Fraud Evidence and Investigation

Question 1

Which of the following methods is acceptable to handle computer equipment seized in a computer crime investigation?
Subjecting the magnetic media to forensic testing.
Laying the magnetic media on top of electronic equipment.
Exposing the magnetic media to radio waves.
Leaving the magnetic media in the trunk of a vehicle containing a radio unit.

Answer 1

Subjecting the magnetic media to forensic testing.

Question 2

Which of the following investigative tools ismosteffective when large volumes of evidence need to be analyzed?
Computer.
Questionnaires.
Forensic analysis.
Interviews.

Answer 2

Computer.

Question 3

The concept of admissibility of evidence does not include which of the following?
Relevance.
Competence.
Materiality.
Sufficiency.

Answer 3

Sufficiency.

Question 4

Data diddling can be prevented by all of the following except:
Access controls.
Integrity checking.
Program change controls.
Rapid correction of data.

Answer 4

Rapid correction of data.

Question 5

In a computer-related crime investigation, computer evidence is:
Difficult and erasable.
Volatile and invisible.
Electronic and inadmissible.
Apparent and magnetic.

Answer 5

Volatile and invisible.

Question 6

The final stage of reporting results of computer evidence life cycle is:
Receive.
Examine.
Report.
Return.

Answer 6

Return.

Question 7

Identify the computer-related crime and fraud method that involves obtaining information that may be left in or around a computer system after the execution of a job.
Piggybacking.
Data diddling.
Scavenging.
Salami technique.

Answer 7

Scavenging.

Question 8

Once evidence is seized, a law enforcement officer should follow which of the following?
Chain of control.
Chain of command.
Chain of custody.
Chain of communications.

Answer 8

Chain of custody.

Question 9

If a computer or peripheral equipment involved in a computer crime isnotcovered by a search warrant, what should the investigator do?
Analyze the equipment or its contents, and record it.
Leave it alone until a warrant can be obtained.
Seize it before someone takes it away.
Store it in a locked cabinet in a secure warehouse.

Answer 9

Leave it alone until a warrant can be obtained.

Question 10

Are an investigator?s handwritten notes considered valid evidence in court of law?
No.
Yes.
Maybe.
Depends.

Answer 10

Yes.

Question 11

The most objective and relevant evidence in a computer environment involving fraud is.
Physical examination.
Computer logs.
Physical observation.
Inquiries of people.

Answer 11

Computer logs.

Question 12

What determines if a computer crime has been committed?
When the crime is reported.
When the investigation is completed.
When a computer expert has completed his or her work.
When the allegation has been substantiated.

Answer 12

When the allegation has been substantiated.

Question 13

Most of the evidence submitted in a computer crime case is:
Secondary evidence.
Documentary evidence.
Admissible evidence.
Legal evidence.

Answer 13

Documentary evidence.

Question 14

What is a data diddling technique?
I.Changing data before input to a computer system.
II.Changing data during input to a computer system.
III.Changing data during output from a computer system.
IV.All options.

Answer 14

IV.

Question 15

An internal auditor suspects fraud. Which of the following sample plans should be used if the purpose is to select a sample with a given probability of containing at least one example of the irregularity?
Probability proportional to size.
Attributes.
Stop and go.
Discovery.

Answer 15

Discovery.

Question 16

Because of control weaknesses, it is possible that the individual managers of 122 restaurants could have placed fictitious employees on the payroll. Each restaurant employs between 25 and 30 people. To efficiently determine whether this fraud exists at less than a 1% level, the auditor should use:
Discovery sampling.
Judgment sampling.
Directed sampling.
Attributes sampling.

Answer 16

Discovery sampling.

Question 17

Which of the following is needed to produce technical evidence in computer-related crimes?
Audit methodology.
Criminal methodology.
Forensic methodology.
System methodology.

Answer 17

Forensic methodology.

Question 18

A reliable way to detect superzapping work is by:
Noting discrepancies by those who receive reports.
Comparing current data files with previous data files.
Examining computer usage logs.
Reviewing undocumented transactions.

Answer 18

Comparing current data files with previous data files.

Question 19

An auditor applying a discovery sampling plan with a 5% risk of overreliance may conclude that there is:
A 95% probability that the actual rate of occurrence in the population is less than the critical rate if only one exception is found.
Greater than a 95% probability that the actual rate of occurrence in the population is less than the critical rate if no exceptions are found.
A 95% probability that the actual rate of occurrence in the population is less than the critical rate if no exceptions are found.
A 95% probability that the actual rate of occurrence in the population is less than the critical rate if the occurrence rate in the sample is less than the critical rate.

Answer 19

A 95% probability that the actual rate of occurrence in the population is less than the critical rate if no exceptions are found.

Question 20

Evidence is needed to do which of the following?
Charge a case.
Classify a case.
Prove a case.
Make a case.

Answer 20

Prove a case.

Question 21

What is a salami technique?
Stealing small amounts of money from bank accounts.
Using the rounding-down concept.
Taking small amounts of assets.
All options.

Answer 21

All options.

