c. Only through Internet sites.
d. Through Internet, EDI, intranets or extranets.
A

Choice “d” is correct. Business to business (B2B) transactions typically occur through any number of different networks including the Internet, private corporate intranets, extranets, or Electronic Data Interchange (EDI) arrangements.

36
Q

What is the difference between EDI and e-commerce?

A

EDI usually uses a VAN (private).

E-commerce always uses the Internet (fast).

37
Q
After a B2B transaction occurs, the area of management that is concerned with what goods were ordered, when and where the goods were to be delivered, and what the amount paid is:

a. The Business Information Systems group.
b. The Supply Chain Management group.
c. The Management Information System group.
d. The Database Management group.
A

Choice “b” is correct. Supply Chain Management (SCM) is concerned with four important characteristics for every sale: what, when and where the goods were delivered and how much the goods cost.

38
Q

Electronic data interchange (EDI) is best described as:
a. An enterprise-wide database that stores data that has been extracted from other databases.
b. Computer-to-computer transactions for direct processing.
c. A Federal Reserve wire system used for electronic, computer-to-computer, money transfers.
d. A privately owned value added network.

A

Choice “b” is correct. By definition, EDI is the computer-to-computer exchange of business data in structured formats that allows direct processing of the data by the receiving system.
Choice “a” is incorrect. This accurately describes a data warehouse.
Choice “c” is incorrect. This accurately describes an electronic funds transfer.
Choice “d” is incorrect. EDI transactions may be transmitted using a VAN, but EDI is not a VAN by definition.

39
Q
An advantage of an e-commerce transaction over an EDI transaction is that e-commerce:
a. Is generally slower than EDI.
b. Requires that organizations enter a contract before transacting business.
c. Is generally less expensive than EDI.
d. Is generally less secure than EDI.
A

Choice “c” is correct. Since e-commerce transactions are usually conducted through the Internet, not a VAN, e-commerce transactions are less expensive than EDI transactions. This is true because a privately owned VAN is more expensive.

40
Q
All of the following are different types of reporting risk that an accountant must recognize as threats to accuracy of reports, except:
a. Data integrity risk.
b. Information risk.
c. Financial risk.
d. Strategic risk.
A

Choice “a” is correct. There is no separate data integrity risk category.
Choice “d” is incorrect. Strategic risk includes risks such as choosing inappropriate technology.
Choice “c” is incorrect. Financial risk includes risks such as having financial resources lost, wasted, or stolen.
Choice “b” is incorrect. Information risk includes risks such as loss of data integrity, incomplete transactions, or hackers.

41
Q
The system of user identification and authentication that prevents unauthorized users from gaining access to network resources is called a:
a. Network force field.
b. Network server.
c. Firewall.
d. Login ID and encryption.
A

Choice “c” is correct. A firewall is a system of user identification and authentication that prevents unauthorized users from gaining access to network resources. This name may also be applied to a network node used to improve network traffic and to set up a boundary that prevents traffic from one segment from crossing over to another. The most common use is to prevent Internet users from gaining access to an organization’s private intranet.

42
Q
Which of the following types of control plans is particular to a specific process or subsystem, rather than related to the timing of its occurrence?
a. Corrective.
b. Detective.
c. Application.
d. Preventive.
A

Choice “c” is correct. Application controls are written into the application and are specific to the particular process or subsystem. The words “specific to the particular process or subsystem” almost give it away. The words “process” and “subsystem” are quite similar to the word “application.”

43
Q
Which of the following risks can be minimized by requiring all employees accessing the information system to use passwords?
a. Data entry errors.
b. Failure of server duplicating function.
c. Firewall vulnerability.
d. Collusion.
A

Choice “c” is correct. Since a primary purpose of the firewall is to prevent unauthorized access to the network, requiring all users to have a password helps to minimize vulnerability.

44
Q
Which of the following activities would most likely detect computer-related fraud?
a. Conducting fraud-awareness training.
b. Reviewing the systems-access log.
c. Performing validity checks.
d. Using data encryption.
A

Choice “b” is correct. Because computer-related fraud often involves unauthorized access to systems and/or data, review of system access logs is the most likely of these choices to detect fraud. System access logs are electronic lists of who has accessed or has attempted to access systems or parts of systems or data or subsets of data.

45
Q

Which of the following statements is/are correct?
a. A denial-of-service attack is an attack in which one computer bombards another computer with a flood of information.
b. A virus is a piece of computer program that inserts itself into some other program. Virus protection software can be utilized to protect against viruses. One of the benefits of such software is that it can be installed and forgotten, allowing security personnel to devote their attention to other areas.
c. Phishing is the sending of phony emails to try to convince people to divulge information.
d. Choices “a” and “c” are correct.