Question 22

After partially completing an internal control review of the accounts payable department, the auditor suspects that some type of fraud has occurred. To ascertain whether the fraud is present, thebestsampling approach would be to use:
Judgmental sampling to select a sample of vouchers processed by clerks identified by the department manager as acting suspiciously.
Simple random sampling to select a sample of vouchers processed by the department during the past year.
Probability-proportional-to-size sampling to select a sample of vouchers processed by the department during the past year.
Discovery sampling to select a sample of vouchers processed by the department during the past year.

Answer 22

Discovery sampling to select a sample of vouchers processed by the department during the past year.

Question 23

When large volumes of writing are presented in court, which type of evidence is inapplicable?
Flowchart evidence.
Demonstrative evidence.
Magnetic tapes evidence.
Best evidence.

Answer 23

Best evidence.

Question 24

In a computer-related crime investigation, maintenance of evidence is important for which of the following reasons?
To protect the evidence.
To collect the evidence.
To record the crime.
To avoid problems of proof.

Answer 24

To avoid problems of proof.

Question 25

The objective of which of the following team members is similar to that of the information systems security officer involved in a computer crime investigation?
District attorney.
Investigator.
Computer expert.
Internal systems auditor.

Answer 25

Internal systems auditor.

Question 26

Computer fraud is discouraged by:
Ostracizing whistleblowers.
Accepting the lack of integrity in the system.
Being willing to prosecute.
Overlooking inefficiencies in the judicial system.

Answer 26

Being willing to prosecute.

Question 27

With respect to computer security and fraud, a legal liability exists to an organization under which of the following conditions?
When estimated security costs are equal to estimated losses.
When estimated security costs are greater than estimated losses.
When estimated security costs are less than estimated losses.
When actual security costs are equal to actual losses.

Answer 27

When estimated security costs are less than estimated losses.

Question 28

From a computer security viewpoint, courts expect what amount of care from organizations?
Great care.
Extraordinary care.
Super care.
Due care.

Answer 28

Due care.

Question 29

When computers and peripheral equipment are seized in relation to a computer crime, it is an example of:
Collateral evidence.
Duplicate evidence.
Best evidence.
Physical evidence.

Answer 29

Physical evidence.

Question 30

When an auditor?s sampling objective is to obtain a measurable assurance that a sample will contain at least one occurrence of a specific critical exception existing in a population, the sampling approach to use is:
Variables.
Discovery.
Random.
Probability proportional to size.

Answer 30

Discovery.

Question 31

All of the following are proper ways to handle the computer equipment and magnetic media items involved in a computer crime investigationexcept:
Seal and store items in a cardboard box.
Seal and store items in a paper bag.
Seal and store items in a plastic bag.
Seal, store, and tag the items.

Answer 31

Seal and store items in a plastic bag.

Question 32

The chain of custody does not ask which of the following questions?
Who damaged the evidence?
Who collected the evidence?
Who controlled the evidence?
Who stored the evidence?

Answer 32

Who damaged the evidence?

Question 33

A search warrant is required:
Before identifying the number of investigators needed.
After establishing the probable cause(s).
After seizing the computer and related equipment.
Before the allegation has been substantiated.

Answer 33

After establishing the probable cause(s).

Question 34

Which of the following security techniques allows time for response by investigative authorities?
Detect.
Deny.
Delay.
Deter.

Answer 34

Delay.

Question 35

Computer fraud is increased when:
Documentation is not available.
Employee performance appraisals are not given.
Employees are not trained.
Audit trails are not available.

Answer 35

Audit trails are not available.

Question 36

Management is legally required to prepare a shipping document for all movement of hazardous materials. The document must be filed with bills of lading. Management expects 100% compliance with the procedure. Which of the following sampling approaches would bemostappropriate?
Discovery sampling.
Targeted sampling.
Attributes sampling.
Variables sampling.

Answer 36

Discovery sampling.

Question 37

Which of the following is not a criminal activity in most jurisdictions?
Writing a computer virus program.
Spreading a computer virus program.
Using a computer virus program.
Releasing a computer virus program.

Answer 37

Writing a computer virus program.

Question 38

The correct sequence of preliminary investigation is:
I.Consult with a computer expert.
II.Prepare an investigative plan.
III.Consult with a prosecutor.
IV.Substantiate the allegation.
IV, II, III, and I.
I, IV, II, and III.
III, I, II, and IV.
IV, I, II, and III.

Answer 38

IV, I, II, and III.

Question 39

In the audit of a health insurance claims processing department, a sample is taken to test for the presence of fictitious payees, although none is suspected. The most appropriate sampling plan would be:
Variables sampling.
Attributes sampling.
Discovery sampling.
Stop-and-go sampling.

Answer 39

Discovery sampling.

Question 40

The appropriate sampling plan to use to identify at least one irregularity, assuming some number of such irregularities exist in a population, and then to discontinue sampling when one irregularity is observed is:
Stop-and-go sampling.
Attributes sampling.
Variables sampling.
Discovery sampling.

Answer 40

Discovery sampling.

Question 41

A security investigator or law enforcement officer should observe which of the following during a computer crime investigation?
Chain of logs.
Chain of custody.
Chain of events.
Chain of computers.

Answer 41

Chain of custody.