A

Choice “d” is correct, which means that both “a” and “c” are correct.
Choice “b” is incorrect. A virus is a piece of computer program that inserts itself into some other program. Virus protection software can be utilized to protect against viruses. One of the benefits of such software is definitely not that it can be installed and forgotten. Virus protection software must be continually updated because new viruses are being continually developed. Security personnel who install and forget virus protection software will soon be looking for new jobs.

46
Q
A company's web server has been overwhelmed with a sudden surge of false requests that caused the server to crash. The company has most likely been the target of:
a. Piggybacking.
b. An eavesdropping attack.
c. Spoofing.
d. A denial of service attack.
A

Choice “d” is correct. In a denial of service attack, one computer bombards another computer with a flood of information intended to keep legitimate users from accessing the target computer or network. A sudden surge of false requests that cause a company’s server to crash is a denial of service attack.
Choice “c” is incorrect. A spoofing attack is a breach of network security resulting from a person or program successfully impersonating a legitimate network user for illegitimate purposes.
Choice “a” is incorrect. Piggybacking is the practice of using another person or organization’s wireless network connection without the express permission of the subscriber or owner of the network.
Choice “b” is incorrect. An eavesdropping attack seeks to access a network and steal or eavesdrop on communications in an attempt to illicitly obtain passwords or other confidential or sensitive information.

47
Q

Which of the following procedures should be included in the disaster recovery plan for an Information Technology department?
a. Replacement personal computers for user departments.
b. Physical security of warehouse facilities.
c. Cross-training of operating personnel.
d. Identification of critical applications.

A

Choice “d” is correct. The identification of critical applications will be found in almost all disaster recovery plans and thus is the best answer.

48
Q

To prevent interrupted information systems operation, which of the following controls are typically included in an organization’s disaster recovery plan?

a. Disaster recovery and data processing controls.
b. Backup and data transmission controls.
c. Backup and downtime controls.
d. Data input and downtime controls.
A

Choice “c” is correct. Downtime (or the complete lack thereof) is a key factor in the disaster recovery plan. Backup is always essential in any disaster recovery plan. Choice “c” is the only choice with both downtime and backup.
Choice “b” is incorrect. Backup is always essential in any disaster recovery plan. These days, data transmission is an integral part of normal processing and of disaster recovery, and data transmission would definitely be important in any disaster recovery plan (normal data transmission has to be re-established at the disaster recovery facility, and this sometimes is one of the more difficult things to do). However, this choice does not include the word “downtime” and this choice is thus not as good as choice “c”.

49
Q

Bacchus, Inc. is a large multinational corporation with various business units around the world. After a fire destroyed the corporate headquarters and largest manufacturing site, plans for which of the following would help Bacchus ensure a timely recovery?

a. Network security.
b. Backup power.
c. Business continuity.
d. Daily backup.
A

Business continuity.

50
Q

Which of the following procedures would an entity most likely include in its disaster recovery plan?

a. Maintain a Trojan horse program to prevent illicit activity.
b. Store duplicate copies of files in a location away from the computer center.
c. Convert all data from EDI format to an internal company format.
d. Develop an auxiliary power supply to provide uninterrupted electricity.
A

Store duplicate copies of files in a location away from the computer center.
Choice “b” is correct. Storing duplicate copies of key files in a separate location can help a company continue operations in the event a disaster destroys the originals.
Choice “d” is incorrect. Provision of uninterrupted electricity may prevent accidental loss of data, but it does not help a company recover from a disaster that has already occurred.

51
Q
Which of the following types of business planning focuses on how a company can most effectively restore business operations following a disaster?
a. Budget planning.
b. Strategy planning.
c. Capacity planning.
d. Continuity planning.
A

Business continuity planning focuses on restoring and continuing operations in the event a disaster occurs that affects an organization. Disaster recovery and business continuity plans are used for dealing with the destruction of program and data files as well as how to restore business processing capability.
Choice “c” is incorrect. Capacity planning pertains to having the necessary physical space or capability for an entity’s production operations. Continuity planning deals with how to restore and maintain operations after a disaster.
Choice “a” is incorrect. Budgetary planning deals with financial planning (budgets) versus disaster recovery planning.
Choice “b” is incorrect. Strategic planning is high-level management planning that involves how the entity will execute its goals for near and longer term periods. Continuity planning deals with how to restore and maintain operations after a disaster.